Adding authentication and authorization with Identity Server 4 to a Blazor Server app behind an NGINX reverse proxy, using Docker + Kubernetes

3
I have been trying for several days to figure out why I cannot get NGINX working as a reverse proxy in front of IdentityServer4 and a Blazor Server app running in Docker containers.
What happens is that I can browse to the Blazor app, press the login button, get redirected to the Identity Server login page, enter username and password, accept the consent screen, but the redirect back to the Blazor app does not work.
Although the Blazor app is set up to use HTTPS with a LetsEncrypt certificate, the Nginx log shows the POST request below returning 400.
[06/Dec/2019:15:45:34 +0000] "GET /account/login HTTP/1.1" 302 0 "https://dev.codescu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:34 +0000] "GET /connect/authorize?client_id=sdehelperwebui&redirect_uri=https%3A%2F%2Fdev.codescu.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk&state=CfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1" 302 0 "https://dev.codescu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:34 +0000] "GET /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dsdehelperwebui%26redirect_uri%3Dhttps%253A%252F%252Fdev.codescu.com%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk%26state%3DCfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1" 200 2177 "https://dev.codescu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:34 +0000] "GET /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dsdehelperwebui%26redirect_uri%3Dhttps%253A%252F%252Fdev.codescu.com%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk%26state%3DCfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1" 200 2176 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
[06/Dec/2019:15:45:35 +0000] "POST /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dsdehelperwebui%26redirect_uri%3Dhttps%253A%252F%252Fdev.codescu.com%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%26response_mode%3Dform_post%26nonce%3D637112439340098608.NGY4ZGY2MWQtNTQyNy00NWRlLThiNjUtOWFjYjJhMDE0MzhiMTFkYTc3NmUtMGRlMi00Y2MwLWI0MWYtNTY2MzUzOWFlOGVk%26state%3DCfDJ8KMZi0b-1bJCq1rFhJ3cRbHrbVT7oo9NFGXrRCXzkFjao9vVEBAMSvpBPimLtESIVXxpNOgMCQddEfRBwniwkNoDZzdVdQdViLWoSDdfm_Eftppnhnz77okwELuUANmR7DNixxpiSbDvSB8WhW-zrwrXjPjgDaja7tRST1Vvd_K-cDBiEu8ZsYXpkkNEhoMqhYHnBiD6JhYUIgto99pbUyjVtAFxDKvHBWEfwDVstQsLjh2ld4hPagk3jLYN0G0Od9aMQrkU5tqRf_B4_gZoYJgrjs8jkI7c3d2oksH0wACc%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Nginx config:

server {
    server_name dev.codescu.com;

    location / {
#        add_header 'Access-Control-Allow-Origin' 'http://api.localhost';
#        add_header 'Access-Control-Allow-Credentials' 'true';
#        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
#        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';

        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' 'http://api.localhost';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_pass         https://10.190.26.242;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        fastcgi_buffers    16 16k;
        fastcgi_buffer_size 32k;
    }

    real_ip_header   proxy_protocol;
    set_real_ip_from 127.0.0.1;

    listen [::]:443 ssl proxy_protocol ipv6only=on; # managed by Certbot
    listen 443 ssl proxy_protocol; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/codescu.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/codescu.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = dev.codescu.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 proxy_protocol;

    server_name dev.codescu.com;
    return 404; # managed by Certbot
}

The Identity Server4 virtual host is set up the same way.

In code I have added:

// Trust the X-Forwarded-For / X-Forwarded-Proto headers set by the reverse proxy
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

I have tried this in both the Blazor and Identity Server projects.

I have tried running the Blazor and Identity Server apps both with and without TLS.

Worth noting is that browsing locally, without routing traffic through the reverse proxy, works.

When I try to browse from the "outside", where traffic has to go through the Nginx reverse proxy, it stops working at the point where I get redirected back to the Blazor app.

Any ideas would be greatly appreciated.


Do you have Kestrel logs and the browser's response logs? Maybe those logs can tell us what is going wrong. - agua from mars
Kestrel shows nothing, because after the redirect from IdentityServer the traffic does not even reach the Blazor app. The browser shows 400, just like in the Nginx log. - Mihaimyh
If you send just a single POST request, is it blocked? - agua from mars
1
Try this: remove this line from the config, proxy_set_header Connection 'upgrade';, and change it to proxy_set_header Connection ''; https://github.com/IdentityServer/IdentityServer4/issues/867 - agua from mars
That worked, please add a proper answer so I can mark it as accepted. - Mihaimyh
1 Answer

1
According to issue 867, the Nginx proxy_set_header Connection should be empty. Update your Nginx config:
proxy_set_header Connection '';
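As an added example (not the poster's config and not from the answer above), here is the upstream-facing part of the same site rewritten with the WebSocket `map` pattern from the Nginx documentation. It sends `Connection: upgrade` only when the browser actually asks for a protocol upgrade (the Blazor Server SignalR circuit) and a plain `Connection: close` on every other request, including the IdentityServer `form_post` callback to `/signin-oidc` that was failing. The upstream address and host name are taken from the question; the variable name `$connection_upgrade` follows the Nginx docs and is otherwise an arbitrary choice.

```nginx
# Added example, not the question's config. Upstream and host name come from the question.
# The map must sit at http level, outside any server block. It picks the Connection
# header per request: WebSocket handshakes carry "Upgrade: websocket" and get
# "upgrade"; everything else gets "close", so no hop-by-hop "upgrade" value is
# attached to ordinary POSTs such as the OIDC form_post callback.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name dev.codescu.com;
    # ssl_certificate / ssl_certificate_key / include lines as in the
    # Certbot-managed block from the question

    location / {
        proxy_pass         https://10.190.26.242;
        proxy_http_version 1.1;

        # WebSocket pass-through, driven by the map above (one Connection
        # directive only; the original had both "upgrade" and keep-alive)
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Original host and client details, so ASP.NET Core rebuilds the public
        # https://dev.codescu.com/... URLs that the OIDC redirect_uri must match
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;

        proxy_cache_bypass $http_upgrade;
    }
}
```

Compared with an always-empty `Connection` header, the map keeps the WebSocket upgrade negotiable for the SignalR circuit while still fixing the callback POST. One related caveat on the application side: the `UseForwardedHeaders` call shown in the question only honours `X-Forwarded-*` headers from proxies listed in `ForwardedHeadersOptions.KnownProxies` or `KnownNetworks`, which default to loopback. When Nginx runs in its own container or pod, add its address there (or clear both lists behind a trusted network boundary), otherwise the headers are ignored and the app builds its redirect URLs from the internal scheme and host.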
