{"id":627,"date":"2025-04-05T11:43:09","date_gmt":"2025-04-05T03:43:09","guid":{"rendered":"https:\/\/www.hyy.net\/?p=627"},"modified":"2025-04-05T11:43:09","modified_gmt":"2025-04-05T03:43:09","slug":"asp-net-core-in-action-28-adding-https-to-an-application","status":"publish","type":"post","link":"https:\/\/diji.net\/?p=627","title":{"rendered":"ASP.NET Core in Action 28 Adding HTTPS to an application"},"content":{"rendered":"<p>28 Adding HTTPS to an application<br \/>\n28 \u5c06 HTTPS \u6dfb\u52a0\u5230\u5e94\u7528\u7a0b\u5e8f<\/p>\n<p>This chapter covers<br \/>\n\u672c\u7ae0\u6db5\u76d6<\/p>\n<p>\u2022  Encrypting traffic between clients and your app using HTTPS<br \/>\n\u4f7f\u7528 HTTPS\u52a0\u5bc6\u5ba2\u6237\u7aef\u548c\u5e94\u7528\u7a0b\u5e8f\u4e4b\u95f4\u7684\u6d41\u91cf<\/p>\n<p>\u2022  Using the HTTPS development certificate for local development<br \/>\n\u4f7f\u7528 HTTPS \u5f00\u53d1\u8bc1\u4e66\u8fdb\u884c\u672c\u5730\u5f00\u53d1<\/p>\n<p>\u2022  Configuring Kestrel with a custom HTTPS certificate<br \/>\n\u4f7f\u7528\u81ea\u5b9a\u4e49 HTTPS \u8bc1\u4e66\u914d\u7f6e Kestrel<\/p>\n<p>\u2022  Enforcing HTTPS for your whole app<br \/>\n\u4e3a\u6574\u4e2a\u5e94\u7528\u7a0b\u5e8f\u5f3a\u5236\u5b9e\u65bd HTTPS<\/p>\n<p>Web application security is a hot topic at the moment. Practically every week another breach is reported, or confidential details are leaked. 
It may seem like the situation is hopeless, but the reality is that the vast majority of breaches could have been prevented with the smallest amount of effort.<br \/>\nWeb \u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u662f\u76ee\u524d\u7684\u4e00\u4e2a\u70ed\u95e8\u8bdd\u9898\u3002\u51e0\u4e4e\u6bcf\u5468\u90fd\u4f1a\u62a5\u544a\u53e6\u4e00\u8d77\u6570\u636e\u6cc4\u9732\u4e8b\u4ef6\uff0c\u6216\u6cc4\u9732\u673a\u5bc6\u7ec6\u8282\u3002\u60c5\u51b5\u4f3c\u4e4e\u6ca1\u6709\u5e0c\u671b\uff0c\u4f46\u73b0\u5b9e\u662f\uff0c\u7edd\u5927\u591a\u6570\u6570\u636e\u6cc4\u9732\u672c\u53ef\u4ee5\u901a\u8fc7\u6700\u5c0f\u7684\u52aa\u529b\u6765\u9884\u9632\u3002<\/p>\n<p>In chapter 29 we\u2019ll look at a range of common attacks and how to protect against them in your ASP.NET Core app. In this chapter we start by looking at one of the most basic security measures: encrypting the traffic between a client such as a browser and your application.<br \/>\n\u5728\u7b2c 29 \u7ae0\u4e2d\uff0c\u6211\u4eec\u5c06\u4ecb\u7ecd\u4e00\u7cfb\u5217\u5e38\u89c1\u653b\u51fb\uff0c\u4ee5\u53ca\u5982\u4f55\u5728 ASP.NET Core \u5e94\u7528\u7a0b\u5e8f\u4e2d\u9632\u8303\u8fd9\u4e9b\u653b\u51fb\u3002\u5728\u672c\u7ae0\u4e2d\uff0c\u6211\u4eec\u9996\u5148\u4ecb\u7ecd\u6700\u57fa\u672c\u7684\u5b89\u5168\u63aa\u65bd\u4e4b\u4e00\uff1a\u52a0\u5bc6\u5ba2\u6237\u7aef\uff08\u5982\u6d4f\u89c8\u5668\uff09\u548c\u5e94\u7528\u7a0b\u5e8f\u4e4b\u95f4\u7684\u6d41\u91cf\u3002<\/p>\n<p>Without HTTPS encryption, you risk third parties spying on or modifying the requests and responses as they travel over the internet. The risks associated with unencrypted traffic mean that HTTPS is effectively mandatory for production apps these days, and it is heavily encouraged by the makers of modern browsers such as Chrome and Firefox. 
In section 28.1 you\u2019ll learn more about these risks and some of the approaches you can take to protect your application.<br \/>\n\u5982\u679c\u6ca1\u6709 HTTPS \u52a0\u5bc6\uff0c\u5f53\u8bf7\u6c42\u548c\u54cd\u5e94\u901a\u8fc7 Internet \u4f20\u8f93\u65f6\uff0c\u60a8\u53ef\u80fd\u4f1a\u9762\u4e34\u7b2c\u4e09\u65b9\u76d1\u89c6\u6216\u4fee\u6539\u5b83\u4eec\u7684\u98ce\u9669\u3002\u4e0e\u672a\u52a0\u5bc6\u6d41\u91cf\u76f8\u5173\u7684\u98ce\u9669\u610f\u5473\u7740 HTTPS \u5982\u4eca\u5b9e\u9645\u4e0a\u662f\u751f\u4ea7\u5e94\u7528\u7a0b\u5e8f\u7684\u5f3a\u5236\u6027\u8981\u6c42\uff0c\u5e76\u4e14 Chrome \u548c Firefox \u7b49\u73b0\u4ee3\u6d4f\u89c8\u5668\u7684\u5236\u9020\u5546\u5f3a\u70c8\u9f13\u52b1 HTTPS\u3002\u5728 Section 28.1 \u4e2d\uff0c\u60a8\u5c06\u4e86\u89e3\u6709\u5173\u8fd9\u4e9b\u98ce\u9669\u7684\u66f4\u591a\u4fe1\u606f\u4ee5\u53ca\u60a8\u53ef\u4ee5\u91c7\u53d6\u7684\u4e00\u4e9b\u65b9\u6cd5\u6765\u4fdd\u62a4\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n<p>In section 28.2 you\u2019ll see how to get started with HTTPS locally using the ASP.NET Core development certificate. I describe what it is, how to trust it on your application, and what to do if it\u2019s not working as you expect.<br \/>\n\u5728 Section 28.2 \u4e2d\uff0c\u60a8\u5c06\u770b\u5230\u5982\u4f55\u4f7f\u7528 ASP.NET Core \u5f00\u53d1\u8bc1\u4e66\u5728\u672c\u5730\u5f00\u59cb\u4f7f\u7528 HTTPS\u3002\u6211\u5c06\u4ecb\u7ecd\u5b83\u662f\u4ec0\u4e48\uff0c\u5982\u4f55\u5728\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4fe1\u4efb\u5b83\uff0c\u4ee5\u53ca\u5982\u679c\u5b83\u6ca1\u6709\u6309\u9884\u671f\u5de5\u4f5c\u8be5\u600e\u4e48\u529e\u3002<\/p>\n<p>The development certificate is great for local work, but in production you\u2019ll need to configure a real, production certificate. 
I don\u2019t describe the process of obtaining a certificate in section 28.3, as that will vary by provider; instead, I show how to configure Kestrel to use a custom certificate you\u2019ve acquired.<br \/>\n\u5f00\u53d1\u8bc1\u4e66\u975e\u5e38\u9002\u5408\u672c\u5730\u5de5\u4f5c\uff0c\u4f46\u5728\u751f\u4ea7\u73af\u5883\u4e2d\uff0c\u60a8\u9700\u8981\u914d\u7f6e\u4e00\u4e2a\u771f\u5b9e\u7684\u751f\u4ea7\u8bc1\u4e66\u3002\u6211\u6ca1\u6709\u5728\u7b2c 28.3 \u8282\u4e2d\u63cf\u8ff0\u83b7\u53d6\u8bc1\u4e66\u7684\u8fc7\u7a0b\uff0c\u56e0\u4e3a\u8fd9\u4f1a\u56e0\u63d0\u4f9b\u5546\u800c\u5f02;\u76f8\u53cd\uff0c\u6211\u5c06\u4ecb\u7ecd\u5982\u4f55\u5c06 Kestrel \u914d\u7f6e\u4e3a\u4f7f\u7528\u60a8\u83b7\u53d6\u7684\u81ea\u5b9a\u4e49\u8bc1\u4e66\u3002<\/p>\n<p>In section 28.4 I describe some of the approaches to enforcing HTTPS in your application. Unfortunately, web browsers still expect apps to be available over HTTP by default, so you typically need to expose your application on both HTTP and HTTPS ports. 
Nevertheless, there are things you can do to push clients toward the HTTPS endpoint, which are considered security best practices these days.<br \/>\n\u5728 Section 28.4 \u4e2d\uff0c\u6211\u63cf\u8ff0\u4e86\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u5f3a\u5236\u6267\u884c HTTPS \u7684\u4e00\u4e9b\u65b9\u6cd5\u3002\u9057\u61be\u7684\u662f\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0cWeb \u6d4f\u89c8\u5668\u4ecd\u7136\u5e0c\u671b\u5e94\u7528\u7a0b\u5e8f\u901a\u8fc7 HTTP \u53ef\u7528\uff0c\u56e0\u6b64\u60a8\u901a\u5e38\u9700\u8981\u5728 HTTP \u548c HTTPS \u7aef\u53e3\u4e0a\u516c\u5f00\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u4e0d\u8fc7\uff0c\u60a8\u53ef\u4ee5\u91c7\u53d6\u4e00\u4e9b\u63aa\u65bd\u6765\u5c06\u5ba2\u6237\u7aef\u63a8\u9001\u5230 HTTPS \u7ec8\u7aef\u8282\u70b9\uff0c\u8fd9\u5982\u4eca\u88ab\u8ba4\u4e3a\u662f\u5b89\u5168\u6700\u4f73\u5b9e\u8df5\u3002<\/p>\n<p>Before we look at HTTPS in ASP.NET Core specifically, we\u2019ll start by looking at HTTPS in general and why you should use it in all your applications.<br \/>\n\u5728\u6211\u4eec\u5177\u4f53\u7814\u7a76 ASP.NET Core \u4e2d\u7684 HTTPS \u4e4b\u524d\uff0c\u6211\u4eec\u9996\u5148\u4e00\u822c\u5730\u4e86\u89e3\u4e00\u4e0b HTTPS\uff0c\u4ee5\u53ca\u4e3a\u4ec0\u4e48\u60a8\u5e94\u8be5\u5728\u6240\u6709\u5e94\u7528\u7a0b\u5e8f\u4e2d\u4f7f\u7528\u5b83\u3002<\/p>\n<h2>28.1 Why do I need HTTPS?<\/h2>\n<p>28.1 \u4e3a\u4ec0\u4e48\u6211\u9700\u8981 HTTPS\uff1f<\/p>\n<p>In this section you\u2019ll learn about HTTPS: what it is, and why you need to be aware of it for all your production applications. We\u2019re not going to go into details about the protocol or how certificates work at this point, instead focusing on why you need to use HTTPS. 
You\u2019ll see two approaches to adding HTTPS to your application: supporting HTTPS directly in your application and using SSL\/TLS-offloading with a reverse proxy.<br \/>\n\u5728\u672c\u8282\u4e2d\uff0c\u60a8\u5c06\u4e86\u89e3 HTTPS\uff1a\u5b83\u662f\u4ec0\u4e48\uff0c\u4ee5\u53ca\u4e3a\u4ec0\u4e48\u60a8\u9700\u8981\u5728\u6240\u6709\u751f\u4ea7\u5e94\u7528\u7a0b\u5e8f\u4e2d\u4e86\u89e3 HTTPS\u3002\u6b64\u65f6\uff0c\u6211\u4eec\u4e0d\u4f1a\u8be6\u7ec6\u4ecb\u7ecd\u534f\u8bae\u6216\u8bc1\u4e66\u7684\u5de5\u4f5c\u539f\u7406\uff0c\u800c\u662f\u91cd\u70b9\u4ecb\u7ecd\u4e3a\u4ec0\u4e48\u9700\u8981\u4f7f\u7528 HTTPS\u3002\u60a8\u5c06\u770b\u5230\u4e24\u79cd\u5c06 HTTPS \u6dfb\u52a0\u5230\u5e94\u7528\u7a0b\u5e8f\u7684\u65b9\u6cd5\uff1a\u76f4\u63a5\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u652f\u6301 HTTPS\uff0c\u4ee5\u53ca\u5c06 SSL\/TLS \u5378\u8f7d\u4e0e\u53cd\u5411\u4ee3\u7406\u4e00\u8d77\u4f7f\u7528\u3002<\/p>\n<p>So far in this book, I\u2019ve shown how the user\u2019s browser sends a request across the internet to your app using the HTTP protocol. 
We haven\u2019t looked too much into the details of that protocol other than to establish that it uses verbs to describe the type of request (such as GET and POST), that it contains headers with metadata about the request, and optionally includes a body payload of data.<br \/>\n\u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5728\u672c\u4e66\u4e2d\uff0c\u6211\u5df2\u7ecf\u5c55\u793a\u4e86\u7528\u6237\u7684\u6d4f\u89c8\u5668\u5982\u4f55\u4f7f\u7528 HTTP \u534f\u8bae\u901a\u8fc7 Internet \u5411\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u53d1\u9001\u8bf7\u6c42\u3002\u6211\u4eec\u6ca1\u6709\u6df1\u5165\u7814\u7a76\u8be5\u534f\u8bae\u7684\u7ec6\u8282\uff0c\u53ea\u662f\u786e\u5b9a\u5b83\u4f7f\u7528\u52a8\u8bcd\u6765\u63cf\u8ff0\u8bf7\u6c42\u7c7b\u578b\uff08\u4f8b\u5982 GET \u548c POST\uff09\uff0c\u5b83\u5305\u542b\u5e26\u6709\u8bf7\u6c42\u5143\u6570\u636e\u7684\u6807\u5934\uff0c\u4ee5\u53ca\u53ef\u9009\u7684\u6570\u636e\u6b63\u6587\u6709\u6548\u8d1f\u8f7d\u3002<\/p>\n<p>By default, HTTP requests are unencrypted; they\u2019re plain-text files being sent over the internet. Anyone on the same network as a user (such as someone using the same public Wi-Fi in a coffee shop) can read the requests and responses sent back and forth. 
