-
Notifications
You must be signed in to change notification settings - Fork 25.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hosting Docs #791
Hosting Docs #791
Changes from all commits
e012646
cb637da
abb0438
dcefdb5
acf6e06
15514c9
efcaa40
aafad87
e1c227e
f251c6d
41f6705
e386418
c3b1a9b
9a47288
c43bf9a
1828c2f
3b3664f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,5 +24,4 @@ Fundamentals | |
request-features | ||
servers | ||
owin | ||
hosting | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
.. _apppool: | ||
|
||
Application Pools | ||
================= | ||
|
||
By `Sourabh Shirhatti` | ||
|
||
When hosting multiple web sites on a single server, you should consider isolating the applications from each other by running each application in its own application pool. This document provides an overview of how to set up Application Pools to securely host multiple web sites on a single server. | ||
|
||
Application Pool Identity Account | ||
--------------------------------- | ||
|
||
An application pool identity account allows you to run an application under a unique account without having to create and manage domains or local accounts. On IIS 8.0+ the IIS Admin Worker Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default. | ||
|
||
Configuring IIS Application Pool Identities | ||
------------------------------------------- | ||
|
||
In the IIS Management Console, under **Advanced Settings** for your application pool ensure that `Identity` list item is set to use **ApplicationPoolIdentity** as shown in the image below. | ||
|
||
.. image:: apppool/_static/apppool-identity.png | ||
|
||
Securing Resources | ||
------------------ | ||
|
||
The IIS management process creates a secure identifier with the name of the application pool in the Windows Security System. Resources can be secured by using this identity, however this identity is not a real user account and will not show up in the Windows User Management Console. | ||
|
||
To grant the IIS worker process access to your application, you will need to modify the Access Control List (ACL) for the the directory containing your application. | ||
|
||
1. Open Windows Explorer and naviagate to the directory. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/naviagate/navigate/ There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for catching that |
||
2. Right click on the directory and click properties. | ||
3. Under the **Security** tab, click the **Edit** button and then the **Add** button | ||
4. Click the **Locations** and make sure you select your server. | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Isn't this only true if it's changed to a non-admin account? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @guardrex Can you elaborate? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've seen comments along the lines of folks having to explicitly grant folder access permissions but never for the default ApplicationPoolIdentity. I don't know what's going on under-the-covers, but that default account seems to be able to access the runtime(s), packages, and logs folder even when the basic settings path and pass-through auth for the app points to the What I have seen is when someone changes this account they must explicitly set the permissions. I can see if I can find an example in the issues if you want. Let me know. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @guardrex Can you find an example? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @shirhatti ... but are you saying that you did need to explicitly set permissions, or are you saying you didn't set them and that that section pertains to setting permissions for some other purpose. I was pointing out that everything up to this statement ...
is all good. But I get confused at that point. It makes it sound like the dev needs to configure permissions for the root folder itself ... for the application itself, but that shouldn't be necessary. I'm wondering if what you're talking about here are other folders outside of the root dir on the server or maybe something for virtual directories. Let me ask you the other way around: Have you had trouble (e.g., 502.3 error) when you don't grant explicit permissions for any account to the root folder of an app? I mean, is the pass-through auth with the default AppPool identity failing? btw- I'm only aware from one quick test I did with pass-through auth and a fileshare that it failed even with explicit permissions being set, but I think that was the old vdir problem ... maybe that's been fixed ... not sure. But coming back to my main point: It just seems a little confusing here, because the text up to ...
