-
Notifications
You must be signed in to change notification settings - Fork 521
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updated Dashboard to accept/map forwarded headers #6969
base: main
Are you sure you want to change the base?
Updated Dashboard to accept/map forwarded headers #6969
Conversation
@JamesNK @drewnoakes |
I’m that doesn’t seem right. Do you need to forward all headers? |
@davidfowl I just need For example if a developer uses Yarp to cut the SSL connection at the edge they will need to map the Protocol too. |
@adamint @davidfowl i have limited the forwarded headers to host and protocol, let me know your thoughts. |
I'm still unsure about the security implications of this change. Someone with a better understanding (maybe @drewnoakes @davidfowl) needs to weigh in, but this approach still seems insecure to me at first glance. Why should we implicitly be trusting X-Forwarded-Host? Would it change anything to compare the host against an 'expected' host regex? From my perspective, using an identity provider should be a supported but also secure-by-default scenario. |
Your concerns are valid @adamint, that's why the forwarded headers shouldn't be enabled by default, and should be enabled only by a person that knows how they work with a reverse proxy and why they are needed for their specific scenario, from that perspective this feature is secure by default. In my opinion is that if someone uses this feature, they have some common and basic knowledge like: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-9.0 and https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/host-filtering?view=aspnetcore-9.0 . Like any other feature of .NET or Aspire, this can be used by any bad actor, disabling it by default is a must but for advanced or specific scenarios allowing users to leverage it allows application developers to focus on their business logic while leveraging Aspire's great focus on telemetry. From my perspective and security-wise this feature is no different than allowing an unsecure transport (http) for the dashboard, which is currently supported, but discouraged, and should be used at the users' discretion. |
@adamint answering your comment Currently I am achieving this by only allowing only the hosts that I am expecting my reverse proxy to call e.g. |
Ok thanks for the responses, @danespinosa - and pardon my ignorance. I'm satisfied with this then, @davidfowl? |
Description
This change addresses the need to map the forwarded headers in the application when ASPNETCORE_FORWARDEDHEADERS_ENABLED is enabled. Currently even if a developer enables the ASPNETCORE_FORWARDEDHEADERS_ENABLED environment variable, the application does not map the forwarded headers properly because the application doesn't specify which headers to map.
Without this change the dashboard doesn't work well behind a reverse proxy like YARP when doing OpenID Auth since the app doesn't map the Host or Protocol (http/https) properly and the redirect ends up being the address YARP redirects the call to.
I need guidance for the test I was thinking calling the dashboard and do something similar to
ValidateTokenMiddlewareTests
to validate theHost
, andProto
.Fixes # (issue)
Checklist
<remarks />
and<code />
elements on your triple slash comments?breaking-change
template):doc-idea
template):Microsoft Reviewers: Open in CodeFlow