Keywords: ASP.NET Core 2.1 | Kestrel Server | HTTPS Disable
Abstract: This article provides an in-depth exploration of how to entirely disable HTTPS and run only HTTP projects in ASP.NET Core 2.1. By analyzing the default behavior of the Kestrel server, it details multiple configuration methods, including modifying Startup.cs, adjusting launchSettings.json, using environment variables, and directly configuring Kestrel endpoints. The focus is on the complete solution of overriding default settings via the .UseKestrel() method, with code examples and best practice recommendations to help developers flexibly configure based on different needs in development and production environments.
With the release of ASP.NET Core 2.1, the Kestrel server defaults to creating both HTTP and HTTPS endpoints, and project templates are typically configured to redirect HTTP requests to HTTPS. While disabling redirection is relatively straightforward, many developers wish to completely disable HTTPS and run pure HTTP projects. This article systematically introduces multiple implementation methods, with configuring Kestrel as the core solution.
Understanding Default Behavior and Problem Context
In ASP.NET Core 2.1, Kestrel's default configuration includes two endpoints: an HTTP endpoint (typically http://localhost:5000) and an HTTPS endpoint (typically https://localhost:5001). This design encourages security best practices, but in certain scenarios (such as internal development environments or specific deployment requirements), developers may need to use HTTP only. A common misconception is that simply removing the redirection middleware suffices, but this only stops redirection; the HTTPS endpoint remains active and can cause confusion.
Basic Configuration Methods
First, removing the HTTPS redirection middleware from Startup.cs is a fundamental step. In the Configure method, delete or comment out the following code:
app.UseHttpsRedirection();This prevents HTTP requests from being automatically redirected to HTTPS, but the HTTPS endpoint itself is not disabled. For development environments, adjustments can be made by modifying the Properties/launchSettings.json file. Locate the applicationUrl key and remove the HTTPS portion, for example, change:
"applicationUrl": "https://localhost:5001;http://localhost:5000",to:
"applicationUrl": "http://localhost:5000",It is important to note that launchSettings.json only affects development environments and is not published during production deployment.
Advanced Environment Configuration
To unify configuration across development and production environments, command-line arguments or environment variables can be used. The --urls parameter of the dotnet run command allows specifying URLs to listen on, for example:
dotnet run --urls=http://0.0.0.0:5000Similarly, setting the ASPNETCORE_URLS environment variable achieves the same effect. These methods offer flexibility but may rely on external configuration.
Core Solution: Configuring Kestrel Endpoints
The most thorough approach is to directly configure the Kestrel server, overriding its default endpoint settings. In the CreateWebHostBuilder method of Program.cs, use the .UseKestrel() method to explicitly define endpoints. Here is an example code that listens only on an HTTP port:
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options => {
options.Listen(IPAddress.Loopback, 5080); // HTTP port
})
.UseStartup<Startup>();This configuration overrides the default HTTPS and HTTP endpoints and displays a warning message at startup, indicating that custom endpoints are being used. If both HTTP and HTTPS are needed, multiple Listen calls can be added, but HTTPS endpoints require additional certificate configuration. For development environments, dynamic configuration can be combined with environment checks, for example:
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options => {
var context = options.ApplicationServices.GetRequiredService<IHostingEnvironment>();
if (context.IsDevelopment()) {
options.Listen(IPAddress.Loopback, 5080); // Development environment HTTP port
} else {
options.Listen(IPAddress.Any, 80); // Production environment HTTP port
}
})
.UseStartup<Startup>();Production Environment Considerations
In production environments, disabling HTTPS should be done cautiously, as it may reduce security. If HTTP must be used, ensure that a security layer is provided through other means, such as load balancers or reverse proxies. Additionally, Kestrel's endpoint configuration supports more advanced options, like configuring HTTPS with specific certificates, which is detailed in Microsoft's official documentation.
Summary and Best Practices
Completely disabling HTTPS in ASP.NET Core 2.1 requires configuring Kestrel endpoints, not just removing middleware or adjusting development settings. Using the .UseKestrel() method for explicit configuration is recommended, as it offers maximum control and applies to all environments. Developers should choose appropriate methods based on specific needs and evaluate security impacts in production. By understanding these configuration mechanisms, server behavior can be managed more flexibly to meet deployment requirements in various scenarios.