Asp net хостинг linux

ASP.NET Core is a fully open source, high-performance, and cross-platform framework. ASP.NET Core runs anywhere you need it to (Windows, Mac, Linux). If you compare hosting apps on Windows vs Linux, Linux hosting is usually cheaper. At the time of writing this post, you can find a cheap Linux VPS for as little as $3.5 a month.

In this article, we will be using Linux VPS, having CentOS 7 installed, ASP.Net Core 2.0 application and Nginx as the reverse proxy. I will try to cover most of the details for basic web hosting including some safety measures, this post might get a little long, bear with me, please. The hosting process is broken into following steps:

Get Linux VPS Setup Linux Host
Install .NET Core
Deploying ASP.Net Core application
Configure Nginx as the reverse proxy

Step 1. Setup Linux Host

You can pick any VPS provider of your choice and any distribution of Linux, in this post I am using a $3.5 CentOS 7 64-bit VPS with 1 CPU core and 1 GB Ram from RamNode(affiliate link). Why CentOS and why not any other distribution? CentOS is a free clone of Red Hat Enterprise Linux. It is considered more stable, secure and supports most of the control panels (including the most popular one — cPanel) so it is preferred distribution for businesses and in the hosting industry.

Once you get VPS, you will receive an IP and root password which you will use to connect to the VPS. You need an SSH client to connect to Linux VPS. There are free SSH clients available, SmartTTY and Putty are very common ones. I will be using SmartTTY for this demo.

Install and open SmartTTY and enter the IP, port, username, and password.

Click connect, it should open the terminal window:

Now that we have connected to the VPS via SSH, next we will configure the Linux host.

We could simply install .NET Core, Nginx and run the application, but it is strongly recommended to first follow some basic common practices of initial server setup to cover our bases. I will cover the bare minimum steps which you should do for each of the Linux servers. This will apply for some basic security protection on the server. For example, change the default root login, change default SSH port etc. If you are hosting your app just for fun, you can skip the rest of the configuration and jump directly to step 2 Install .NET Core.

Change the default password for root. Use passwd command to change the default password provided by the VPS provider.

You will be asked to enter the password twice.

Create a new «Sudo» user. We will use this new user to login to the server from next time onwards, and disable root login because root is standard username hackers can easily guess.

Use the adduser command to add a new user, replace username with the user you want to create:
Use the passwd command to change the password for the user you created:

You will be prompted for a new password and confirm the password.

In CentOS, by default members of wheel group have sudo privileges.

List the contents of /root directory, which is only accessible to root user.

You will be prompted to enter the account password, once you enter that, the command should run with root privileges.

Now we can use this new user to perform all tasks we could with root user. Just remember to add sudo to commands.

Change default SSH port, disable root login and allow the new user to login via SSH. SSH default port number is 22 and everybody knows it, including the hackers, it is not safe. Changing the default SSH port number is the basic step towards security, for production servers, in my opinion, the best way to protect SSH server is to implement password-less login using certificates and encryption. You can find many articles on how to implement password-less login into SSH server, I am going to focus on just changing the default port 22 to something else in this post. To change the SSH default port, we need to edit «sshd_config» file. You can use any editor of your choice, I am going to use Nano editor:
Install nano:

Eidt «sshd_config» file:

Find the following line:

Remove # symbol and change the default port 22 to something else, 20020 for example:

Remove the # symbol and change yes to no:

At the end of the file, add this line, obviously, replace the username with the user you created:

Save and close the file, do not exit the session yet, allow port 20020 on firewall first, otherwise, you will not be able to login into the VM.

Restart SSH service:

Allow port 20020 on the firewall:

If you get «firewall-cmd: command not found» error, install and enable firewalld and run the command again, here are the commands to just do that:

Reload firewall config:

Now you should be able to login into the VM using the new SSH port with the new user, and login for root user is disabled via SSH.

