Open Closed

ABP Tiered Behind Application Gateway or Load Balancer #1986


User avatar
0
cfd000 created
  • ABP Framework version: v4.4.3
  • UI type: MVC / Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

When deploying a tiered application in containers behind an application gateway, what is the recommended configuration? The main web interface and API Host seem to work fine by configuring the "/" path to reoute to the "Web" and "/swagger" and "/api" to route to the HTTPAPI server, but routing "/Account" to the identity server causes problems (such as resources not being found).

  • Should it be configured similar to a virtual directory, where all URLs have a specific path (something like "/Identity/Account/Login" instead of the current behavior of just "/Account/Login")?
    • If so, how do I configure JUST the IdentityServer project to expect a path beyond the base URL (trying to put http://localhost/Identity" in the appsettings.json seems to ignore the "/Identity" part)
  • Is there a different way to make the 3 separate containers work properly? We do not want to go to the full microservice template if possible.

6 Answer(s)
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    To clarify, do you want to deploy all your applications (Http.Api.Host, Web and IdentityServer) to same domain with sub folders? Web is running on: mydomain Http.Api.Host on: mydomain.com/api IdentityServer on: mydomain.com/account

    If so, you will need to write Rewrite rule in load balancer (nginx i suppose) to redirect to /account

    You can check deployment configurations docs. Also official identityserver4 deployment docs.

    If you have already deployed identityserver, you can also share its link.

  • User Avatar
    0
    cfd000 created

    To clarify, do you want to deploy all your applications (Http.Api.Host, Web and IdentityServer) to same domain with sub folders? Web is running on: mydomain Http.Api.Host on: mydomain.com/api IdentityServer on: mydomain.com/account

    If so, you will need to write Rewrite rule in load balancer (nginx i suppose) to redirect to /account

    You can check deployment configurations docs. Also official identityserver4 deployment docs.

    If you have already deployed identityserver, you can also share its link.

    Correct. I have the rules configured and working, but the interactions aren't correct.

    For RemoteServices__Default__BaseUrl I am using the internal name of the HTTP-API service. For AuthServer__Authority I cannot use the internal name because the redirect to the login page does not work externally. When I put the FQDN of the Identity-Server (with /Account at the end), and click the Login button, I am redirected to my url.com/?handler=Login which does not load.

    1. Should the Identity server external URL be configured for AuthServer__Authority?
    2. How do I get the Login button to redirect to url.com/Account/Login (or, is there another way to get that redirection to work properly behind the load balancer?)
  • User Avatar
    0
    cfd000 created

    UPDATE

    I was able to get Idenity Server working better by modifying the Startup.cs: public void Configure(IApplicationBuilder app) { app.UseStaticFiles("/IdentityServer"); app.UsePathBase("/IdentityServer"); app.InitializeApplication(); }

    and modifying the ...Module.cs to include (ABOVE the app.UseIdentityServer(); line!):

                var forwardOptions = new ForwardedHeadersOptions
                {
                    ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto,
                    RequireHeaderSymmetry = false
                };
    
                forwardOptions.KnownNetworks.Clear();
                forwardOptions.KnownProxies.Clear();
    
                // ref: https://github.com/aspnet/Docs/issues/2384
                app.UseForwardedHeaders(forwardOptions);
    
    

    This allows the LOGIN button to redirect to the Identity login page. Now if I go directly to the /IdentityServer/ URL (which redirects me to /IdentityServer/Account/Login), I can login successfully. The problem is:

    If I go to the MVC Index page and click the Login button the Request URL header has this:

    https://url.com/IdentityServer/connect/authorize?client_id=ABPWeb_Web&redirect_uri=http://url.com/signin-oidc&response_type=code id_token&scope=openid
    

    When this happens, the /IdentityServer/Account/Login page redirects to a 500 error page with a message "Invalid redirect_uri"

    Where does the redirect_uri come from? I am running HTTPS up to the load balancer, and HTTP behind it.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Redirect_uri's are declared when client is created. See https://support.abp.io/QA/Questions/1951/500-Internal-Server-Error-Invalid-redirecturi#answer-99adb092-2a26-5dbb-6bac-39ff6bc7b817

  • User Avatar
    0
    cfd000 created

    It turns out that the problem was that it is necessary to put the ForwardedHeadersOptions code into EACH PROJECT, simply adding it to IdentityServer is not enough. In hindisght this makes sense, as the MVC project is what generates the headers with the redirect URL in them.

  • User Avatar
    0
    alper created
    Support Team Director

    closing the issue. you can reopen anytime.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38