Skip to content

HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports #448

New issue
New issue
Open
Open
HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports#448
Labels
6.0.0AnnouncementBreaking changeDocumentedThe breaking change has been published to the .NET Core docs
Milestone
 
6.0.0
@Tratcher

Description

@Tratcher
Tratcher
opened on Jan 11, 2021

HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports

The HttpsRedirectionMiddleware (UseHttpsRedirection) will now throw an InvalidOperationException if it finds multiple https ports in the server config.

"Cannot determine the https port from IServerAddressesFeature, multiple values were found. Set the desired port explicitly on HttpsRedirectionOptions.HttpsPort."

See dotnet/aspnetcore#29222 for discussion.

Version introduced

6.0

Old behavior

When the HttpsRedirectionMiddleware isn't explicitly configured with a port it will search IServerAddressesFeature during the first request to figure out what https port it should redirect to. If there are no https ports or multiple distinct ports then it's ambiguous which should be used so the middleware logs a warning and turns itself off. Http requests will be processed normally.

New behavior

When the HttpsRedirectionMiddleware isn't explicitly configured with a port it will search IServerAddressesFeature during the first request to figure out what https port it should redirect to.

If there are no https ports the middleware still logs a warning and turns itself off. Http requests will be processed normally. This supports development scenarios without https, as well as hosted scenarios where TLS is terminated before reaching the server.

If there are multiple distinct ports then it's ambiguous which should be used so the middleware throws an exception and fails the http request.

Reason for change

This is done to prevent potentially sensitive data from being served over un-encrypted http connections when https is known to be available.

Recommended action

To enable https redirection when the server has multiple distinct https ports you must specify one port in the configuration. See https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio#port-configuration.

If you do not need the HttpsRedirectionMiddleware in your app then remove UseHttpsRedirection from Startup.cs.

If you need to select the correct https port dynamically then please provide feedback on dotnet/aspnetcore#21291.

Category

ASP.NET

Affected APIs

UseHttpsRedirection

Issue metadata

  • Issue type: breaking-change

Metadata

Metadata

Assignees

No one assigned

    Labels

    6.0.0AnnouncementBreaking changeDocumentedThe breaking change has been published to the .NET Core docs

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions