获取页面已通过 HTTPS 加载，但请求了不安全的 XMLHttpRequest 端点“.well-known/openid-configuration”

Question

因此，我有一个 ASP.Net Core 托管 Blazor Web Assembly 项目，使用 Identity Server 4 来管理我的登录和注册，当我调试并尝试登录我的应用程序时，端点“.well-known/openid-configuration”是通过 HTTPS 提供服务，但是当我在 Docker 中运行它的发布版本时，它通过 HTTP 提供服务，导致我的登录页面无法工作。我如何才能通过 HTTPS 提供服务？

完整错误为： AuthenticationService.js:1 混合内容：“https://musicfusion.app/”页面是通过 HTTPS 加载的，但请求了不安全的 XMLHttpRequest 端点“http://musicfusion.app/.well-known” /openid-配置'。该请求已被阻止；内容必须通过 HTTPS 提供。

编辑：我的 Startup.cs

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using System.Linq;
using Soundbox.Server.Data;
using Soundbox.Shared;
using System;
using Blazored.Toast;
using test.Server.Hubs;
using Microsoft.AspNetCore.Identity.UI.Services;
using test.Server.Services;
using Microsoft.AspNetCore.HttpOverrides;

namespace test.Server
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlite("Data Source=/data/test.db"));
        services.AddBlazoredToast();
        services.Configure<APIKeys>(this.Configuration.GetSection("APIKeys"));
        services.Configure<AuthMessageSenderOptions>(this.Configuration.GetSection("Emails"));
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        });
        services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
            .AddEntityFrameworkStores<ApplicationDbContext>();

        services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

        services.AddAuthentication()
            .AddIdentityServerJwt();

        //services.AddCors(options =>
        //{
        //    options.AddPolicy("AllowSpecificOrigin",
        //            builder =>
        //            {
        //                builder
        //                .AllowAnyOrigin()
        //                .AllowAnyMethod()
        //                .AllowAnyHeader();
        //            });
        //});

        services.AddControllersWithViews();

        // requires
        // using Microsoft.AspNetCore.Identity.UI.Services;
        // using WebPWrecover.Services;
        services.AddTransient<IEmailSender, EmailSender>();

        services.AddRazorPages();
        services.AddSignalR();
        services.AddResponseCompression(opts =>
        {
            opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
                new[] { "application/octet-stream" });
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseResponseCompression();
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();
            app.UseWebAssemblyDebugging();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseBlazorFrameworkFiles();
        app.UseStaticFiles();


        //app.UseCors("AllowSpecificOrigin");
        app.UseRouting();

        app.UseIdentityServer();
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        });
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapControllers();
            endpoints.MapHub<PlaylistHub>("/playlisthub");
            endpoints.MapFallbackToFile("index.html");
        });

        UpdateDatabase(app);
    }

    private static void UpdateDatabase(IApplicationBuilder app)
    {
        using (var serviceScope = app.ApplicationServices
            .GetRequiredService<IServiceScopeFactory>()
            .CreateScope())
        {
            using (var context = serviceScope.ServiceProvider.GetService<ApplicationDbContext>())
            {
                context.Database.Migrate();
            }
        }
    }
}
}

Answer 1

解决方案是让 Cloudflare 强制所有流量均为 HTTPS。

编辑：要正确操作，请按照本教程操作： https: //blog.cloudflare.com/how-to-make-your-site-https-only/