Attackers can even modify the requests or responses as they\u2019re in transit, as shown in figure 28.1.<br \/>\n\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0cHTTP \u8bf7\u6c42\u672a\u52a0\u5bc6;\u5b83\u4eec\u662f\u901a\u8fc7 Internet \u53d1\u9001\u7684\u7eaf\u6587\u672c\u6587\u4ef6\u3002\u4e0e\u7528\u6237\u4f4d\u4e8e\u540c\u4e00\u7f51\u7edc\u4e0a\u7684\u4efb\u4f55\u4eba\uff08\u4f8b\u5982\u5728\u5496\u5561\u5e97\u4f7f\u7528\u540c\u4e00\u516c\u5171 Wi-Fi \u7684\u4eba\uff09\u90fd\u53ef\u4ee5\u9605\u8bfb\u6765\u56de\u53d1\u9001\u7684\u8bf7\u6c42\u548c\u54cd\u5e94\u3002\u653b\u51fb\u8005\u751a\u81f3\u53ef\u4ee5\u5728\u4f20\u8f93\u8fc7\u7a0b\u4e2d\u4fee\u6539\u8bf7\u6c42\u6216\u54cd\u5e94\uff0c\u5982\u56fe 28.1 \u6240\u793a\u3002<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2801.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.1 Unencrypted HTTP requests can be read by users on the same network. Attackers can even intercept the request and response, reading or changing the data. HTTPS requests can\u2019t be read or manipulated by attackers.<br \/>\n\u56fe 28.1 \u540c\u4e00\u7f51\u7edc\u4e0a\u7684\u7528\u6237\u53ef\u4ee5\u8bfb\u53d6\u672a\u52a0\u5bc6\u7684 HTTP \u8bf7\u6c42\u3002\u653b\u51fb\u8005\u751a\u81f3\u53ef\u4ee5\u62e6\u622a\u8bf7\u6c42\u548c\u54cd\u5e94\uff0c\u8bfb\u53d6\u6216\u66f4\u6539\u6570\u636e\u3002\u653b\u51fb\u8005\u65e0\u6cd5\u8bfb\u53d6\u6216\u7eb5 HTTPS \u8bf7\u6c42\u3002<\/p>\n<p>Using unencrypted web apps in this way presents both a privacy and a security risk to your users. 
Attackers could read sensitive details such as passwords and personally identifiable information (PII), they could inject malicious code into your responses to attack users, or they could steal authentication cookies and impersonate the user on your app.<br \/>\n\u4ee5\u8fd9\u79cd\u65b9\u5f0f\u4f7f\u7528\u672a\u52a0\u5bc6\u7684 Web \u5e94\u7528\u7a0b\u5e8f\u4f1a\u7ed9\u7528\u6237\u5e26\u6765\u9690\u79c1\u548c\u5b89\u5168\u98ce\u9669\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u8bfb\u53d6\u5bc6\u7801\u548c\u4e2a\u4eba\u8eab\u4efd\u4fe1\u606f \uff08PII\uff09 \u7b49\u654f\u611f\u8be6\u7ec6\u4fe1\u606f\uff0c\u4ed6\u4eec\u53ef\u80fd\u4f1a\u5c06\u6076\u610f\u4ee3\u7801\u6ce8\u5165\u60a8\u7684\u54cd\u5e94\u4e2d\u4ee5\u653b\u51fb\u7528\u6237\uff0c\u6216\u8005\u4ed6\u4eec\u53ef\u80fd\u4f1a\u7a83\u53d6\u8eab\u4efd\u9a8c\u8bc1 Cookie \u5e76\u5728\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e0a\u5192\u5145\u7528\u6237\u3002<\/p>\n<p>To protect your users, your app should encrypt the traffic between the user\u2019s browser and your app as it travels over the network by using the HTTPS protocol. This is similar to HTTP traffic, but it uses an SSL\/TLS certificate to encrypt requests and responses, so attackers cannot read or modify the contents.<br \/>\n\u4e3a\u4e86\u4fdd\u62a4\u60a8\u7684\u7528\u6237\uff0c\u60a8\u7684\u5e94\u7528\u5e94\u4f7f\u7528 HTTPS \u534f\u8bae\u52a0\u5bc6\u7528\u6237\u6d4f\u89c8\u5668\u548c\u60a8\u7684\u5e94\u7528\u4e4b\u95f4\u7684\u6d41\u91cf\u3002\u8fd9\u7c7b\u4f3c\u4e8e HTTP \u6d41\u91cf\uff0c\u4f46\u5b83\u4f7f\u7528 SSL\/TLS \u8bc1\u4e66\u6765\u52a0\u5bc6\u8bf7\u6c42\u548c\u54cd\u5e94\uff0c\u56e0\u6b64\u653b\u51fb\u8005\u65e0\u6cd5\u8bfb\u53d6\u6216\u4fee\u6539\u5185\u5bb9\u3002<\/p>\n<p><b>DEFINITION<\/b> Secure Sockets Layer (SSL) is an older standard that facilitates HTTPS. The SSL protocol has been superseded by Transport Layer Security (TLS), so I\u2019ll be using TLS preferentially throughout this chapter. 
Normally, if you hear someone talking about SSL or SSL certificates, they actually mean TLS. You can find the RFC for the latest version of the TLS protocol at <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc8446\">https:\/\/www.rfc-editor.org\/rfc\/rfc8446<\/a>.<br \/>\n\u5b9a\u4e49:SSL\u662f\u4e00\u79cd\u4fc3\u8fdb HTTPS \u7684\u65e7\u6807\u51c6\u3002SSL \u534f\u8bae\u5df2\u88ab\u4f20\u8f93\u5c42\u5b89\u5168\u6027 \uff08TLS\uff09 \u53d6\u4ee3\uff0c\u56e0\u6b64\u5728\u672c\u7ae0\u4e2d\uff0c\u6211\u5c06\u4f18\u5148\u4f7f\u7528 TLS\u3002\u901a\u5e38\uff0c\u5982\u679c\u60a8\u542c\u5230\u6709\u4eba\u8c08\u8bba SSL \u6216 SSL \u8bc1\u4e66\uff0c\u4ed6\u4eec\u5b9e\u9645\u4e0a\u6307\u7684\u662f TLS\u3002\u60a8\u53ef\u4ee5\u5728 <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc8446\">https:\/\/www.rfc-editor.org\/rfc\/rfc8446<\/a> \u4e2d\u627e\u5230\u6700\u65b0\u7248\u672c\u7684 TLS \u534f\u8bae\u7684 RFC\u3002<\/p>\n<p>In browsers, you can tell that a site is using HTTPS by the https:\/\/ prefix to URLs (notice the s), or sometimes by a padlock, as shown in figure 28.2. 
Most modern browsers these days deemphasize that a site is using HTTPS, as most sites use HTTPS, and instead highlight when you\u2019re on a site that isn\u2019t using HTTPS, flagging it as insecure.<br \/>\n\u5728\u6d4f\u89c8\u5668\u4e2d\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7 URL \u7684 https:\/\/ \u524d\u7f00\uff08\u6ce8\u610f s\uff09\u6216\u6709\u65f6\u901a\u8fc7\u6302\u9501\u6765\u5224\u65ad\u7ad9\u70b9\u6b63\u5728\u4f7f\u7528 HTTPS\uff0c\u5982\u56fe 28.2 \u6240\u793a\u3002\u5982\u4eca\uff0c\u5927\u591a\u6570\u73b0\u4ee3\u6d4f\u89c8\u5668\u90fd\u4e0d\u518d\u5f3a\u8c03\u7f51\u7ad9\u6b63\u5728\u4f7f\u7528 HTTPS\uff0c\u56e0\u4e3a\u5927\u591a\u6570\u7f51\u7ad9\u90fd\u4f7f\u7528 HTTPS\uff0c\u800c\u662f\u5728\u60a8\u8bbf\u95ee\u672a\u4f7f\u7528 HTTPS \u7684\u7f51\u7ad9\u4e0a\u65f6\u7a81\u51fa\u663e\u793a\uff0c\u5c06\u5176\u6807\u8bb0\u4e3a\u4e0d\u5b89\u5168\u3002<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2802.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.2 Encrypted apps using HTTPS and unencrypted apps using HTTP in Edge. Using HTTPS protects your application from being viewed or tampered with by attackers.<br \/>\n\u56fe 28.2 Edge \u4e2d\u4f7f\u7528 HTTPS \u7684\u52a0\u5bc6\u5e94\u7528\u7a0b\u5e8f\u548c\u4f7f\u7528 HTTP \u7684\u672a\u52a0\u5bc6\u5e94\u7528\u7a0b\u5e8f\u3002\u4f7f\u7528 HTTPS \u53ef\u4ee5\u4fdd\u62a4\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e0d\u88ab\u653b\u51fb\u8005\u67e5\u770b\u6216\u7be1\u6539\u3002<\/p>\n<p>The reality is that these days, you should always serve your production websites over HTTPS. The industry is pushing toward HTTPS by default, with most browsers marking HTTP sites as explicitly not secure. 
Skipping HTTPS will hurt the perception of your app in the long run, so even if you\u2019re not interested in the security benefits, it\u2019s in your best interest to set up HTTPS.<br \/>\n\u73b0\u5b9e\u60c5\u51b5\u662f\uff0c\u5982\u4eca\uff0c\u60a8\u5e94\u8be5\u59cb\u7ec8\u901a\u8fc7 HTTPS \u4e3a\u60a8\u7684\u751f\u4ea7\u7f51\u7ad9\u63d0\u4f9b\u670d\u52a1\u3002\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u8be5\u884c\u4e1a\u6b63\u5728\u63a8\u52a8 HTTPS\uff0c\u5927\u591a\u6570\u6d4f\u89c8\u5668\u5c06 HTTP \u7ad9\u70b9\u6807\u8bb0\u4e3a\u660e\u786e\u4e0d\u5b89\u5168\u3002\u4ece\u957f\u8fdc\u6765\u770b\uff0c\u8df3\u8fc7 HTTPS \u4f1a\u635f\u5bb3\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u7684\u770b\u6cd5\uff0c\u56e0\u6b64\u5373\u4f7f\u60a8\u5bf9\u5b89\u5168\u4f18\u52bf\u4e0d\u611f\u5174\u8da3\uff0c\u8bbe\u7f6e HTTPS \u4e5f\u7b26\u5408\u60a8\u7684\u6700\u4f73\u5229\u76ca\u3002<\/p>\n<p><b>TIP<\/b> You can find a good cheat sheet for HTTPS by OWASP at <a href=\"http:\/\/mng.bz\/PzxY\">http:\/\/mng.bz\/PzxY<\/a>. ASP.NET Core takes care of most of the points in this list for you, but there are some important ones in the Application section specifically.<br \/>\n\u63d0\u793a:\u60a8\u53ef\u4ee5\u5728 <a href=\"http:\/\/mng.bz\/PzxY\">http:\/\/mng.bz\/PzxY<\/a> \u4e0a\u627e\u5230 OWASP \u7684 HTTPS \u4f18\u79c0\u5907\u5fd8\u5355\u3002ASP.NET Core \u4e3a\u60a8\u5904\u7406\u4e86\u6b64\u5217\u8868\u4e2d\u7684\u5927\u90e8\u5206\u8981\u70b9\uff0c\u4f46 Application \uff08\u5e94\u7528\u7a0b\u5e8f\uff09 \u90e8\u5206\u4e2d\u8fd8\u6709\u4e00\u4e9b\u91cd\u8981\u7684\u8981\u70b9\u3002<\/p>\n<p>Another reason to support HTTPS is that many browser features are available only when your site is served over HTTPS. Some of these features are JavaScript browser APIs, such as location APIs, microphone APIs, and storage APIs. These are available only over HTTPS to protect users from attackers that could modify insecure HTTP requests. 
Other features apply to server-side apps too, such as Brotli compression and HTTP\/2 support.<br \/>\n\u652f\u6301 HTTPS \u7684\u53e6\u4e00\u4e2a\u539f\u56e0\u662f\uff0c\u8bb8\u591a\u6d4f\u89c8\u5668\u529f\u80fd\u4ec5\u5728\u60a8\u7684\u7f51\u7ad9\u901a\u8fc7 HTTPS \u63d0\u4f9b\u670d\u52a1\u65f6\u53ef\u7528\u3002\u5176\u4e2d\u4e00\u4e9b\u529f\u80fd\u662f JavaScript \u6d4f\u89c8\u5668 API\uff0c\u4f8b\u5982\u4f4d\u7f6e API\u3001\u9ea6\u514b\u98ce API \u548c\u5b58\u50a8 API\u3002\u8fd9\u4e9b\u9009\u9879\u4ec5\u901a\u8fc7 HTTPS \u63d0\u4f9b\uff0c\u4ee5\u4fdd\u62a4\u7528\u6237\u514d\u53d7\u53ef\u80fd\u4fee\u6539\u4e0d\u5b89\u5168 HTTP \u8bf7\u6c42\u7684\u653b\u51fb\u8005\u7684\u653b\u51fb\u3002\u5176\u4ed6\u529f\u80fd\u4e5f\u9002\u7528\u4e8e\u670d\u52a1\u5668\u7aef\u5e94\u7528\u7a0b\u5e8f\uff0c\u4f8b\u5982 Brotli \u538b\u7f29\u548c HTTP\/2 \u652f\u6301\u3002<\/p>\n<p><b>TIP<\/b>  For details on how the SSL\/TLS protocols work, see chapter 9 of Real-World Cryptography, by David Wong (Manning, 2021), <a href=\"http:\/\/mng.bz\/zxz1\">http:\/\/mng.bz\/zxz1<\/a>.<br \/>\n\u63d0\u793a:\u6709\u5173 SSL\/TLS \u534f\u8bae\u5982\u4f55\u5de5\u4f5c\u7684\u8be6\u7ec6\u4fe1\u606f\uff0c\u8bf7\u53c2\u9605 David Wong \uff08Manning\uff0c 2021\uff09 <a href=\"http:\/\/mng.bz\/zxz1\">http:\/\/mng.bz\/zxz1<\/a> \u5408\u8457\u7684\u300a\u771f\u5b9e\u4e16\u754c\u5bc6\u7801\u5b66\u300b\u7b2c 9 \u7ae0\u3002<\/p>\n<p>To enable HTTPS, you need to obtain and configure a TLS certificate for your server. Unfortunately, although that process is a lot easier than it used to be and is now essentially free thanks to Let\u2019s Encrypt (<a href=\"https:\/\/letsencrypt.org\">https:\/\/letsencrypt.org<\/a>), it\u2019s still far from simple in many cases. If you\u2019re setting up a production server, I recommend carefully following the tutorials on the Let\u2019s Encrypt site. 
