Michael Hanney - 37 - Nov 6, 2014

Is there a way to make the redirects in the Auth provider always be HTTPS? 

For website logins I am using ServiceStack’s Authentication feature with the Authenticate attribute, the CredentialsAuthProvider and the UserAuth repository. It is working great, however, in production we put all IIS hosts behind a load balancer that serves only HTTPS by design (forwarding all requests on port 443 to port 80 on the IIS instances). This creates a problem - the Authenticate attribute redirects to the login page on HTTP port 80 only (I think because it sees only the proxied request Url, not the original). This results in a failed request in the browser because the load balancer does not do HTTP and does not redirect HTTP requests to HTTPS. We cannot configure IIS to also be HTTPS only.

Is there a way to make the redirects in the Auth provider always be HTTPS? Or, can the Auth provider look at the HTTP headers for the X-Forwarded-Proto to see that the login page request should be over HTTPS?

Some of the OAuth urls are specified in the configuration: https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization#oauth-configuration

For other autogenerated Urls you can set it to use https:
SetConfig(new HostConfig { 
    UseHttpsLinks = true
});

Which should modify the BaseUrl used in the latest v4.0.33 release.

You can also override the AppHost.ResolveAbsoluteUrl method to introspect/customize urls.

Michael Hanney:

Thank you Demis, this override of AppHost.ResolveAbsoluteUrl works great in production and dev!

// Requires "using System;" for StringComparison.
public override string ResolveAbsoluteUrl(string virtualPath, IRequest httpReq)
{
    virtualPath = virtualPath.SanitizedVirtualPath();
    var absoluteUrl = httpReq.GetAbsoluteUrl(virtualPath);

    // The load balancer terminates TLS and reports the original scheme in
    // X-Forwarded-Proto; when it says https, rewrite the generated URL to match.
    return httpReq.Headers["X-Forwarded-Proto"] != null
        && httpReq.Headers["X-Forwarded-Proto"].Equals("https", StringComparison.InvariantCultureIgnoreCase)
        ? absoluteUrl.Replace("http://", "https://") : absoluteUrl;
}
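The following is an added example, not code from the thread or from ServiceStack. It shows the same X-Forwarded-Proto check with two hardening steps: the header is honoured only when the direct peer is the load balancer, and only the leading scheme is rewritten. The `ForwardedProto` class, the `Upgrade` helper, the proxy address and the sample URLs are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class ForwardedProto
{
    // Constructed sample value: address of the load balancer as seen by IIS.
    static readonly HashSet<string> TrustedProxies = new HashSet<string> { "10.0.0.5" };

    // Returns absoluteUrl with its scheme upgraded to https when the request
    // arrived via a trusted proxy that reported the original scheme as https.
    public static string Upgrade(string absoluteUrl, string forwardedProto, string peerIp)
    {
        const string Http = "http://";

        // Ignore the header unless the direct peer is the load balancer;
        // any other client can set X-Forwarded-Proto to whatever it likes.
        if (peerIp == null || !TrustedProxies.Contains(peerIp))
            return absoluteUrl;

        if (!string.Equals(forwardedProto?.Trim(), "https", StringComparison.OrdinalIgnoreCase))
            return absoluteUrl;

        // Rewrite the leading scheme only, so an "http://" inside the path
        // or query string (for example a return URL) is left untouched.
        return absoluteUrl.StartsWith(Http, StringComparison.OrdinalIgnoreCase)
            ? "https://" + absoluteUrl.Substring(Http.Length)
            : absoluteUrl;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        var url = "http://app.example.test/login?redirect=http://app.example.test/secure";

        Console.WriteLine(Upgrade(url, "https", "10.0.0.5"));    // via load balancer
        Console.WriteLine(Upgrade(url, "https", "203.0.113.9")); // header from untrusted peer
        Console.WriteLine(Upgrade(url, null, "10.0.0.5"));       // header absent
    }
}
```

The peer address passed in should be the TCP-level remote address of the connection, not a value derived from X-Forwarded-For, which is client-controlled in the same way.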