Step 2. Install .NET Core

Run following commands to install .NET Core in CentOS

Add the dotnet product feed:

Install the .NET Core SDK and add dotnet to PATH:

Verify installation by running:

Step 3. Deploying ASP.NET Core application

I am going to use an existing application, publish it and copy that over to VPS. Publish the application by using the following command:

Copy the output contents over to the VPS using any SFTP or FTP tool. I am using WinSCP to copy the published code. You can run the application by using the dotnet command on the command prompt, you need a monitor to run it and keep it running. Let’s create a service for that:

Create the service definition file:

Add following content to the service file:

Now you need to enable the service and run it:

The status command should show the service as running if the configuration was correct. Now, our web application is running, kestrel by default listens on port 5000, so our application is available on http://localhost:5000.

Kestrel is good for serving dynamic content, but it is not a fully featured web-server. A reverse proxy server allows you to offload work like serving static content, cashing requests, compressing requests, and SSL termination from the HTTP server. In the next step, we will configure Nginx as the reverse proxy.

Step 4. Configure Nginx as Reverse Proxy

Almost all major Linux distro comes with Apache by default, since we are going to use Nginx only and Apache configuration might cause issues when Nginx is installed, we will turn Apache off. This will stop all the existing sites hosted in Apache. If you have any sites hosted in Apache. Since we do not have any site installed on Apache, we will stop and disable the Apache. Stop command will stop the Apache and disable command will make sure Apache does not start on next reboot:

Add Nginx repository, install Nginx, Start and Enable:

Enabling Nginx will make sure it is started on every reboot.

Check the status of Nginx service:

If you are running a firewall, run following commands to allow HTTP and HTTPS traffic:

You can verify right away that Nginx installed by browsing your server’s public IP address in any browser. E.g.

You should see a default Nginx page saying «Welcome to nginx». If you see this page, nginx is installed correctly.

I am changing the nginx config file directly, ideally, for production, you should create a separate config file. Open nginx config file:

Update the config file:

Verify and reload the config:

All set, now your website should be available when you type the IP of the server:

Have any questions, suggestions or feedback? Please leave a comment below.

Источник

Host ASP.NET Core on Linux with Nginx

This guide explains setting up a production-ready ASP.NET Core environment on an Ubuntu 16.04 server. These instructions likely work with newer versions of Ubuntu, but the instructions haven’t been tested with newer versions.

For information on other Linux distributions supported by ASP.NET Core, see Prerequisites for .NET Core on Linux.

For Ubuntu 14.04, supervisord is recommended as a solution for monitoring the Kestrel process. systemd isn’t available on Ubuntu 14.04. For Ubuntu 14.04 instructions, see the previous version of this topic.

Places an existing ASP.NET Core app behind a reverse proxy server.
Sets up the reverse proxy server to forward requests to the Kestrel web server.
Ensures the web app runs on startup as a daemon.
Configures a process management tool to help restart the web app.

Prerequisites

Access to an Ubuntu 16.04 server with a standard user account with sudo privilege.
The latest non-preview .NET runtime installed on the server.
An existing ASP.NET Core app.

At any point in the future after upgrading the shared framework, restart the ASP.NET Core apps hosted by the server.

Publish and copy over the app

If the app is run locally and isn’t configured to make secure connections (HTTPS), adopt either of the following approaches:

Configure the app to handle secure local connections. For more information, see the HTTPS configuration section.
Remove https://localhost:5001 (if present) from the applicationUrl property in the Properties/launchSettings.json file.

Run dotnet publish from the development environment to package an app into a directory (for example, bin/Release//publish , where the placeholder is the Target Framework Moniker/TFM) that can run on the server:

The app can also be published as a self-contained deployment if you prefer not to maintain the .NET Core runtime on the server.

Copy the ASP.NET Core app to the server using a tool that integrates into the organization’s workflow (for example, SCP , SFTP ). It’s common to locate web apps under the var directory (for example, var/www/helloapp ).

