Nginx Reverse Proxy With SSL and Asp.NET Core API

Question

I am currently trying to build an API for a client interface-server interaction. I have decided to use ASP.NET Core for the API with Nginx as the hosting platform (On Ubuntu 18.04). Since ASP.NET uses Kestrel, we have set up a reverse proxy to forward requests from Nginx to Kestrel-- what is hosting the API. We have SSL set up on the NGINX server, however it is not set up on the Kestrel Server.

Simply put, I do not know how to set up SSL on the Kestrel Server with another layer of SSL on the NGINX side. How can I do this?

Model: Client --> GET Request over HTTPS --> NGINX with SSL --> HTTP Kestrel Server and vice versa

Output: SSL_PROTOCOL_ERROR

Temporary Solution: Use HTTP with port 5000 in the link.-- No error, however, data is not secure.

Optimal Solution: Use HTTPS without port 5000 in the link. Data is secure.

NGINX Config:

    if ($host = api.OURSITENAME.co) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name api.OURSITENAME.co;
    return 301 https://$server_name$request_uri;


}

server {
    listen 443 ssl http2;
    include /etc/nginx/proxy_params;
    server_name api.OURSITENAME.co;
    access_log /var/log/nginx/api.access.log;
    error_log /var/log/nginx/api.error.log error;
    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/api.OURSITENAME.co/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.OURSITENAME.co/privkey.pem; # managed by Certbot
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Upgrade $http_upgrade;

    location / {
        proxy_pass         http://172.18.0.2:5000; <-- Docker Container. Can easily be switched out with localhost if we want to run on dotnet directly.
    }
}

Answer 1

As I understand the problem, when you use HTTP to access your application directly on port 5000 you get an SSL error. Even though you don't use HTTPS.

If you have app.UseHsts(); and/or app.UseHttpsRedirection(); in your Startup code then it will use HTTPS.

If you are letting nginx handle the SSL then you can remove code from your app Startup.cs

Typical startup code:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseDatabaseErrorPage();
    }
    else // Production
    {
        app.UseExceptionHandler("/Error");
        // Remove to use HTTP only
        app.UseHsts(); // HTTPS Strict mode
    }

    // Remove to use HTTP only
    app.UseHttpsRedirection(); // Redirects HTTP to HTTPS
    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseAuthentication();

    app.UseMvc();

}

Documentation on enforcing SSL in dotnet core