.NET 8.0.17 - Forward X-Forwarded-Proto HTTP header is no longer taken into account

[Adrien-YooSoft]

Description

My application is running behind a reverse proxy with HTTPS termination: the reverse proxy receives requests in HTTPS and then forwards the requests to the .NET application over HTTP.

The .NET application is configured to take into account the header X-Forwarded-Proto in order to have Request.Scheme returning https.
It was working as expected with .NET 8.0.16 - returning https
But the bahavior has changed with .NET 8.0.017 - returning http

Reproduction Steps

1. Configure headers forwarding in Program.cs

builder.Services.Configure<ForwardedHeadersOptions>(options =>
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto);

app.UseForwardedHeaders();

2. Create a controller that just returns Request.Scheme

[ApiController]
[Route("[controller]")]
public class DisplayXForwardProtoController() : ControllerBase
{
    [HttpGet(Name = "DisplayXForwardProto")]
    public object DisplayXForwardProto() =>
        new
        {
            requestScheme = Request.Scheme,
            xForwardedProto = Request.Headers["X-Forwarded-Proto"]
        };
}

3. Running the application with Docker

# Base image that works as expected: FROM mcr.microsoft.com/dotnet/aspnet:8.0.16 AS base
# Base image causing issues: FROM mcr.microsoft.com/dotnet/aspnet:8.0.17 AS base
FROM mcr.microsoft.com/dotnet/aspnet:8.0.17 AS base
USER $APP_UID
WORKDIR /app
EXPOSE 8080
EXPOSE 8081

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
ARG BUILD_CONFIGURATION=Release
WORKDIR /src
COPY ["TestForwardProto/TestForwardProto.csproj", "TestForwardProto/"]
RUN dotnet restore "TestForwardProto/TestForwardProto.csproj"
COPY . .
WORKDIR "/src/TestForwardProto"
RUN dotnet build "./TestForwardProto.csproj" -c $BUILD_CONFIGURATION -o /app/build

FROM build AS publish
ARG BUILD_CONFIGURATION=Release
RUN dotnet publish "./TestForwardProto.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "TestForwardProto.dll"]

4. Calling the .NET endpoint with header X-Forwarded-Proto
   curl --location 'http://127.0.0.1:8080/DisplayXForwardProto' --header 'X-Forwarded-Proto: https'

Please find enclosed the full minimal project to reproduce the issue: TestForwardProto.zip

Expected behavior

Request.Scheme should return https

Actual behavior

Request.Scheme returns http

Regression?

Yes, it was working on .NET 8.0.16
In the code provided, simply replace the base image in Dockerfile with mcr.microsoft.com/dotnet/aspnet:8.0.16 and it works.

Known Workarounds

No response

Configuration

No response

Other information

No response

[desasta]

This is due to a recent fix in the .net 8 runtime:
https://github.com/dotnet/aspnetcore/releases/tag/v8.0.17

Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy (#61623)
The Forwarded Headers Middleware now ignores X-Forwarded-Headers sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence the forwarded headers, preventing potential spoofing or misrouting of requests.

When you explicitly set KnownProxies or KnownNetworks, you are providing the ForwardedHeadersMiddleware with the necessary information to trust the incoming X-Forwarded-Proto header.

[Adrien-YooSoft]

Thank you @desasta for your response and the link. I missed that point (i checked this link https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.17/8.0.17.md but it was not mentioned).

I will configure KnownProxies or KnownNetworks, as they are indeed not set in my application.
Thanks again.

[miaooss]

Any documentation on what will need to be added for the KnownProxies or KnownNetworks

[Adrien-YooSoft]

Any documentation on what will need to be added for the KnownProxies or KnownNetworks

The full documentation is here - https://learn.microsoft.com/aspnet/core/host-and-deploy/proxy-load-balancer

In practice, for my setup, I specified the proxy IP address as follows:

app.UseForwardedHeaders(new ForwardedHeadersOptions()
{
    ForwardedHeaders = ForwardedHeaders.XForwardedProto,
    KnownProxies =
    {
        // IP v4 format
        IPAddress.Parse("10.244.2.29"),
        // IPv6-mapped version
        IPAddress.Parse("::ffff:10.244.2.29")
    }
});

The equivalent with KnownNetworks should look like this:

app.UseForwardedHeaders(new ForwardedHeadersOptions()
{
    ForwardedHeaders = ForwardedHeaders.XForwardedProto,
    KnownNetworks =
    {
        // IP v4 network
        new IPNetwork(IPAddress.Parse("10.244.0.0"), 16),
        // IPv4-mapped IPv6 version
        new IPNetwork(IPAddress.Parse("::ffff:10.244.0.0"), 112) // /112 = /16 for IPv4-mapped IPv6
    }
});

I also read that some people simply clear KnownProxies and KnownNetworks to always apply X-Forwarded-* but this may cause security issues. See dotnet/aspnetcore#61622 (comment) for the snippet code.