It\u2019s easy to get it wrong, so take your time.<br \/>\n\u8981\u542f\u7528 HTTPS\uff0c\u60a8\u9700\u8981\u4e3a\u60a8\u7684\u670d\u52a1\u5668\u83b7\u53d6\u5e76\u914d\u7f6e TLS \u8bc1\u4e66\u3002\u4e0d\u5e78\u7684\u662f\uff0c\u5c3d\u7ba1\u8fd9\u4e2a\u8fc7\u7a0b\u6bd4\u4ee5\u524d\u5bb9\u6613\u5f97\u591a\uff0c\u5e76\u4e14\u73b0\u5728\u7531\u4e8e Let's Encrypt \uff08<a href=\"https:\/\/letsencrypt.org\">https:\/\/letsencrypt.org<\/a>\uff09 \u800c\u57fa\u672c\u4e0a\u662f\u514d\u8d39\u7684\uff0c\u4f46\u5728\u8bb8\u591a\u60c5\u51b5\u4e0b\uff0c\u5b83\u4ecd\u7136\u8fdc\u975e\u7b80\u5355\u3002\u5982\u679c\u60a8\u6b63\u5728\u8bbe\u7f6e\u751f\u4ea7\u670d\u52a1\u5668\uff0c\u6211\u5efa\u8bae\u60a8\u4ed4\u7ec6\u6309\u7167 Let's Encrypt \u7ad9\u70b9\u4e0a\u7684\u6559\u7a0b\u8fdb\u884c\u4f5c\u3002\u5f88\u5bb9\u6613\u51fa\u9519\uff0c\u6240\u4ee5\u8981\u6162\u6162\u6765\u3002<\/p>\n<p><b>TIP<\/b> If you\u2019re hosting your app in the cloud, most providers will provide one-click TLS certificates so that you don\u2019t have to manage certificates yourself. This is extremely useful, and I highly recommend it for everyone. You don\u2019t even have to host your application in the cloud to take advantage of this. Cloudflare (<a href=\"https:\/\/www.cloudflare.com\">https:\/\/www.cloudflare.com<\/a>) provides a CDN service that you can add TLS to. 
You can even use it for free.<br \/>\n\u63d0\u793a:\u5982\u679c\u60a8\u5728\u4e91\u4e2d\u6258\u7ba1\u5e94\u7528\u7a0b\u5e8f\uff0c\u5927\u591a\u6570\u63d0\u4f9b\u5546\u5c06\u63d0\u4f9b\u4e00\u952e\u5f0f TLS \u8bc1\u4e66\uff0c\u8fd9\u6837\u60a8\u5c31\u4e0d\u5fc5\u81ea\u5df1\u7ba1\u7406\u8bc1\u4e66\u3002\u8fd9\u975e\u5e38\u6709\u7528\uff0c\u6211\u5f3a\u70c8\u63a8\u8350\u7ed9\u5927\u5bb6\u3002\u60a8\u751a\u81f3\u4e0d\u5fc5\u5728\u4e91\u4e2d\u6258\u7ba1\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u5373\u53ef\u5229\u7528\u8fd9\u4e00\u70b9\u3002Cloudflare \uff08<a href=\"https:\/\/www.cloudflare.com\">https:\/\/www.cloudflare.com<\/a>\uff09 \u63d0\u4f9b CDN \u670d\u52a1\uff0c\u60a8\u53ef\u4ee5\u5c06 TLS \u6dfb\u52a0\u5230\u8be5\u670d\u52a1\u4e2d\u3002\u60a8\u751a\u81f3\u53ef\u4ee5\u514d\u8d39\u4f7f\u7528\u5b83\u3002<\/p>\n<p>As an ASP.NET Core application developer, you can often get away without directly supporting HTTPS in your app by taking advantage of the reverse-proxy architecture, as shown in figure 28.3, in a process called SSL\/TLS offloading\/termination. This is generally standard in Platform as a Service (PaaS) cloud services, such as Azure App Service.<br \/>\n\u4f5c\u4e3a ASP.NET Core \u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u4eba\u5458\uff0c\u60a8\u901a\u5e38\u53ef\u4ee5\u901a\u8fc7\u5229\u7528\u53cd\u5411\u4ee3\u7406\u67b6\u6784\uff08\u5982\u56fe 28.3 \u6240\u793a\uff09\u5728\u79f0\u4e3a SSL\/TLS \u5378\u8f7d\/\u7ec8\u6b62\u7684\u8fc7\u7a0b\u4e2d\uff0c\u65e0\u9700\u76f4\u63a5\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u652f\u6301 HTTPS\u3002\u8fd9\u901a\u5e38\u662f\u5e73\u53f0\u5373\u670d\u52a1 \uff08PaaS\uff09 \u4e91\u670d\u52a1\uff08\u5982 Azure \u5e94\u7528\u670d\u52a1\uff09\u4e2d\u7684\u6807\u51c6\u3002<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2803.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.3 You have two options when using HTTPS with a reverse proxy: SSL\/TLS passthrough and SSL\/TLS offloading. 
In SSL\/TLS passthrough, the data is encrypted all the way to your ASP.NET Core app. For SSL\/TLS offloading, the reverse proxy handles decrypting the data, so your app doesn\u2019t have to.<br \/>\n\u56fe 28.3 \u5c06 HTTPS \u4e0e\u53cd\u5411\u4ee3\u7406\u4e00\u8d77\u4f7f\u7528\u65f6\uff0c\u60a8\u6709\u4e24\u4e2a\u9009\u9879\uff1aSSL\/TLS \u76f4\u901a\u548c SSL\/TLS \u5378\u8f7d\u3002\u5728 SSL\/TLS \u76f4\u901a\u4e2d\uff0c\u6570\u636e\u4f1a\u4e00\u76f4\u52a0\u5bc6\u5230 ASP.NET Core \u5e94\u7528\u7a0b\u5e8f\u3002\u5bf9\u4e8e SSL\/TLS \u5378\u8f7d\uff0c\u53cd\u5411\u4ee3\u7406\u4f1a\u5904\u7406\u89e3\u5bc6\u6570\u636e\uff0c\u56e0\u6b64\u60a8\u7684\u5e94\u7528\u4e0d\u5fc5\u8fd9\u6837\u505a\u3002<\/p>\n<p>With SSL\/TLS offloading, instead of your application handling requests using HTTPS directly, your app continues to use HTTP. The reverse proxy is responsible for encrypting and decrypting HTTPS traffic to the browser. This often gives you the best of both worlds: data is encrypted between the user\u2019s browser and the server, but you don\u2019t have to worry about configuring certificates in your application.<br \/>\n\u4f7f\u7528 SSL\/TLS \u5378\u8f7d\u65f6\uff0c\u60a8\u7684\u5e94\u7528\u5c06\u7ee7\u7eed\u4f7f\u7528 HTTP\uff0c\u800c\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528 HTTPS \u5904\u7406\u8bf7\u6c42\u3002\u53cd\u5411\u4ee3\u7406\u8d1f\u8d23\u52a0\u5bc6\u548c\u89e3\u5bc6\u5230\u6d4f\u89c8\u5668\u7684 HTTPS \u6d41\u91cf\u3002\u8fd9\u901a\u5e38\u53ef\u4ee5\u4e3a\u60a8\u63d0\u4f9b\u4e24\u5168\u5176\u7f8e\u7684\u6548\u679c\uff1a\u6570\u636e\u5728\u7528\u6237\u7684\u6d4f\u89c8\u5668\u548c\u670d\u52a1\u5668\u4e4b\u95f4\u52a0\u5bc6\uff0c\u4f46\u60a8\u4e0d\u5fc5\u62c5\u5fc3\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u914d\u7f6e\u8bc1\u4e66\u3002<\/p>\n<p><b>NOTE<\/b> If you\u2019re concerned that the traffic is unencrypted between the reverse proxy and your app, I recommend reading Troy Hunt\u2019s post \u201cCloudFlare, SSL and unhealthy security absolutism\u201d: <a 
href=\"http:\/\/mng.bz\/eHCi\">http:\/\/mng.bz\/eHCi<\/a>. It discusses the pros and cons of the problem as it relates to decrypting on the reverse proxy and why you must consider the most likely attacks on your website, in a process called threat modeling.<br \/>\n\u6ce8\u610f:\u5982\u679c\u60a8\u62c5\u5fc3\u53cd\u5411\u4ee3\u7406\u548c\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e4b\u95f4\u7684\u6d41\u91cf\u672a\u52a0\u5bc6\uff0c\u6211\u5efa\u8bae\u60a8\u9605\u8bfb Troy Hunt \u7684\u535a\u6587\u201cCloudFlare\u3001SSL \u548c\u4e0d\u5065\u5eb7\u7684\u5b89\u5168\u7edd\u5bf9\u4e3b\u4e49\u201d\uff1a<a href=\"http:\/\/mng.bz\/eHCi\">http:\/\/mng.bz\/eHCi<\/a>\u3002\u5b83\u8ba8\u8bba\u4e86\u4e0e\u53cd\u5411\u4ee3\u7406\u89e3\u5bc6\u76f8\u5173\u7684\u95ee\u9898\u7684\u5229\u5f0a\uff0c\u4ee5\u53ca\u4e3a\u4ec0\u4e48\u60a8\u5fc5\u987b\u5728\u79f0\u4e3a\u5a01\u80c1\u5efa\u6a21\u7684\u8fc7\u7a0b\u4e2d\u8003\u8651\u6700\u6709\u53ef\u80fd\u5bf9\u60a8\u7f51\u7ad9\u7684\u653b\u51fb\u3002<\/p>\n<p>Depending on the specific infrastructure where you\u2019re hosting your app, SSL\/TLS could be offloaded to a dedicated device on your network, a third-party service like Cloudflare, or a reverse proxy (such as Internet Information Services [IIS], NGINX, or HAProxy) running on the same or a different server. 
Nevertheless, in some situations, you may need to handle SSL\/TLS directly in your app:<br \/>\n\u6839\u636e\u60a8\u6258\u7ba1\u5e94\u7528\u7a0b\u5e8f\u7684\u7279\u5b9a\u57fa\u7840\u8bbe\u65bd\uff0cSSL\/TLS \u53ef\u4ee5\u5378\u8f7d\u5230\u60a8\u7f51\u7edc\u4e0a\u7684\u4e13\u7528\u8bbe\u5907\u3001\u7b2c\u4e09\u65b9\u670d\u52a1\uff08\u5982 Cloudflare\uff09\u6216\u53cd\u5411\u4ee3\u7406\uff08\u5982 Internet Information Services [IIS]\u3001NGINX \u6216 HAProxy\uff09\u5728\u76f8\u540c\u6216\u4e0d\u540c\u7684\u670d\u52a1\u5668\u4e0a\u8fd0\u884c\u3002\u4e0d\u8fc7\uff0c\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u60a8\u53ef\u80fd\u9700\u8981\u76f4\u63a5\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u5904\u7406 SSL\/TLS\uff1a<\/p>\n<p>\u2022  If you\u2019re exposing Kestrel to the internet directly, without a reverse proxy\u2014This is a supported approach since ASP.NET Core 3.0, and can give high performance. It is also often the case when you\u2019re developing your app locally.<br \/>\n\u5982\u679c\u60a8\u5c06 Kestrel \u76f4\u63a5\u66b4\u9732\u5728 Internet \u4e0a\uff0c\u800c\u4e0d\u4f7f\u7528\u53cd\u5411\u4ee3\u7406 - \u8fd9\u662f\u81ea ASP.NET Core 3.0 \u4ee5\u6765\u53d7\u652f\u6301\u7684\u65b9\u6cd5\uff0c\u5e76\u4e14\u53ef\u4ee5\u63d0\u4f9b\u9ad8\u6027\u80fd\u3002\u5728\u672c\u5730\u5f00\u53d1\u5e94\u7528\u7a0b\u5e8f\u65f6\uff0c\u4e5f\u7ecf\u5e38\u4f1a\u51fa\u73b0\u8fd9\u79cd\u60c5\u51b5\u3002<\/p>\n<p>\u2022  If having HTTP between the reverse proxy and your app is not acceptable\u2014While securing traffic inside your network is less critical compared with external traffic, it is undoubtedly more secure to use HTTPS for internal traffic too. 
This may be a hard requirement for some applications or sectors.<br \/>\n\u5982\u679c\u4e0d\u80fd\u63a5\u53d7\u5728\u53cd\u5411\u4ee3\u7406\u548c\u5e94\u7528\u7a0b\u5e8f\u4e4b\u95f4\u4f7f\u7528 HTTP \u2013 \u867d\u7136\u4e0e\u5916\u90e8\u6d41\u91cf\u76f8\u6bd4\uff0c\u4fdd\u62a4\u7f51\u7edc\u5185\u90e8\u6d41\u91cf\u4e0d\u90a3\u4e48\u91cd\u8981\uff0c\u4f46\u5bf9\u5185\u90e8\u6d41\u91cf\u4f7f\u7528 HTTPS \u65e0\u7591\u4e5f\u66f4\u5b89\u5168\u3002\u5bf9\u4e8e\u67d0\u4e9b\u5e94\u7528\u7a0b\u5e8f\u6216\u90e8\u95e8\u6765\u8bf4\uff0c\u8fd9\u53ef\u80fd\u662f\u4e00\u4e2a\u786c\u6027\u8981\u6c42\u3002<\/p>\n<p>\u2022  If you\u2019re using technology that requires HTTPS\u2014Some newer network protocols, such as gRPC and HTTP\/2, generally require an end-to-end HTTPS connection.<br \/>\n\u5982\u679c\u4f7f\u7528\u9700\u8981 HTTPS \u7684\u6280\u672f - \u67d0\u4e9b\u8f83\u65b0\u7684\u7f51\u7edc\u534f\u8bae \uff08\u5982 gRPC \u548c HTTP\/2\uff09 \u901a\u5e38\u9700\u8981\u7aef\u5230\u7aef HTTPS \u8fde\u63a5\u3002<\/p>\n<p>In each of these scenarios, you\u2019ll need to configure a TLS certificate for your application so Kestrel can receive HTTPS traffic. 
