Change Kestrel's HTTPS endpoint defaults to improve developer experience #42016

Closed
3 tasks done
Tracked by #41990
DamianEdwards opened this issue Jun 3, 2022 · 3 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions breaking-change This issue / pr will introduce a breaking change, when resolved / merged. feature-kestrel
Comments

@DamianEdwards
Member

DamianEdwards commented Jun 3, 2022

Related to [EPIC] Revisiting HTTPS defaults in ASP.NET Core

Background

Today, when Kestrel is starting, if no endpoint configuration is provided, e.g. via the ASPNETCORE_URLS env (docs), then Kestrel will fall back to a set of default endpoint configurations. These defaults are "http://localhost:5000" and "https://localhost:5001".

In the case of the default HTTPS binding (https://localhost:5001) Kestrel will eagerly bind using the ASP.NET Core HTTPS developer certificate if it's found in the default personal certificate store. This occurs without regard to the configured environment and can lead to experience issues on developer machines when the certificate has not yet been trusted (i.e. trusted as root cert authority because it's self-signed). Clients often produce poor UX when hitting an HTTPS endpoint with an untrusted certificate, e.g. silent failure, scary error/warning screen, etc.

Example flow that can lead to experience issues:

  1. Create a new web project: MyApp$ dotnet new webapp
  2. Build the project: MyApp$ dotnet build
  3. Execute the produced app executable: MyApp$ ./bin/Debug/net7.0/MyApp
  4. In another prompt issue a curl request to the http endpoint: $ curl http://localhost:5000
  5. Result is an empty response as curl does not follow redirects by default and the default template is set up to redirect from HTTP to HTTPS

Changes

  • Change Kestrel to no longer bind to https://localhost:5001 as a default endpoint
  • Log a warning when Kestrel does bind to a localhost HTTPS address (due to configured URLs, e.g. via the launchSettings.json in the project templates) and the developer certificate is used, and the developer certificate is not trusted as a root authority
  • Update relevant docs (example)

These changes will not impact the experience when using dev inner-loop focused launch tools like VS or dotnet run as they utilize the URLs configuration in the launchSettings.json file.

It's likely this behavior change could break some of our tests that assume the app will be launched at https://localhost:5001 and emit a message to console out, e.g. example.

@davidfowl @Tratcher @javiercn
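
Added example, not part of the issue or of ASP.NET Core: the "not trusted as a root authority" condition described above, reproduced offline with `openssl` on a throwaway self-signed `CN=localhost` certificate. The helper names `make_constructed_cert` and `cert_trust_state` are hypothetical, the certificate is constructed here and is not the real developer certificate, and passing the certificate as its own `-CAfile` stands in for trusting it as a root.

```bash
#!/usr/bin/env bash
# Added example: a self-signed localhost certificate fails verification
# until it is itself accepted as a trusted root.

# Create a constructed (throwaway) self-signed certificate in directory $1.
make_constructed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Print the trust state of certificate $1: trusted, untrusted-self-signed
# or untrusted. Optional $2 is a PEM file of additional trusted roots.
cert_trust_state() {
  cert="$1"
  roots="${2:-}"
  self_signed="no"
  # Self-issued: subject name and issuer name hash to the same value.
  if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
       "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
    self_signed="yes"
  fi
  if [ -n "$roots" ]; then
    if openssl verify -CAfile "$roots" "$cert" >/dev/null 2>&1; then
      echo "trusted"; return 0
    fi
  elif openssl verify "$cert" >/dev/null 2>&1; then
    echo "trusted"; return 0
  fi
  if [ "$self_signed" = "yes" ]; then
    echo "untrusted-self-signed"
  else
    echo "untrusted"
  fi
}

# Show the state before and after the certificate is accepted as a root.
demo() {
  dir="$(mktemp -d)"
  make_constructed_cert "$dir" || { rm -rf "$dir"; return 2; }
  echo "before trusting: $(cert_trust_state "$dir/cert.pem")"
  echo "after trusting:  $(cert_trust_state "$dir/cert.pem" "$dir/cert.pem")"
  rm -rf "$dir"
}

demo
```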

@adityamandaleeka
Member

Moving to preview 7 for the remainder of the work.

@adityamandaleeka
Member

I mean RC 1 😄

@Tratcher
Member

Tratcher commented Aug 9, 2022

Fixed by #42621

@Tratcher Tratcher closed this as completed Aug 9, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Sep 9, 2022
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023