Production Ready: Recommendation for Kestrel and Linux #612
Comments
I believe it is (though I'm not official; don't work for MS, and could be wrong) Windows - Kestrel reverse proxied behind IIS with HttpPlatformHandler With addition of at least to nginx's reverse proxy config
@DamianEdwards @glennc do we have any docs (in progress?) on production hosting?
@benaadams There's no wrong answer just choices and some will be better than others. I got nginx running on Linux however, my application just hung. I will try the proxy settings you suggested. @DamianEdwards I understand this is an Open Source Project but a little direction/recommendation would be helpful. Lol! I'm curious how Kestrel will run in a production environment. For instance as a service in the background on Linux OS. I wonder if ServiceContext.cs could be used for this purpose. But it doesn't have the same contract the service command would use. Better yet, I believe this could be the recommended way Issue 390.
@davidfowl @benaadams @DamianEdwards I'm wondering if Docker is the best choice for hosting and running an ASP.NET application on Linux (CentOS). Any suggestions?
@kscott5 my community member take on it is
This definitely may fall into the last category; if it's not one of the previous ones - and using with the newer dotnet cli approach when compiling you can have an executable for your service that has Kestrel embedded within it. Other examples for the last case would be
The common trend here is either port sharing; or not being directly on a port that is directly accessible to the internet. Though the potential security risk is DoS rather than information exposure. However, the official recommended approach by Microsoft is one that is also a fully supported one; e.g. you can phone them up and get support; help etc for it and also has a greater in-depth analysis behind it; whereas this is just my opinion - so they are very different things 😄
Double disclaimer; just to make a point. I am not a security professional and this is just my own personal current opinion; based on what I believe to be a safe conservative approach for anything business critical. And you should certainly take any official documentation, advice or recommended scenarios from Microsoft over anything I've said here...
Lol! @benaadams Got It!
Even in an intranet scenario I'd have it behind IIS or nginx. Never ever trust your internal network. Treat it as a hostile network like you would the internet.
@blowdart but do your honeypot servers have a hotline to HR?
We're still building out our "official" guidance in this area, but as @benaadams points out, it really comes down to your particular scenario. There may be times when it makes sense to expose Kestrel directly, assuming you understand the caveats, just as it may sometimes make sense to expose node.exe directly. But for the vast majority of cases, we'll recommend you have a front-end web server that proxies to your application process (which is running Kestrel).
@DamianEdwards I don't understand all the caveats but are you referring to nginx proxy that @benaadams mentioned above?
Yes, nginx on Linux
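As an added illustration of the front-end proxy arrangement recommended in this thread (not configuration posted by any participant or taken from Microsoft's documentation): an nginx server block that owns port 80 and forwards to Kestrel on a loopback port, with per-client limits aimed at the DoS concern raised above. The host name `example.com`, the `127.0.0.1:5000` upstream address, the zone names and every limit value are assumptions chosen for the example.

```nginx
# Added example; host name, upstream address, zone names and limits are assumptions.
# These directives belong in the http {} context (e.g. a file included from nginx.conf).

# Per-client request and connection budgets, keyed by client address.
limit_req_zone  $binary_remote_addr zone=kestrel_req:10m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=kestrel_conn:10m;

upstream kestrel {
    # Kestrel listens on loopback only, so it is never directly reachable
    # from the network; 5000 is the non-standard port used in this thread.
    server 127.0.0.1:5000;
    keepalive 16;
}

server {
    listen 80;
    server_name example.com;          # placeholder host name

    # Bound what one slow or oversized client can hold open.
    client_max_body_size  10m;
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     30s;

    location / {
        limit_req  zone=kestrel_req burst=40 nodelay;
        limit_conn kestrel_conn 20;

        proxy_pass         http://kestrel;
        proxy_http_version 1.1;
        proxy_set_header   Connection "";      # required for upstream keepalive
        proxy_set_header   Host $host;
        # Overwrite, rather than append to, client-supplied forwarding headers.
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto $scheme;

        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
    }
}
```

Check the file with `nginx -t` before reloading. Because nginx holds port 80, the application process can stay on an unprivileged port under a non-root account.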
Well, Accessing a docker container from Windows Host was a good place to look. But the best help was the command 'docker-machine ls'. This gave me the VM Box/Container hosted ip address. From there I was able to access my site. Thanks again!!!!
With all of the performance work you're doing with Kestrel, how does IIS figure into this in terms of performance? I'm assuming IIS can't give you anywhere near the performance that you are now getting via Kestrel, so what does that mean for perf when you are running Kestrel behind IIS (or nginx for that matter)?
@RickStrahl we actively measure direct Kestrel performance on multiple platforms, and on Windows we also measure IIS+Kestrel, and on Linux we measure nginx+Kestrel. For the IIS case, we have an "in" with IIS because of the AspNetCoreModule - that's how Kestrel hooks into IIS. And we have more work planned there that we hope should get even better perf for IIS+Kestrel.
Are those results (iis+kestrel, nginx+kestrel) published somewhere?
Thanks @Eilon. Can you point at any more info on what exactly AspNetCoreModule does? Is there a repo for it? I can't seem to find the native code. Nothing in the IISIntegration repo.
@RickStrahl - AspNet Core Module is a reverse proxy. It's not open source at the moment. It is forked from httpPlatformHandler and replaces it (aspnet/Announcements#164)
It will be open sourced.
Any info anywhere? After my IIS post a few days ago a number of questions have come up exactly what still works in IIS and what doesn't. UrlRewrite, possible to use IIS for static hosting in the same site/virtual etc. From what I can see the module takes over IIS completely and nothing runs in the IIS application.
@RickStrahl We're still working on publishing the sources. Not sure how long that will take.
Also, it only takes over because that's how it's registered in the web.config by default.
@RickStrahl We just did the update on the doc regarding ANCM. It won't answer all of your questions, but here's the doc: https://docs.asp.net/en/latest/hosting/aspnet-core-module.html You may also glean some tidbits from the IIS Hotline! doc in the #iis channel at Slack. I would like to expand that doc to address the issues you are raising now, so I'll work on that over the coming days/weeks.
The problem is there's not a lot of control with the
But even that doesn't work very well because the IIS site or virtual is rooted in the Binary folder not in the IOW, I have to do
This is the same level of control IIS has always given you, no?
@RickStrahl The simplest solution is just allow Static File Middleware (https://docs.asp.net/en/latest/fundamentals/static-files.html) to take care of static files. Did you have a strong need to avoid the Static File Middleware approach (just curious)?
No not a specific case, but other things have come up. I got several questions about mixing classic ASPX, ASP.NET Auth, using re-write Module (actually haven't tried that - that might work).
Ok ... just curious ... the Static File Middleware has been rock solid, and it simplifies things well. Actually, I'm sort'a telling people to disable the IIS static file module, because if the ^^ [EDIT] That's far from official guidance ... it's definitely not so, but I feel it's a safe approach given ... as you say ... the IIS physical path is a folder containing sensitive files that IIS would happily serve in absence of the ANCM.
Agree - I'd be happy to use CORE libs, but I'm sure there will be interop scenarios where integration is required and running out of the binary folder is a problem overall. It'd be much better if IIS was rooted in wwwroot and then has a bin probe to the binary folder to find all the config files. dotnet.exe can still run out of the base folder, but IIS really should be rooted to
There was a good discussion on it: aspnet/IISIntegration#158
@RickStrahl @guardrex - I started working on this over the weekend but this discussion prompted me to finish. Hopefully you will find it useful: https://blog.3d-logic.com/2016/06/08/running-asp-net-core-applications-with-iis-and-antares/
It appears the focus of my original question changed. I've noticed a few changes related to the current release of .NET Core 1.0.1 preview2. Closing this unless there are some objections.
@RickStrahl This is an old thread, but you asked about effective/ineffective modules with ANCM/ASP.NET Core apps. There's a WIP doc now, and it will be going through the review process at some point. I tested many of the modules to see if they worked in order to put the doc together. It hasn't been reviewed by team members yet, so it probably has a few kinks and bugs.
What is the recommended way to host a web application on Linux (CentOS) using RC1?
I'm figure with iptables command but port 80 never appears to work. I can use a non-standard port such as 5000 just fine.
I've used nginx on Windows but not for ASP.NET MVC Application.
Also, how does the domain name or host name affect the hosting.json file, etc?
Any help would be great.