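I have been trying for a few days now to figure out why I cannot get NGINX to work as a reverse proxy with Identity Server4 and a Blazor Server app running in Docker containers.
What happens is that I can browse to the Blazor app, press the login button, get redirected to the Identity Server login page, enter the username and password, and accept the consent, but the redirect back to the Blazor app does not work.
The Nginx log shows a 400 on the POST below, even though the Blazor app is set up to use HTTPS with a LetsEncrypt certificate.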
[06/Dec/2019:15:45:34 +0000] "GET /account/login HTTP/1.1" 302 0 "https://dev.codescu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:34 +0000] "GET /connect/authorize?client_id=sdehelperwebui&redirect_uri=https%3A%2F%2Fdev.codescu.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk&state=CfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1" 302 0 "https://dev.codescu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:34 +0000] "GET /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dsdehelperwebui%26redirect_uri%3Dhttps%253A%252F%252Fdev.codescu.com%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk%26state%3DCfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1" 200 2177 "https://dev.codescu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:34 +0000] "GET /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dsdehelperwebui%26redirect_uri%3Dhttps%253A%252F%252Fdev.codescu.com%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk%26state%3DCfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1" 200 2176 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:35 +0000] "POST /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dsdehelperwebui%26redirect_uri%3Dhttps%253A%252F%252Fdev.codescu.com%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk%26state%3DCfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
Nginx configuration:
server {
    server_name dev.codescu.com;
    location / {
        # add_header 'Access-Control-Allow-Origin' 'http://api.localhost';
        # add_header 'Access-Control-Allow-Credentials' 'true';
        # add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        # add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' 'http://api.localhost';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Connection keep-alive;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://10.190.26.242;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }
    real_ip_header proxy_protocol;
    set_real_ip_from 127.0.0.1;
    listen [::]:443 ssl proxy_protocol ipv6only=on; # managed by Certbot
    listen 443 ssl proxy_protocol; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/codescu.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/codescu.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = dev.codescu.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 proxy_protocol;
    server_name dev.codescu.com;
    return 404; # managed by Certbot
}
The same setup is made for the Identity Server4 virtual host.
In the code I have added:
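// Requires: using Microsoft.AspNetCore.HttpOverrides;
// Applies the proxy's X-Forwarded-For and X-Forwarded-Proto headers to the request.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});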
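in both the Blazor and Identity Server projects.
I have tried running the Blazor and Identity Server apps both with and without TLS.
It is worth mentioning that browsing locally, without going through the reverse proxy, works.
When I try to browse from "outside" and need to go through the Nginx reverse proxy, it stops working when I am redirected back to the Blazor app.
Any ideas are appreciated.
Answer 0 (score: 1)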