1

I've created a simple ASP.NET Core Web Application (as an Api), and everything is working fine on Windows. I am trying to run it through a reverse proxy on Nginx and the app fails with an authentication error:

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://ite.photosite.shop/Ite/Status
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://ite.photosite.shop/Ite/Status
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Executing action method IteWebCore.Controllers.IteController.Status (IteWebCore) with arguments ((null)) - ModelState is Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Executing action method IteWebCore.Controllers.IteController.Status (IteWebCore) with arguments ((null)) - ModelState is Valid
info: Microsoft.AspNetCore.Mvc.ForbidResult[1]
      Executing ForbidResult with authentication schemes ().
info: Microsoft.AspNetCore.Mvc.ForbidResult[1]
      Executing ForbidResult with authentication schemes ().
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action IteWebCore.Controllers.IteController.Status (IteWebCore) in 48.0151ms
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action IteWebCore.Controllers.IteController.Status (IteWebCore) in 48.0151ms
fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "0HLDAN95N3T3V", Request id "0HLDAN95N3T3V:00000001": An unhandled exception was thrown by the application.
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultForbidScheme found.
   at Microsoft.AspNetCore.Authentication.AuthenticationService.<ForbidAsync>d__12.MoveNext()

It works fine directly going through Kestral on port 5000 (it looks like this):

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://localhost:5000/Ite/Status
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Executing action method IteWebCore.Controllers.IteController.Status (IteWebCore) with arguments ((null)) - ModelState is Valid
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://localhost:5000/Ite/Status
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Executing action method IteWebCore.Controllers.IteController.Status (IteWebCore) with arguments ((null)) - ModelState is Valid
info: Microsoft.AspNetCore.Mvc.Internal.ContentResultExecutor[1]
      Executing ContentResult with HTTP Response ContentType of text/html
info: Microsoft.AspNetCore.Mvc.Internal.ContentResultExecutor[1]
      Executing ContentResult with HTTP Response ContentType of text/html
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action IteWebCore.Controllers.IteController.Status (IteWebCore) in 10.979ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 12.1335ms 200 text/html
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action IteWebCore.Controllers.IteController.Status (IteWebCore) in 10.979ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 12.1335ms 200 text/html

I've tried all the suggestions about various ways of setting up the authentication service, the current Startup Class looks like:

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {

            services.AddMvc();
            services.AddAuthentication(Microsoft.AspNetCore.Server.HttpSys.HttpSysDefaults.AuthenticationScheme);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseForwardedHeaders(new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
            });

            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute("default", "{controller=Ite}/{action=Execute}");
            });
        }
    }

The current nginx conf looks like:

server {
     listen 80;
     server_name ite.photosite.shop;

     access_log  /var/log/nginx/ite-photosite-access.log;
     error_log /var/log/nginx/ite-photosite-error.log notice;


     location / {
         proxy_pass http://127.0.0.1:5000;
         proxy_http_version 1.1;
         proxy_set_header   Upgrade $http_upgrade;
         proxy_set_header   Connection keep-alive;
         proxy_set_header   Host $http_host;
         proxy_cache_bypass $http_upgrade;
     }
 }

Which I took from the this instructions on deploying on linux. Even though I am currently doing no authentication, I also added (and removed, and tried every combination of):

        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        });

In the configure section.

Every time I get the same error.

Edit - added startup class

Kris Erickson
  • 33,454
  • 26
  • 120
  • 175
  • 1
    And which authentication you are using? Worth posting your configuration (startup). – Evk Apr 25 '18 at 14:58
  • Can you add the entire Startup class? It's going to be easier to diagnose than just `UseForwardedHeaders` – Camilo Terevinto Apr 25 '18 at 15:00
  • @Evk Added startup class... – Kris Erickson Apr 25 '18 at 15:09
  • I'd start with removing `services.AddAuthentication(Microsoft.AspNetCore.Server.HttpSys.HttpSysDefaults.AuthenticationScheme);`, because that's windows authentication scheme. – Evk Apr 25 '18 at 15:09
  • @evk I've only added it because of this: https://stackoverflow.com/questions/45818095/asp-net-core-2-0-httpsys-windows-authentication-fails-with-authorize-attribute . The same error happens with it removed... – Kris Erickson Apr 25 '18 at 15:11
  • Still not quite clear. If you removed it, then what did you add instead? No authentication at all (I mean in version which works fine on Windows)? Is controller\actoin decorated with [Authorize] attribute? – Evk Apr 25 '18 at 15:15
  • @Evk no authentication at all (which works fine on windows). It was the default startup built by Visual Studio. Everything works fine, except through Nginx. – Kris Erickson Apr 25 '18 at 15:17
  • Those logs aren't the same scenario, you aren't calling forbid on Windows. – Tratcher Apr 25 '18 at 15:31
  • Well not much ideas, maybe worth also posting code of `IteController.Status`. – Evk Apr 25 '18 at 15:49
  • @Evk I took a closer look at IteController.Status and saw that it was doing a forbid if the users remote address wasn't set, I guess that nginx isn't passing some headers. I was almost positive I had commented out those lines, but I guess somethings with the version control affected that. After taking out the forbid everything works, thanks for your help... – Kris Erickson Apr 25 '18 at 16:41
  • You are welcome. As for remote address, you probably need something like `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in nginx config. – Evk Apr 25 '18 at 16:52
  • @Kris Erickson did you get a solution to this – Emmanuel Ogoma Nov 04 '19 at 18:38
  • @EmmanuelOgoma I added the X-Forwarded-For to Nginx and things started working. – Kris Erickson Nov 23 '19 at 00:37

0 Answers0