diff --git a/backend/src/Squidex.Web/UrlsOptions.cs b/backend/src/Squidex.Web/UrlsOptions.cs
index b45390301..8ab432d47 100644
--- a/backend/src/Squidex.Web/UrlsOptions.cs
+++ b/backend/src/Squidex.Web/UrlsOptions.cs
@@ -15,6 +15,8 @@ namespace Squidex.Web
 public string BaseUrl { get; set; }
+ public bool EnableXForwardedHost { get; set; }
+
 public string BuildUrl(string path, bool trailingSlash = true)
 {
 if (string.IsNullOrWhiteSpace(BaseUrl))
diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
index 5231b29e7..8127fbe1a 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@@ -15,7 +15,6 @@ using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using Microsoft.AspNetCore.DataProtection.Repositories;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Squidex.Domain.Users;
@@ -27,14 +26,12 @@ namespace Squidex.Areas.IdentityServer.Config
 {
 public static class IdentityServerServices
 {
- public static void AddSquidexIdentityServer(this IServiceCollection services, IConfiguration config)
+ public static void AddSquidexIdentityServer(this IServiceCollection services)
 {
 X509Certificate2 certificate;
 var assembly = typeof(IdentityServerServices).Assembly;
- var urlsOptions = config.GetSection("urls").Get();
-
 using (var certificateStream = assembly.GetManifestResourceStream("Squidex.Areas.IdentityServer.Config.Cert.IdentityCert.pfx"))
 {
 var certData = new byte[certificateStream!.Length];
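Review bot: The new `EnableXForwardedHost` property carries no documentation, and its effect is not self-evident from the name: per the accompanying WebExtensions.cs change it only takes effect when `BaseUrl` is set, and only the host part of `BaseUrl` is accepted from the header. Suggested doc comment above the property: `/// <summary>Honour the X-Forwarded-Host header. Only the host of <see cref="BaseUrl"/> is accepted, so this has no effect while <see cref="BaseUrl"/> is empty.</summary>`.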
@@ -77,11 +74,6 @@ namespace Squidex.Areas.IdentityServer.Config
 services.AddIdentityServer(options =>
 {
 options.UserInteraction.ErrorUrl = "/error/";
-
- if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl))
- {
- options.PublicOrigin = urlsOptions.BaseUrl;
- }
 })
 .AddAspNetIdentity()
 .AddInMemoryApiResources(GetApiResources())
diff --git a/backend/src/Squidex/Config/Web/WebExtensions.cs b/backend/src/Squidex/Config/Web/WebExtensions.cs
index 3bc5022cf..abfc13347 100644
--- a/backend/src/Squidex/Config/Web/WebExtensions.cs
+++ b/backend/src/Squidex/Config/Web/WebExtensions.cs
@@ -13,11 +13,13 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Net.Http.Headers;
 using Squidex.Infrastructure.Json;
 using Squidex.Pipeline.Robots;
+using Squidex.Web;
 using Squidex.Web.Pipeline;
 namespace Squidex.Config.Web
@@ -105,14 +107,32 @@ namespace Squidex.Config.Web
 .AllowAnyHeader());
 }
- public static void UseSquidexForwardingRules(this IApplicationBuilder app)
+ public static void UseSquidexForwardingRules(this IApplicationBuilder app, IConfiguration config)
 {
- app.UseForwardedHeaders(new ForwardedHeadersOptions
+ var urlsOptions = config.GetSection("urls").Get();
+ var forwardedHeadersOptions = new ForwardedHeadersOptions();
+
+ if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl) && urlsOptions.EnableXForwardedHost)
 {
- ForwardedHeaders = ForwardedHeaders.XForwardedProto,
- ForwardLimit = null,
- RequireHeaderSymmetry = false
- });
+ forwardedHeadersOptions = new ForwardedHeadersOptions()
+ {
+ ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost,
+ AllowedHosts = new List() { new Uri(urlsOptions.BaseUrl).Host },
+ ForwardLimit = null,
+ RequireHeaderSymmetry = false
+ };
+ }
+ else
+ {
+ forwardedHeadersOptions = new ForwardedHeadersOptions()
+ {
+ ForwardedHeaders = ForwardedHeaders.XForwardedProto,
+ ForwardLimit = null,
+ RequireHeaderSymmetry = false
+ };
+ }
+
+ app.UseForwardedHeaders(forwardedHeadersOptions);
 app.UseMiddleware();
 app.UseMiddleware();
diff --git a/backend/src/Squidex/Startup.cs b/backend/src/Squidex/Startup.cs
index 4fbef75a7..7ae9f946e 100644
--- a/backend/src/Squidex/Startup.cs
+++ b/backend/src/Squidex/Startup.cs
@@ -54,7 +54,7 @@ namespace Squidex
 services.AddSquidexHealthChecks(config);
 services.AddSquidexHistory();
 services.AddSquidexIdentity(config);
- services.AddSquidexIdentityServer(config);
+ services.AddSquidexIdentityServer();
 services.AddSquidexInfrastructure(config);
 services.AddSquidexMigration(config);
 services.AddSquidexNotifications(config);
@@ -76,7 +76,7 @@ namespace Squidex
 app.UseSquidexTracking();
 app.UseSquidexLocalCache();
 app.UseSquidexCors();
- app.UseSquidexForwardingRules();
+ app.UseSquidexForwardingRules(config);
 app.ConfigureApi();
 app.ConfigurePortal();
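Review bot: `new Uri(urlsOptions.BaseUrl).Host` in the `AllowedHosts` initializer throws a UriFormatException during startup whenever `urls:baseUrl` is not an absolute URL, and the exception does not name the setting that caused it; `Uri.TryCreate(..., UriKind.Absolute, out var baseUri)` followed by an explicit InvalidOperationException makes the misconfiguration diagnosable. The `var forwardedHeadersOptions = new ForwardedHeadersOptions();` initializer is overwritten in both branches, and the two object initializers repeat the same three properties; building the options once and adding `XForwardedHost` plus the allow-list conditionally removes the duplication. Keep the `AllowedHosts` entry through any refactoring: the visible options set neither KnownProxies nor KnownNetworks, so this allow-list is what bounds which host value a client can inject via X-Forwarded-Host, and with the PublicOrigin assignment removed from IdentityServerServices.cs the host presumably now feeds the identity server's public URLs. `config.GetSection("urls").Get<UrlsOptions>()` presumably returns null when the section is absent, which the rewrite below guards with `?.`. The method body continues past the hunk.

```csharp
public static void UseSquidexForwardingRules(this IApplicationBuilder app, IConfiguration config)
{
    var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();

    // X-Forwarded-Proto is always honoured, as before.
    var forwardedHeadersOptions = new ForwardedHeadersOptions()
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedProto,
        ForwardLimit = null,
        RequireHeaderSymmetry = false
    };

    if (urlsOptions?.EnableXForwardedHost == true && !string.IsNullOrWhiteSpace(urlsOptions.BaseUrl))
    {
        if (!Uri.TryCreate(urlsOptions.BaseUrl, UriKind.Absolute, out var baseUri))
        {
            throw new InvalidOperationException("urls:baseUrl must be an absolute URL when urls:enableXForwardedHost is true.");
        }

        // Only the configured host may be supplied via X-Forwarded-Host; nothing else in
        // these options ties the header to a known proxy, so this allow-list is the bound.
        forwardedHeadersOptions.ForwardedHeaders |= ForwardedHeaders.XForwardedHost;
        forwardedHeadersOptions.AllowedHosts.Add(baseUri.Host);
    }

    app.UseForwardedHeaders(forwardedHeadersOptions);

    // … unchanged: middleware registrations …
```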
diff --git a/backend/src/Squidex/appsettings.json b/backend/src/Squidex/appsettings.json
index 05362c7e3..ae7b38868 100644
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@@ -15,7 +15,12 @@
 /*
 * Set it to true to redirect the user from http to https permanently.
 */
- "enforceHttps": false
+ "enforceHttps": false,
+
+ /*
+ * Set it to true to use the X-Forwarded-Host header as internal Hostname.
+ */
+ "enableXForwardedHost": false
 },
 /*
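Review bot: The comment on `enableXForwardedHost` does not tell the operator that the setting depends on `baseUrl`: the middleware change in WebExtensions.cs ignores it while `baseUrl` is empty and accepts only the host named in `baseUrl` from the header. Suggested wording for the comment: `Set it to true to use the X-Forwarded-Host header as internal Hostname. Requires baseUrl; only the host of baseUrl is accepted.`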