Publish to a Linux Production Environment

By Sourabh Shirhatti

In this guide, we will cover setting up a production-ready ASP.NET environment on an Ubuntu 14.04 Server.

We will take an existing ASP.NET Core application and place it behind a reverse-proxy server. We will then setup the reverse-proxy server to forward requests to our Kestrel web server.

Additionally we will ensure our web application runs on startup as a daemon and configure a process management tool to help restart our web application in the event of a crash to guarantee high availability.

Prerequisites

  1. Access to an Ubuntu 14.04 Server with a standard user account with sudo privilege.

  2. An existing ASP.NET Core application.

Copy over your app

Run dotnet publish from your dev environment to package your application into a self-contained directory that can run on your server.

Before we proceed, copy your ASP.NET Core application to your server using whatever tool (SCP, FTP, etc) integrates into your workflow. Try and run the app and navigate to http://<serveraddress>:<port> in your browser to see if the application runs fine on Linux. I recommend you have a working app before proceeding.

[!NOTE] You can use Yeoman to create a new ASP.NET Core application for a new project.

Configure a reverse proxy server

A reverse proxy is a common setup for serving dynamic web applications. The reverse proxy terminates the HTTP request and forwards it to the ASP.NET application.

Why use a reverse-proxy server?

Kestrel is great for serving dynamic content from ASP.NET, however the web serving parts aren’t as feature rich as full-featured servers like IIS, Apache or Nginx. A reverse proxy-server can allow you to offload work like serving static content, caching requests, compressing requests, and SSL termination from the HTTP server. The reverse proxy server may reside on a dedicated machine or may be deployed alongside an HTTP server.

For the purposes of this guide, we are going to use a single instance of Nginx that runs on the same server alongside your HTTP server. However, based on your requirements you may choose a different setup.

Install Nginx

sudo apt-get install nginx

[!NOTE] If you plan to install optional Nginx modules you may be required to build Nginx from source.

We are going to apt-get to install Nginx. The installer also creates a System V init script that runs Nginx as daemon on system startup. Since we just installed Nginx for the first time, we can explicitly start it by running

sudo service nginx start

At this point you should be able to navigate to your browser and see the default landing page for Nginx.

Configure Nginx

We will now configure Nginx as a reverse proxy to forward requests to our ASP.NET application

We will be modifying the /etc/nginx/sites-available/default, so open it up in your favorite text editor and replace the contents with the following.

server {
listen 80;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

This is one of the simplest configuration files for Nginx that forwards incoming public traffic on your port 80 to a port 5000that your web application will listen on.

Once you have completed making changes to your nginx configuration you can run sudo nginx -t to verify the syntax of your configuration files. If the configuration file test is successful you can ask nginx to pick up the changes by running sudo nginx -s reload.

Monitoring our Web Application

Nginx will forward requests to your Kestrel server, however unlike IIS on Windows, it does not mangage your Kestrel process. In this tutorial, we will use supervisor to start our application on system boot and restart our process in the event of a failure.

Installing supervisor

sudo apt-get install supervisor

[!NOTE] supervisor is a python based tool and you can acquire it through pip or easy_install instead.

Configuring supervisor

Supervisor works by creating child processes based on data in its configuration file. When a child process dies, supervisor is notified via the SIGCHILD signal and supervisor can react accordingly and restart your web application.

To have supervisor monitor our application, we will add a file to the /etc/supervisor/conf.d/ directory.

/etc/supervisor/conf.d/hellomvc.conf

[program:hellomvc]
command=/usr/bin/dotnet /var/aspnetcore/HelloMVC/HelloMVC.dll
directory=/var/aspnetcore/HelloMVC/
autostart=true
autorestart=true
stderr_logfile=/var/log/hellomvc.err.log
stdout_logfile=/var/log/hellomvc.out.log
environment=HOME=/var/www/,ASPNETCORE_ENVIRONMENT=Production
user=www-data
stopsignal=INT
stopasgroup=true
killasgroup=true

Once you are done editing the configuration file, restart the supervisord process to change the set of programs controlled by supervisord.

sudo service supervisor stop
sudo service supervisor start

Start our web application on startup

In our case, since we are using supervisor to manage our application, the application will be automatically started by supervisor. Supervisor uses a System V Init script to run as a daemon on system boot and will susbsequently launch your application. If you chose not to use supervisor or an equivalent tool, you will need to write a systemd or upstart or SysVinit script to start your application on startup.

Viewing logs

Supervisord logs messages about its own health and its subprocess' state changes to the activity log. The path to the activity log is configured via the logfile parameter in the configuration file.

sudo tail -f /var/log/supervisor/supervisord.log

You can redirect application logs (STDOUT and STERR) in the program section of your configuration file.

tail -f /var/log/hellomvc.out.log

Securing our application

Enable AppArmor

Linux Security Modules (LSM) is a framework that is part of the Linux kernel since Linux 2.6 that supports different implementations of security modules. AppArmor is a LSM that implements a Mandatory Access Control system which allows you to confine the program to a limited set of resources. Ensure AppArmor is enabled and properly configured.

Configuring our firewall

Close off all external ports that are not in use. Uncomplicated firewall (ufw) provides a frontend for iptables by providing a command-line interface for configuring the firewall. Verify that ufw is configured to allow traffic on any ports you need.

sudo apt-get install ufw
sudo ufw enable sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Securing Nginx

The default distribution of Nginx doesn't enable SSL. To enable all the security features we require, we will build from source.

Download the source and install the build dependencies

# Install the build dependencies
sudo apt-get update
sudo apt-get install build-essential zlib1g-dev libpcre3-dev libssl-dev libxslt1-dev libxml2-dev libgd2-xpm-dev libgeoip-dev libgoogle-perftools-dev libperl-dev # Download nginx 1.10.0 or latest
wget http://www.nginx.org/download/nginx-1.10.0.tar.gz
tar zxf nginx-1.10.0.tar.gz

Change the Nginx response name

Edit src/http/ngx_http_header_filter_module.c

static char ngx_http_server_string[] = "Server: Your Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Your Web Server" CRLF;

Configure the options and build

The PCRE library is required for regular expressions. Regular expressions are used in the location directive for the ngx_http_rewrite_module. The http_ssl_module adds HTTPS protocol support.

Consider using a web application firewall like ModSecurity to harden your application.

./configure
--with-pcre=../pcre-8.38
--with-zlib=../zlib-1.2.8
--with-http_ssl_module
--with-stream
--with-mail=dynamic

Configure SSL

  • Configure your server to listen to HTTPS traffic on port 443 by specifying a valid certificate issued by a trusted Certificate Authority (CA).

  • Harden your security by employing some of the practices suggested below like choosing a stronger cipher and redirecting all traffic over HTTP to HTTPS.

  • Adding an HTTP Strict-Transport-Security (HSTS) header ensures all subsequent requests made by the client are over HTTPS only.

  • Do not add the Strict-Transport-Security header or chose an appropriate max-age if you plan to disable SSL in the future.

Add /etc/nginx/proxy.conf configuration file.

[!code-nginxMain]

Edit /etc/nginx/nginx.conf configuration file. The example contains both http and server sections in one configuration file.

[!code-nginxMain]

Publish to a Linux Production Environment的更多相关文章

  1. 【asp.net core】Publish to a Linux-Ubuntu 14.04 Server Production Environment

    Submary 又升级了,目录结构有变化了 . project.json and Visual Studio 2015 with .NET Core On March 7, 2017, the .NE ...

  2. [转]The Production Environment at Google (part 2)

    How the production environment at Google fits together for networking, monitoring and finishing with ...

  3. [转]The Production Environment at Google

    A brief tour of some of the important components of a Google Datacenter.   A photo of the interior o ...

  4. Implement a deployment tool such as Ansible, Chef, Puppet, or Salt to automate deployment and management of the production environment

    Implement a deployment tool such as Ansible, Chef, Puppet, or Salt to automate deployment and manage ...

  5. EF中三大开发模式之DB First,Model First,Code First以及在Production Environment中的抉择

    一:ef中的三种开发方式 1. db first... db放在第一位,在我们开发之前必须要有完整的database,实际开发中用到最多的... <1> DBset集合的单复数... db ...

  6. 在Linux上以服务的方式运行ASP.NET Core站点

    更新:用supervisor是更好的解决方法,详见 Linux下为 dotnet 创建守护进程 要在生成环境下在Linux服务器上跑ASP.NET Core站点,首先要解决的问题是以服务的方式运行AS ...

  7. 发布ASP.NET Core程序到Linux生产环境

    原文翻译:Publish to a Linux Production Environment 作者:Sourabh Shirhatti 在这篇文章里我们将介绍如何在 Ubuntu 14.04 Serv ...

  8. 怎么部署 .NET Core Web项目 到linux

    .NET Core is free, open source, cross platform and runs basically everywhere. STEP 0 - GET A CHEAP H ...

  9. ASP.NET Core 中文文档 第三章 原理(12)托管

    原文:Hosting 作者:Steve Smith 翻译:娄宇(Lyrics) 校对:何镇汐.许登洋(Seay) 为了运行 ASP.NET Core 应用程序,你需要使用 WebHostBuilder ...

随机推荐

  1. SEM(搜索引擎营销)

    ylbtech-Miscellaneos:SEM(搜索引擎营销) 搜索引擎营销:英文Search Engine Marketing ,我们通常简称为“SEM”.就是根据用户使用搜索引擎的方式利用用户检 ...

  2. Asp.net web Control Enable 属性设置

    最近手上有一个很简单的一个小项目,需要查看编辑的历史记录,先前设计的时候把数据都save 到DB了,现在时间紧迫 就不在画新的UI,而是采用以前的edit页面 来显示数据,这里就需要把页面上所有的co ...

  3. 详说 Block Formatting Contexts (块级格式化上下文)

    在上文<详说清除浮动>中,Kayo 较为详细地介绍了 BFC ,也就是本文的主角 Block Formatting Contexts (块级格式化上下文),本文会基于上文关于 BFC 的部 ...

  4. 解决PHP使用CVS导出Excel乱码问题

    在使用PHP生成CVS文件后通过Excel打开发现中文全部变成了乱码,之前在我本地win08通过WPS正常的,但上传到服务器Linux在服务器上测试出现了乱码 一开始以后是Linux的问题但后来测试时 ...

  5. ElasticSearch无法启动

    安装了ElasticSearch5.5.1后,每次启动服务的时候,都是启动了一下就自动停止了.查看了一下EventViewer, 错误信息如下: Application: elasticsearch. ...

  6. Android OpenGL ES和OpenGL一起学(二)------理解Viewport(视口)和坐标系Android OpenGL ES篇(转帖)

      来自:http://www.cnblogs.com/xiaobo68688/archive/2011/12/01/2269985.html   首先我们在屏幕中心显示一个矩形,效果如图: // 代 ...

  7. OpenGL ES 3.0顶点着色器(一)

    OpenGL ES 3.0流程图 1.Vertex Shader(顶点着色器) 顶点着色实现了一种通用的可编程方法操作顶点. 顶点着色器的输入包括以下几个: • Shader program.程序的顶 ...

  8. Lintcode: Unique Paths

    C++ dp 递推式:dp[i][j] = dp[i-1][j] + dp[i][j-1] 初值:dp[i][j] = 1,i=0 or j=0 空间优化:省掉一维 class Solution { ...

  9. HTML页面跳转的5种方式

    下面列了五个例子来详细说明,这几个例子的主要功能是:在5秒后,自动跳转到同目录下的hello.html(根据自己需要自行修改)文件. 1) html的实现 <head> <!-- 以 ...

  10. 树莓派系统(Debain)中设置SSH服务开机自启动

    一.方式: 禁用命令:sudo update-rc.d ssh disable 启用命令:sudo update-rc.d ssh enable 二.chkconfig的方式: 1.安装:apt-ge ...