In section 28.2 you\u2019ll see the easiest way to get started with HTTPS when developing locally, using the ASP.NET Core development certificate.<br \/>\n\u5728\u4e0a\u8ff0\u6bcf\u79cd\u60c5\u51b5\u4e0b\uff0c\u60a8\u90fd\u9700\u8981\u4e3a\u5e94\u7528\u7a0b\u5e8f\u914d\u7f6e TLS \u8bc1\u4e66\uff0c\u4ee5\u4fbf Kestrel \u53ef\u4ee5\u63a5\u6536 HTTPS \u6d41\u91cf\u3002\u5728 Section 28.2 \u4e2d\uff0c\u60a8\u5c06\u770b\u5230\u5728\u672c\u5730\u5f00\u53d1\u65f6\u4f7f\u7528 ASP.NET Core \u5f00\u53d1\u8bc1\u4e66\u5f00\u59cb\u4f7f\u7528 HTTPS \u7684\u6700\u7b80\u5355\u65b9\u6cd5\u3002<\/p>\n<h2>28.2 Using the ASP.NET Core HTTPS development certificates<\/h2>\n<p>28.2 \u4f7f\u7528 ASP.NET Core HTTPS \u5f00\u53d1\u8bc1\u4e66<\/p>\n<p>Working with HTTPS certificates is easier than it used to be, but unfortunately it can still be a confusing topic, especially if you\u2019re a newcomer to the web. In this section you\u2019ll learn how the .NET software development kit (SDK), Visual Studio, and IIS Express try to improve this experience by handling a lot of the grunt work for you, and what to do when things go wrong.<br \/>\n\u4f7f\u7528 HTTPS \u8bc1\u4e66\u6bd4\u4ee5\u524d\u66f4\u5bb9\u6613\uff0c\u4f46\u4e0d\u5e78\u7684\u662f\uff0c\u5b83\u4ecd\u7136\u662f\u4e00\u4e2a\u4ee4\u4eba\u56f0\u60d1\u7684\u8bdd\u9898\uff0c\u5c24\u5176\u662f\u5982\u679c\u60a8\u662f Web \u65b0\u624b\u3002\u5728\u672c\u8282\u4e2d\uff0c\u60a8\u5c06\u4e86\u89e3 .NET \u8f6f\u4ef6\u5f00\u53d1\u5de5\u5177\u5305 \uff08SDK\uff09\u3001Visual Studio \u548c IIS Express \u5982\u4f55\u901a\u8fc7\u4e3a\u60a8\u5904\u7406\u5927\u91cf\u7e41\u91cd\u7684\u5de5\u4f5c\u6765\u5c1d\u8bd5\u6539\u5584\u8fd9\u79cd\u4f53\u9a8c\uff0c\u4ee5\u53ca\u51fa\u73b0\u95ee\u9898\u65f6\u8be5\u600e\u4e48\u505a\u3002<\/p>\n<p>The first time you run a dotnet command using the .NET SDK, the SDK installs an HTTPS development certificate on your machine. 
Any ASP.NET Core application you create using the default templates (or for which you don\u2019t explicitly configure certificates) will use this development certificate to handle HTTPS traffic. However, the development certificate is not trusted by default. If you access a site that\u2019s using an untrusted certificate, you\u2019ll get a browser warning, as shown in figure 28.4.<br \/>\n\u9996\u6b21\u4f7f\u7528 .NET SDK \u8fd0\u884c dotnet \u547d\u4ee4\u65f6\uff0cSDK \u4f1a\u5728\u8ba1\u7b97\u673a\u4e0a\u5b89\u88c5 HTTPS \u5f00\u53d1\u8bc1\u4e66\u3002\u60a8\u4f7f\u7528\u9ed8\u8ba4\u6a21\u677f\uff08\u6216\u672a\u4e3a\u5176\u660e\u786e\u914d\u7f6e\u8bc1\u4e66\uff09\u521b\u5efa\u7684\u4efb\u4f55 ASP.NET Core \u5e94\u7528\u7a0b\u5e8f\u90fd\u5c06\u4f7f\u7528\u6b64\u5f00\u53d1\u8bc1\u4e66\u6765\u5904\u7406 HTTPS \u6d41\u91cf\u3002\u4f46\u662f\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u5f00\u53d1\u8bc1\u4e66\u4e0d\u53d7\u4fe1\u4efb\u3002\u5982\u679c\u60a8\u8bbf\u95ee\u7684\u7ad9\u70b9\u4f7f\u7528\u4e0d\u53d7\u4fe1\u4efb\u7684\u8bc1\u4e66\uff0c\u60a8\u5c06\u6536\u5230\u6d4f\u89c8\u5668\u8b66\u544a\uff0c\u5982\u56fe 28.4 \u6240\u793a\u3002<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2804.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.4 The developer certificate is not trusted by default, so apps serving HTTPS traffic using it will be marked as insecure by browsers. 
Although you can bypass the warnings if necessary, you should instead update the certificate to be trusted.<br \/>\n\u56fe 28.4 \u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u5f00\u53d1\u8005\u8bc1\u4e66\u4e0d\u53d7\u4fe1\u4efb\uff0c\u56e0\u6b64\u4f7f\u7528\u8be5\u8bc1\u4e66\u63d0\u4f9b HTTPS \u6d41\u91cf\u7684\u5e94\u7528\u7a0b\u5e8f\u5c06\u88ab\u6d4f\u89c8\u5668\u6807\u8bb0\u4e3a\u4e0d\u5b89\u5168\u3002\u5c3d\u7ba1\u60a8\u53ef\u4ee5\u6839\u636e\u9700\u8981\u7ed5\u8fc7\u8b66\u544a\uff0c\u4f46\u60a8\u5e94\u8be5\u6539\u4e3a\u5c06\u8be5\u8bc1\u4e66\u8bbe\u4e3a\u53d7\u4fe1\u4efb\u3002<\/p>\n<blockquote>\n<p>A brief primer on certificates and signing<br \/>\n\u8bc1\u4e66\u548c\u7b7e\u540d\u7b80\u8981\u5165\u95e8<\/p>\n<p>HTTPS uses public key cryptography as part of the data-encryption process. This uses two keys: a public key that anyone can see and a private key that only your server can see. Anything encrypted with the public key can be decrypted only with the private key. That way, a browser can encrypt something with your server\u2019s public key, and only your server can decrypt it. 
A complete TLS certificate consists of both the public and private parts.<br \/>\nHTTPS \u4f7f\u7528\u516c\u94a5\u52a0\u5bc6\u4f5c\u4e3a\u6570\u636e\u52a0\u5bc6\u8fc7\u7a0b\u7684\u4e00\u90e8\u5206\u3002\u8fd9\u4f7f\u7528\u4e24\u4e2a\u5bc6\u94a5\uff1a\u4efb\u4f55\u4eba\u90fd\u53ef\u4ee5\u770b\u5230\u7684\u516c\u94a5\u548c\u53ea\u6709\u60a8\u7684\u670d\u52a1\u5668\u53ef\u4ee5\u770b\u5230\u7684\u79c1\u94a5\u3002\u4f7f\u7528\u516c\u94a5\u52a0\u5bc6\u7684\u4efb\u4f55\u5185\u5bb9\u90fd\u53ea\u80fd\u4f7f\u7528\u79c1\u94a5\u89e3\u5bc6\u3002\u8fd9\u6837\uff0c\u6d4f\u89c8\u5668\u53ef\u4ee5\u4f7f\u7528\u60a8\u670d\u52a1\u5668\u7684\u516c\u94a5\u52a0\u5bc6\u67d0\u4e9b\u5185\u5bb9\uff0c\u5e76\u4e14\u53ea\u6709\u60a8\u7684\u670d\u52a1\u5668\u53ef\u4ee5\u89e3\u5bc6\u5b83\u3002\u5b8c\u6574\u7684 TLS \u8bc1\u4e66\u7531\u516c\u6709\u90e8\u5206\u548c\u79c1\u6709\u90e8\u5206\u7ec4\u6210\u3002<\/p>\n<p>When a browser connects to your app, the server sends the public key part of the TLS certificate. But how does the browser know that it was definitely your server that sent the certificate? To achieve this, your TLS certificate contains additional certificates, including one or more certificates from a third party, a certificate authority (CA). 
At the end of the certificate chain is the root certificate.<br \/>\n\u5f53\u6d4f\u89c8\u5668\u8fde\u63a5\u5230\u60a8\u7684\u5e94\u7528\u65f6\uff0c\u670d\u52a1\u5668\u4f1a\u53d1\u9001 TLS \u8bc1\u4e66\u7684\u516c\u94a5\u90e8\u5206\u3002\u4f46\u662f\u6d4f\u89c8\u5668\u5982\u4f55\u77e5\u9053\u53d1\u9001\u8bc1\u4e66\u7684\u7edd\u5bf9\u662f\u60a8\u7684\u670d\u52a1\u5668\u5462\uff1f\u4e3a\u6b64\uff0c\u60a8\u7684 TLS \u8bc1\u4e66\u5305\u542b\u5176\u4ed6\u8bc1\u4e66\uff0c\u5305\u62ec\u6765\u81ea\u7b2c\u4e09\u65b9\uff08\u8bc1\u4e66\u9881\u53d1\u673a\u6784 \uff08CA\uff09\uff09\u7684\u4e00\u4e2a\u6216\u591a\u4e2a\u8bc1\u4e66\u3002\u8bc1\u4e66\u94fe\u7684\u672b\u5c3e\u662f\u6839\u8bc1\u4e66\u3002<\/p>\n<p>CAs are special trusted entities, and browsers are hardcoded to trust specific root certificates. For the TLS certificate for your app to be trusted, it must contain (or be signed by) a trusted root certificate. Browsers periodically update their internal list of root certificates and revoke root certificates that can no longer be trusted.<br \/>\nCA \u662f\u7279\u6b8a\u7684\u53d7\u4fe1\u4efb\u5b9e\u4f53\uff0c\u6d4f\u89c8\u5668\u88ab\u786c\u7f16\u7801\u4e3a\u4fe1\u4efb\u7279\u5b9a\u7684\u6839\u8bc1\u4e66\u3002\u8981\u4f7f\u5e94\u7528\u7684 TLS \u8bc1\u4e66\u53d7\u4fe1\u4efb\uff0c\u5b83\u5fc5\u987b\u5305\u542b\u53d7\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66\uff08\u6216\u7531\u5176\u7b7e\u540d\uff09\u3002\u6d4f\u89c8\u5668\u4f1a\u5b9a\u671f\u66f4\u65b0\u5176\u5185\u90e8\u6839\u8bc1\u4e66\u5217\u8868\uff0c\u5e76\u540a\u9500\u4e0d\u518d\u53d7\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66\u3002<\/p>\n<p>When you use the ASP.NET Core development certificate, or if you create your own self-signed certificate, your site\u2019s HTTPS is missing that trusted root certificate. That means browsers won\u2019t trust your certificate and won\u2019t connect to your server by default. 
To get around this, you need to tell your development machine to explicitly trust the certificate.<br \/>\n\u5f53\u60a8\u4f7f\u7528 ASP.NET Core \u5f00\u53d1\u8bc1\u4e66\u65f6\uff0c\u6216\u8005\u5982\u679c\u60a8\u521b\u5efa\u81ea\u5df1\u7684\u81ea\u7b7e\u540d\u8bc1\u4e66\uff0c\u5219\u7ad9\u70b9\u7684 HTTPS \u7f3a\u5c11\u8be5\u53d7\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66\u3002\u8fd9\u610f\u5473\u7740\u6d4f\u89c8\u5668\u4e0d\u4f1a\u4fe1\u4efb\u60a8\u7684\u8bc1\u4e66\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u4e0d\u4f1a\u8fde\u63a5\u5230\u60a8\u7684\u670d\u52a1\u5668\u3002\u8981\u89e3\u51b3\u6b64\u95ee\u9898\uff0c\u60a8\u9700\u8981\u544a\u8bc9\u5f00\u53d1\u8ba1\u7b97\u673a\u663e\u5f0f\u4fe1\u4efb\u8be5\u8bc1\u4e66\u3002<\/p>\n<p>In production, you can\u2019t use a development or self-signed certificate, as a user\u2019s browser won\u2019t trust it. Instead, you need to obtain a signed HTTPS certificate from a service like Let\u2019s Encrypt or from a cloud provider like AWS, Azure, or Cloudflare. These certificates are already signed by a trusted CA, so they are automatically trusted by browsers.<br \/>\n\u5728\u751f\u4ea7\u73af\u5883\u4e2d\uff0c\u60a8\u4e0d\u80fd\u4f7f\u7528\u5f00\u53d1\u8bc1\u4e66\u6216\u81ea\u7b7e\u540d\u8bc1\u4e66\uff0c\u56e0\u4e3a\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e0d\u4f1a\u4fe1\u4efb\u5b83\u3002\u76f8\u53cd\uff0c\u60a8\u9700\u8981\u4ece Let's Encrypt \u7b49\u670d\u52a1\u6216 AWS\u3001Azure \u6216 Cloudflare \u7b49\u4e91\u63d0\u4f9b\u5546\u5904\u83b7\u53d6\u7b7e\u540d\u7684 HTTPS \u8bc1\u4e66\u3002\u8fd9\u4e9b\u8bc1\u4e66\u5df2\u7531\u53d7\u4fe1\u4efb\u7684 CA \u7b7e\u540d\uff0c\u56e0\u6b64\u6d4f\u89c8\u5668\u4f1a\u81ea\u52a8\u4fe1\u4efb\u5b83\u4eec\u3002<\/p>\n<\/blockquote>\n<p>To solve these browser warnings, you need to trust the certificate. Trusting a certificate is a sensitive operation; it\u2019s saying \u201cI know this certificate doesn\u2019t look quite right, but ignore that,\u201d so it\u2019s hard to do automatically. 
