So it appears with the advent of ASP.NET Core 2.1, Kestrel now automatically creates an HTTPS endpoint along side the HTTP one, and default project templates are setup to redirect from HTTP to HTTPS (which is easy enough to undo).
However my question is... how can I disable HTTPS entirely for my project. I've read through the docs and played with a variety of config settings for HTTPS but nothing I do seems to allow me to turn it off and just run an HTTP project.
Am I crazy or just missing something. I would expect this to be super easy to do.
In the Startup.cs, remove the middleware
app.UseHttpsRedirection();
If you are using Visual Studio 2017, then you can do the following:
Go to your project properties. (Right-click > Properties)
Click on the Debug tab.
Under Web Server Settings, deselect Enable SSL.
Save, build, and try again.
This will update the iisExpress settings in the launchSettings.json file.
In the file Properties/launchSettings.json of your project, look of the key applicationUrl. You will find something like:
...
"applicationUrl": "https://localhost:5001;http://localhost:5000",
...
Remove the https endpoint and it's done.
Edit
As noted by #Xorcist the file launchSettings.json is not published. So, the solution above will only work in a development environment. To disable https and, in general, to configure the urls you want to listen to, both in production and in development, you can also do one of the following:
Use --urls parameters of dotnet run, will have the same effect as the applicationUrl in launchSettings.json. For instance: dotnet run --urls=http://0.0.0.0:5000,https://0.0.0.0:5001. Again, remove the one you don't want to use.
The same can be achieved with the ASPNETCORE_URLS enviroment variable.
As mentioned in the answer by #Konstantin to this question, in ASP Net Core 2.1 you can also configure Kestrel endpoints in the appsettings.json (it seems this cannot be done in 2.0).
Finally, the same can also be achieved with the useUrls extension method WebHost.CreateDefaultBuilder(args).UseUrls("http://0.0.0.0:5000"). I prefer the other solution because this ones hardcodes you're application endpoints, and can't be changed without recompiling the application.
All the possible options are explained in detail in the Microsoft Docs on this.
Update (09 Dec 2020): these options are still valid for Net Core 3.1, as per Microsoft Docs, except for the appsettings one. Maybe it still works but I am not sure.
Update (19 May 2021): these options are still valid for Net 5, as per Microsoft Docs, except for the appsettings one. Maybe it still works but I am not sure.
Turns out the proper way to achieve what I wanted to do, was to specifically configure Kestrel with .UseKestrel() and simply specify a single address, like this:
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options => {
if (context.Configuration[WebHostDefaults.EnvironmentKey] == Environments.Development) {
options.Listen(IPAddress.Loopback, 5080); //HTTP port
}
})
.UseStartup<Startup>();
in effect overriding the default setup, and displaying this warning when Kestel starts:
warn: Microsoft.AspNetCore.Server.Kestrel[0]
Overriding address(es) 'https://localhost:5001, http://localhost:5000'. Binding to endpoints defined in UseKestrel() instead.
Note the check for development environment; in production the default ports are different (80) and without HTTPS.
if a second address is specified it will assume that address is to be secured with the built-in developer cert, as such:
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options => {
options.Listen(IPAddress.Loopback, 5080); //HTTP port
options.Listen(IPAddress.Loopback, 5443); //HTTPS port
})
.UseStartup<Startup>();
you may of course specifically secure your SSL address as described here:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-2.1&tabs=aspnetcore2x
which is necessary for production setups.
In the Program.cs, Add UseUrls as following:
WebHost.CreateDefaultBuilder(args)
.UseUrls("http://localhost:5000")
.UseStartup<Startup>();
And In The Startup.cs remove/comment the following:
app.UseHttpsRedirection();
The dotnet CLI now has a template for this.
dotnet new webapi --no-https
With ASPNET CORE 2.2, I simply set the web server URL to http not https and it picks it up on its own. I run it as a self hosted process.
Go to your project properties.
Click on the Debug tab.
Under Web Server Settings, set the URL to http://xxx
Try again :)
Turning off https lies in these 3 changes...
Properties/launchSettings.json
set sslPort to 0
remove the https url from the applicationUrl
Startup.cs
Remove or comment-out app.UseHttpsRedirection()
For Development & not in production:
in project properties disable Enable SSL
One more way for disabling https epecially is handy when docker is used.
Set enviroment variable in Dockerfile with only one HTTP url in value.