sounds great, then it looks like the doc is telling devs that permissions must be set even for a default app setup. Certainly, I might be missing something here. So just throw a 🔧 at me if I have missed the point or scenario this addresses. 😄 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh, ok ... I missed the point there a little. Sorry for the bother on it (as Luke takes a virtual 🔧 to the head). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The feedback was useful. I'm adding an introduction section to describe that the Hosting Docs is for shared hosts / anyone hosting a multi-tenant ASP.NET 5 server. These docs are meant to outline the best practices and not just the easiest way to get started. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh, cool. I'm trying to keep this updated: aspnet/Hosting#364 (comment). It might be one or two weeks behind, but I'm going to run down the issues again, especially to make sure that its updated for RC1 Update 1. There are a lot of cross-linked IIS-related bits there that might be helpful. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wasn't aware of your effort. Do you want to capture that information in a doc on the docs site? If you open an issue at https://github.com/aspnet/docs/issues, we can try and figure out where that content should live on the docs site. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's already done at the basic level: https://docs.asp.net/en/latest/publishing/iis.html I'm Luke ... I help Rick (and anyone I can). Give me a shout if you need a community cat to run a test or check out a scenario or something with IIS. I enjoy that type of stuff. |
||
.. image:: apppool/_static/apppool-adduser.jpg | ||
|
||
5. Enter **IIS AppPool\\DefaultAppPool** in **Enter the object names to select** textbox. | ||
6. Click the **Check Names** button and then click **OK**. | ||
|
||
You can also do this via the command-line by using **ICACLS** tool. | ||
|
||
.. code:: bat | ||
|
||
ICACLS C:\sites\MyWebApp /grant "IIS AppPool\DefaultAppPool" :F | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
.. _dataprotection: | ||
|
||
Data Protection | ||
=============== | ||
|
||
By `Sourabh Shirhatti` | ||
|
||
The ASP.NET 5 data protection stack provides a simple and easy to use cryptographic API a developer can use to protect data, including key management and rotation. This document provides an overview of how to configure Data Protection on your server to enable developers to use data protection. | ||
|
||
Create Data Protection Registry Hive | ||
------------------------------------ | ||
|
||
By default, keys are not persisted outside of the current process. When the process shuts down, all generated keys will be lost. To persist keys for an application hosted in IIS, you must create registry hives for each application pool to store the keys. You should use the `Provisioning PowerShell script <https://github.com/aspnet/DataProtection/blob/dev/Provision-AutoGenKeys.ps1>`_ for each application pool you will be hosting ASP.NET 5 applications under. This script will create a special registry key in the HKLM registry that is ACLed only to the worker process account. Keys are encrypted at rest using DPAPI. | ||
|
||
.. note:: A developer can consume the Data Protection APIs to encrypt data at rest using a X.509 certificates. | ||
|
||
Machine Wide Policy | ||
------------------- | ||
|
||
The data protection system has limited support for setting default machine-wide policy for all applications that consume the data protection APIs. For more information on how to configure the machine wide policy have a look at :ref:`this article <data-protection-configuration-machinewidepolicy>`. | ||
|
||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd consider adding a section on how developers can choose where keys are stored, and how hosters should consider offering a directory outside of the application root (and properly ACLed), and the ability to upload X509 Certificates to protect file system key stores. Such certificates must be placed in the trusted certificate store see http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx and the private key ACLed to the app pool ID - https://technet.microsoft.com/en-us/library/ee662329.aspx?f=255&MSPPError=-2147217396 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
.. _directory-structure: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Needs to discuss minimum directory permissions. |
||
|
||
Directory Structure | ||
=================== | ||
|
||
By `Sourabh Shirhatti` | ||
