Is kestrel for asp.net core application production ready? - McMap

About

Is kestrel for asp.net core application production ready?

Asked 24/4, 2018 at 9:21 Answered 24/4, 2018 at 9:45

security iis asp.net-core kestrel

C

1

28

I have an api used by my angular application developed in asp.net core 2.0 Its been deployed in IIS and configured to use kestrel.

I read Kestrel is not safe when exposing the application publicly and more. Is that true? Is kestrel still not ready for production use? or kestrel is for different purpose altogether like few blogs say for internal applications.

Clot answered 24/4, 2018 at 9:21 Comment(0)

V

31

Yes, Kestrel is production ready and is supported on all platforms and versions that .NET Core supports, but if your application is available on public networks Microsoft recommend that you use it with a reverse proxy:

Even if a reverse proxy server isn't required, using a reverse proxy server might be a good choice.

You can find out more about the options for hosting ASP.NET Core apps in the MSDN documentation, including on Windows with IIS, on Linux with Nginx and on Linux with Apache among others.

There are a number of reasons to use a reverse proxy including:

Running multiple applications on the same IP and port
Limiting your exposed surface area
Additional layers of configuration and defence
Simplified load balancing and SSL set-up (these can be terminated at the reverse proxy for example)
Better support for static files, compression, etc.

Depending on your requirements, different aspects of the above may be more or less important for you.

For example, Kestrel is very lightweight web server that specialises in running ASP.NET Core apps, but to do that it doesn't have many of the features of the likes of IIS or Apache, which you may find that you want. For example, processing static file such as images, CSS or JS doesn't need to be handled by the ASP.NET Core engine - using IIS you can automatically compress these files and add caching headers to speed up subsequent page loads. Similarly redirects and routing can be handled by IIS before the request reaches the processor.

From a security point of view, again you can take advantage of features such as request filtering (i.e. verbs used, paths, etc.), IP filtering, authentication, etc. before the request reaches Kestrel and not have to handle those aspects in your code.

As a point of note, for ASP.NET Core 1.x, the documentation is even more specific:

If you expose your application to the Internet, you must use IIS, Nginx, or Apache as a reverse proxy server. A reverse proxy server receives HTTP requests from the Internet and forwards them to Kestrel after some preliminary handling.

Vraisemblance answered 24/4, 2018 at 9:45 Comment(13)

But if you use it under IIS i think it will reduce the kestrel speed, am i right ?. – Dustcloth 10/12, 2018 at 8:38

Not significantly, no, and you then get security, caching, compression, etc on top (if you want them). IIS is very good at pushing data around, especially if all it's doing is filtering traffic based on some simple rules. – Vraisemblance 10/12, 2018 at 8:42

How idiotic is that? When Core was launched, it was announced that IIS would be obsolete/not needed, as it is huge/clumsy code, now, not only Kestrel is needed, IIS is also needed. Let's keep over-complicating things. – Karlise 23/1, 2020 at 11:16

IIS is no longer needed to run a site with ASP.NET Core, you can run it on a Linux distro as you like, or Windows Server Core without IIS, however Microsoft still recommend running Kestral behind a server that provides the additional security and performance benefits of a fully featured web server. – Vraisemblance 23/1, 2020 at 13:33

Also, the confusion might have been around the fact that ASP.NET Core removed the dependencies on IIS from ASP.NET/ASP.NET MVC - i.e. you no longer had to care about IHttpHandlers or IHttpModules, etc. – Vraisemblance 23/1, 2020 at 13:39

@Zhaph-BenDuguid do you know if we need to run kestrel behind a proxy if the kestrel runs in a docker on a webapp in Azure? Or is there something in front of the docker that we can configure like we can with web.config in IIS? – Shamanism 6/6, 2020 at 9:13

@Shamanism - good question - when running a docker instance in an Azure Web App for Containers you do get some infrastructure out of the box, (namely a load balancer for routing requests to your container, and a some DDOS protection), and I believe it does provide a fairly reasonable server pass through - I've not tried mapping different paths to different containers though, so couldn't say if you get all the features you might want. – Vraisemblance 8/6, 2020 at 8:48

@Zhaph-BenDuguid I have looked into this and I can't find anything. My conclusion is that we have to provide this our self (nginx, or Apache). – Shamanism 8/6, 2020 at 10:51

@Shamanism - that would be my assumption to - but as you're already going down the container route, that should be something you can do - i.e. add an ngnix container alongside your .net core container and route requests through there. – Vraisemblance 8/6, 2020 at 11:4

@Zhaph-BenDuguid yes. Easily. But if they already had something in front, I would try that out :) thanks a bunch for your input! – Shamanism 8/6, 2020 at 12:56

It's summer 2021 and .NET 5.0 is out. How has this answer changed? Is Kestrel mature enough for exposing the application publicly? – Aeroscope 23/6, 2021 at 16:17

@Aeroscope Not much. It's still production ready, and is supported exposed to the internet, but it does not, and isn't planned to support all the features of a full web server. – Vraisemblance 23/6, 2021 at 17:0

@Aeroscope Same applies now, however I'd note that .NET 5.0 is not on the LTS track, and recommend targeting .NET 6.0 instead ;) – Vraisemblance 12/11, 2021 at 17:25

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.