Under a production deployment scenario, a continuous integration workflow does the work of publishing the app and copying the assets to the server.

to verify the app works on Linux locally.

Configure a reverse proxy server

A reverse proxy is a common setup for serving dynamic web apps. A reverse proxy terminates the HTTP request and forwards it to the ASP.NET Core app.

Use a reverse proxy server

Kestrel is great for serving dynamic content from ASP.NET Core. However, the web serving capabilities aren’t as feature rich as servers such as IIS, Apache, or Nginx. A reverse proxy server can offload work such as serving static content, caching requests, compressing requests, and HTTPS termination from the HTTP server. A reverse proxy server may reside on a dedicated machine or may be deployed alongside an HTTP server.

For the purposes of this guide, a single instance of Nginx is used. It runs on the same server, alongside the HTTP server. Based on requirements, a different setup may be chosen.

Because requests are forwarded by reverse proxy, use the Forwarded Headers Middleware from the Microsoft.AspNetCore.HttpOverrides package. The middleware updates the Request.Scheme , using the X-Forwarded-Proto header, so that redirect URIs and other security policies work correctly.

Forwarded Headers Middleware should run before other middleware. This ordering ensures that the middleware relying on forwarded headers information can consume the header values for processing. To run Forwarded Headers Middleware after diagnostics and error handling middleware, see Forwarded Headers Middleware order.

Invoke the UseForwardedHeaders method at the top of Startup.Configure before calling other middleware. Configure the middleware to forward the X-Forwarded-For and X-Forwarded-Proto headers:

If no ForwardedHeadersOptions are specified to the middleware, the default headers to forward are None .

Proxies running on loopback addresses ( 127.0.0.0/8 , [::1] ), including the standard localhost address ( 127.0.0.1 ), are trusted by default. If other trusted proxies or networks within the organization handle requests between the Internet and the web server, add them to the list of KnownProxies or KnownNetworks with ForwardedHeadersOptions. The following example adds a trusted proxy server at IP address 10.0.0.100 to the Forwarded Headers Middleware KnownProxies in Startup.ConfigureServices :

Install Nginx

Use apt-get to install Nginx. The installer creates a systemd init script that runs Nginx as daemon on system startup. Follow the installation instructions for Ubuntu at Nginx: Official Debian/Ubuntu packages.

If optional Nginx modules are required, building Nginx from source might be required.

Since Nginx was installed for the first time, explicitly start it by running:

Verify a browser displays the default landing page for Nginx. The landing page is reachable at http:// /index.nginx-debian.html .

Configure Nginx

To configure Nginx as a reverse proxy to forward HTTP requests to your ASP.NET Core app, modify /etc/nginx/sites-available/default . Open it in a text editor, and replace the contents with the following snippet:

If the app is a SignalR or Blazor Server app, see ASP.NET Core SignalR production hosting and scaling and Host and deploy ASP.NET Core Blazor Server respectively for more information.

When no server_name matches, Nginx uses the default server. If no default server is defined, the first server in the configuration file is the default server. As a best practice, add a specific default server that returns a status code of 444 in your configuration file. A default server configuration example is:

With the preceding configuration file and default server, Nginx accepts public traffic on port 80 with host header example.com or *.example.com . Requests not matching these hosts won’t get forwarded to Kestrel. Nginx forwards the matching requests to Kestrel at http://127.0.0.1:5000 . For more information, see How nginx processes a request. To change Kestrel’s IP/port, see Kestrel: Endpoint configuration.

Failure to specify a proper server_name directive exposes your app to security vulnerabilities. Subdomain wildcard binding (for example, *.example.com ) doesn’t pose this security risk if you control the entire parent domain (as opposed to *.com , which is vulnerable). For more information, see rfc7230 section-5.4.

Once the Nginx configuration is established, run sudo nginx -t to verify the syntax of the configuration files. If the configuration file test is successful, force Nginx to pick up the changes by running sudo nginx -s reload .

