
I recently developed a Blazor Server application that requires users to log in through my Azure AD in order to access the app. The project uses .NET 7 and is published through a Docker container. I can log in to my app with Azure AD perfectly fine while developing in Visual Studio with HTTPS.

In the past, I have simply hosted my Blazor projects as Docker containers, using NGINX as a reverse proxy. My NGINX configuration uses the following setup to point to any of my containers and force HTTPS (this container is exposed at 192.168.1.11:8081):

    server {
      listen 443 ssl;
      server_name www.example.com;
      ssl_certificate     /https/tags/server.crt;
      ssl_certificate_key /https/tags/server.key;

      # Configure the SignalR Endpoint
      location / {
        # App server url
        proxy_pass http://192.168.1.11:8081;

        # Configuration for WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache off;
        proxy_http_version 1.1;

        # Configuration for LongPolling or if your KeepAliveInterval is longer than 60 seconds
        proxy_read_timeout 100s;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      }
    }

Along with the default conf for HTTPS redirection:

    # Default
    server {
      listen 80 default_server;
      server_name _;
      return 301 https://$host$request_uri;
    }

However, with this setup I cannot authenticate into my Azure AD. It appears that the request is still being made over the HTTP protocol:

    AADSTS50011: The redirect URI 'http://www.example.com/signin-oidc' specified in the request does not match the redirect URIs configured for the application.

I simply want this HTTP request to my app registration to be HTTPS instead.

I have tried many different approaches with my nginx config, but these current settings are the only way I can successfully reach the container. I have also tried adding ForwardedHeaders to my project's Program.cs as referenced here: stackoverflow.com/azure-ad-nginx-reverse-proxy-https, but it does not fix the issue. I am not sure what approach to try next, as the other guides I have found so far are very outdated. Thanks for any help.

Jaden

1 Answer


I had a similar problem and after some searching found that my problem was with two issues. The first was changing the forwarded headers options.

Originally I had the following in my program.cs file.

    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });

I removed the ForwardedHeaders.XForwardedFor option as shown below, which made the redirectUri back to my site use the correct scheme, https. This was suggested in this answer comment.

    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedProto
    });

Once that was resolved, I was receiving a 502 Bad Gateway error from nginx. The error logs were showing that it was actually an issue with the header size:

    2023/08/11 19:47:54 [error] 24#24: *1 upstream sent too big header while reading response header from upstream

Some research on that led me to find some information on proxy buffer size for nginx. Using this answer as inspiration, I added the below lines to my nginx conf file and I was up and working! A little documentation on that: nginx proxy buffer size

    proxy_buffer_size        16k;
    proxy_buffers            8 16k;
    proxy_busy_buffers_size  16k;

I hope this can help you in some way.

Ozzy
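
ASP.NET Core's Forwarded Headers Middleware trusts only loopback proxies by default, so when nginx connects from another address, an alternative to dropping X-Forwarded-For is to register nginx as a known proxy and keep both headers. The following Program.cs is an added example, not code from either post above; the `TRUSTED_PROXY_IP` setting and the `/debug/forwarded` route are hypothetical names, and the app's own Azure AD and Blazor registrations are assumed to go where the comments indicate.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical setting: the source address the container sees for nginx
// connections (with Docker port mapping this can be a bridge gateway
// address rather than the nginx host's LAN address).
var proxyIp = builder.Configuration["TRUSTED_PROXY_IP"]
    ?? throw new InvalidOperationException("Set TRUSTED_PROXY_IP to the nginx address.");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // Accept X-Forwarded-* only from this proxy, so a client that reaches
    // the container directly cannot choose the scheme or client IP.
    options.KnownProxies.Add(IPAddress.Parse(proxyIp));

    // nginx is the only hop in this setup, so process one entry per header.
    options.ForwardLimit = 1;
});

// ... the app's existing authentication and Blazor service registrations ...

var app = builder.Build();

// Must run before UseAuthentication(): the OIDC handler builds the
// /signin-oidc redirect URI from Request.Scheme and Request.Host.
app.UseForwardedHeaders();

// Temporary check (hypothetical route): shows what the app sees after the
// middleware has run. Through nginx, Scheme should read "https".
// Remove once verified.
app.MapGet("/debug/forwarded", (HttpContext ctx) => new
{
    ctx.Request.Scheme,
    Host = ctx.Request.Host.Value,
    RemoteIp = ctx.Connection.RemoteIpAddress?.ToString()
});

// ... app.UseAuthentication(); app.UseAuthorization(); endpoint mapping ...

app.Run();
```

If `Scheme` still reads `http` when the route is requested through nginx, the `RemoteIp` value in the response (the proxy address as the app sees it) is the one to compare against `TRUSTED_PROXY_IP`.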