#https + http
ENV ASPNETCORE_URLS=http://+:5001;http://+:5000
#http only
ENV ASPNETCORE_URLS=http://+:5000
#joanlofe answer is excellent one, but there is also "stupid" way how one can reintroduce HTTPS on 5001 port. If you call Clear on your config sources (for proper layering of config sources for example) it means that one implicit source is gone -- "launchSettings.json" template. So if you rely on this file instead of "appsettings.json" (and by default you probably are) your app will enable HTTPS on port 5001.
My local k8s deployment was failing due to the existence of
"Kestrel": {
"Certificates": {
"Default": {
...
}
}
}
in an appsettings.json override, even after following the other steps here. If you're trying to strip a server of SSL (for example, if SSL is now terminated upstream), make sure to get rid of this configuration as well.
This seems pretty obvious now that I found it, but it still tripped us up for a few hours.
I have a SignalR-service in two api-versions running in self-hosted Owin processes. I want to route traffic for api.service.com to either api1.service.com or api2.service.com depending on a http-header (api-ver) in a request. Is this possible to do with Owin middleware or in some other way without having to host this in IIS or using a 3rd party reverse proxy or similar? I was hoping it could be done with "Url Rewriting" but I don't know if this is possible in self-hosting?
Have you considered this, I am in the same boat and thinking it will resolve my problem. But to answer your question it does seem possible in self-hosted environments.
Owin.UrlRewrite
EDIT - This library doesn't work (at least I sure can't get it to work). I did experiment with an OWIN middleware of my own and it can be done with redirects but there is a flicker in the URL to essentially the hashtag url (before the client router kicks in (Aurelia in my case) and makes it the non-hash url). Best I can say is this is a limited use case (Self-hosting with need for URL Rewriting) as I cannot find a pre-made solution to do this.
I need to bypass an MVC route for an application where the developer left - we're going to fully replace it, but for now if I can bypass this one route, it'll save us a ton of time.
The route is (e.g.) www.this.site/path/subpath
Since it's on IIS, I can take advantage of the default document and create the following folder / file structure: /path/subpath/index.htm
However if I do this, I'll "break" the parent www.this.site/path route (it throws a 403 - Forbidden: Access is denied) because I now have an actual file folder where the /path/ route was.
Is there a way to get around this / have IIS defer to MVC on /path/ but still handle the child html file?
thanks. Again, this is not intended as a long term solution but a work-around until we can replace the app entirely.
Perhaps a better workaround would be to use the IIS AAR module and it's reverse proxy functionality out the app.
To do so:
a) stand up the app at it's own site the proper path -- so it should work at something like http://localhost:1234/path/subpath/index.htm
b) install IIS AAR module and enable the reverse proxy functions using the WebPI and the IIS management tools
c) Ignore the /path/subpath route in your app
d) Add a virtual directory for /path/subpath to IIS
e) Configure that to reverse back to localhost:1234 or whatever port you configured the site
This will keep the legacy app completely separate while keeping the public facing URLs looking correct for the rest of the world.
I'm developing two projects under one solution API and Web application.
I'm using Visual Studio 2012 and ports for each project are different when debugging, e.g. localhost:32335 and localhost:21890, so now each time I need to use api I need to set localhost with that port.
I come up with solution to set default port to for example 1337, and in host file set example.com to localhost:1337, so now I just need to use example.com/api/someaction.
What I want to do is set base url in ajax so I don't have to retype example.com in my code, so basically I just need to type /api/someaction and ajax call will now to use example.com by default, not localhost:33181.
Start to work with your iis. create a different application with different domain name and edit your hosts file to use that address. don't use with the cassini. for each application , create an application in the iis. add a binding , and create the different domain names in the hosts file.
Use jquery ajaxSetup:
$.ajaxSetup({
url: 'ping.php'
});
I have a custom Authorize attribute. This attribute checks if the user also have permissions to that action based on the parameters of the attribute. In some times inside the custom Authorize attribute I want to requiere HTTPS or redirect to it. Is there any way to do this with the AuthorizationContext?
How can I test it? and debug it? Is there a simple tutorial to use SSL in my developer machine with VS 2010?
Thanks!
RequireHttps will redirect HOWEVER it doesn't stop the browser from sending data non-ssl first which could be captured. Note that for post actions this wont work right out of the box either.
To install ssl, simply generate your cert and import it. Do you have a subscription to pluralsight.com? i have a course up there where I go over the steps for requiressl and installing ssl on local machine (theres a 30 day free trial too)
If you just want the details here : )
theres a nice powershell script to use:
http://learn.iis.net/page.aspx/491/powershell-snap-in-configuring-ssl-with-the-iis-powershell-snap-in/