Feature/proxy forwarded host option (#457)

* Add Tenant specific microsoft authentication * Default no tenant in appsettings * Adding access to graph to authorize reading profile * ProxyForwardedHostOption * ProxyForwardedHost not default in appsettings * Formatting change * Reverting change for setting IdentityServer BaseUrl explicitly. Will be replaced with ProxyForwardedHostOption
6 years ago · 8d5c92b549
5 changed files with 37 additions and 18 deletions
--- a/backend/src/Squidex.Web/UrlsOptions.cs
+++ b/backend/src/Squidex.Web/UrlsOptions.cs
@ -15,6 +15,8 @@ namespace Squidex.Web

        public string BaseUrl { get; set; }

+        public bool EnableXForwardedHost { get; set; }
+
        public string BuildUrl(string path, bool trailingSlash = true)
        {
            if (string.IsNullOrWhiteSpace(BaseUrl))
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@ -15,7 +15,6 @@ using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using Microsoft.AspNetCore.DataProtection.Repositories;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Squidex.Domain.Users;
@ -27,14 +26,12 @@ namespace Squidex.Areas.IdentityServer.Config
 {
    public static class IdentityServerServices
    {
-        public static void AddSquidexIdentityServer(this IServiceCollection services, IConfiguration config)
+        public static void AddSquidexIdentityServer(this IServiceCollection services)
        {
            X509Certificate2 certificate;

            var assembly = typeof(IdentityServerServices).Assembly;

-            var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();
-
            using (var certificateStream = assembly.GetManifestResourceStream("Squidex.Areas.IdentityServer.Config.Cert.IdentityCert.pfx"))
            {
                var certData = new byte[certificateStream!.Length];
@ -77,11 +74,6 @@ namespace Squidex.Areas.IdentityServer.Config
            services.AddIdentityServer(options =>
                {
                    options.UserInteraction.ErrorUrl = "/error/";
-
-                    if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl))
-                    {
-                        options.PublicOrigin = urlsOptions.BaseUrl;
-                    }
                })
                .AddAspNetIdentity<IdentityUser>()
                .AddInMemoryApiResources(GetApiResources())
--- a/backend/src/Squidex/Config/Web/WebExtensions.cs
+++ b/backend/src/Squidex/Config/Web/WebExtensions.cs
@ -13,11 +13,13 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Net.Http.Headers;
 using Squidex.Infrastructure.Json;
 using Squidex.Pipeline.Robots;
+using Squidex.Web;
 using Squidex.Web.Pipeline;

 namespace Squidex.Config.Web
@ -105,14 +107,32 @@ namespace Squidex.Config.Web
                .AllowAnyHeader());
        }

-        public static void UseSquidexForwardingRules(this IApplicationBuilder app)
+        public static void UseSquidexForwardingRules(this IApplicationBuilder app, IConfiguration config)
        {
-            app.UseForwardedHeaders(new ForwardedHeadersOptions
+            var urlsOptions = config.GetSection("urls").Get<UrlsOptions>();
+            var forwardedHeadersOptions = new ForwardedHeadersOptions();
+
+            if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl) && urlsOptions.EnableXForwardedHost)
+            {
+                forwardedHeadersOptions = new ForwardedHeadersOptions()
+                {
+                    ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost,
+                    AllowedHosts = new List<string>() { new Uri(urlsOptions.BaseUrl).Host },
+                    ForwardLimit = null,
+                    RequireHeaderSymmetry = false
+                };
+            }
+            else
+            {
+                forwardedHeadersOptions = new ForwardedHeadersOptions()
                {
                    ForwardedHeaders = ForwardedHeaders.XForwardedProto,
                    ForwardLimit = null,
                    RequireHeaderSymmetry = false
-            });
+                };
+            }
+
+            app.UseForwardedHeaders(forwardedHeadersOptions);

            app.UseMiddleware<EnforceHttpsMiddleware>();
            app.UseMiddleware<CleanupHostMiddleware>();
--- a/backend/src/Squidex/Startup.cs
+++ b/backend/src/Squidex/Startup.cs
@ -54,7 +54,7 @@ namespace Squidex
            services.AddSquidexHealthChecks(config);
            services.AddSquidexHistory();
            services.AddSquidexIdentity(config);
-            services.AddSquidexIdentityServer(config);
+            services.AddSquidexIdentityServer();
            services.AddSquidexInfrastructure(config);
            services.AddSquidexMigration(config);
            services.AddSquidexNotifications(config);
@ -76,7 +76,7 @@ namespace Squidex
            app.UseSquidexTracking();
            app.UseSquidexLocalCache();
            app.UseSquidexCors();
-            app.UseSquidexForwardingRules();
+            app.UseSquidexForwardingRules(config);

            app.ConfigureApi();
            app.ConfigurePortal();
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@ -15,7 +15,12 @@
    /*
     * Set it to true to redirect the user from http to https permanently.
     */
-    "enforceHttps": false
+    "enforceHttps": false,
+
+    /*
+     * Set it to true to use the X-Forwarded-Host header as internal Hostname.
+     */
+    "enableXForwardedHost": false
  },

  /*