发布Asp.net core到nginx 使用nginx代理

In this guide, we will cover setting up a production-ready ASP.NET environment on an Ubuntu 16.04 Server.+

Note
For Ubuntu 14.04 supervisord is recommended as a solution for monitoring the Kestrel process. systemd is not available on Ubuntu 14.04. See previous version of this document

We will take an existing ASP.NET Core application and place it behind a reverse-proxy server. We will then setup the reverse-proxy server to forward requests to our Kestrel web server.

Additionally we will ensure our web application runs on startup as a daemon and configure a process management tool to help restart our web application in the event of a crash to guarantee high availability.

Prerequisites

Access to an Ubuntu 16.04 Server with a standard user account with sudo privilege.

An existing ASP.NET Core application.

1

Copy over your app

Run

dotnet publish

from your dev environment to package your application into a self-contained directory that can run on your server.2

Before we proceed, copy your ASP.NET Core application to your server using whatever tool (SCP, FTP, etc) integrates into your workflow. Try and run the app and navigate to

http://<serveraddress>:<port>

in your browser to see if the application runs fine on Linux. I recommend you have a working app before proceeding.

Note
You can use Yeoman to create a new ASP.NET Core application for a new project.

Configure a reverse proxy server

A reverse proxy is a common setup for serving dynamic web applications. The reverse proxy terminates the HTTP request and forwards it to the ASP.NET application.

Why use a reverse-proxy server?

Kestrel is great for serving dynamic content from ASP.NET, however the web serving parts aren’t as feature rich as full-featured servers like IIS, Apache or Nginx. A reverse proxy-server can allow you to offload work like serving static content, caching requests, compressing requests, and SSL termination from the HTTP server. The reverse proxy server may reside on a dedicated machine or may be deployed alongside an HTTP server.

For the purposes of this guide, we are going to use a single instance of Nginx that runs on the same server alongside your HTTP server. However, based on your requirements you may choose a different setup.

When setting up a reverse-proxy server other than IIS, you must call

app.UseIdentity

(in

Configure

) before any other external providers.

Because requests are forwarded by reverse-proxy, use

ForwardedHeaders

middleware (from

Microsoft.AspNetCore.HttpOverrides

package) in order to set the redirect URI with the

X-Forwarded-For

and

X-Forwarded-Proto

headers instead of

Request.Scheme

and

Request.Host

."

Add

UseForwardedHeaders

to

Configure

before calling

app.UseFacebookAuthentication

or similar:

Copy
C#

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

Install Nginx

Copy

sudo apt-get install nginx

Note
If you plan to install optional Nginx modules you may be required to build Nginx from source.

We are going to

apt-get

to install Nginx. The installer also creates a System V init script that runs Nginx as daemon on system startup. Since we just installed Nginx for the first time, we can explicitly start it by running

Copy
bash

sudo service nginx start

At this point you should be able to navigate to your browser and see the default landing page for Nginx.

Configure Nginx

We will now configure Nginx as a reverse proxy to forward requests to our ASP.NET application

We will be modifying the

/etc/nginx/sites-available/default

, so open it up in your favorite text editor and replace the contents with the following.

Copy
nginx

server {
listen 80;
location / {
proxy_pass http://localhost:5000; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

This is one of the simplest configuration files for Nginx that forwards incoming public traffic on your port

80

to a port

5000

that your web application will listen on.

Once you have completed making changes to your nginx configuration you can run

sudo nginx -t

to verify the syntax of your configuration files. If the configuration file test is successful you can ask nginx to pick up the changes by running

sudo nginx -s reload

.

Monitoring our application

Nginx is now setup to forward requests made to

http://localhost:80

on to the ASP.NET Core application running on Kestrel at

http://127.0.0.1:5000

. However, Nginx is not set up to manage the Kestrel process. We will use systemd and create a service file to start and monitor the underlying web app. systemd is an init system that provides many powerful features for starting, stopping and managing processes.

Create the service file

Create the service definition file

Copy
bash

sudo nano /etc/systemd/system/kestrel-hellomvc.service

An example service file for our application.

Copy
text

[Unit]
Description=Example .NET Web API Application running on Ubuntu

[Service]
WorkingDirectory=/var/aspnetcore/hellomvc
ExecStart=/usr/bin/dotnet /var/aspnetcore/hellomvc/hellomvc.dll
Restart=always
RestartSec=10                                          # Restart service after 10 seconds if dotnet service crashes
SyslogIdentifier=dotnet-example
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Production

[Install]
WantedBy=multi-user.target

Note
User -- If the user www-data is not used by your configuration, the user defined here must be created first and given proper ownership for files

Save the file and enable the service.1

Copy
bash

systemctl enable kestrel-hellomvc.service

Start the service and verify that it is running.

Copy

systemctl start kestrel-hellomvc.service
systemctl status kestrel-hellomvc.service

● kestrel-hellomvc.service - Example .NET Web API Application running on Ubuntu
Loaded: loaded (/etc/systemd/system/kestrel-hellomvc.service; enabled)
Active: active (running) since Thu 2016-10-18 04:09:35 NZDT; 35s ago
Main PID: 9021 (dotnet)
CGroup: /system.slice/kestrel-hellomvc.service
└─9021 /usr/local/bin/dotnet /var/aspnetcore/hellomvc/hellomvc.dll

With the reverse proxy configured and Kestrel managed through systemd, the web application is fully configured and can be accessed from a browser on the local machine at

http://localhost

. Inspecting the response headers, the Server still shows the ASP.NET Core application being served by Kestrel.

Copy
text

HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 16:22:23 GMT
Server: Kestrel
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked

Viewing logs

Since the web application using Kestrel is managed using systemd, all events and processes are logged to a centralized journal. However, this journal includes all entries for all services and processes managed by systemd. To view the

kestrel-hellomvc.service

specific items, use the following command.

Copy
bash

sudo journalctl -fu kestrel-hellomvc.service

For further filtering, time options such as

--since today

,

--until 1 hour ago

or a combination of these can reduce the amount of entries returned.

Copy
bash

sudo journalctl -fu kestrel-hellomvc.service --since "2016-10-18" --until "2016-10-18 04:00"

Securing our application

Enable

AppArmor

Linux Security Modules (LSM) is a framework that is part of the Linux kernel since Linux 2.6 that supports different implementations of security modules.

AppArmor

is a LSM that implements a Mandatory Access Control system which allows you to confine the program to a limited set of resources. Ensure AppArmor is enabled and properly configured.

Configuring our firewall

Close off all external ports that are not in use. Uncomplicated firewall (ufw) provides a frontend for

iptables

by providing a command-line interface for configuring the firewall. Verify that

ufw

is configured to allow traffic on any ports you need.

Copy
bash

sudo apt-get install ufw
sudo ufw enable

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Securing Nginx

The default distribution of Nginx doesn't enable SSL. To enable all the security features we require, we will build from source.

Download the source and install the build dependencies

Copy
bash

# Install the build dependencies
sudo apt-get update
sudo apt-get install build-essential zlib1g-dev libpcre3-dev libssl-dev libxslt1-dev libxml2-dev libgd2-xpm-dev libgeoip-dev libgoogle-perftools-dev libperl-dev

# Download nginx 1.10.0 or latest
wget http://www.nginx.org/download/nginx-1.10.0.tar.gz tar zxf nginx-1.10.0.tar.gz

Change the Nginx response name

Edit src/http/ngx_http_header_filter_module.c

Copy
c

static char ngx_http_server_string[] = "Server: Your Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Your Web Server" CRLF;

Configure the options and build

The PCRE library is required for regular expressions. Regular expressions are used in the location directive for the ngx_http_rewrite_module. The http_ssl_module adds HTTPS protocol support.

Consider using a web application firewall like ModSecurity to harden your application.

Copy
bash

./configure
--with-pcre=../pcre-8.38
--with-zlib=../zlib-1.2.8
--with-http_ssl_module
--with-stream
--with-mail=dynamic

Configure SSL

Configure your server to listen to HTTPS traffic on port

443

by specifying a valid certificate issued by a trusted Certificate Authority (CA).

Harden your security by employing some of the practices suggested below like choosing a stronger cipher and redirecting all traffic over HTTP to HTTPS.

Adding an

HTTP Strict-Transport-Security

(HSTS) header ensures all subsequent requests made by the client are over HTTPS only.

Do not add the Strict-Transport-Security header or chose an appropriate

max-age

if you plan to disable SSL in the future.

Add

/etc/nginx/proxy.conf

configuration file.

Copy
nginx

proxy_redirect 			off;
proxy_set_header 		Host 			$host;
proxy_set_header		X-Real-IP 		$remote_addr;
proxy_set_header		X-Forwarded-For	$proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto $scheme;
client_max_body_size 	10m;
client_body_buffer_size 128k;
proxy_connect_timeout 	90;
proxy_send_timeout 		90;
proxy_read_timeout 		90;
proxy_buffers			32 4k;

Edit

/etc/nginx/nginx.conf

configuration file. The example contains both http and server sections in one configuration file.

Copy
nginx

http {
include    /etc/nginx/proxy.conf;
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
server_tokens off;

sendfile on;
keepalive_timeout 29; # Adjust to the lowest possible value that makes sense for your use case.
client_body_timeout 10; client_header_timeout 10; send_timeout 10;

upstream hellomvc{
server localhost:5000;
}

server {
listen *:80;
add_header Strict-Transport-Security max-age=15768000;
return 301 https://$host$request_uri; }

server {
listen *:443    ssl;
server_name     example.com;
ssl_certificate /etc/ssl/certs/testCert.crt;
ssl_certificate_key /etc/ssl/certs/testCert.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on; #ensure your cert is capable
ssl_stapling_verify on; #ensure your cert is capable

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

#Redirects all traffic
location / {
proxy_pass  http://hellomvc; limit_req   zone=one burst=10;
}
}
}

Secure Nginx from clickjacking

Clickjacking is a malicious technique to collect an infected user's clicks. Clickjacking tricks the victim (visitor) into clicking on an infected site. Use X-FRAME-OPTIONS to secure your site.

Edit the nginx.conf file.

Copy
bash

sudo nano /etc/nginx/nginx.conf

Add the the line

add_header X-Frame-Options "SAMEORIGIN";

and save the file, then restart Nginx.

MIME-type sniffing

This header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type as the header instructs the browser not to override the response content type. With the nosniff option, if the server says the content is text/html, the browser will render it as text/html.

Edit the nginx.conf file.

Copy
bash

sudo nano /etc/nginx/nginx.conf

Add the the line

add_header X-Content-Type-Options "nosniff"

and save the file, then restart Nginx.