Sample reverse-proxy setups for use with a Kestrel app.
Why did I develop this project? There seem to be a few claims** on the web that say Microsoft recommends using Kestrel along with a reverse proxy. Understandably so, since Kestrel was specifically designed to be lightweight.
** some examples:
- Oreilly.com
- Linode.com
- Tutorialspoint.com
- DotcoreTutorials.com
- Point # 16 here: Interviewbit.com
- partech.nl
It's no longer necessarily the case that Microsoft advises against exposing Kestrel directly to the Internet. However, there are still reasons you may want to use Kestrel behind a reverse proxy.
As Kestrel is maturing, Microsoft has evidently removed most of their own cautions regarding using Kestrel as an edge server. Compare this quoted answer on StackOverflow with the link that references it. That text is no longer there; it changed here, on 06/01/2019!
The danger here is that Microsoft does not specify when it became safe to use Kestrel without a proxy server! They're just making it seem as if it was always safe, even though they previously said it wasn't.
- Load balancing
- Caching static content
- DDoS protection
- SSL termination
- Insights and logging
- Simplify deployment
- Stuck having to use an older version of .NET Core (hence an older version of Kestrel, to which the bad rhetoric applies)
- Doesn't have robust MIME-type mapping.
- Request filtering (e.g. blocking access to certain file extensions, folders, verbs etc).
- Proper HTTP access logs aren't collected. CLF not supported until version 6
- Multiple apps on the same port.
- HTTP/2 not supported on macOS
- Response caching
- Windows authentication (possible with IIS, Apache and Nginx)
- Kestrel server doesn't currently offer built-in compression support
More reading to help you decide:
- HTTP.sys has more features
- IIS and Kestrel feature comparison
- When to use Kestrel with a reverse proxy
- Configure ASP.NET Core to work with proxy servers and load balancers
- You're using Linux
- You have basic docker knowledge
- You have Docker installed
The .Net app is in the `app` folder. It's just a very simple app that was autogenerated using `dotnet new webapi` and includes the `GET /weatherforecast` endpoint. I've also added "Hello Word" at (GET) `/hello`.
The `app/docker-build.sh` script will build a docker image named `demo` from the app code. This image must be built first before trying to use any of the Docker compose files, which depend on the image being available.
After building the `demo` image, run the app behind one of the proxy servers using docker compose. Reverse proxy examples are provided for the following types: `apache`, `haproxy`, `nginx`, `traefik`. Use the following command format:
`docker compose -f ./compose-<type>.yml up`
For example: `docker compose -f ./compose-apache.yml up`
... and to bring it down: `docker compose -f ./compose-apache.yml down`
For each stack, you can access the app at http://localhost:88/hello, EXCEPT FOR `haproxy`, which publishes the app at https://localhost/hello. The haproxy config is a basic setup for use with CertBot, which you can use to get a valid HTTPS cert for free. (See https://github.com/nmarus/docker-haproxy-certbot).
Additionally, `haproxy` has a stats page at http://localhost:88/stats (login = admin/admin) and Traefik has a dashboard at http://localhost:8080 (no password, so this should be kept internal-only).
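
Whether the dashboard stays internal-only depends on how its port is published: a compose short-syntax mapping with no host IP, such as `8080:8080`, is bound on every interface. The check below is an added example, not code from this repository; the sample compose text and service names are constructed, the function names are hypothetical, and only short-syntax `ports:` entries are handled.

```python
import ipaddress
import re

ITEM = re.compile(r"""^-\s*["']?([^"'\s]+)["']?$""")   # one short-syntax list entry

# Constructed sample, not one of the repository's compose files.
SAMPLE = """\
services:
  proxy:
    ports:
      - "88:80"                  # app entrypoint
      - "8080:8080"              # dashboard, no password
  hardened-proxy:
    ports:
      - "127.0.0.1:8080:8080"    # dashboard reachable from the host only
"""

def host_binding(mapping):
    """(host_ip, host_port) for a short-syntax mapping [IP:][HOST:]CONTAINER[/proto]."""
    spec = mapping.split("/")[0]                       # drop /tcp or /udp
    ip6 = re.match(r"\[([^\]]+)\]:(.*)", spec)         # bracketed IPv6 host address
    parts = [ip6.group(1), *ip6.group(2).split(":")] if ip6 else spec.split(":")
    if len(parts) >= 3:
        return parts[0], parts[1]
    # No host IP given: Docker publishes the port on every interface.
    return "0.0.0.0", (parts[0] if len(parts) == 2 else "")

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:                                 # e.g. ${VAR}: treat as exposed
        return False

def find_exposed(compose_text, only_ports=None):
    """Return [(line_no, mapping, host_ip)] for mappings not bound to loopback."""
    findings, in_ports = [], False
    for no, line in enumerate(compose_text.splitlines(), 1):
        stripped = re.sub(r"(^|\s)#.*", "", line).strip()   # drop comments
        item = ITEM.match(stripped) if in_ports else None
        if not item:
            # Enter a ports: list, stay in it across blank lines, leave otherwise.
            in_ports = stripped == "ports:" or (in_ports and not stripped)
            continue
        ip, port = host_binding(item.group(1))
        if not is_loopback(ip) and (only_ports is None or port in only_ports):
            findings.append((no, item.group(1), ip))
    return findings

print(find_exposed(SAMPLE, only_ports={"8080"}))
```

Run against a real file with `find_exposed(open("compose-traefik.yml").read())`; long-syntax `ports:` entries (`target:` / `published:`) are skipped and need a YAML parser.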
Pros | Cons |
---|---|
Popular, proven, well documented and supported. Lots of features. | Complex configuration. |
(Microsoft sample config link)
Pros | Cons |
---|---|
Purpose built, very fast, popular. Basic reporting UI. Fault tolerant. Free. | Dated. |
Pros | Cons |
---|---|
Fast, popular, simple | Free vs Paid version, no GUI and not purpose built. |
(Microsoft sample config link)
Pros | Cons |
---|---|
Fast, simple, modern, purpose built, built-in GUI, "rising star" | Free vs paid features; monetization squeeze. |
Each option has its own considerations, but the most important one is that there are really just 2 categories of options: purpose-built reverse proxies, which are fast but can't do much else, and web servers with reverse proxy capabilities, which can be used to create complex solutions.
If in doubt, there's no reason you couldn't use one of the web servers behind a purpose-built proxy, along with your Kestrel app.