To directly run the app on the server:

If the app runs on the server but fails to respond over the Internet, check the server’s firewall and confirm port 80 is open. If using an Azure Ubuntu VM, add a Network Security Group (NSG) rule that enables inbound port 80 traffic. There’s no need to enable an outbound port 80 rule, as the outbound traffic is automatically granted when the inbound rule is enabled.

When done testing the app, shut down the app with Ctrl + C at the command prompt.

Monitor the app

The server is set up to forward requests made to http:// :80 on to the ASP.NET Core app running on Kestrel at http://127.0.0.1:5000 . However, Nginx isn’t set up to manage the Kestrel process. systemd can be used to create a service file to start and monitor the underlying web app. systemd is an init system that provides many powerful features for starting, stopping, and managing processes.

Create the service file

Create the service definition file:

The following example is a service file for the app:

In the preceding example, the user that manages the service is specified by the User option. The user ( www-data ) must exist and have proper ownership of the app’s files.

Use TimeoutStopSec to configure the duration of time to wait for the app to shut down after it receives the initial interrupt signal. If the app doesn’t shut down in this period, SIGKILL is issued to terminate the app. Provide the value as unitless seconds (for example, 150 ), a time span value (for example, 2min 30s ), or infinity to disable the timeout. TimeoutStopSec defaults to the value of DefaultTimeoutStopSec in the manager configuration file ( systemd-system.conf , system.conf.d , systemd-user.conf , user.conf.d ). The default timeout for most distributions is 90 seconds.

Linux has a case-sensitive file system. Setting ASPNETCORE_ENVIRONMENT to Production results in searching for the configuration file appsettings.Production.json , not appsettings.production.json .

Some values (for example, SQL connection strings) must be escaped for the configuration providers to read the environment variables. Use the following command to generate a properly escaped value for use in the configuration file:

Colon ( : ) separators aren’t supported in environment variable names. Use a double underscore ( __ ) in place of a colon. The Environment Variables configuration provider converts double-underscores into colons when environment variables are read into configuration. In the following example, the connection string key ConnectionStrings:DefaultConnection is set into the service definition file as ConnectionStrings__DefaultConnection :

Save the file and enable the service.

Start the service and verify that it’s running.

With the reverse proxy configured and Kestrel managed through systemd , the web app is fully configured and can be accessed from a browser on the local machine at http://localhost . It’s also accessible from a remote machine, barring any firewall that might be blocking. Inspecting the response headers, the Server header shows the ASP.NET Core app being served by Kestrel.

View logs

Since the web app using Kestrel is managed using systemd , all events and processes are logged to a centralized journal. However, this journal includes all entries for all services and processes managed by systemd . To view the kestrel-helloapp.service -specific items, use the following command:

For further filtering, time options such as —since today , —until 1 hour ago , or a combination of these can reduce the number of entries returned.

Data protection

The ASP.NET Core Data Protection stack is used by several ASP.NET Core middlewares, including authentication middleware (for example, cookie middleware) and cross-site request forgery (CSRF) protections. Even if Data Protection APIs aren’t called by user code, data protection should be configured to create a persistent cryptographic key store. If data protection isn’t configured, the keys are held in memory and discarded when the app restarts.

If the key ring is stored in memory when the app restarts:

All cookie-based authentication tokens are invalidated.
Users are required to sign in again on their next request.
Any data protected with the key ring can no longer be decrypted. This may include CSRF tokens and ASP.NET Core MVC TempData cookies.

To configure data protection to persist and encrypt the key ring, see:

Long request header fields

Proxy server default settings typically limit request header fields to 4 K or 8 K depending on the platform. An app may require fields longer than the default (for example, apps that use Azure Active Directory). If longer fields are required, the proxy server’s default settings require adjustment. The values to apply depend on the scenario. For more information, see your server’s documentation.

Don’t increase the default values of proxy buffers unless necessary. Increasing these values increases the risk of buffer overrun (overflow) and Denial of Service (DoS) attacks by malicious users.

