Feature/proxy forwarded host option (#457)

* Add Tenant specific microsoft authentication

* Default no tenant in appsettings

* Adding access to graph to authorize reading profile

* ProxyForwardedHostOption

* ProxyForwardedHost not default in appsettings

* Formatting change

* Reverting change for setting IdentityServer BaseUrl explicitly. Will be replaced with ProxyForwardedHostOption

backend/src/Squidex.Web/UrlsOptions.cs

@@ -15,6 +15,8 @@ namespace Squidex.Web
 
         public string BaseUrl { get; set; }
 
+        public bool EnableXForwardedHost { get; set; }
+
         public string BuildUrl(string path, bool trailingSlash = true)
         {
             if (string.IsNullOrWhiteSpace(BaseUrl))

backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs

@@ -15,7 +15,6 @@ using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using Microsoft.AspNetCore.DataProtection.Repositories;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Squidex.Domain.Users;
@@ -27,14 +26,12 @@ namespace Squidex.Areas.IdentityServer.Config
 {
     public static class IdentityServerServices
     {
-        public static void AddSquidexIdentityServer(this IServiceCollection services, IConfiguration config)
+        public static void AddSquidexIdentityServer(this IServiceCollection services)
         {
             X509Certificate2 certificate;
 
             var assembly = typeof(IdentityServerServices).Assembly;
 
-            var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();
-
             using (var certificateStream = assembly.GetManifestResourceStream("Squidex.Areas.IdentityServer.Config.Cert.IdentityCert.pfx"))
             {
                 var certData = new byte[certificateStream!.Length];
@@ -77,11 +74,6 @@ namespace Squidex.Areas.IdentityServer.Config
             services.AddIdentityServer(options =>
                 {
                     options.UserInteraction.ErrorUrl = "/error/";
-
-                    if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl))
-                    {
-                        options.PublicOrigin = urlsOptions.BaseUrl;
-                    }
                 })
                 .AddAspNetIdentity<IdentityUser>()
                 .AddInMemoryApiResources(GetApiResources())

backend/src/Squidex/Config/Web/WebExtensions.cs

@@ -13,11 +13,13 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Net.Http.Headers;
 using Squidex.Infrastructure.Json;
 using Squidex.Pipeline.Robots;
+using Squidex.Web;
 using Squidex.Web.Pipeline;
 
 namespace Squidex.Config.Web
@@ -105,14 +107,32 @@ namespace Squidex.Config.Web
                 .AllowAnyHeader());
         }
 
-        public static void UseSquidexForwardingRules(this IApplicationBuilder app)
+        public static void UseSquidexForwardingRules(this IApplicationBuilder app, IConfiguration config)
         {
-            app.UseForwardedHeaders(new ForwardedHeadersOptions
+            var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();
+            var forwardedHeadersOptions = new ForwardedHeadersOptions();
+
+            if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl) && urlsOptions.EnableXForwardedHost)
+            {
+                forwardedHeadersOptions = new ForwardedHeadersOptions()
+                {
+                    ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost,
+                    AllowedHosts = new List<string>() { new Uri(urlsOptions.BaseUrl).Host },
+                    ForwardLimit = null,
+                    RequireHeaderSymmetry = false
+                };
+            }
+            else
+            {
+                forwardedHeadersOptions = new ForwardedHeadersOptions()
                 {
                     ForwardedHeaders = ForwardedHeaders.XForwardedProto,
                     ForwardLimit = null,
                     RequireHeaderSymmetry = false
-            });
+                };
+            }
+
+            app.UseForwardedHeaders(forwardedHeadersOptions);
 
             app.UseMiddleware<EnforceHttpsMiddleware>();
             app.UseMiddleware<CleanupHostMiddleware>();

backend/src/Squidex/Startup.cs

@@ -54,7 +54,7 @@ namespace Squidex
             services.AddSquidexHealthChecks(config);
             services.AddSquidexHistory();
             services.AddSquidexIdentity(config);
-            services.AddSquidexIdentityServer(config);
+            services.AddSquidexIdentityServer();
             services.AddSquidexInfrastructure(config);
             services.AddSquidexMigration(config);
             services.AddSquidexNotifications(config);
@@ -76,7 +76,7 @@ namespace Squidex
             app.UseSquidexTracking();
             app.UseSquidexLocalCache();
             app.UseSquidexCors();
-            app.UseSquidexForwardingRules();
+            app.UseSquidexForwardingRules(config);
 
             app.ConfigureApi();
             app.ConfigurePortal();

backend/src/Squidex/appsettings.json

@@ -15,7 +15,12 @@
     /*
      * Set it to true to redirect the user from http to https permanently.
      */
-    "enforceHttps": false
+    "enforceHttps": false,
+
+    /*
+     * Set it to true to use the X-Forwarded-Host header as internal Hostname.
+     */
+    "enableXForwardedHost": false
   },
 
   /*