If you\u2019re running on Windows or macOS, you can trust the development certificate by running<br \/>\n\u8981\u89e3\u51b3\u8fd9\u4e9b\u6d4f\u89c8\u5668\u8b66\u544a\uff0c\u60a8\u9700\u8981\u4fe1\u4efb\u8be5\u8bc1\u4e66\u3002\u4fe1\u4efb\u8bc1\u4e66\u662f\u4e00\u9879\u654f\u611f\u64cd\u4f5c\uff1b\u5b83\u8bf4\u201c\u6211\u77e5\u9053\u8fd9\u4e2a\u8bc1\u4e66\u770b\u8d77\u6765\u4e0d\u592a\u5bf9\u52b2\uff0c\u4f46\u8bf7\u5ffd\u7565\u5b83\u201d\uff0c\u6240\u4ee5\u5f88\u96be\u81ea\u52a8\u5b8c\u6210\u3002\u5982\u679c\u60a8\u5728 Windows \u6216 macOS \u4e0a\u8fd0\u884c\uff0c\u5219\u53ef\u4ee5\u901a\u8fc7\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4\u6765\u4fe1\u4efb\u5f00\u53d1\u8bc1\u4e66\uff1a<\/p>\n<pre><code>dotnet dev-certs https --trust<\/code><\/pre>\n<p>This command trusts the certificate by registering it in the operating system\u2019s certificate store. After you run this command, you should be able to access your websites without seeing any warnings or \u201cnot secure\u201d labels, as shown in figure 28.5.<br \/>\n\u6b64\u547d\u4ee4\u901a\u8fc7\u5728\u64cd\u4f5c\u7cfb\u7edf\u7684\u8bc1\u4e66\u5b58\u50a8\u4e2d\u6ce8\u518c\u8bc1\u4e66\u6765\u4fe1\u4efb\u8bc1\u4e66\u3002\u8fd0\u884c\u6b64\u547d\u4ee4\u540e\uff0c\u60a8\u5e94\u8be5\u80fd\u591f\u8bbf\u95ee\u60a8\u7684\u7f51\u7ad9\uff0c\u800c\u4e0d\u4f1a\u770b\u5230\u4efb\u4f55\u8b66\u544a\u6216 \u201cnot secure\u201d \u6807\u7b7e\uff0c\u5982\u56fe 28.5 \u6240\u793a\u3002<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2805.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.5 Once the development certificate is trusted, you will no longer see browser warnings about the connection.<br \/>\n\u56fe 28.5 \u4e00\u65e6\u5f00\u53d1\u8bc1\u4e66\u88ab\u4fe1\u4efb\uff0c\u60a8\u5c06\u4e0d\u518d\u770b\u5230\u6709\u5173\u8fde\u63a5\u7684\u6d4f\u89c8\u5668\u8b66\u544a\u3002<\/p>\n<p><b>TIP<\/b> You may need to close your browser after trusting the certificate to clear the browser\u2019s cache.<br 
\/>\n\u63d0\u793a:\u60a8\u53ef\u80fd\u9700\u8981\u5728\u4fe1\u4efb\u8bc1\u4e66\u540e\u5173\u95ed\u6d4f\u89c8\u5668\u4ee5\u6e05\u9664\u6d4f\u89c8\u5668\u7684\u7f13\u5b58\u3002<\/p>\n<p>If you\u2019re using Windows, Visual Studio, and IIS Express for development, then you might not need to explicitly trust the development certificate. IIS Express acts as a reverse proxy when you\u2019re developing locally, so it handles the SSL\/TLS setup itself. On top of that, Visual Studio should trust the IIS development certificate as part of installation, so you may never see the browser warnings at all.<br \/>\n\u5982\u679c\u60a8\u4f7f\u7528 Windows\u3001Visual Studio \u548c IIS Express \u8fdb\u884c\u5f00\u53d1\uff0c\u5219\u53ef\u80fd\u4e0d\u9700\u8981\u663e\u5f0f\u4fe1\u4efb\u5f00\u53d1\u8bc1\u4e66\u3002\u5728\u672c\u5730\u5f00\u53d1\u65f6\uff0cIIS Express \u5145\u5f53\u53cd\u5411\u4ee3\u7406\uff0c\u56e0\u6b64\u5b83\u4f1a\u81ea\u884c\u5904\u7406 SSL\/TLS \u8bbe\u7f6e\u3002\u6700\u91cd\u8981\u7684\u662f\uff0cVisual Studio \u5e94\u8be5\u4fe1\u4efb IIS \u5f00\u53d1\u8bc1\u4e66\u4f5c\u4e3a\u5b89\u88c5\u7684\u4e00\u90e8\u5206\uff0c\u56e0\u6b64\u60a8\u53ef\u80fd\u6839\u672c\u770b\u4e0d\u5230\u6d4f\u89c8\u5668\u8b66\u544a\u3002<\/p>\n<p><b>TIP<\/b> In macOS, before .NET 7, you would have to retrust the developer certificate repeatedly for every new app. In .NET 7, the process is a lot smoother, so you shouldn\u2019t have to retrust it anything like as often!<br \/>\n\u63d0\u793a:\u5728 macOS \u4e2d\uff0c\u5728 .NET 7 \u4e4b\u524d\uff0c\u60a8\u5fc5\u987b\u4e3a\u6bcf\u4e2a\u65b0\u5e94\u7528\u7a0b\u5e8f\u53cd\u590d\u91cd\u65b0\u4fe1\u4efb\u5f00\u53d1\u4eba\u5458\u8bc1\u4e66\u3002\u5728 .NET 7 \u4e2d\uff0c\u8be5\u8fc7\u7a0b\u8981\u987a\u7545\u5f97\u591a\uff0c\u56e0\u6b64\u60a8\u4e0d\u5fc5\u50cf\u4ee5\u524d\u90a3\u6837\u7ecf\u5e38\u91cd\u65b0\u4fe1\u4efb\u5b83\uff01<\/p>\n<p>Trusting the developer certificate works smoothly in Windows and macOS, in most cases. 
Unfortunately, trusting the certificate in Linux is a little trickier and depends on the specific flavor of Linux you\u2019re using. On top of that, software in Linux often uses its own certificate store, so you\u2019ll probably need to add the certificate directly to your favorite browser. If you\u2019re using any of the following scenarios, you\u2019ll need to do more work:<br \/>\n\u5728\u5927\u591a\u6570\u60c5\u51b5\u4e0b\uff0c\u4fe1\u4efb\u5f00\u53d1\u4eba\u5458\u8bc1\u4e66\u5728 Windows \u548c macOS \u4e2d\u53ef\u4ee5\u987a\u5229\u8fd0\u884c\u3002\u4e0d\u5e78\u7684\u662f\uff0c\u5728 Linux \u4e2d\u4fe1\u4efb\u8bc1\u4e66\u6709\u70b9\u68d8\u624b\uff0c\u5177\u4f53\u53d6\u51b3\u4e8e\u60a8\u4f7f\u7528\u7684 Linux \u7684\u7279\u5b9a\u98ce\u683c\u3002\u6700\u91cd\u8981\u7684\u662f\uff0cLinux \u4e2d\u7684\u8f6f\u4ef6\u901a\u5e38\u4f7f\u7528\u81ea\u5df1\u7684\u8bc1\u4e66\u5b58\u50a8\uff0c\u56e0\u6b64\u60a8\u53ef\u80fd\u9700\u8981\u5c06\u8bc1\u4e66\u76f4\u63a5\u6dfb\u52a0\u5230\u60a8\u6700\u559c\u6b22\u7684\u6d4f\u89c8\u5668\u4e2d\u3002\u5982\u679c\u60a8\u4f7f\u7528\u7684\u662f\u4ee5\u4e0b\u4efb\u4f55\u65b9\u6848\uff0c\u5219\u9700\u8981\u6267\u884c\u66f4\u591a\u5de5\u4f5c\uff1a<\/p>\n<p>\u2022  Firefox browser in Windows, macOS, or Linux<br \/>\n\u2022  Edge or Chrome browsers in Linux<br \/>\n\u2022  API-to-API communication in Linux<br \/>\n\u2022  An app running in Windows Subsystem for Linux (WSL)<br \/>\n\u2022  Running applications in Docker<\/p>\n<p>Each of these scenarios requires a slightly different approach. 
In many cases it\u2019s one or two commands, so I suggest following the documentation for your scenario carefully at <a href=\"http:\/\/mng.bz\/JglK\">http:\/\/mng.bz\/JglK<\/a>.<br \/>\n\u8fd9\u4e9b\u65b9\u6848\u4e2d\u7684\u6bcf\u4e00\u79cd\u90fd\u9700\u8981\u7565\u6709\u4e0d\u540c\u7684\u65b9\u6cd5\u3002\u5728\u8bb8\u591a\u60c5\u51b5\u4e0b\uff0c\u5b83\u53ea\u6709\u4e00\u4e2a\u6216\u4e24\u4e2a\u547d\u4ee4\uff0c\u56e0\u6b64\u6211\u5efa\u8bae\u60a8\u5728 <a href=\"http:\/\/mng.bz\/JglK\">http:\/\/mng.bz\/JglK<\/a> \u4e2d\u4ed4\u7ec6\u9075\u5faa\u9002\u7528\u4e8e\u60a8\u7684\u65b9\u6848\u7684\u6587\u6863\u3002<\/p>\n<p><b>TIP<\/b> If you\u2019ve tried trusting the certificate, and your app is still giving errors, try closing all your browser windows and running dotnet dev-certs https --clean followed by dotnet dev-certs https --trust. Browsers cache certificate trust, so the close and open step is important!<br \/>\n\u63d0\u793a:\u5982\u679c\u5df2\u5c1d\u8bd5\u4fe1\u4efb\u8bc1\u4e66\uff0c\u4f46\u5e94\u7528\u4ecd\u7136\u63d0\u4f9b\u9519\u8bef\uff0c\u8bf7\u5c1d\u8bd5\u5173\u95ed\u6240\u6709\u6d4f\u89c8\u5668\u7a97\u53e3\u5e76\u8fd0\u884c dotnet dev-certs https --clean\uff0c\u7136\u540e\u8fd0\u884c dotnet dev-certs https --trust\u3002\u6d4f\u89c8\u5668\u4f1a\u7f13\u5b58\u8bc1\u4e66\u4fe1\u4efb\uff0c\u56e0\u6b64\u5173\u95ed\u548c\u6253\u5f00\u6b65\u9aa4\u5f88\u91cd\u8981\uff01<\/p>\n<p>The ASP.NET Core and IIS development certificates make it easy to use Kestrel with HTTPS locally, but those certificates won\u2019t help once you move to production. 
In the next section I show how to configure Kestrel to use a production TLS certificate.<br \/>\nASP.NET Core \u548c IIS \u5f00\u53d1\u8bc1\u4e66\u4f7f\u5728\u672c\u5730\u4f7f\u7528 Kestrel \u548c HTTPS \u53d8\u5f97\u5bb9\u6613\uff0c\u4f46\u4e00\u65e6\u60a8\u8fc1\u79fb\u5230\u751f\u4ea7\u73af\u5883\uff0c\u8fd9\u4e9b\u8bc1\u4e66\u5c06\u65e0\u6d4e\u4e8e\u4e8b\u3002\u5728\u4e0b\u4e00\u8282\u4e2d\uff0c\u6211\u5c06\u4ecb\u7ecd\u5982\u4f55\u914d\u7f6e Kestrel \u4ee5\u4f7f\u7528\u751f\u4ea7 TLS \u8bc1\u4e66\u3002<\/p>\n<h2>28.3 Configuring Kestrel with a production HTTPS certificate<\/h2>\n<p>28.3 \u4f7f\u7528\u751f\u4ea7 HTTPS \u8bc1\u4e66\u914d\u7f6e Kestrel<\/p>\n<p>Creating a TLS certificate for production is often a laborious process, as it requires proving to a third-party CA that you own the domain you\u2019re creating the certificate for. This is an important step in the trust process and ensures that attackers can\u2019t impersonate your servers. The result of the process is one or more files, which is the HTTPS certificate you need to configure for your app.<br \/>\n\u521b\u5efa\u7528\u4e8e\u751f\u4ea7\u7684 TLS \u8bc1\u4e66\u901a\u5e38\u662f\u4e00\u4e2a\u8d39\u529b\u7684\u8fc7\u7a0b\uff0c\u56e0\u4e3a\u5b83\u9700\u8981\u5411\u7b2c\u4e09\u65b9 CA \u8bc1\u660e\u60a8\u62e5\u6709\u8981\u4e3a\u5176\u521b\u5efa\u8bc1\u4e66\u7684\u57df\u3002\u8fd9\u662f\u4fe1\u4efb\u8fc7\u7a0b\u4e2d\u7684\u4e00\u4e2a\u91cd\u8981\u6b65\u9aa4\uff0c\u53ef\u786e\u4fdd\u653b\u51fb\u8005\u65e0\u6cd5\u6a21\u62df\u60a8\u7684\u670d\u52a1\u5668\u3002\u8be5\u8fc7\u7a0b\u7684\u7ed3\u679c\u662f\u4e00\u4e2a\u6216\u591a\u4e2a\u6587\u4ef6\uff0c\u8fd9\u662f\u60a8\u9700\u8981\u4e3a\u5e94\u7528\u7a0b\u5e8f\u914d\u7f6e\u7684 HTTPS \u8bc1\u4e66\u3002<\/p>\n<p><b>TIP<\/b> The specifics of how to obtain a certificate vary by provider and by your OS platform, so follow your provider\u2019s documentation carefully. 
The vagaries and complexities of this process are one of the reasons I strongly favor the SSL\/TLS-offloading or \u201cone-click\u201d approaches described previously. Those approaches mean my apps don\u2019t need to deal with certificates, and I don\u2019t need to use the approaches described in this section; I delegate that responsibility to another piece of the network, or to the underlying platform.<br \/>\n\u63d0\u793a:\u5982\u4f55\u83b7\u53d6\u8bc1\u4e66\u7684\u5177\u4f53\u5185\u5bb9\u56e0\u63d0\u4f9b\u5546\u548c OS \u5e73\u53f0\u800c\u5f02\uff0c\u56e0\u6b64\u8bf7\u4ed4\u7ec6\u9075\u5faa\u63d0\u4f9b\u5546\u7684\u6587\u6863\u3002\u6b64\u8fc7\u7a0b\u7684\u53d8\u5e7b\u83ab\u6d4b\u548c\u590d\u6742\u6027\u662f\u6211\u5f3a\u70c8\u652f\u6301\u524d\u9762\u63cf\u8ff0\u7684 SSL\/TLS \u5378\u8f7d\u6216\u201c\u4e00\u952e\u5f0f\u201d\u65b9\u6cd5\u7684\u539f\u56e0\u4e4b\u4e00\u3002\u8fd9\u4e9b\u65b9\u6cd5\u610f\u5473\u7740\u6211\u7684\u5e94\u7528\u7a0b\u5e8f\u4e0d\u9700\u8981\u5904\u7406\u8bc1\u4e66\uff0c\u4e5f\u4e0d\u9700\u8981\u4f7f\u7528\u672c\u8282\u4e2d\u63cf\u8ff0\u7684\u65b9\u6cd5;\u6211\u5c06\u8be5\u8d23\u4efb\u59d4\u6258\u7ed9\u7f51\u7edc\u7684\u53e6\u4e00\u4e2a\u90e8\u5206\u6216\u5e95\u5c42\u5e73\u53f0\u3002<\/p>\n<p>Once you have a certificate, you need to configure Kestrel to use it to serve HTTPS traffic. In chapter 27 you saw how to set the port your application listens on with the ASPNETCORE_URLS environment variable or via the command line, and you saw that you could provide an HTTPS URL. As you didn\u2019t provide any certificate configuration, Kestrel used the development certificate by default. 
