HTTPS redirection changes for IIS OutOfProcess in 2.2 and 3.0

[Tratcher]

HTTPS redirection changes for IIS OutOfProcess in 2.2 and 3.0

The new AspNetCoreModule for hosting via IIS OutOfProcess lights up an existing HTTPS redirection feature for both 3.0 and 2.2 applications.

For discussion see dotnet/aspnetcore#15243.

Version introduced

ASP.NET Core 3.0
AspNetCoreModule 13.0.19218.0

Old behavior

The 2.1 project template first introduced support for HTTPS tools like UseHttpsRedirection and UseHsts. Https redirection required configuration to enable since apps in development do not use the default port 443. Hsts is only active if the request is already HTTPS, and skips localhost by default.

New behavior

In 3.0 the IIS HTTPS scenario was enhanced so that the application could discover the server HTTPS ports and make UseHttpsRedirection work by default. InProcess did this via the IServerAddresses feature, which only affects 3.0 applications because the InProcess library is versioned with the framework. OutOfProcess changed to automatically add the ASPNETCORE_HTTPS_PORT environment variable which affected both 2.2 and 3.0 applications because the OutOfProcess component is shared globally. 2.1 apps are not affected because they use a prior version of AspNetCoreModule by default.

The 3.0 version of AspNetCoreModule was recently deployed to Azure Web Sites and some users noticed the that this did affect their 2.2 applications as described above.

Reason for change

Improved 3.0 functionality.

Recommended action

If you want all clients to use HTTPS then no action is required. If you want to allow some clients to use HTTP then take one of the following steps:

A) Remove UseHttpsRedirection and UseHsts from your application's Startup.cs file and redeploy the application.

Or B) Add the environment variable ASPNETCORE_HTTPS_PORT with an empty value to your web.config file. This can be done directly on the server without redeploying the application.

      <aspNetCore processPath="dotnet" arguments=".\WebApplication3.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" >
          <environmentVariables>
            <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="" />
          </environmentVariables>
      </aspNetCore>

Category

ASP.NET

Affected APIs

UseHttpsRedirection

---

Issue metadata

• Issue type: breaking-change

[Tratcher]

Update: This behavior is being modified in 3.0.1 and 3.1.0-preview3 to reverse the behavior changes in 2.x. These changes only affect IIS out-of-process applications.

As detailed above, installing 3.0.0 had the side effect of also activating the UseHttpsRedirection middleware in 2.x applications. A change is being made to AspNetCoreModule in 3.0.1 and 3.1.0-preview3 such that installing them will no longer have this effect on 2.x applications. The ASPNETCORE_HTTPS_PORT environment variable that AspNetCoreModule populated in 3.0.0 is being changed to ASPNETCORE_ANCM_HTTPS_PORT in 3.0.1 and 3.1.0-preview3. UseHttpsRedirection is also being updated in these releases to understand both the new and old variables. 2.x will not be updated and as a result will revert to its prior behavior (off by default).

UseHttpsRedirection can still be activated manually in 2.x by setting the ASPNETCORE_HTTPS_PORT variable with the appropriate value (443 in most production scenarios). UseHttpsRedirection can also still be deactivated in 3.x by defining ASPNETCORE_ANCM_HTTPS_PORT with an empty value similar to the example given above.

Note that machines running 3.0.0 applications should install 3.0.1 ASP.NET Core runtime before installing the 3.1.0-preview3 AspNetCoreModule to ensure that UseHttpsRedirection continues to operate as expected for the 3.0 applications.

In Azure App Service AspNetCoreModule deploys on a separate schedule from the runtime due to its global nature. AspNetCoreModule will be deployed to Azure with these changes after 3.0.1 and 3.1.0 are deployed.