ASP.Net identity redirect to login not working behind proxy


I have a YARP reverse proxy setup with very basic configuration that passes requests straight through to an nginx reverse proxy container (where modsecurity rules are validated) before passing onto the web app. They all reside in Azure.

The reason for including YARP as an additional reverse proxy is simply to provide a public static IP which allows the nginx container and its volume mounted resources to live safely in a virtual network which doesn't allow for a public IP address.

The web app is a legacy .Net 4 webforms app with identity. It all works except for when a user tries to directly access a page which requires authorization. The usual behaviour is to redirect to the login page before returning them to the page they were trying to access. The issue is that in this situation it tries to load the page with the proxy host:

Going to https://targethost.com/restrictedpage redirects to https://nginxhost.com/login.aspx?returnUrl=/restrictedpage instead of https://targethost.com/login.aspx?returnUrl=/restrictedpage

If I login first by going to https://targethost.com/login.aspx it works and then I can go to https://targethost.com/restricted

Here's the basic route config in YARP:

{
  "AllowedHosts": "*",
  "ReverseProxy": {
    "Routes": {
      "route1": {
        "ClusterId": "cluster1",
        "Match": {
          "Path": "{**catch-all}",
          "Hosts": [ "targethost.com" ]
        }
      }
    },
    "Clusters": {
      "cluster1": {
        "Destinations": {
          "destination1": {
            "Address": "http://nginxproxy.com:80/"
          }
        }
      }
    }
  }
}

The nginx proxy config is as follows:

server {
    listen 80 default_server;

    server_name nginxproxy.com;
    set $upstream https://webapp.com;
    set $always_redirect off;

    location / { ...
        proxy_set_header Host $host;
        proxy_set_header Proxy "";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-REAL-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

        proxy_pass_header Authorization;
        proxy_pass $upstream;

        set_real_ip_from 10.5.3.254;
        set_real_ip_from 127.0.0.1;

        real_ip_header X-REAL-IP;
        real_ip_recursive on;
    }
}

Here is the config in the web app that handles it:

app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
    .ExpireTimeSpan = TimeSpan.FromMinutes(5),
    .SlidingExpiration = True,
    .AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    .Provider = New CookieAuthenticationProvider() With {
        .OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUser)(
            validateInterval:=TimeSpan.FromMinutes(30),
            regenerateIdentity:=Function(manager, user) user.GenerateUserIdentityAsync(manager))},
    .LoginPath = New PathString("/Account/Login")})

Considering that it all works as expected without the redirect to login, I'm guessing it has to do with how the redirect to login works, and what host it uses. I'd like to be able to override the redirect to login process if that's where the issue lies.

Any ideas on what might be causing this or how to fix it?

UPDATE 1

Here is the code in the web app start up that configures OWIN middleware and the login page to redirect unauthenticated users to:

Public Sub Configuration(app As IAppBuilder)

    Dim c = New CookieAuthenticationOptions
    c.AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
    c.LoginPath = New PathString("/account/login")
    app.UseCookieAuthentication(c)

End Sub

According to the documentation (this is the .NET Core doco; I'm assuming nothing has changed), the LoginPath property is used by the handler for the redirection target when handling ChallengeAsync. The current URL is added to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back to the original URL.
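As an added example (not code from the question or from any of the projects it mentions), here is a check a defender can run against the challenge response: it parses the Location header out of a constructed sample response that reproduces the symptom above, flags a redirect whose host differs from the public host the user browsed to, and goes one step further by verifying that the returnUrl stays a local path, since a login page that accepts an absolute returnUrl becomes an open redirect. PUBLIC_HOST and the sample response are assumptions made for the example.

```python
# Added example: validate a cookie-auth challenge redirect as seen by the browser.
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

PUBLIC_HOST = "targethost.com"  # assumption: the host users actually browse to


def parse_location(raw_response: str) -> Optional[str]:
    """Return the Location header value from a raw HTTP response, or None."""
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def check_login_redirect(location: str, public_host: str = PUBLIC_HOST,
                         return_param: str = "returnUrl") -> List[str]:
    """List problems with a login redirect; an empty list means it is sound."""
    problems = []
    parts = urlsplit(location)
    # 1. The redirect must land on the host the user came in on. Any other host
    #    means a proxy hop rewrote Host before the app built its absolute URL
    #    (or the app trusted a Host header it should not have).
    if parts.netloc and parts.netloc.lower() != public_host.lower():
        problems.append(f"redirect host {parts.netloc!r} != public host {public_host!r}")
    if parts.scheme and parts.scheme != "https":
        problems.append(f"redirect scheme is {parts.scheme!r}, expected https")
    # 2. The return target must be a local path: an absolute or
    #    protocol-relative value would let the login page redirect anywhere.
    for ret in parse_qs(parts.query).get(return_param, []):
        if not ret.startswith("/") or ret.startswith("//") or ret.startswith("/\\"):
            problems.append(f"{return_param} {ret!r} is not a local path")
    return problems


# Constructed sample: the 302 the question describes, as the browser receives it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://nginxhost.com/login.aspx?returnUrl=/restrictedpage\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for problem in check_login_redirect(parse_location(SAMPLE_RESPONSE) or ""):
        print("PROBLEM:", problem)
```

Run it against a captured response from each hop (YARP, nginx, the app directly) to see at which hop the host in the Location header stops matching the public one.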
