7

I have REST API application created using ASP.NET Core 2.1. REST API is created by WebHostBuilder and hosted by Kestrel. 

Startup.Kernel = kernel;
    _restApiServer = new WebHostBuilder()
      .UseKestrel(options =>
      {

      })
      .UseContentRoot(Directory.GetCurrentDirectory())
      .UseIISIntegration()
      .UseStartup<Startup>()
      .UseUrls(string.Format("http://localhost:{0}", _configuration.PortNumber))
      .UseSetting("https_port",_configuration.HttpsPort.ToString())
      .Build();
     _restApiServer.Run();

REST API is served on port 8998 by default. This REST API is started by my different application. I am able to connect to this REST API using browser and POSTMAN.

Now I would like to secure my connection to REST API. What I did is: I've added necessity configuration to force secure connection in my Startup class in Configure method:

app.UseHttpsRedirection();

And I've also executed a code for trusting dev certs:

dotnet dev-certs https --trust

The case is that when I try to access the web api via browser I get and error:

localhost refused to connect. Try:

Checking the connection

Checking the proxy and the firewall

ERR_CONNECTION_REFUSED

Also when I am using POSTMAN to call some REST API methods I got and error:

Could not get any response

What am I doing wrong? Do I need to specify the certificate directly in Kestrel configuration?

niao
  • 4,972
  • 19
  • 66
  • 114

1 Answers1

9

Since https is a different protocol, you need to configure another port for https. There are three things you need to do in order to automatically redirect to the https url:

  1. Add a listener. In program.cs (the port numbers are an example):

    .UseUrls("http://localhost:8998", "https://localhost:8999");

    When you start the application you should see:

enter image description here

  1. Configure the https redirection. In Startup.ConfigureServices:

    services.AddHttpsRedirection(options => options.HttpsPort = 8999);

    If you omit this step then the default port is used, probably 5001. For hosting on Azure you may need to set this to 443.

  2. And in Startup.Configure:

    app.UseHttpsRedirection();

A call to http://localhost:8998 will now be redirected to https://localhost:8999.

If you followed above steps but did not create the certificate then the https port is not listed and will not be available! If the certificate was created then both ports should be listed.

I assume that in production the Api will run behind a proxy. In that case you can omit the above steps. Running behind a proxy means that you can redirect http to https there, which means that you don't need https redirect.

  • I folloed your instruction. When I start my WebApi I get an error : Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found." I already executed "dotnet dev-certs https and dotnet dev-certs https'. --trust. I've seen this post and someone told there that with .net core 2.1 you need to configure your certificate https://stackoverflow.com/questions/53300480/unable-to-configure-https-endpoint-no-server-certificate-was-specified-and-the . Is there any other option? – niao Feb 19 '19 at 12:56
  • Please note that my web api is started by other application which is running as a windows service – niao Feb 19 '19 at 19:03
  • 3
    Microsoft says explicitly not to do that. Redirections makes no sens for api, as api clients don't understand redirection. See more here : https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio – Charles Martin May 09 '20 at 10:35
  • 1
    where is .UseUrls() defined? – Mike W Sep 23 '20 at 15:59
  • @MikeW, you should add it into the `ConfigureWebHostDefaults` method in the Program.cs file like the following: `return Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(builder => { builder.UseUrls("http://localhost:8998", "https://localhost:8999"); builder.UseStartup(); });` – Barabas Jan 17 '22 at 07:15