118

So it appears with the advent of ASP.NET Core 2.1, Kestrel now automatically creates an HTTPS endpoint along side the HTTP one, and default project templates are setup to redirect from HTTP to HTTPS (which is easy enough to undo).

However my question is... how can I disable HTTPS entirely for my project. I've read through the docs and played with a variety of config settings for HTTPS but nothing I do seems to allow me to turn it off and just run an HTTP project.

Am I crazy or just missing something. I would expect this to be super easy to do.

riQQ
  • 9,878
  • 7
  • 49
  • 66
Xorcist
  • 3,129
  • 3
  • 21
  • 47

12 Answers12

100

In the Startup.cs, remove the middleware

app.UseHttpsRedirection();
Tairan
  • 1,099
  • 2
  • 6
  • 6
  • 30
    That only prevents the forced HTTP -> HTTPS redirection (allowing you to get to the site unsecured), it does not disable HTTPS. Two ports are still being consumed by Kestrel (normally 5000 for HTTP and 5001 for HTTPS). What I'm looking for is only HTTP, no HTTPS at all. – Xorcist Jul 15 '18 at 01:46
  • 3
    This helped me. I was using an Android emulator, and of course it most likely not accept the self-signed SSL. So, I tried to connect to the HTTP address, but I kept getting "307 Temporary Redirect". After a little bit of researching, I thought it was because the server was redirecting to HTTPS. Removing that line solved it. – Damn Vegetables Sep 21 '19 at 12:17
  • Even if this doesn't disable HTTPS, this is still very useful information. I too was having the 307 Temporary Redirect problem, and this fixed it. – Ryan Lundy Nov 20 '19 at 10:02
73

If you are using Visual Studio 2017, then you can do the following:

  1. Go to your project properties. (Right-click > Properties)
  2. Click on the Debug tab.
  3. Under Web Server Settings, deselect Enable SSL.
  4. Save, build, and try again.

This will update the iisExpress settings in the launchSettings.json file.

Luke Girvin
  • 13,221
  • 9
  • 64
  • 84
Abhishek Kumar
  • 768
  • 5
  • 9
  • 3
    Somehow in my VS2017, the option is not there. So: Project properties => Debug => App URL (remove the s) and set the proper start page => Save (Popup with override the launchSettings appears => Ok and ready to roll (f5) – Nordes Jun 20 '18 at 03:48
  • I'm using the .NET Core CLI by itself. There is nothing in my *.csproj or appsettings.json that indicate SSL should be used. According to the latest [documentation](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-2.1&tabs=aspnetcore2x#endpoint-configuration), ASP.NET will automatically create an SSL endpoint when a local development certificate is present. So I assumed there was a way in code to disable that, but so far I can't find any way. – Xorcist Jun 20 '18 at 17:30
  • 3
    I think this answer would be even better if it didn't have a dependency on visual studio. What happens to the launchSettings.json file? – Yehuda Makarov Jun 18 '19 at 23:21
  • This is extremely unhelpful. The question is about asp core and kestrel, your answer is about legacy dotnet on windows. – djeikyb May 13 '20 at 00:34
  • This same technique works well in VS-2019 as well. Thank you very much for your solution, Abhishek. – Ashok kumar Sep 05 '20 at 04:25
58

In the file Properties/launchSettings.json of your project, look of the key applicationUrl. You will find something like:

...
"applicationUrl": "https://localhost:5001;http://localhost:5000",
...

Remove the https endpoint and it's done.

Edit

As noted by @Xorcist the file launchSettings.json is not published. So, the solution above will only work in a development environment. To disable https and, in general, to configure the urls you want to listen to, both in production and in development, you can also do one of the following:

  • Use --urls parameters of dotnet run, will have the same effect as the applicationUrl in launchSettings.json. For instance: dotnet run --urls=http://0.0.0.0:5000,https://0.0.0.0:5001. Again, remove the one you don't want to use.

  • The same can be achieved with the ASPNETCORE_URLS enviroment variable.