In production you need to tell Kestrel which certificate to use.<br \/>\n\u83b7\u5f97\u8bc1\u4e66\u540e\uff0c\u60a8\u9700\u8981\u914d\u7f6e Kestrel \u4ee5\u4f7f\u7528\u5b83\u6765\u63d0\u4f9b HTTPS \u6d41\u91cf\u3002\u5728\u7b2c 27 \u7ae0\u4e2d\uff0c\u60a8\u4e86\u89e3\u4e86\u5982\u4f55\u4f7f\u7528 ASPNETCORE_URLS \u73af\u5883\u53d8\u91cf\u6216\u901a\u8fc7\u547d\u4ee4\u884c\u8bbe\u7f6e\u5e94\u7528\u7a0b\u5e8f\u4fa6\u542c\u7684\u7aef\u53e3\uff0c\u5e76\u4e14\u60a8\u8fd8\u4e86\u89e3\u4e86\u53ef\u4ee5\u63d0\u4f9b HTTPS URL\u3002\u7531\u4e8e\u60a8\u672a\u63d0\u4f9b\u4efb\u4f55\u8bc1\u4e66\u914d\u7f6e\uff0c\u56e0\u6b64 Kestrel \u9ed8\u8ba4\u4f7f\u7528\u5f00\u53d1\u8bc1\u4e66\u3002\u5728\u751f\u4ea7\u73af\u5883\u4e2d\uff0c\u60a8\u9700\u8981\u544a\u8bc9 Kestrel \u8981\u4f7f\u7528\u54ea\u4e2a\u8bc1\u4e66\u3002<\/p>\n<p>You can configure the certificates Kestrel uses in multiple ways. For a start, you can load the certificate from multiple locations: from a .pfx file, from .pem\/.crt and .key files, or from the OS certificate store. You can also use different certificates for different ports, use a different configuration for each URL endpoint you expose, or configure Server Name Indication (SNI). 
For full details, see the \u201cReplace the default certificate from configuration\u201d section of Microsoft\u2019s \u201cConfigure endpoints for the ASP.NET Core Kestrel web server\u201d documentation: <a href=\"http:\/\/mng.bz\/wvv2\">http:\/\/mng.bz\/wvv2<\/a>.<br \/>\n\u60a8\u53ef\u4ee5\u901a\u8fc7\u591a\u79cd\u65b9\u5f0f\u914d\u7f6e Kestrel \u4f7f\u7528\u7684\u8bc1\u4e66\u3002\u9996\u5148\uff0c\u60a8\u53ef\u4ee5\u4ece\u591a\u4e2a\u4f4d\u7f6e\u52a0\u8f7d\u8bc1\u4e66\uff1a\u4ece .pfx \u6587\u4ef6\u3001\u4ece .pem\/.crt \u548c .key \u6587\u4ef6\u6216\u4ece OS \u8bc1\u4e66\u5b58\u50a8\u3002\u60a8\u8fd8\u53ef\u4ee5\u5bf9\u4e0d\u540c\u7684\u7aef\u53e3\u4f7f\u7528\u4e0d\u540c\u7684\u8bc1\u4e66\uff0c\u5bf9\u60a8\u516c\u5f00\u7684\u6bcf\u4e2a URL \u7ec8\u7aef\u8282\u70b9\u4f7f\u7528\u4e0d\u540c\u7684\u914d\u7f6e\uff0c\u6216\u914d\u7f6e\u670d\u52a1\u5668\u540d\u79f0\u6307\u793a \uff08SNI\uff09\u3002\u6709\u5173\u5b8c\u6574\u8be6\u7ec6\u4fe1\u606f\uff0c\u8bf7\u53c2\u9605 Microsoft \u7684\u201c\u4e3a ASP.NET Core Kestrel Web \u670d\u52a1\u5668\u914d\u7f6e\u7aef\u70b9\u201d\u6587\u6863\u7684\u201c\u4ece\u914d\u7f6e\u4e2d\u66ff\u6362\u9ed8\u8ba4\u8bc1\u4e66\u201d\u90e8\u5206\uff1a<a href=\"http:\/\/mng.bz\/wvv2\">http:\/\/mng.bz\/wvv2<\/a>\u3002<\/p>\n<p>The following listing shows one possible way to set a custom HTTPS certificate for your production app by configuring the default certificate Kestrel uses for HTTPS connections. You can add the \u201cKestrel:Certificates:Default\u201d section to your appsettings.json file (or use any other configuration source, as described in chapter 10) to define the .pfx file of the certificate to use. 
You must also provide the password for accessing the certificate.<br \/>\n\u4ee5\u4e0b\u6e05\u5355\u663e\u793a\u4e86\u4e00\u79cd\u53ef\u80fd\u7684\u65b9\u6cd5\uff0c\u5373\u901a\u8fc7\u914d\u7f6e Kestrel \u7528\u4e8e HTTPS \u8fde\u63a5\u7684\u9ed8\u8ba4\u8bc1\u4e66\u6765\u4e3a\u751f\u4ea7\u5e94\u7528\u7a0b\u5e8f\u8bbe\u7f6e\u81ea\u5b9a\u4e49 HTTPS \u8bc1\u4e66\u3002\u60a8\u53ef\u4ee5\u5c06 \u201cKestrel:Certificates:Default\u201d \u90e8\u5206\u6dfb\u52a0\u5230\u60a8\u7684 appsettings.json \u6587\u4ef6\u4e2d\uff08\u6216\u4f7f\u7528\u4efb\u4f55\u5176\u4ed6\u914d\u7f6e\u6e90\uff0c\u5982\u7b2c 10 \u7ae0\u6240\u8ff0\uff09\u6765\u5b9a\u4e49\u8981\u4f7f\u7528\u7684\u8bc1\u4e66\u7684 .pfx \u6587\u4ef6\u3002\u60a8\u8fd8\u5fc5\u987b\u63d0\u4f9b\u7528\u4e8e\u8bbf\u95ee\u8bc1\u4e66\u7684\u5bc6\u7801\u3002<\/p>\n<p>Listing 28.1 Configuring the default HTTPS certificate for Kestrel using a .pfx file<br \/>\n\u6e05\u5355 28.1 \u4f7f\u7528 .pfx \u6587\u4ef6\u4e3a Kestrel \u914d\u7f6e\u9ed8\u8ba4 HTTPS \u8bc1\u4e66<\/p>\n<pre><code>{\n  \"Kestrel\": {             \u2776\n    \"Certificates\": {      \u2776\n      \"Default\": {         \u2776\n        \"Path\": \"localhost.pfx\",     \u2777\n        \"Password\": \"testpassword\"   \u2778\n      }\n    }\n  }\n}<\/code><\/pre>\n<p>\u2776 Creates a configuration section at Kestrel:Certificates:Default<br \/>\n\u5728 Kestrel:Certificates:Default \u521b\u5efa\u914d\u7f6e\u90e8\u5206<\/p>\n<p>\u2777 The relative or absolute path to the certificate<br \/>\n\u8bc1\u4e66\u7684\u76f8\u5bf9\u6216\u7edd\u5bf9\u8def\u5f84<\/p>\n<p>\u2778 The password for opening the certificate<br \/>\n\u6253\u5f00\u8bc1\u4e66\u7684\u5bc6\u7801<\/p>\n<p>The preceding example is the simplest way to replace the HTTPS certificate, as it doesn\u2019t require changing any of Kestrel\u2019s defaults. 
You can use a similar approach to load the HTTPS certificate from the OS certificate store (Windows or macOS), as shown in the \u201cReplace the default certificate from configuration\u201d documentation mentioned previously (<a href=\"http:\/\/mng.bz\/wvv2\">http:\/\/mng.bz\/wvv2<\/a>).<br \/>\n\u524d\u9762\u7684\u793a\u4f8b\u662f\u66ff\u6362 HTTPS \u8bc1\u4e66\u7684\u6700\u7b80\u5355\u65b9\u6cd5\uff0c\u56e0\u4e3a\u5b83\u4e0d\u9700\u8981\u66f4\u6539 Kestrel \u7684\u4efb\u4f55\u9ed8\u8ba4\u503c\u3002\u60a8\u53ef\u4ee5\u4f7f\u7528\u7c7b\u4f3c\u7684\u65b9\u6cd5\u4ece\u64cd\u4f5c\u7cfb\u7edf\u8bc1\u4e66\u5b58\u50a8\u533a\uff08Windows \u6216 macOS\uff09\u52a0\u8f7d HTTPS \u8bc1\u4e66\uff0c\u5982\u524d\u9762\u63d0\u5230\u7684\u201c\u4ece\u914d\u7f6e\u4e2d\u66ff\u6362\u9ed8\u8ba4\u8bc1\u4e66\u201d\u6587\u6863 \uff08<a href=\"http:\/\/mng.bz\/wvv2\">http:\/\/mng.bz\/wvv2<\/a>\uff09 \u4e2d\u6240\u793a\u3002<\/p>\n<p><b>WARNING<\/b> Listing 28.1 hardcoded the certificate filename and password for demonstration, but you should never do this in production. Either load these from a configuration store like user-secrets, as you saw in chapter 10, or load the certificate from the local store. 
Never put production passwords in your appsettings.json files.<br \/>\n\u8b66\u544a:Listing 28.1 \u5bf9\u8bc1\u4e66\u6587\u4ef6\u540d\u548c\u5bc6\u7801\u8fdb\u884c\u4e86\u786c\u7f16\u7801\u4ee5\u8fdb\u884c\u6f14\u793a\uff0c\u4f46\u662f\u60a8\u6c38\u8fdc\u4e0d\u5e94\u8be5\u5728 production \u4e2d\u8fd9\u6837\u505a\u3002\u5982\u7b2c 10 \u7ae0\u6240\u793a\uff0c\u4ece\u914d\u7f6e\u5b58\u50a8\uff08\u5982 user-secrets\uff09\u52a0\u8f7d\u8fd9\u4e9b\u8bc1\u4e66\uff0c\u6216\u8005\u4ece\u672c\u5730\u5b58\u50a8\u52a0\u8f7d\u8bc1\u4e66\u3002\u5207\u52ff\u5c06\u751f\u4ea7\u5bc6\u7801\u653e\u5165 appsettings.json \u6587\u4ef6\u4e2d\u3002<\/p>\n<p>All the default ASP.NET Core templates configure your application to serve both HTTP and HTTPS traffic, and with the configuration you\u2019ve seen so far, you can ensure that your application can handle both HTTP and HTTPS in development and in production.<br \/>\n\u6240\u6709\u9ed8\u8ba4\u7684 ASP.NET Core \u6a21\u677f\u90fd\u5c06\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u914d\u7f6e\u4e3a\u540c\u65f6\u63d0\u4f9b HTTP \u548c HTTPS \u6d41\u91cf\uff0c\u5e76\u4e14\u4f7f\u7528\u60a8\u76ee\u524d\u770b\u5230\u7684\u914d\u7f6e\uff0c\u60a8\u53ef\u4ee5\u786e\u4fdd\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u5728\u5f00\u53d1\u548c\u751f\u4ea7\u4e2d\u540c\u65f6\u5904\u7406 HTTP \u548c HTTPS\u3002<\/p>\n<p>However, whether you use HTTP or HTTPS may depend on the URL users click when they first browse to your app. For example, imagine you have an app that listens using the default ASP.NET Core URLs: <a href=\"http:\/\/localhost:5000\">http:\/\/localhost:5000<\/a> for HTTP traffic and <a href=\"https:\/\/localhost:5001\">https:\/\/localhost:5001<\/a> for HTTPS traffic. The HTTPS endpoint is available, but if a user doesn\u2019t know that and uses the HTTP URL (the default option in browsers), their traffic is unencrypted. 
Seeing as you\u2019ve gone to all the trouble to set up HTTPS, it\u2019s probably best that you force users to use it.<br \/>\n\u4f46\u662f\uff0c\u60a8\u4f7f\u7528\u7684\u662f HTTP \u8fd8\u662f HTTPS \u53ef\u80fd\u53d6\u51b3\u4e8e\u7528\u6237\u9996\u6b21\u6d4f\u89c8\u5230\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u65f6\u5355\u51fb\u7684 URL\u3002\u4f8b\u5982\uff0c\u5047\u8bbe\u60a8\u6709\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u9ed8\u8ba4\u7684 ASP.NET \u6838\u5fc3\u7f51\u5740\u8fdb\u884c\u76d1\u542c\uff1a<a href=\"http:\/\/localhost:5000\">http:\/\/localhost:5000<\/a> \u7528\u4e8e HTTP \u6d41\u91cf\uff0c<a href=\"https:\/\/localhost:5001\">https:\/\/localhost:5001<\/a> \u7528\u4e8e HTTPS \u6d41\u91cf\u3002HTTPS \u7ec8\u7aef\u8282\u70b9\u53ef\u7528\uff0c\u4f46\u5982\u679c\u7528\u6237\u4e0d\u77e5\u9053\u5e76\u4f7f\u7528 HTTP URL\uff08\u6d4f\u89c8\u5668\u4e2d\u7684\u9ed8\u8ba4\u9009\u9879\uff09\uff0c\u5219\u5176\u6d41\u91cf\u5c06\u672a\u52a0\u5bc6\u3002\u9274\u4e8e\u60a8\u5df2\u7ecf\u8d39\u5c3d\u5fc3\u601d\u8bbe\u7f6e HTTPS\uff0c\u6700\u597d\u5f3a\u5236\u7528\u6237\u4f7f\u7528\u5b83\u3002<\/p>\n<h2>28.4 Enforcing HTTPS for your whole app<\/h2>\n<p>28.4 \u4e3a\u6574\u4e2a\u5e94\u7528\u7a0b\u5e8f\u5f3a\u5236\u6267\u884c HTTPS<\/p>\n<p>Enforcing HTTPS across your whole website is practically required these days. Browsers are beginning to explicitly label HTTP pages as insecure; for security reasons, you must use TLS any time you\u2019re transmitting sensitive data across the internet. Additionally, thanks to HTTP\/2 (and the upcoming HTTP\/3), adding TLS can improve your app\u2019s performance. 
