Skip to content

Security Authentication

The API image runs the .NET Core app directly inside the /app folder. The same image takes care of compiling the code. It is also prepared to be cached, so some steps could be skipped if has not been changes from previous builds.

Building the image

The image must be built from the /Source folder. The Dockerfile is inside the Projects/Sequel.Security.Authentication/docker folder. Building the image does not require any parameters, but the appsettings.json file will not be included in the image, this must be included either by creating a new image or using a volume or secret.

docker image build -f Projects/Sequel.Security.Authentication/docker/Dockerfile -t security/authentication .

There is also a SECURITY_VERSION build argument that is useful for CD pipelines to specify which is the version that is building.

Use BuildKit to build images

It is recommended to use BuildKit instead the classic build system to improve build times of the image and take advantage of advanced cache system that brings this new system.

Preparing the app settings

As mentioned before, the image does not include an appsettings.json file, so it will always fail to run if no one is provided. The are three ways to add the settings into the container:

  1. Create a new image which adds the file inside /app (not recommended)
  2. Create a volume that maps the file into the container (-v argument in docker)
  3. Create a secret in Swarm or Kubernetes and put it in /app/appsettings.json

There are also some settings that must be set taking into account the deployment environment:

  • The InitializeSSL must be always set to false, failing to do so, will cause some troubles in Authentication.
  • The TrustForwardedHeaders should be set to true if Authentication will be behind a reverse proxy/load balancer.
  • The EnableContainerEndpoint in HealthCheckSettings must be set to true, if not, the container will be marked as unhealthy.
  • The Logging context must point to the right SQL Server instance, using the right.hostname, and must use SQL Server Authentication login method (provide User Id and Password).
  • Ensure internal and external URLs for the API and Authentication services are OK.
  • Windows identity provider will not work, so disable it if enabled.
  • Check the health check (example command curl -i -H "HealthCheck-ApiKey: cdb327e2-4f20-4a55-b44a-d3b948b84356" localhost/securityapi/health)

Access to hosts services from Docker

See the Security API section for more information about this.

SQL Server on Windows

See the Security API section for more information about this.

Running the image

Once the appsettings.json file is ready, you may start a container and check everything is fine. Authentication requires API to be running too. Below there is an example running a container and using a bind mount to provide the appsettings.json file:

docker container run --rm -it -v /deployments/sec/appsettings.authentication.json:/app/appsettings.json -p 8001:80 security/authentication

Running behind Reverse Proxies

Usually, in a reverse proxy environment, the published services will have path prefixes to have several services run under the same domain. To avoid any issues with URLs and redirections in Security Authentication, the PATH_PREFIX environment variable must be set in the container. In the reverse proxy settings, path prefix strip must be disabled.