ovasylenko

Reputation: 2775

Linux ASP.Net core with Apache and reverse proxy

I need to clarify the setup process of an ASP.NET Core app on Linux. I have Apache as a server and I want to use it as a reverse proxy. On my ASP.NET Core app, I have such a setup:

// Startup.ConfigureServices: register MVC and the forwarded-headers options
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});

// Startup.Configure: enable the forwarded-headers middleware
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

Forwarding headers - these were in the documentation for "How to run ASP.NET Core on Linux".

And in Program.cs I have:

var host = WebHost.CreateDefaultBuilder(args)
    .UseKestrel()
    .UseUrls("https://*:5001")
    .UseIISIntegration()
    .UseStartup<Startup>()
    .Build();

Questions I have:

  1. Do I need these Forwarded headers at all?
  2. Do I need to add app.UseHttpsRedirection(); into my project?
  3. Do I need to specify UseUrls("https://*:5001") https in this line or can it be http?
  4. Do I need to have https in general on my Kestrel (my application), or if I have reverse proxy I can use http and Apache will take care of ssl?
  5. Do I need to have any other code in my ASP.NET Core app to make it work with reverse proxy?

Upvotes: 3

Views: 1848

Answers (1)

poke

Reputation: 388093

Do I need these Forwarded headers at all?

In general, yes. The way reverse proxies work is that they basically receive the request from the end user, and then forward the request to your app by making a new request. That new request from the reverse proxy has its own headers and for your app, it’s as if there never was a public request.

This means that your app only knows about the internal request and as such for example can also only generate internal URLs. In order to teach your app about the external URLs, you then use those forwarded headers which are supplied by the reverse proxy in order to allow your app to restore what the original request would have looked like. That way, your app is aware of the public request and can respond to it properly.

Do I need to add app.UseHttpsRedirection(); into my project?

Not necessarily. HTTPS redirection is basically a feature that will automatically respond to HTTP requests with a redirect to HTTPS. Usually, the reverse proxy in front of your app takes care of this, so this functionality makes most sense when using it with Kestrel exposed directly.

But you can still use the functionality if you want to have this in your app, instead of inside of your reverse proxy. If your reverse proxy serves your app on both HTTP and HTTPS, and if it also forwards the scheme properly in a Forwarded header, then your app can detect this properly and redirect to HTTPS.

From a security point of view, it might be better (and possibly simpler) for your reverse proxy to not forward any HTTP requests to your app and just redirect to HTTPS on its own.

Do I need to specify UseUrls("https://*:5001") https in this line or can it be http?

That also depends on how you want to set up your app internally. Usually, since your reverse proxy is the one that is publicly visible, you don’t need to use HTTPS internally, and that will often also result in a better performance with less overhead (and it reduces configuration complexity with certificates). But there may be situations where you will want to use HTTPS even internally, to make your application more secure and to protect its transmitted data better. That’s totally up to you though.

I would generally recommend that you not use a UseUrls() call though and just use the ASPNETCORE_URLS environment variable to specify the internal hosting URL and port. That way, you are more flexible to environment changes and can just choose the port on the system as you deploy your app, and you don’t have to recompile your application just to switch the internal port.

Do I need to have https in general on my Kestrel (my application), or if I have reverse proxy I can use http and Apache will take care of ssl?

As said above, the setup is usually that your reverse proxy is hosted on HTTPS and the internal communication between the reverse proxy and your application can happen with HTTP. You can totally choose to use HTTPS internally too though.

Do I need to have any other code in my ASP.NET Core app to make it work with reverse proxy?

No, in order for the app to run behind a reverse proxy, all you will usually need is to activate the forwarded headers middleware (or IISIntegration if you are running behind IIS). The rest of the setup happens on the reverse proxy where you will need to make sure that the forwarded headers are also properly set.

Upvotes: 5
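The proxy side of the setup described in the answer above, as an added example that is not part of the original answer: Apache terminates TLS, redirects plain HTTP itself, and forwards to Kestrel over loopback HTTP while supplying the forwarded headers. The host name example.com, the certificate paths and port 5000 are placeholders, and the app is assumed to be started with ASPNETCORE_URLS=http://127.0.0.1:5000.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
# example.com, the certificate paths and port 5000 are constructed placeholders.

<VirtualHost *:80>
    ServerName example.com
    # Plain HTTP never reaches the app: the proxy redirects on its own.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off

    # Pass the public Host header through, so the app builds external
    # URLs even though it only processes X-Forwarded-For and
    # X-Forwarded-Proto.
    ProxyPreserveHost On

    # mod_proxy_http adds X-Forwarded-For by itself. X-Forwarded-Proto is
    # not added automatically; "set" also replaces any value the client
    # sent, so the app only sees the scheme this virtual host terminated.
    RequestHeader set X-Forwarded-Proto "https"

    # Kestrel listens on loopback HTTP only; it is not reachable directly.
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
```

With Kestrel bound to 127.0.0.1, requests arrive from the loopback address, which the forwarded headers middleware trusts by default; a proxy on another host has to be added to `KnownProxies` or `KnownNetworks` in `ForwardedHeadersOptions`.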