In this section you\u2019ll learn three techniques for enforcing HTTPS in your application.<br \/>\n\u5982\u4eca\uff0c\u5728\u6574\u4e2a\u7f51\u7ad9\u4e0a\u5f3a\u5236\u5b9e\u65bd HTTPS \u5b9e\u9645\u4e0a\u662f\u5fc5\u8981\u7684\u3002\u6d4f\u89c8\u5668\u5f00\u59cb\u660e\u786e\u5730\u5c06 HTTP \u9875\u9762\u6807\u8bb0\u4e3a\u4e0d\u5b89\u5168;\u51fa\u4e8e\u5b89\u5168\u539f\u56e0\uff0c\u60a8\u5728\u901a\u8fc7 Internet \u4f20\u8f93\u654f\u611f\u6570\u636e\u65f6\u5fc5\u987b\u4f7f\u7528 TLS\u3002\u6b64\u5916\uff0c\u5f97\u76ca\u4e8e HTTP\/2\uff08\u4ee5\u53ca\u5373\u5c06\u63a8\u51fa\u7684 HTTP\/3\uff09\uff0c\u6dfb\u52a0 TLS \u53ef\u4ee5\u63d0\u9ad8\u5e94\u7528\u7a0b\u5e8f\u7684\u6027\u80fd\u3002\u5728\u672c\u8282\u4e2d\uff0c\u60a8\u5c06\u5b66\u4e60\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u5f3a\u5236\u5b9e\u65bd HTTPS \u7684\u4e09\u79cd\u6280\u672f\u3002<\/p>\n<p><b>TIP<\/b> HTTP\/2 offers many performance improvements over HTTP\/1.x, and all modern browsers require HTTPS to enable it. For a great introduction to HTTP\/2, see Google\u2019s \u201cIntroduction to HTTP\/2\u201d at <a href=\"http:\/\/mng.bz\/9M8j\">http:\/\/mng.bz\/9M8j<\/a>. ASP.NET Core even includes support for HTTP\/3, the next version of the protocol! 
You can read about HTTP\/3 at <a href=\"http:\/\/mng.bz\/qrrJ\">http:\/\/mng.bz\/qrrJ<\/a>.<br \/>\n\u63d0\u793a:HTTP\/2 \u63d0\u4f9b\u4e86\u8bb8\u591a\u4f18\u4e8e HTTP\/1.x \u7684\u6027\u80fd\u6539\u8fdb\uff0c\u6240\u6709\u73b0\u4ee3\u6d4f\u89c8\u5668\u90fd\u9700\u8981 HTTPS \u624d\u80fd\u542f\u7528\u5b83\u3002\u6709\u5173 HTTP\/2 \u7684\u7cbe\u5f69\u4ecb\u7ecd\uff0c\u8bf7\u53c2\u9605 Google \u7684\u201cHTTP\/2 \u7b80\u4ecb\u201d\uff0c\u7f51\u5740\u4e3a <a href=\"http:\/\/mng.bz\/9M8j\">http:\/\/mng.bz\/9M8j<\/a>\u3002ASP.NET Core \u751a\u81f3\u5305\u62ec\u5bf9 HTTP\/3 \u7684\u652f\u6301\uff0c\u8fd9\u662f\u8be5\u534f\u8bae\u7684\u4e0b\u4e00\u4e2a\u7248\u672c\uff01\u60a8\u53ef\u4ee5\u5728 <a href=\"http:\/\/mng.bz\/qrrJ\">http:\/\/mng.bz\/qrrJ<\/a> \u4e0a\u9605\u8bfb\u6709\u5173 HTTP\/3 \u7684\u4fe1\u606f\u3002<\/p>\n<p>There are multiple approaches to enforcing HTTPS for your application. If you\u2019re using a reverse proxy with SSL\/TLS-offloading, it might be handled for you anyway, without your having to worry about it within your apps. If that\u2019s the case, you may be able to disregard some of the steps in this section.<br \/>\n\u6709\u591a\u79cd\u65b9\u6cd5\u53ef\u4ee5\u4e3a\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u5f3a\u5236\u5b9e\u65bd HTTPS\u3002\u5982\u679c\u60a8\u4f7f\u7528\u7684\u662f\u5177\u6709 SSL\/TLS \u5378\u8f7d\u529f\u80fd\u7684\u53cd\u5411\u4ee3\u7406\uff0c\u5219\u5b83\u53ef\u80fd\u65e0\u8bba\u5982\u4f55\u90fd\u4f1a\u4e3a\u60a8\u5904\u7406\uff0c\u800c\u65e0\u9700\u60a8\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u62c5\u5fc3\u5b83\u3002\u5982\u679c\u662f\u8fd9\u79cd\u60c5\u51b5\uff0c\u60a8\u53ef\u4ee5\u5ffd\u7565\u672c\u8282\u4e2d\u7684\u67d0\u4e9b\u6b65\u9aa4\u3002<\/p>\n<p><b>WARNING<\/b> If you\u2019re building a web API rather than a Razor Pages app, it\u2019s common to reject insecure HTTP requests entirely. 
You\u2019ll see this approach in section 28.4.3.<br \/>\n\u8b66\u544a:\u5982\u679c\u8981\u6784\u5efa Web API \u800c\u4e0d\u662f Razor Pages \u5e94\u7528\uff0c\u5219\u901a\u5e38\u4f1a\u5b8c\u5168\u62d2\u7edd\u4e0d\u5b89\u5168\u7684 HTTP \u8bf7\u6c42\u3002\u60a8\u5c06\u5728 Section 28.4.3 \u4e2d\u770b\u5230\u8fd9\u79cd\u65b9\u6cd5\u3002<\/p>\n<p>One approach to improving the security of your app is to use HTTP security headers. These are HTTP headers sent as part of your HTTP response that tell the browser how it should behave. There are many headers available, most of which restrict the features your app can use in exchange for increased security. In chapter 30 you\u2019ll see how to add your own custom headers to your HTTP responses by creating custom middleware.<br \/>\n\u63d0\u9ad8\u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u6027\u7684\u4e00\u79cd\u65b9\u6cd5\u662f\u4f7f\u7528 HTTP \u5b89\u5168\u6807\u5934\u3002\u8fd9\u4e9b\u662f\u4f5c\u4e3a HTTP \u54cd\u5e94\u7684\u4e00\u90e8\u5206\u53d1\u9001\u7684 HTTP \u6807\u5934\uff0c\u7528\u4e8e\u544a\u8bc9\u6d4f\u89c8\u5668\u5b83\u5e94\u8be5\u5982\u4f55\u8fd0\u884c\u3002\u6709\u8bb8\u591a\u53ef\u7528\u7684\u6807\u5934\uff0c\u5176\u4e2d\u5927\u591a\u6570\u90fd\u9650\u5236\u4e86\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u53ef\u4ee5\u4f7f\u7528\u7684\u529f\u80fd\uff0c\u4ee5\u6362\u53d6\u66f4\u9ad8\u7684\u5b89\u5168\u6027\u3002\u5728\u7b2c 30 \u7ae0\u4e2d\uff0c\u60a8\u5c06\u770b\u5230\u5982\u4f55\u901a\u8fc7\u521b\u5efa\u81ea\u5b9a\u4e49\u4e2d\u95f4\u4ef6\u5c06\u81ea\u5df1\u7684\u81ea\u5b9a\u4e49\u6807\u5934\u6dfb\u52a0\u5230 HTTP \u54cd\u5e94\u4e2d\u3002<\/p>\n<p><b>TIP<\/b> Scott Helme has some great guidance on this and other security headers you can add to your site, such as the Content Security Policy (CSP) header. 
See \u201cHardening your HTTP response headers\u201d on his website at <a href=\"http:\/\/mng.bz\/7DDe\">http:\/\/mng.bz\/7DDe<\/a>.<br \/>\n\u63d0\u793a:Scott Helme \u5bf9\u6b64\u6807\u5934\u4ee5\u53ca\u60a8\u53ef\u4ee5\u6dfb\u52a0\u5230\u7ad9\u70b9\u4e2d\u7684\u5176\u4ed6\u5b89\u5168\u6807\u5934\u63d0\u4f9b\u4e86\u4e00\u4e9b\u5f88\u597d\u7684\u6307\u5bfc\uff0c\u4f8b\u5982\u5185\u5bb9\u5b89\u5168\u7b56\u7565 \uff08CSP\uff09 \u6807\u5934\u3002\u8bf7\u53c2\u9605\u5176\u7f51\u7ad9\u4e0a\u7684\u201c\u5f3a\u5316 HTTP \u54cd\u5e94\u6807\u5934\u201d\uff0c\u7f51\u5740\u4e3a <a href=\"http:\/\/mng.bz\/7DDe\">http:\/\/mng.bz\/7DDe<\/a>\u3002<\/p>\n<p>One of these security headers, the HTTP Strict Transport Security (HSTS) header, can help ensure that browsers use HTTPS where it\u2019s available instead of defaulting to HTTP.<br \/>\n\u5176\u4e2d\u4e00\u4e2a\u5b89\u5168\u6807\u5934\uff0c\u5373 HTTP \u4e25\u683c\u4f20\u8f93\u5b89\u5168 \uff08HSTS\uff09 \u6807\u5934\uff0c\u53ef\u4ee5\u5e2e\u52a9\u786e\u4fdd\u6d4f\u89c8\u5668\u5728\u53ef\u7528\u7684\u60c5\u51b5\u4e0b\u4f7f\u7528 HTTPS\uff0c\u800c\u4e0d\u662f\u9ed8\u8ba4\u4f7f\u7528 HTTP\u3002<\/p>\n<h3>28.4.1 Enforcing HTTPS with HTTP Strict Transport Security headers<\/h3>\n<p>28.4.1 \u4f7f\u7528 HTTP \u4e25\u683c\u4f20\u8f93\u5b89\u5168\u6807\u5934\u5f3a\u5236\u6267\u884c HTTPS<\/p>\n<p>It\u2019s unfortunate, but by default, browsers load apps over HTTP unless otherwise specified. That means your apps must typically support both HTTP and HTTPS, even if you don\u2019t want to serve any traffic over HTTP, as shown in figure 28.6. 
On top of that, if the initial request is over HTTP, the browser may end up sending subsequent requests over HTTP too.<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2806.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.6 When you type in a URL, browsers load the app over HTTP by default. 
Depending on the links returned by your app or the URLs entered, the browser may make HTTP or HTTPS requests.<\/p>\n<p>One partial mitigation (and a security best practice) is to add HTTP Strict Transport Security headers to your responses.<\/p>\n<p><b>DEFINITION<\/b> HTTP Strict Transport Security (HSTS) is a specification (<a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc6797\">https:\/\/www.rfc-editor.org\/rfc\/rfc6797<\/a>) for the Strict-Transport-Security header that instructs the browser to use HTTPS for all subsequent requests to your application. The HSTS header can be sent only with responses to HTTPS requests. 
It is also relevant only for requests originating from a browser; it has no effect on server-to-server communication or on mobile apps.<\/p>\n<p>After a browser receives a valid HSTS header, the browser stops sending HTTP requests to your app and uses only HTTPS instead, as shown in figure 28.7. 
Even if your app has an http:\/\/ link or the user enters http:\/\/ in the URL bar of the app, the browser automatically replaces the request with an https:\/\/ version.<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2807.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.7 After a browser sends an HTTPS request, the app returns an HSTS header, instructing the browser to always send requests over HTTPS. The next time the user attempts to make an http:\/\/ request, the browser aborts the request and makes an https:\/\/ request instead.<\/p>\n<p><b>TIP<\/b> You can achieve a similar upgrading of HTTP to HTTPS requests using the Upgrade-Insecure-Requests directive in the Content-Security-Policy (CSP) header. This provides fewer protections than the HSTS header but can be used in combination with it. 
For more details on this directive and CSP in general, see <a href=\"http:\/\/mng.bz\/mVV4\">http:\/\/mng.bz\/mVV4<\/a>.<\/p>\n<p>HSTS headers are strongly recommended for production apps. You generally don\u2019t want to enable them for local development, as that would mean you could never run a non-HTTPS app locally. In a similar fashion, you should use HSTS only on sites for which you always intend to use HTTPS, as it\u2019s hard (sometimes impossible) to turn off HTTPS once it\u2019s enforced with HSTS.<\/p>\n<p>ASP.NET Core comes with built-in middleware for setting HSTS headers, which is included in some of the default templates automatically. 
The following listing shows how you can configure the HSTS headers for your application using the HstsMiddleware in Program.cs.<\/p>\n<p>Listing 28.2 Using HstsMiddleware to add HSTS headers to an application<\/p>\n<pre><code>WebApplicationBuilder builder = WebApplication.CreateBuilder(args);\n\nbuilder.Services.AddRazorPages();\nbuilder.Services.AddHsts(options =&gt;    #A\n{    #A\n    options.MaxAge = TimeSpan.FromHours(1);    #A\n});    #A\n\nWebApplication app = builder.Build();\n\nif(app.Environment.IsProduction())  #B\n{\n    app.UseHsts();    #C\n}\n\napp.UseStaticFiles();\napp.UseRouting();\n\napp.MapRazorPages();\n\napp.Run();<\/code><\/pre>\n<p>\u2776 Configures your HSTS header settings and changes the MaxAge from the default of 30 days<\/p>\n<p>\u2777 You shouldn\u2019t use HSTS in local environments.<\/p>\n<p>\u2778 Adds the HstsMiddleware<\/p>\n<p>The preceding example shows how to change the MaxAge sent in the HSTS header. It\u2019s a good idea to start with a small value initially. Once you\u2019re sure your app\u2019s HTTPS is functioning correctly, you can increase the age for greater security. 
A typical value for production deployments is one year.<\/p>\n<p><b>WARNING<\/b> Once client browsers have received the HSTS header, browsers will default to using HTTPS for all requests to your application. That means you must commit to always using HTTPS for as long as you set MaxAge. If you disable HTTPS, browsers will not revert to using HTTP until this duration has expired, so your application may be inaccessible until then if you aren\u2019t listening on HTTPS! You can notify the browser that your app no longer supports HSTS by setting MaxAge to 0.<\/p>\n<p>One limitation with the HSTS header is that you must make an initial request over HTTPS before you can receive the 
header. If the browser makes only HTTP requests, the app never has a chance to send the HSTS header, so the browser never knows to use HTTPS. One potential solution is called HSTS preload.<\/p>\n<p>HSTS preload isn\u2019t part of the HSTS specification, but it\u2019s supported by all modern browsers. Preload bakes your HSTS header into the browser so that the browser knows it should make only HTTPS requests to your site. That removes the \u201cfirst request\u201d problem entirely, but be aware that HSTS preload commits you to HTTPS forever, as it can\u2019t easily be undone.<\/p>\n<p>Once you\u2019re comfortable with your application\u2019s HTTPS configuration, you can prepare your app for HSTS preload by configuring an HSTS header that<\/p>\n<p>\u2022  Has a MaxAge of at least one year, though two years are recommended<\/p>\n<p>\u2022  Has the includeSubDomains directive<\/p>\n<p>\u2022  Has the preload directive<\/p>\n<p>Listing 28.3 shows how you can configure these directives in your app. The listing also shows how to exclude the domain never-https.com so that if you host your app at this domain, HSTS headers won\u2019t be sent. This can be useful for testing purposes.<\/p>\n<p>Listing 28.3 Configuring the application HSTS header for preload<\/p>\n<pre><code>builder.Services.AddHsts(options =&gt;\n{\n    options.Preload = true;    #A\n    options.IncludeSubDomains = true;    #B\n    options.MaxAge = TimeSpan.FromDays(365);    #C\n    options.ExcludedHosts.Add(&quot;never-https.com&quot;);    #D\n});<\/code><\/pre>\n<p>\u2776 Sends the preload directive<\/p>\n<p>\u2777 Sends the includeSubDomains directive<\/p>\n<p>\u2778 You must use a max-age directive of at least one year.<\/p>\n<p>\u2779 Don\u2019t send the HSTS header in responses to requests for this domain.<\/p>\n<p>Once you\u2019ve prepared your application for HSTS preload, you can submit your app for inclusion in the HSTS preload list that ships with modern browsers. Visit the site <a href=\"https:\/\/hstspreload.org\">https:\/\/hstspreload.org<\/a>, confirm that your application meets the requirements, and submit your domain. If all goes well, your domain will be included in a future release of all modern browsers!<\/p>\n<p><b>TIP<\/b> For more details on HSTS and attacks it can mitigate, see Scott Helme\u2019s article \u201cHSTS\u2014The missing link in Transport Layer Security,\u201d at <a href=\"http:\/\/mng.bz\/5wwa\">http:\/\/mng.bz\/5wwa<\/a>.<\/p>\n<p>HSTS is a great option for forcing users to use HTTPS on your website, and if you can use HSTS preload, you can ensure that modern clients never send requests over HTTP. Nevertheless, HSTS preload can take months to enforce, and you won\u2019t always want to take that approach. In the meantime, if a browser makes an initial request over HTTP, it won\u2019t receive the HSTS header and may stay on HTTP! That\u2019s unfortunate, but you can mitigate the problem by redirecting insecure requests to HTTPS immediately.<\/p>\n<h3>28.4.2 Redirecting from HTTP to HTTPS with HTTPS redirection middleware<\/h3>\n<p>The HstsMiddleware should always be used in conjunction with middleware that redirects all HTTP requests to HTTPS.<\/p>\n<p><b>TIP<\/b> It\u2019s possible to apply HTTPS redirection only to specific parts of your application, such as to specific Razor Pages, but I don\u2019t recommend that, as it\u2019s too easy to open a security hole in your application.<\/p>\n<p>ASP.NET Core comes with HttpsRedirectionMiddleware, which you can use to enforce HTTPS across your whole app. You add it to the middleware pipeline in Program.cs, and it ensures that any requests that pass through it are secure. If an HTTP request reaches the HttpsRedirectionMiddleware, the middleware immediately short-circuits the pipeline with a redirect to the HTTPS version of the request. 
The browser then repeats the request using HTTPS instead of HTTP, as shown in figure 28.8.<\/p>\n<p><img decoding=\"async\" src=\"\/images\/aspnetcoreinaction\/2808.png\" alt=\"alt text\" \/><\/p>\n<p>Figure 28.8 The HttpsRedirectionMiddleware works with the HstsMiddleware to ensure that all requests after the initial request are always sent over HTTPS.<\/p>\n<p><b>NOTE<\/b> Even with HSTS and the HTTPS redirection middleware, there is still an inherent weakness: by default, browsers always make an initial insecure request over HTTP to your app. 
The only way to prevent this is with HSTS preload, which tells browsers to always use HTTPS.<\/p>\n<p>The HttpsRedirectionMiddleware is added in some of the default ASP.NET Core templates. It is typically placed after the error handling and HstsMiddleware, as shown in the following listing. By default, the middleware redirects all HTTP requests to the secure endpoint, using an HTTP 307 Temporary Redirect status code.<\/p>\n<p>Listing 28.4 Using HttpsRedirectionMiddleware to enforce HTTPS for an application<\/p>\n<pre><code>WebApplicationBuilder builder = WebApplication.CreateBuilder(args);\n\nbuilder.Services.AddRazorPages();\nbuilder.Services.AddHsts(options =&gt; options.MaxAge = TimeSpan.FromHours(1));\n\nWebApplication app = builder.Build();\n\nif(app.Environment.IsProduction())\n{\n    
app.UseHsts();\n}\n\napp.UseHttpsRedirection();     #A\n\napp.UseStaticFiles();\napp.UseRouting();\n\napp.MapRazorPages();\n\napp.Run();<\/code><\/pre>\n<p>\u2776 Adds the HttpsRedirectionMiddleware to the pipeline and redirects all HTTP requests to HTTPS<\/p>\n<p>The HttpsRedirectionMiddleware automatically redirects HTTP requests to the first configured HTTPS endpoint for your application. If your application isn\u2019t configured for HTTPS, the middleware won\u2019t redirect and instead logs a warning:<\/p>\n<pre><code>warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]\n      Failed to determine the https port for redirect.<\/code><\/pre>\n<p>If you want the middleware to redirect to a different port than Kestrel knows about, you can configure that by setting the ASPNETCORE_HTTPS_PORT environment variable. 
This is sometimes necessary if you\u2019re using a reverse proxy, and it can be set in alternative ways, as described in Microsoft\u2019s \u201cEnforce HTTPS in ASP.NET Core\u201d documentation: <a href=\"http:\/\/mng.bz\/6DDA\">http:\/\/mng.bz\/6DDA<\/a>.<\/p>\n<blockquote>\n<p>SSL\/TLS offloading, header forwarding, and detecting secure requests<\/p>\n<p>At the start of section 28.1 I encouraged you to consider terminating HTTPS requests at a reverse proxy. That way, the user uses HTTPS to talk to the reverse proxy, and the reverse proxy talks to your app using HTTP. 
With this setup, your users are protected, but your app doesn\u2019t have to deal with TLS certificates itself.<\/p>\n<p>For the HttpsRedirectionMiddleware to work correctly, Kestrel needs some way of knowing whether the original request that the reverse proxy received was over HTTP or HTTPS. The reverse proxy communicates to your app over HTTP, so Kestrel can\u2019t figure that out without extra help.<\/p>\n<p>The standard approach used by most reverse proxies (such as IIS, NGINX, and HAProxy) is to add headers to the request before forwarding it to your app. 
Specifically, a header called X-Forwarded-Proto is added, indicating whether the original request protocol was HTTP or HTTPS.<\/p>\n<p>ASP.NET Core includes ForwardedHeadersMiddleware to look for this header (and others) and update the request accordingly, so your app treats a request that was originally secured by HTTPS as secure for all intents and purposes.<\/p>\n<p>If you\u2019re using IIS with the UseIisIntegration() extension, the header forwarding is handled for you automatically. If you\u2019re using a different reverse proxy, such as NGINX or HAProxy, you can enable the middleware by setting the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED=true, as you saw in chapter 27. 
Alternatively, you can add the middleware to your application manually, as shown in section 27.3.2.<\/p>\n<p>When the reverse proxy forwards a request, the ForwardedHeadersMiddleware looks for the X-Forwarded-Proto header and updates the request details as appropriate. For all subsequent middleware, the request is considered secure. 
When adding the middleware manually, it\u2019s important that you place ForwardedHeadersMiddleware before the call to UseHsts() or UseHttpsRedirection() so that the forwarded headers are read and the request is marked secure, as appropriate.<\/p>\n<\/blockquote>\n<p>Using the HSTS and HTTPS redirection middleware is best practice when you\u2019re building a server-side application such as a Razor Pages app that will always be accessed in the browser. If you\u2019re building an API application, 
however, a better approach is to not listen for insecure HTTP requests at all!<\/p>\n<h3>28.4.3 Rejecting HTTP requests in API applications<\/h3>\n<p>Browsers have been adding more and more protections, such as the HSTS header, to try to protect users from using insecure HTTP requests. But not all clients are using a web browser. In this section you\u2019ll learn why API applications should generally disable HTTP entirely.<\/p>\n<p>If you\u2019re building an API application, you often can\u2019t rely on requests coming from a browser. Your API application may primarily serve a client-side framework in the browser, but it may also serve mobile applications or provide an API to other backend services. 
That means you can\u2019t rely on the protections built into web browsers to ensure HTTPS is used for your API apps.<\/p>\n<p>On top of that, even if you know all your users are using a browser, the only way to prevent any request from being sent over HTTP is to use HSTS preload, as you saw in section 28.4.2. Sending even one request over HTTP can compromise a user, so the safest approach is to listen only for HTTPS requests, not HTTP requests. 
This is the best option for API apps.<\/p>\n<p><b>NOTE<\/b> It would be safest to take this same approach for your browser apps, but unfortunately, browsers currently default to the HTTP versions of apps.<\/p>\n<p>You can disable HTTP requests for your application by setting the URLs for your app to include only https:\/\/ URLs, using ASPNETCORE_URLS or another approach, as described in chapter 27. Setting<\/p>\n<pre><code>ASPNETCORE_URLS=https:\/\/*:5001<\/code><\/pre>\n<p>would ensure that your app serves only HTTPS requests on port 5001 and won\u2019t handle HTTP connections at all. 
This protects your clients, as they can\u2019t incorrectly make HTTP requests, and it may even make things simpler on your side, as you don\u2019t need to add the HTTP redirection middleware.<\/p>\n<p>HTTPS is one of the most basic requirements for adding security to your application these days. It can be tricky to set up initially, but once you\u2019re up and running, you can largely forget about it, especially if you\u2019re using SSL\/TLS termination at a reverse proxy.<\/p>\n<p>Unfortunately, most other security practices require rather more vigilance to ensure that you don\u2019t accidentally introduce vulnerabilities into your app as it grows and develops. 
In the next chapter we\u2019ll look at several common attacks, learn how ASP.NET Core protects you, and see a few things you need to watch out for.<\/p>\n<h2>28.5 Summary<\/h2>\n<p>HTTPS is used to encrypt your app\u2019s data as it travels from the server to the browser and back. This encryption prevents third parties from seeing or modifying it.<\/p>\n<p>HTTPS is virtually mandatory for production apps, as modern browsers like Chrome and Firefox explicitly mark non-HTTPS apps as \u201cnot secure.\u201d<\/p>\n<p>In production, you can avoid handling TLS in your app by using SSL\/TLS offloading. This is where a reverse proxy uses HTTPS to talk to the browser, but the traffic is unencrypted between your app and the reverse proxy. 
The reverse proxy could be on the same or a different server, such as IIS or NGINX, or it could be a third-party service, such as Cloudflare.<\/p>\n<p>You can use the ASP.NET Core developer certificate or the IIS Express developer certificate to enable HTTPS during development. This can\u2019t be used for production, but it\u2019s sufficient for testing locally. You must run dotnet dev-certs https --trust when you first install the .NET SDK to trust the certificate.<\/p>\n<p>Kestrel is the default web server in ASP.NET Core. 
It is responsible for reading and writing data from and to the network, parsing the bytes based on the underlying HTTP and network protocols, and converting the raw bytes into .NET objects you can use in your apps.<\/p>\n<p>You can configure an HTTPS certificate for Kestrel in production using the Kestrel:Certificates:Default configuration section. This does not require any code changes to your application; Kestrel automatically loads the certificate when your app starts and uses it to serve HTTPS requests.<\/p>\n<p>You can use the HstsMiddleware to set HSTS headers for your application to ensure that the browser always sends HTTPS requests to your app instead of HTTP requests. 
HSTS can be enforced only once an initial HTTPS request has been made to your app, so it\u2019s best used in conjunction with HTTP to HTTPS redirection.<\/p>\n<p>You can enable HSTS preload for your application to ensure that HTTP requests from browsers are never sent and are always upgraded to HTTPS. You must configure your app as shown in listing 28.3, deploy your app with a TLS certificate, and register your app at the URL <a href=\"https:\/\/hstspreload.org\">https:\/\/hstspreload.org<\/a>. This will schedule your app to be included in browsers\u2019 built-in list of HTTPS-only sites.<\/p>\n<p>You can enforce HTTPS for your whole app using the HttpsRedirectionMiddleware. 
This will redirect any HTTP requests to the HTTPS version of the endpoints.<\/p>\n<p>If you\u2019re building an API application, you should avoid exposing your application over HTTP entirely and use only HTTPS. Mobile and other nonbrowser clients don\u2019t have protections such as HSTS, so there\u2019s no safe way to support both HTTP and HTTPS. Disable HTTP for your app by listening only on https:\/\/ URLs, such as by setting ASPNETCORE_URLS=https:\/\/*:5001.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-627","post","type-post","status-publish","format-standard","hentry","category-csharp"],"_links":{"self":[{"href":"https:\/\/diji.net\/index.php?rest_route=\/wp\/v2\/posts\/627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diji.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diji.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diji.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diji.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=627"}],"version-history":[{"count":0,"href":"https:\/\/diji.net\/index.php?rest_route=\/wp\/v2\/posts\/627\/revisions"}],"wp:attachment":[{"href":"https:\/\/diji.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diji.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diji.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}