  • As mentioned in the answer by @Konstantin to this question, in ASP Net Core 2.1 you can also configure Kestrel endpoints in the appsettings.json (it seems this cannot be done in 2.0).

  • Finally, the same can also be achieved with the useUrls extension method WebHost.CreateDefaultBuilder(args).UseUrls("http://0.0.0.0:5000"). I prefer the other solution because this ones hardcodes you're application endpoints, and can't be changed without recompiling the application.

All the possible options are explained in detail in the Microsoft Docs on this.

Update (09 Dec 2020): these options are still valid for Net Core 3.1, as per Microsoft Docs, except for the appsettings one. Maybe it still works but I am not sure.

Update (19 May 2021): these options are still valid for Net 5, as per Microsoft Docs, except for the appsettings one. Maybe it still works but I am not sure.

joanlofe
  • 3,360
  • 2
  • 26
  • 44
  • Please note, that the above answer references a config file for launch profiles that is created by **Visual Studio**, this file will not be auto-created when using **VSCode** or via **dotnet new**. However it does appear to function as stated so long as the file is present, and the appropriate profile is referenced (i.e. **dotnet run --launch-profile=ProfileNameHere**). _Note that the first profile in the config is always used as the default if no profile is specified_. This being said, I believe launchSettings.json is not a replacement for appsettings.json as it will not be published. – Xorcist Sep 28 '18 at 16:17
  • In fact, `dotnet new` does automatically create a `launchSettings.json` file in dotnet 2.1. This was not the case in dotnet 2.0. I've just tested this in my Ubuntu box, in which Visual Studio is not installed. So, at least for 2.1 version, `launchSettings.json` is not a Visual Studio specific file. – joanlofe Sep 29 '18 at 15:57
  • Regarding the fact that `launchSettings.json` is not published, it's also true, but in a production setting you are likely to want https enabled by default. Anyway, I will update my answer with other options. – joanlofe Sep 29 '18 at 16:12
  • yeah it appears I totally missed the fact 2.1 now includes launchsettings.json in their web templates. I apologize for the confusion as we use some custom templates at my job which apparently have not been fully updated for 2.1. As for production with 2.1, we currently use the "Kestrel" endpoints section in the appsettings.Production.json to configure HTTPS (and exclude these endpoints from from appsettings.json and or appsettings.Development.json). My original question though was geared towards dev training, where I want to start with HTTP and specifically configure HTTPS later. – Xorcist Sep 30 '18 at 19:55
  • 1
    Many thanks, but appsettings work without problem, as MS described in your docs you linked -- it is the very first thing they describe :-). I just tested it (Net 5). – astrowalker Nov 03 '21 at 19:40
46

Turns out the proper way to achieve what I wanted to do, was to specifically configure Kestrel with .UseKestrel() and simply specify a single address, like this:

  WebHost.CreateDefaultBuilder(args)
    .UseKestrel(options => {
      if (context.Configuration[WebHostDefaults.EnvironmentKey] == Environments.Development) {
        options.Listen(IPAddress.Loopback, 5080); //HTTP port
      }
    })
    .UseStartup<Startup>();

in effect overriding the default setup, and displaying this warning when Kestel starts:

warn: Microsoft.AspNetCore.Server.Kestrel[0]
  Overriding address(es) 'https://localhost:5001, http://localhost:5000'. Binding to endpoints defined in UseKestrel() instead.

Note the check for development environment; in production the default ports are different (80) and without HTTPS.

if a second address is specified it will assume that address is to be secured with the built-in developer cert, as such:

  WebHost.CreateDefaultBuilder(args)
    .UseKestrel(options => {
      options.Listen(IPAddress.Loopback, 5080); //HTTP port
      options.Listen(IPAddress.Loopback, 5443); //HTTPS port
    })
    .UseStartup<Startup>();

you may of course specifically secure your SSL address as described here:

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-2.1&tabs=aspnetcore2x

which is necessary for production setups.

amosonn
  • 3
  • 2
Xorcist
  • 3,129
  • 3
  • 21
  • 47
  • 3
    Actually this can be simplified even further by using .UseUrls() and or .UseConfiguration() with a JSON config and the "urls" property specified. Both of which work the same when given only a single address. – Xorcist Jul 16 '18 at 17:48
  • I was asked to add an example for my above comment, so here it is: **hosting.json** `{ "urls": "http://localhost:5080" }` **program.cs (main)** `public static void Main(string[] args) { IConfigurationRoot config = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("hosting.json") .AddCommandLine(args) .Build(); CreateWebHostBuilder(args).UseConfiguration(config).Build().Run(); }` – Xorcist Oct 18 '18 at 18:40
  • Is there any way to remove the kestrel ? – sina_Islam Feb 24 '19 at 16:11
  • 6
    @sina_Islam "remove Kestrel" makes no sense -- Kestrel _is_ the HTTP server. Without it, you don't have a web app. – McGuireV10 Mar 01 '19 at 10:46
18

In the Program.cs, Add UseUrls as following:

WebHost.CreateDefaultBuilder(args)
.UseUrls("http://localhost:5000")
.UseStartup<Startup>();

And In The Startup.cs remove/comment the following:

app.UseHttpsRedirection();
BlackBrain
  • 970
  • 6
  • 18
  • Simply commented "app.UseHttpsRedirection();" in startup.cs and it stopped to redirect to https and started to yield result at http. – Blaze Jun 15 '20 at 11:20
16

The dotnet CLI now has a template for this.

dotnet new webapi --no-https
Clay
  • 10,885
  • 5
  • 47
  • 44
7

Turning off https lies in these 3 changes...

Properties/launchSettings.json

  • set sslPort to 0
  • remove the https url from the applicationUrl

Properties/launchSettings.json

Startup.cs

  • Remove or comment-out app.UseHttpsRedirection()

Startup.cs

tno2007
  • 1,993
  • 25
  • 16
  • 1
    Does not work for me (.Net 5.0 using VS for Mac). I have no references to https, ssl, or port 5001 anywhere in my entire solution and yet the browser opens up with https://....:5001 when debugging locally. – Ash Aug 31 '21 at 09:21
  • @Ash works fine for me on .NET5 - I'm on Windows using Visual Studio Code (though the OS won't matter here). I suspect VS for Mac has something different – PandaWood Mar 07 '22 at 03:20
5

With ASPNET CORE 2.2, I simply set the web server URL to http not https and it picks it up on its own. I run it as a self hosted process.

  1. Go to your project properties.
  2. Click on the Debug tab.
  3. Under Web Server Settings, set the URL to http://xxx
  4. Try again :)
D-Go
  • 413
  • 5
  • 9
2

For Development & not in production: enter image description here

in project properties disable Enable SSL

Community
  • 1
  • 1
Abdulhakim Zeinu
  • 3,333
  • 1
  • 30
  • 37
1

One more way for disabling https epecially is handy when docker is used. Set enviroment variable in Dockerfile with only one HTTP url in value.

#https + http
ENV ASPNETCORE_URLS=http://+:5001;http://+:5000 

#http only
ENV ASPNETCORE_URLS=http://+:5000
Maksim
  • 59
  • 1
  • 7
0

@joanlofe answer is excellent one, but there is also "stupid" way how one can reintroduce HTTPS on 5001 port. If you call Clear on your config sources (for proper layering of config sources for example) it means that one implicit source is gone -- "launchSettings.json" template. So if you rely on this file instead of "appsettings.json" (and by default you probably are) your app will enable HTTPS on port 5001.

astrowalker
  • 3,123
  • 3
  • 21
  • 40
0

My local k8s deployment was failing due to the existence of

"Kestrel": {
  "Certificates": {
    "Default": {
      ...
    }
  }
}

in an appsettings.json override, even after following the other steps here. If you're trying to strip a server of SSL (for example, if SSL is now terminated upstream), make sure to get rid of this configuration as well.

This seems pretty obvious now that I found it, but it still tripped us up for a few hours.

bakester14
  • 153
  • 1
  • 4
  • 14