.NET Core with Linux
Host ASP.NET Core on Linux with Nginx
By Sourabh Shirhatti
This guide explains setting up a production-ready ASP.NET Core environment on an Ubuntu 20.04 VM. These instructions likely work with newer versions of Ubuntu, but the instructions haven't been tested with newer versions. For information on other Linux distributions supported by ASP.NET Core, see Prerequisites for .NET Core on Linux.
This guide:
Prerequisites
At any point in the future after upgrading the shared framework, restart the ASP.NET Core apps hosted by the server.
Publish and copy over the app
Configure the app for a framework-dependent deployment.
If the app is run locally in the Development environment and isn't configured by the server to make secure HTTPS connections, adopt either of the following approaches:
For more information on configuration by environment, see Use multiple environments in ASP.NET Core.
Run dotnet publish from the development environment to package an app into a directory (for example,
The app can also be published as a self-contained deployment if you prefer not to maintain the .NET Core runtime on the server.
Copy the ASP.NET Core app to the server using a tool that integrates into the organization's workflow (for example,
Note: Under a production deployment scenario, a continuous integration workflow does the work of publishing the app and copying the assets to the server.
Test the app:
Configure a reverse proxy server
A reverse proxy is a common setup for serving dynamic web apps. A reverse proxy terminates the HTTP request and forwards it to the ASP.NET Core app.
Use a reverse proxy server
Kestrel is great for serving dynamic content from ASP.NET Core. However, the web serving capabilities aren't as feature rich as servers such as IIS, Apache, or Nginx. A reverse proxy server can offload work such as serving static content, caching requests, compressing requests, and HTTPS termination from the HTTP server. A reverse proxy server may reside on a dedicated machine or may be deployed alongside an HTTP server.
For the purposes of this guide, a single instance of Nginx is used. It runs on the same server, alongside the HTTP server. Based on requirements, a different setup may be chosen.
Because requests are forwarded by reverse proxy, use the Forwarded Headers Middleware from the
Forwarded Headers Middleware should run before other middleware. This ordering ensures that the middleware relying on forwarded headers information can consume the header values for processing. To run Forwarded Headers Middleware after diagnostics and error handling middleware, see Forwarded Headers Middleware order.
Invoke the UseForwardedHeaders method at the top of
If no ForwardedHeadersOptions are specified to the middleware, the default headers to forward are
Proxies running on loopback addresses (
For more information, see Configure ASP.NET Core to work with proxy servers and load balancers.
Install Nginx
Use
Note: If optional Nginx modules are required, building Nginx from source might be required.
Since Nginx was installed for the first time, explicitly start it by running:
Verify a browser displays the default landing page for Nginx. The landing page is reachable at
Configure Nginx
To configure Nginx as a reverse proxy to forward HTTP requests to your ASP.NET Core app, modify
If the app is a SignalR or Blazor Server app, see ASP.NET Core SignalR production hosting and scaling and Host and deploy ASP.NET Core Blazor Server respectively for more information.
When no
With the preceding configuration file and default server, Nginx accepts public traffic on port 80 with host header
Warning: Failure to specify a proper server_name directive exposes your app to security vulnerabilities. Subdomain wildcard binding (for example,
Once the Nginx configuration is established, run
To directly run the app on the server:
If the app runs on the server but fails to respond over the Internet, check the server's firewall and confirm port 80 is open. If using an Azure Ubuntu VM, add a Network Security Group (NSG) rule that enables inbound port 80 traffic. There's no need to enable an outbound port 80 rule, as the outbound traffic is automatically granted when the inbound rule is enabled.
When done testing the app, shut down the app with Ctrl+C (Windows) or ⌘+C (macOS) at the command prompt.
Monitor the app
The server is set up to forward requests made to
Create the service file
Create the service definition file:
The following example is an
In the preceding example, the user that manages the service is specified by the
Use
Linux has a case-sensitive file system. Setting
Some values (for example, SQL connection strings) must be escaped for the configuration providers to read the environment variables. Use the following command to generate a properly escaped value for use in the configuration file:
Colon (
Save the file and enable the service.
Start the service and verify that it's running.
With the reverse proxy configured and Kestrel managed through
View logs
Since the web app using Kestrel is managed using
For further filtering, time options such as
Data protection
The ASP.NET Core Data Protection stack is used by several ASP.NET Core middlewares, including authentication middleware (for example, cookie middleware) and cross-site request forgery (CSRF) protections. Even if Data Protection APIs aren't called by user code, data protection should be configured to create a persistent cryptographic key store. If data protection isn't configured, the keys are held in memory and discarded when the app restarts.
If the key ring is stored in memory when the app restarts:
To configure data protection to persist and encrypt the key ring, see:
Long request header fields
Proxy server default settings typically limit request header fields to 4 K or 8 K depending on the platform. An app may require fields longer than the default (for example, apps that use Azure Active Directory). If longer fields are required, the proxy server's default settings require adjustment. The values to apply depend on the scenario. For more information, see your server's documentation.
Warning: Don't increase the default values of proxy buffers unless necessary. Increasing these values increases the risk of buffer overrun (overflow) and Denial of Service (DoS) attacks by malicious users.
Secure the app
Enable AppArmor
Linux Security Modules (LSM) is a framework that's part of the Linux kernel since Linux 2.6. LSM supports different implementations of security modules. AppArmor is an LSM that implements a Mandatory Access Control system, which allows confining the program to a limited set of resources. Ensure AppArmor is enabled and properly configured.
Configure the firewall
Close off all external ports that aren't in use. Uncomplicated firewall (ufw) provides a front end for
Warning: A firewall will prevent access to the whole system if not configured correctly. Failure to specify the correct SSH port will effectively lock you out of the system if you are using SSH to connect to it. The default port is 22. For more information, see the introduction to ufw and the manual.
Install
Secure Nginx
Change the Nginx response name
Edit
Configure options
Configure the server with additional required modules. Consider using a web app firewall, such as ModSecurity, to harden the app.
HTTPS configuration
Configure the app for secure (HTTPS) local connections
The dotnet run command uses the app's
Configure the app to use a certificate in development for the
Configure the reverse proxy for secure (HTTPS) client connections
Warning: The security configuration in this section is a general configuration to be used as a starting point for further customization. We're unable to provide support for third-party tooling, servers, and operating systems. Use the configuration in this section at your own risk. For more information, access the following resources:
Add the /etc/nginx/proxy.conf configuration file:
Replace the contents of the /etc/nginx/nginx.conf configuration file with the following file. The example contains both
Note: The preceding example disables Online Certificate Status Protocol (OCSP) Stapling. If enabled, confirm that the certificate supports the feature. For more information and guidance on enabling OCSP, see the following properties in the Module ngx_http_ssl_module (Nginx documentation) article:
Secure Nginx from clickjacking
Clickjacking, also known as a UI redress attack, is a malicious attack where a website visitor is tricked into clicking a link or button on a different page than they're currently visiting. Use
To mitigate clickjacking attacks:
MIME-type sniffing
This header prevents most browsers from MIME-sniffing a response away from the declared content type, as the header instructs the browser not to override the response content type. With the
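The server_name warning, the forwarded headers, and the clickjacking and MIME-sniffing response headers discussed in this guide, combined into one Nginx configuration. This is an added example, not the configuration from the original article; example.com is a placeholder host name and 127.0.0.1:5000 is an assumed local Kestrel address.

```nginx
# Added example: server blocks that belong inside the http context.
# Assumptions (not from the article): example.com, www.example.com,
# and Kestrel listening on http://127.0.0.1:5000.

# Weak form, shown commented out for comparison. A lone server block is the
# default server for its port, so it proxies requests carrying ANY Host
# header to the app:
#
#   server {
#       listen 80;
#       location / { proxy_pass http://127.0.0.1:5000; }
#   }

# Hardened form, part 1: an explicit catch-all default server. Requests whose
# Host header matches no configured server_name end here and never reach
# Kestrel.
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    return      444;   # nginx-specific code: close the connection, send nothing
}

# Hardened form, part 2: the app is reachable only under the names listed.
server {
    listen      80;
    listen      [::]:80;
    server_name example.com www.example.com;

    # Clickjacking: allow framing only by pages from the same origin.
    # "always" also sets the header on error responses (4xx/5xx).
    add_header  X-Frame-Options "SAMEORIGIN" always;

    # MIME sniffing: tell the browser to honor the declared Content-Type.
    add_header  X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass         http://127.0.0.1:5000;
        proxy_http_version 1.1;

        # Pass the original host, client address and scheme so that the
        # Forwarded Headers Middleware in the app can restore them.
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Do not put add_header lines in this block unless the two headers
        # above are repeated here: a level that defines its own add_header
        # stops inheriting the ones from the enclosing server block.
    }
}
```

Check the syntax with sudo nginx -t before reloading Nginx.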
Additional Nginx suggestions
After upgrading the shared framework on the server, restart the ASP.NET Core apps hosted by the server.
Additional resources
This guide explains setting up a production-ready ASP.NET Core environment on an Ubuntu 16.04 server. These instructions likely work with newer versions of Ubuntu, but the instructions haven't been tested with newer versions. For information on other Linux distributions supported by ASP.NET Core, see Prerequisites for .NET Core on Linux.
Note: For Ubuntu 14.04,
This guide: