In asp.net core https is enabled by default. The HttpsRedirection middleware class provides the necessary functionality to enforce redirection from http to https. The UseHttpsRedirection extension method in startup is used to enforce this. This extension method issues a 307 temporary redirect response by default. It then uses the configured https port to specify the redirection endpoint. If the https port is not specified in code , this class will get the https port from HTTPS_PORT environment variable or the IServerAddress feature. If either of them are not specified then the middleware will log a warning and will not redirect.
To enable the use of HTTPS in the development environment , .net core provides a global tool that creates a self signed certificate on the local environment. This tool can be installed by the following command
dotnet tool install –global dotnet-dev-certs
The tool can now be used to generate self signed certificates with the following command. The -ep flag signifies the export path where the certificate will be exported and the -p flag signifies the password required to generate the certificate. We can use the –trust option to trust the certificate generated.
dotnet dev-certs https -ep <path_to_certficate>/certificate.pfx -p <certificate_password>
dotnet dev-certs https –trust
On Linux/Mac OS we can use OpenSSL to generate the certificate for the local environment. Trusting the certificate is however a much more involved process depending on the version and flavor of the Linux OS.
openssl req -new -x509 -newkey rsa:2048 -keyout dev-certificate.key -out dev-certificate.cer -days 365 -subj /CN=localhost
openssl pkcs12 -export -out dev-certificate.pfx -inkey dev-certificate.key -in dev-certificate.cer
The certificate path can be specified using the envrionmental variable ASPNETCORE_Kestrel__Certificates__Default__Path & the password using environment variable ASPNETCORE_Kestrel__Certificates__Default__Password
When Kestrel is deployed as a public facing edge server it can be configured to use https and a specific certificate and port using the below code
If a reverse proxy such as IIS or NGNIX is used then the forwarded headers middleware should be configured and setup before calling the Https redirection middleware. The forwarded headers middleware should set the X-Forwarded-Proto to https. This will enable https offloading at the proxy and a plain http call to the web application with a guarantee that the original call was made over a secure https channel. See the code below to configure the forwarded headers middleware
In a containerized environment an option is to generate the certificates as part of container creation or startup and specify the same in the docker compose file. The environment files can then be used to configure the necessary environment variables as below
The corresponding environment files to specify the necessary environment variables are below
In summary .net core provides a lot of ways to configure https for web applications with Kestrel as an edge server or through ssl offloading/tls termination. It also provides for options to configure the same through code or through configuration or using a docker compose file.