
Configure IdentityServer4 behind nginx reverse-proxy


I have a WebApi protected by IdentityServer4 behind an nginx reverse proxy. Proxy pass config:

    # Reverse-proxy block from the question. It strips the /api/ prefix and
    # forwards over plain HTTP without telling the backend the original
    # scheme, which is consistent with the discovery document below
    # advertising http://www.example.com/... without /api/.
    location /api/ {
        # The trailing slash on the upstream URI replaces the matched /api/
        # prefix, so the backend never sees the /api/ path base.
        proxy_pass http://127.0.0.1:3110/;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends to any client-supplied
        # X-Forwarded-For, so earlier entries in that list are untrusted.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # No X-Forwarded-Proto is set here, so the backend only sees the
        # plain-HTTP hop from 127.0.0.1 and cannot learn that the original
        # request was https.
        proxy_redirect off;
        proxy_buffering off;
        expires           0;
    }

If I go to https://www.example.com/api/.well-known/openid-configuration it returns this configuration:

{
    "issuer": "http://www.example.com",
    "jwks_uri": "http://www.example.com/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "http://www.example.com/connect/authorize",
    "token_endpoint": "http://www.example.com/connect/token",
    "userinfo_endpoint": "http://www.example.com/connect/userinfo",
    "end_session_endpoint": "http://www.example.com/connect/endsession",
    "check_session_iframe": "http://www.example.com/connect/checksession",
    "revocation_endpoint": "http://www.example.com/connect/revocation",
    "introspection_endpoint": "http://www.example.com/connect/introspect",
    "frontchannel_logout_supported": true,
    "frontchannel_logout_session_supported": true,
    "scopes_supported": [
        "openid",
        "profile",
        "roles",
        "WebAPI",
        "offline_access"
    ],
    "claims_supported": [
        "sub",
        "name",
        "family_name",
        "given_name",
        "middle_name",
        "nickname",
        "preferred_username",
        "profile",
        "picture",
        "website",
        "gender",
        "birthdate",
        "zoneinfo",
        "locale",
        "updated_at",
        "role",
        "firm"
    ],
    "grant_types_supported": [
        "authorization_code",
        "client_credentials",
        "refresh_token",
        "implicit",
        "password"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "response_modes_supported": [
        "form_post",
        "query",
        "fragment"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ]
}

But I expect all URLs to start with https://www.example.com/api/. How do I configure this correctly?


Solution

  • @Rem

    If you use Nginx, follow the steps below:

    # Proxy block from the answer. It keeps the /api/ prefix on the upstream
    # request and passes the original scheme via X-Forwarded-Proto.
    location /api/ {
        # No URI part on proxy_pass, so the full request path (including
        # /api/) reaches the backend. The app presumably still needs to be
        # configured with that path base for it to show up in the issuer
        # and endpoint URLs -- confirm against the application setup.
        proxy_pass http://localhost:3110;
    
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        # X-Real-IP is informational for the backend; X-Forwarded-For is the
        # header the ForwardedHeaders middleware in the C# snippet consumes.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the client address to any X-Forwarded-For the client sent;
        # only the last entry (added by this proxy) is trustworthy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header replaces any client-supplied X-Forwarded-Proto, so
        # the backend receives the scheme nginx actually terminated ($scheme),
        # which is what lets it rebuild absolute URLs as https.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
    

    And add this middleware to your code:

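    // Honour the X-Forwarded-For / X-Forwarded-Proto headers set by the nginx
    // proxy so the request's scheme (and remote address) reflect the original
    // https request rather than the plain-HTTP hop from nginx to Kestrel.
    var forwardedHeadersOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };
    // The defaults already trust loopback (KnownNetworks contains 127.0.0.0/8
    // and KnownProxies contains ::1), which is where this nginx instance
    // connects from (proxy_pass to localhost). Clearing KnownNetworks and
    // KnownProxies would make the middleware accept these headers from ANY
    // client able to reach the Kestrel port, allowing a direct caller to spoof
    // its IP address and scheme. If the proxy is ever moved off this host, add
    // it explicitly with forwardedHeadersOptions.KnownProxies.Add(...) instead.

    // Register before UseIdentityServer()/UseAuthentication() so those
    // components see the corrected scheme when building absolute URLs.
    app.UseForwardedHeaders(forwardedHeadersOptions);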
    

    Hope this helps.