AppHarbor的应用程序位于NGINX负载均衡器后面.因此,所有访问客户端应用程序的请求都将通过HTTP传递,因为SSL将由此前端处理.
ASP.NET MVC的OAuth 2 OAuthAuthorizationServerOptions具有将令牌请求的访问限制为仅使用HTTPS的选项.问题是,与Controller或ApiController不同,当我指定AllowInsecureHttp = false时,我不知道如何允许这些转发请求.
具体来说,在app startup/config中:
app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions { AllowInsecureHttp = true, });
需要以某种方式在内部进行此检查,如果是真的,请将其视为SSL:
HttpContext.Request.Headers["X-Forwarded-Proto"] == "https"
以下是我通过应用自定义过滤器属性使用MVC Controller的方法:https: //gist.github.com/runesoerensen/915869
您可以尝试注册一些可以根据nginx转发的标头修改请求的中间件.您可能还希望将远程IP地址设置为X-Forwarded-For
标头的值.
这样的东西应该工作(未经测试):
public class AppHarborMiddleware : OwinMiddleware { public AppHarborMiddleware(OwinMiddleware next) : base(next) { } public override Task Invoke(IOwinContext context) { if (string.Equals(context.Request.Headers["X-Forwarded-Proto"], "https", StringComparison.InvariantCultureIgnoreCase)) { context.Request.Scheme = "https"; } var forwardedForHeader = context.Request.Headers["X-Forwarded-For"]; if (!string.IsNullOrEmpty(forwardedForHeader)) { context.Request.RemoteIpAddress = forwardedForHeader; } return Next.Invoke(context); } }
确保在配置身份验证中间件之前添加它:
app.Use<AppHarborMiddleware>(); app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions { AllowInsecureHttp = false, });