Secure the app

Enable AppArmor

Linux Security Modules (LSM) is a framework that’s part of the Linux kernel since Linux 2.6. LSM supports different implementations of security modules. AppArmor is an LSM that implements a Mandatory Access Control system, which allows confining the program to a limited set of resources. Ensure AppArmor is enabled and properly configured.

Configure the firewall

Close off all external ports that aren’t in use. Uncomplicated firewall (ufw) provides a front end for iptables by providing a CLI for configuring the firewall.

A firewall will prevent access to the whole system if not configured correctly. Failure to specify the correct SSH port will effectively lock you out of the system if you are using SSH to connect to it. The default port is 22. For more information, see the introduction to ufw and the manual.

Install ufw and configure it to allow traffic on any ports needed.

Secure Nginx

Change the Nginx response name

Configure options

Configure the server with additional required modules. Consider using a web app firewall, such as ModSecurity, to harden the app.

HTTPS configuration

Configure the app for secure (HTTPS) local connections

The dotnet run command uses the app’s Properties/launchSettings.json file, which configures the app to listen on the URLs provided by the applicationUrl property. For example, https://localhost:5001;http://localhost:5000 .

Configure the app to use a certificate in development for the dotnet run command or development environment ( F5 or Ctrl + F5 in Visual Studio Code) using one of the following approaches:

Configure the reverse proxy for secure (HTTPS) client connections

The security configuration in this section is a general configuration to be used as a starting point for further customization. We’re unable to provide support for third-party tooling, servers, and operating systems. Use the configuration in this section at your own risk. For more information, access the following resources:

Configure the server to listen to HTTPS traffic on port 443 by specifying a valid certificate issued by a trusted Certificate Authority (CA).

Harden the security by employing some of the practices depicted in the following /etc/nginx/nginx.conf file.

The following example doesn’t configure the server to redirect insecure requests. We recommend using HTTPS Redirection Middleware. For more information, see Enforce HTTPS in ASP.NET Core.

For development environments where the server configuration handles secure redirection instead of HTTPS Redirection Middleware, we recommend using temporary redirects (302) rather than permanent redirects (301). Link caching can cause unstable behavior in development environments.

Adding a Strict-Transport-Security (HSTS) header ensures all subsequent requests made by the client are over HTTPS. For guidance on setting the Strict-Transport-Security header, see Enforce HTTPS in ASP.NET Core.

If HTTPS will be disabled in the future, use one of the following approaches:

Don’t add the HSTS header.
Choose a short max-age value.

Add the /etc/nginx/proxy.conf configuration file:

Replace the contents of the /etc/nginx/nginx.conf configuration file with the following file. The example contains both http and server sections in one configuration file.

Blazor WebAssembly apps require a larger burst parameter value to accommodate the larger number of requests made by an app. For more information, see Host and deploy ASP.NET Core Blazor WebAssembly.

The preceding example disables Online Certificate Status Protocol (OCSP) Stapling. If enabled, confirm that the certificate supports the feature. For more information and guidance on enabling OCSP, see the following properties in the Module ngx_http_ssl_module (Nginx documentation) article:

ssl_stapling
ssl_stapling_file
ssl_stapling_responder
ssl_stapling_verify

Secure Nginx from clickjacking

Clickjacking, also known as a UI redress attack, is a malicious attack where a website visitor is tricked into clicking a link or button on a different page than they’re currently visiting. Use X-FRAME-OPTIONS to secure the site.

To mitigate clickjacking attacks:

Edit the nginx.conf file:

Add the line: add_header X-Frame-Options «SAMEORIGIN»;

MIME-type sniffing

This header prevents most browsers from MIME-sniffing a response away from the declared content type, as the header instructs the browser not to override the response content type. With the nosniff option, if the server says the content is text/html , the browser renders it as text/html .

Edit the nginx.conf file:

Add the line: add_header X-Content-Type-Options «nosniff»;

Источник