Skip to content

Latest commit

 

History

History
143 lines (95 loc) · 7.15 KB

README.md

File metadata and controls

143 lines (95 loc) · 7.15 KB

reverse-proxy-kestrel

Sample reverse-proxy setups for use with a Kestrel app.

Why did I develop this project? There seems to be a few claims** on the web that say Microsoft recommends using Kestrel along with a reverse proxy. Understandably so, since Kestrel was specifically designed to be lightweight.

** some examples:

It's no longer necessarily the case that Microsoft advises against using Kestrel directly exposed to the Internet, however, there are still reasons you may want to use Kestrel behind a reverse proxy.

As Kestrel is maturing, Microsoft has evidently removed most of their own cautions regarding using Kestrel as an edge server. Compare this quoted answer on StackOverflow, with the link that references it. That text is no longer there, it changed here, on 06/01/2019!

The danger here is that Microsoft does not specify when it became safe to use Kestrel without a proxy server! They're just making it seem as if it was always safe, even though, before they said it wasn't.


Why use a reverse proxy instead of just Kestrel?

  1. Load balancing
  2. Caching static content
  3. DDoS protection
  4. SSL termination
  5. Insights and logging
  6. Simplify deployment
  7. Stuck having to use older version of .Net core (hence older version of Kestrel, which bad rhetoric applies to)

Some features lacking in Kestrel that you (might) run into

  • Doesn't have robust Mime-Type mapping.
  • Request Filtering (e.g. Blocking access to certain file extensions, folders, verbs etc).
  • Proper HTTP access logs aren’t collected. CLF not supported till version 6
  • Multiple apps on the same port.
  • HTTP/2 not supported on macOS
  • Response caching
  • Windows authentication (possible with IIS, Apache and Nginx)
  • Kestrel server doesn't currently offer built-in compression support

More reading to help you decide:


Getting started with these examples

Assumptions

  • You're using Linux
  • You have basic docker knowledge
  • You have Docker installed

The .Net app is in the app folder. It's just a very simple app that was autogenerated using dotnet new webapi and includes the GET /weatherforecast endpoint. I've also added "Hello Word" at (GET) /hello.

The app/docker-build.sh script will build a docker image named demo, from the app code. This image must be built first before trying to use any of the Docker compose files, which depend on the image being available.

After building the demo image, run the app behind one of the proxy servers using docker compose. The reverse proxy examples are for the following types apache, haproxy, nginx, traefik using this following command format:

docker compose -f ./compose-<type>.yml up

For example: docker compose -f ./compose-apache.yml up
... and to bring it down: docker compose -f ./compose-apache.yml down

For each stack, you can access the app @ http://localhost:88/hello EXCEPT FOR haproxy, which publishes the app at https://localhost/hello. The haproxy config is a basic setup for use with CertBot, which you can use to get a valid HTTPS cert for free. (See https://github.com/nmarus/docker-haproxy-certbot).

Additionally haproxy has a stats page at http://localhost:88/stats (login = admin/admin) and Traefik as a dashboard at http://localhost:8080 (no password, so this should be kept internal-only)


Pros and Cons

Apache

https://httpd.apache.org/

Pros Cons
Popular, proven, well documented and supported. Lots of features. Complex configuration.

(Microsoft sample config link)


HaProxy

https://www.haproxy.org/

Pros Cons
Purpose built, very fast, popular. Basic reporting UI. Fault tolerant. Free. Dated.

Nginx

https://www.nginx.com/

Pros Cons
Fast, popular, simple Free vs Paid version, not GUI and not purpose built.

(Microsoft sample config link)


Traefik Proxy

https://traefik.io/traefik/

Pros Cons
Fast, simple, modern, purpose built, built-in GUI, "rising star" Free vs paid features; monetization squeeze.

Take Away

Each option has its own considerations, but the most outstanding consideration means that we really have just 2 categories of options: purpose-built reverse proxies which are fast but can't do much else, or web servers with reverse proxy capabilities that can be used to create complex solutions.

If in doubt, there's no reason you couldn't use one of the web servers behind a purpose built proxy, along with your Kestrel app.