-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aspire apps and HTTPS #2453
Comments
@DamianEdwards, just to confirm
This is referring to the localhost/dev inner loop correct? Currently if configured with an https endpoint to a remote resource server this works as expected. |
I think this got put into dashboard by the bot, it's templates, and service discovery and app model. |
Ah thanks :) . I think there were refrerences to DashboardServiceHost code in the request. So confirming. Adding the other areas as well in the path. |
@kvenkatrajan you're right, there's dashboard work in here as well. |
@DamianEdwards there's nothing in here about deployment. |
@davidfowl what kind of things are you expecting to see about deployment here? The only thing I can think of is ensuring that service discovery configuration between projects/services is properly configured with https addresses if the manifest contained https. And of course ensuring gRPC works. |
That ACA works with https and gRPC and the implications with allow insecure (we turn that on today by default) |
OK added a bullet for it, thanks. |
I'm assuming we want this done for P5. Do we have tracking issues for the work that needs to happen in each of the areas? (templates, app model, dashboard, SD) If so we can also update the top post to also include a list with all of these to be able to track the progress. |
Not yet, other than those already linked to (like the SD work). This issue is about figuring out what other work is needed and then tracking it. |
Regarding deployment to ACA, I verified that AspireShop updated for HTTPS fully works when deployed to ACA by AZD after the following adjustments:
Code is at: https://github.com/dotnet/aspire-samples/tree/damianedwards/healthchecksui/samples/AspireShop |
@DamianEdwards and @davidfowl I just wanted to link this issue to a separate issue I just created documenting how we can use a single port (with HTTPS) for both the OTLP receiver and Dashboard app UI. Yes we should always use HTTPS for both OTLP and the dashboard UI. When deploying to a service such as the Azure App Service, it is so much easier to have that single port (configured by default to use HTTPS). Here is the issue describing how to set this up: I am successfully using the Aspire Dashboard as a nice OTLP receiver/viewer in one of our cloud dev environments. Note that I also added Entra ID login plus added verification of a HTTP Header key for the inbound telemetry. |
* Enable HTTPS in templates Contributes to #2453 * Update Program.cs * Update Program.cs * Update template.json * Remove trailing comma from launchSettings.json * PR feedback
Closing this as the major change to enable the HTTPS experience are complete now. We can log individual issues for any follow up items. |
Today, new Aspire projects are configured to run locally with HTTP communication only (i.e. there is no HTTPS configuration or launch profiles). This was done back in preview.1 as we identified some experience issues with HTTPS that we need to revisit and address before GA:
dotnet run
vs. Visual Studio. In VS, if a profile named "https" is defined, it will be selected by default. Indotnet run
, the first launch profile defined is used by default. ASP.NET Core templates define two launch profiles by default: "http" and "https", in that order, so VS users get HTTPS by default but CLI users get HTTP by default as the experience for setting up and trusting the dev certificate is more complicated for CLI users.auto://localhost
) so that the code doesn't have to hard-code the scheme name, allowing the project to run successfully whether it was launched with configuration for HTTP or HTTPS. Of course the code can be changed by the user to hard-code HTTPS as the scheme (which would likely be a documented recommendation). This will enable the template to work in all scenarios."applicationUrls"
property setup with an HTTPS address, it will end up being flowed to the dashboard for the UI endpoint. The gRPC resource server endpoint however currently doesn't consider HTTP vs. HTTPS in its default which will likely have to be changed, e.g. to set the scheme to HTTPS if the URL supplied for the dashboard UI (viaASPNETCORE_URLS
) is HTTPS.Aspire.Hosting
should configure ASP.NET Core resources when published to enable forwarded headers by default (Enable forwarded headers when publishing projects by default #290). This is required to ensure the incoming URL scheme and host name are preserved through the ingress proxy.The text was updated successfully, but these errors were encountered: