发布Asp.net core到nginx 使用nginx代理
2017-03-21 17:23
260 查看
In this guide, we will cover setting up a production-ready ASP.NET environment on an Ubuntu 16.04 Server.+
Note
For Ubuntu 14.04 supervisord is recommended as a solution for monitoring the Kestrel process. systemd is not available on Ubuntu 14.04. See previous version of this document
We will take an existing ASP.NET Core application and place it behind a reverse-proxy server. We will then setup the reverse-proxy server to forward requests to our Kestrel web server.
Additionally we will ensure our web application runs on startup as a daemon and configure a process management tool to help restart our web application in the event of a crash to guarantee high availability.
An existing ASP.NET Core application.
1
Before we proceed, copy your ASP.NET Core application to your server using whatever tool (SCP, FTP, etc) integrates into your workflow. Try and run the app and navigate to
Note
You can use Yeoman to create a new ASP.NET Core application for a new project.
For the purposes of this guide, we are going to use a single instance of Nginx that runs on the same server alongside your HTTP server. However, based on your requirements you may choose a different setup.
When setting up a reverse-proxy server other than IIS, you must call
Because requests are forwarded by reverse-proxy, use
Add
Copy
C#
Note
If you plan to install optional Nginx modules you may be required to build Nginx from source.
We are going to
Copy
bash
At this point you should be able to navigate to your browser and see the default landing page for Nginx.
We will be modifying the
Copy
nginx
This is one of the simplest configuration files for Nginx that forwards incoming public traffic on your port
Once you have completed making changes to your nginx configuration you can run
Copy
bash
An example service file for our application.
Copy
text
Note
User -- If the user www-data is not used by your configuration, the user defined here must be created first and given proper ownership for files
Save the file and enable the service.1
Copy
bash
Start the service and verify that it is running.
Copy
With the reverse proxy configured and Kestrel managed through systemd, the web application is fully configured and can be accessed from a browser on the local machine at
Copy
text
Copy
bash
For further filtering, time options such as
Copy
bash
Enable
Linux Security Modules (LSM) is a framework that is part of the Linux kernel since Linux 2.6 that supports different implementations of security modules.
Copy
bash
bash
Copy
c
Consider using a web application firewall like ModSecurity to harden your application.
Copy
bash
Harden your security by employing some of the practices suggested below like choosing a stronger cipher and redirecting all traffic over HTTP to HTTPS.
Adding an
Do not add the Strict-Transport-Security header or chose an appropriate
Add
Copy
nginx
Edit
Copy
nginx
Edit the nginx.conf file.
Copy
bash
Add the the line
Edit the nginx.conf file.
Copy
bash
Add the the line
Note
For Ubuntu 14.04 supervisord is recommended as a solution for monitoring the Kestrel process. systemd is not available on Ubuntu 14.04. See previous version of this document
We will take an existing ASP.NET Core application and place it behind a reverse-proxy server. We will then setup the reverse-proxy server to forward requests to our Kestrel web server.
Additionally we will ensure our web application runs on startup as a daemon and configure a process management tool to help restart our web application in the event of a crash to guarantee high availability.
Prerequisites
Access to an Ubuntu 16.04 Server with a standard user account with sudo privilege.An existing ASP.NET Core application.
1
Copy over your app
Rundotnet publishfrom your dev environment to package your application into a self-contained directory that can run on your server.2
Before we proceed, copy your ASP.NET Core application to your server using whatever tool (SCP, FTP, etc) integrates into your workflow. Try and run the app and navigate to
http://<serveraddress>:<port>in your browser to see if the application runs fine on Linux. I recommend you have a working app before proceeding.
Note
You can use Yeoman to create a new ASP.NET Core application for a new project.
Configure a reverse proxy server
A reverse proxy is a common setup for serving dynamic web applications. The reverse proxy terminates the HTTP request and forwards it to the ASP.NET application.Why use a reverse-proxy server?
Kestrel is great for serving dynamic content from ASP.NET, however the web serving parts aren’t as feature rich as full-featured servers like IIS, Apache or Nginx. A reverse proxy-server can allow you to offload work like serving static content, caching requests, compressing requests, and SSL termination from the HTTP server. The reverse proxy server may reside on a dedicated machine or may be deployed alongside an HTTP server.For the purposes of this guide, we are going to use a single instance of Nginx that runs on the same server alongside your HTTP server. However, based on your requirements you may choose a different setup.
When setting up a reverse-proxy server other than IIS, you must call
app.UseIdentity(in
Configure) before any other external providers.
Because requests are forwarded by reverse-proxy, use
ForwardedHeadersmiddleware (from
Microsoft.AspNetCore.HttpOverridespackage) in order to set the redirect URI with the
X-Forwarded-Forand
X-Forwarded-Protoheaders instead of
Request.Schemeand
Request.Host."
Add
UseForwardedHeadersto
Configurebefore calling
app.UseFacebookAuthenticationor similar:
Copy
C#
app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto });
Install Nginx
Copysudo apt-get install nginx
Note
If you plan to install optional Nginx modules you may be required to build Nginx from source.
We are going to
apt-getto install Nginx. The installer also creates a System V init script that runs Nginx as daemon on system startup. Since we just installed Nginx for the first time, we can explicitly start it by running
Copy
bash
sudo service nginx start
At this point you should be able to navigate to your browser and see the default landing page for Nginx.
Configure Nginx
We will now configure Nginx as a reverse proxy to forward requests to our ASP.NET applicationWe will be modifying the
/etc/nginx/sites-available/default, so open it up in your favorite text editor and replace the contents with the following.
Copy
nginx
server { listen 80; location / { proxy_pass http://localhost:5000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection keep-alive; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } }
This is one of the simplest configuration files for Nginx that forwards incoming public traffic on your port
80to a port
5000that your web application will listen on.
Once you have completed making changes to your nginx configuration you can run
sudo nginx -tto verify the syntax of your configuration files. If the configuration file test is successful you can ask nginx to pick up the changes by running
sudo nginx -s reload.
Monitoring our application
Nginx is now setup to forward requests made tohttp://localhost:80on to the ASP.NET Core application running on Kestrel at
http://127.0.0.1:5000. However, Nginx is not set up to manage the Kestrel process. We will use systemd and create a service file to start and monitor the underlying web app. systemd is an init system that provides many powerful features for starting, stopping and managing processes.
Create the service file
Create the service definition fileCopy
bash
sudo nano /etc/systemd/system/kestrel-hellomvc.service
An example service file for our application.
Copy
text
[Unit] Description=Example .NET Web API Application running on Ubuntu [Service] WorkingDirectory=/var/aspnetcore/hellomvc ExecStart=/usr/bin/dotnet /var/aspnetcore/hellomvc/hellomvc.dll Restart=always RestartSec=10 # Restart service after 10 seconds if dotnet service crashes SyslogIdentifier=dotnet-example User=www-data Environment=ASPNETCORE_ENVIRONMENT=Production [Install] WantedBy=multi-user.target
Note
User -- If the user www-data is not used by your configuration, the user defined here must be created first and given proper ownership for files
Save the file and enable the service.1
Copy
bash
systemctl enable kestrel-hellomvc.service
Start the service and verify that it is running.
Copy
systemctl start kestrel-hellomvc.service systemctl status kestrel-hellomvc.service ● kestrel-hellomvc.service - Example .NET Web API Application running on Ubuntu Loaded: loaded (/etc/systemd/system/kestrel-hellomvc.service; enabled) Active: active (running) since Thu 2016-10-18 04:09:35 NZDT; 35s ago Main PID: 9021 (dotnet) CGroup: /system.slice/kestrel-hellomvc.service └─9021 /usr/local/bin/dotnet /var/aspnetcore/hellomvc/hellomvc.dll
With the reverse proxy configured and Kestrel managed through systemd, the web application is fully configured and can be accessed from a browser on the local machine at
http://localhost. Inspecting the response headers, the Server still shows the ASP.NET Core application being served by Kestrel.
Copy
text
HTTP/1.1 200 OK Date: Tue, 11 Oct 2016 16:22:23 GMT Server: Kestrel Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Transfer-Encoding: chunked
Viewing logs
Since the web application using Kestrel is managed using systemd, all events and processes are logged to a centralized journal. However, this journal includes all entries for all services and processes managed by systemd. To view thekestrel-hellomvc.servicespecific items, use the following command.
Copy
bash
sudo journalctl -fu kestrel-hellomvc.service
For further filtering, time options such as
--since today,
--until 1 hour agoor a combination of these can reduce the amount of entries returned.
Copy
bash
sudo journalctl -fu kestrel-hellomvc.service --since "2016-10-18" --until "2016-10-18 04:00"
Securing our application
Enable AppArmor
Linux Security Modules (LSM) is a framework that is part of the Linux kernel since Linux 2.6 that supports different implementations of security modules. AppArmoris a LSM that implements a Mandatory Access Control system which allows you to confine the program to a limited set of resources. Ensure AppArmor is enabled and properly configured.
Configuring our firewall
Close off all external ports that are not in use. Uncomplicated firewall (ufw) provides a frontend foriptablesby providing a command-line interface for configuring the firewall. Verify that
ufwis configured to allow traffic on any ports you need.
Copy
bash
sudo apt-get install ufw sudo ufw enable sudo ufw allow 80/tcp sudo ufw allow 443/tcp
Securing Nginx
The default distribution of Nginx doesn't enable SSL. To enable all the security features we require, we will build from source.Download the source and install the build dependencies
Copybash
# Install the build dependencies sudo apt-get update sudo apt-get install build-essential zlib1g-dev libpcre3-dev libssl-dev libxslt1-dev libxml2-dev libgd2-xpm-dev libgeoip-dev libgoogle-perftools-dev libperl-dev # Download nginx 1.10.0 or latest wget http://www.nginx.org/download/nginx-1.10.0.tar.gz tar zxf nginx-1.10.0.tar.gz
Change the Nginx response name
Edit src/http/ngx_http_header_filter_module.cCopy
c
static char ngx_http_server_string[] = "Server: Your Web Server" CRLF; static char ngx_http_server_full_string[] = "Server: Your Web Server" CRLF;
Configure the options and build
The PCRE library is required for regular expressions. Regular expressions are used in the location directive for the ngx_http_rewrite_module. The http_ssl_module adds HTTPS protocol support.Consider using a web application firewall like ModSecurity to harden your application.
Copy
bash
./configure --with-pcre=../pcre-8.38 --with-zlib=../zlib-1.2.8 --with-http_ssl_module --with-stream --with-mail=dynamic
Configure SSL
Configure your server to listen to HTTPS traffic on port443by specifying a valid certificate issued by a trusted Certificate Authority (CA).
Harden your security by employing some of the practices suggested below like choosing a stronger cipher and redirecting all traffic over HTTP to HTTPS.
Adding an
HTTP Strict-Transport-Security(HSTS) header ensures all subsequent requests made by the client are over HTTPS only.
Do not add the Strict-Transport-Security header or chose an appropriate
max-ageif you plan to disable SSL in the future.
Add
/etc/nginx/proxy.confconfiguration file.
Copy
nginx
proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffers 32 4k;
Edit
/etc/nginx/nginx.confconfiguration file. The example contains both http and server sections in one configuration file.
Copy
nginx
http { include /etc/nginx/proxy.conf; limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s; server_tokens off; sendfile on; keepalive_timeout 29; # Adjust to the lowest possible value that makes sense for your use case. client_body_timeout 10; client_header_timeout 10; send_timeout 10; upstream hellomvc{ server localhost:5000; } server { listen *:80; add_header Strict-Transport-Security max-age=15768000; return 301 https://$host$request_uri; } server { listen *:443 ssl; server_name example.com; ssl_certificate /etc/ssl/certs/testCert.crt; ssl_certificate_key /etc/ssl/certs/testCert.key; ssl_protocols TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; #ensure your cert is capable ssl_stapling_verify on; #ensure your cert is capable add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; #Redirects all traffic location / { proxy_pass http://hellomvc; limit_req zone=one burst=10; } } }
Secure Nginx from clickjacking
Clickjacking is a malicious technique to collect an infected user's clicks. Clickjacking tricks the victim (visitor) into clicking on an infected site. Use X-FRAME-OPTIONS to secure your site.Edit the nginx.conf file.
Copy
bash
sudo nano /etc/nginx/nginx.conf
Add the the line
add_header X-Frame-Options "SAMEORIGIN";and save the file, then restart Nginx.
MIME-type sniffing
This header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type as the header instructs the browser not to override the response content type. With the nosniff option, if the server says the content is text/html, the browser will render it as text/html.Edit the nginx.conf file.
Copy
bash
sudo nano /etc/nginx/nginx.conf
Add the the line
add_header X-Content-Type-Options "nosniff"and save the file, then restart Nginx.
相关文章推荐
- Asp.Net Core 发布和部署( MacOS + Linux + Nginx )
- Asp.Net Core 发布和部署( MacOS + Linux + Nginx )
- ASP.NET Core部署到CentOS7,使用Nginx代理
- Asp.Net Core 发布和部署( MacOS + Linux + Nginx )
- 使用 Visual Studio 部署 .NET Core 应用 ——ASP.NET Core 发布的具体操作
- Asp.Net Core IIS发布后PUT、DELETE请求错误405.0 - Method Not Allowed 因为使用了无效方法(HTTP 谓词)
- 使用Visual Studio Code开发Asp.Net Core WebApi学习笔记(十)-- 发布(Windows)
- ubuntu下发布asp.net core并用nginx代理之旅
- ubuntu下发布asp.net core并用nginx代理之旅(续)
- [C#]使用 C# 代码实现拓扑排序 dotNet Core WEB程序使用 Nginx反向代理 C#里面获得应用程序的当前路径 关于Nginx设置端口号,在Asp.net 获取不到的,解决办法 .Net程序员 初学Ubuntu ,配置Nignix 夜深了,写了个JQuery的省市区三级级联效果
- ASP.NET Core 1.0 安装并发布到Centos 7.2 使用jexus 5.8.2
- 使用Visual Studio Code开发Asp.Net Core WebApi学习笔记(十)-- 发布(Windows)
- 详解Asp.Net Core 发布和部署( MacOS + Linux + Nginx )
- ubuntu下发布asp.net core并用nginx代理之旅
- ubuntu下发布asp.net core并用nginx代理之旅(转载)
- Asp.Net Core 发布和部署( MacOS + Linux + Nginx )
- 使用MSBuild自动编译发布你的ASP.NET应用程序
- Silverlight WCF RIA网站使用ASP.NET身份验证发布在IIS及Windows Azure的配置
- ASP.NET 使用Process类 发布 权限问题