|
||
|
||
In ASP.NET 5, the application directory comprises of three sub-directories. This is unlike previous versions of ASP.NET where the entire application lived inside the web root directory. The recommended permissions for each of the directories are specified in the table below. | ||
|
||
======= ============== =========== | ||
Folder Permissions Description | ||
======= ============== =========== | ||
approot Read & Execute Contains the application, app config files, packages and the DNX runtime. | ||
logs Read & Write The default folder for HTTP Platform Handler to redirect logs to. | ||
wwwroot Read & Execute Contains the static assets | ||
======= ============== =========== | ||
|
||
The **wwwroot** directory represents the web root of the application. The physical path for the IIS site should point to the web root directory. While deploying a web site, a developer will need access to the entire application directory. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
.. _http-platformhandler: | ||
|
||
HTTP Platform Handler | ||
===================== | ||
|
||
By `Sourabh Shirhatti` | ||
|
||
In ASP.NET 5, the web application is hosted by an external process outside of IIS. The HTTP Platform Handler is an IIS 7.5+ module which is responsible for process management of http listeners and to proxy requests to processes that it manages. This document provides an overview of how to configure the HTTP Platform Handler module for shared hosting of ASP.NET 5. | ||
|
||
Installing the HTTP Platform Handler | ||
------------------------------------ | ||
|
||
To get started with hosting with ASP.NET 5 applications you will need to install the HTTP Platform Handler version 1.2 or higher on an IIS 7.5 or higher server. Download links are below | ||
|
||
* `64 bit HTTP PlatformHandler (x64) <http://go.microsoft.com/fwlink/?LinkID=690721>`_ | ||
* `32 bit HTTP PlatformHandler (x86) <http://go.microsoft.com/fwlink/?LinkId=690722>`_ | ||
|
||
|
||
Configuring the HTTP Platform Handler | ||
------------------------------------- | ||
|
||
The HTTP Platform Handler is configured via a site or application's *web.config* file and has its own configuration section within ``system.webServer - httpPlatform``. The `HTTP Platform Handler configuration reference whitepaper <http://www.iis.net/learn/extensions/httpplatformhandler/httpplatformhandler-configuration-reference>`_ describes in detail how to modify Configuration Attributes for the HTTP PlatformHandler module. | ||
|
||
.. note:: | ||
You may need to unlock the handlers section of *web.config*. Follow the instructions :ref:`here <unlock-handlers>`. | ||
|
||
Log Redirection | ||
--------------- | ||
|
||
The HTTP Platform Handler module can redirect ``stdout`` and ``stderr`` logs to disk by setting the ``stdoutLogEnabled`` and ``stdoutLogFile`` properties of the ``httpPlatform`` attribute. However, the HTTP Platform Handler module does not rotate logs and it is the responsibilty of the hoster to limit the disk space the logs consume. | ||
|
||
.. literalinclude:: http-platformhandler/sample/web.config | ||
:language: xml | ||
:lines: 12-16,20 | ||
|
||
|
||
Setting Environment Variables | ||
----------------------------- | ||
|
||
The HTTP Platform Handler module allows you specify environment variables for the process specified in the ``processPath`` setting by specifying them in ``environmentVariables`` child attribute to the ``httpPlatform`` attribute. The example below illustrates how you would use it. | ||
|
||
.. literalinclude:: http-platformhandler/sample/web.config | ||
:language: xml | ||
:lines: 12-20 | ||
|
||
.. note:: | ||
There is a `known issue <https://github.com/aspnet/dnx/issues/3062>`_ known issue with ``dnu publish`` where it removes all child attributes of the ``httpPlatform`` attribute. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
<configuration> | ||
<system.webServer> | ||
<handlers> | ||
<remove name="ExtensionlessUrlHandler-Integrated-4.0" /> | ||
<remove name="OPTIONSVerbHandler" /> | ||
<remove name="TRACEVerbHandler" /> | ||
<add name="httpplatformhandler" | ||
path="*" verb="*" | ||
modules="httpPlatformHandler" | ||
resourceType="Unspecified" /> | ||
</handlers> | ||
<httpPlatform processPath="..\approot\web.cmd" | ||
arguments="" | ||
stdoutLogEnabled="true" | ||
stdoutLogFile="..\logs\stdout" | ||
startupTimeLimit="3600"> | ||
<environmentVariables> | ||
<environmentVariable name="DEMO" value="demo_value" /> | ||
</environmentVariables> | ||
</httpPlatform> | ||
</system.webServer> | ||
</configuration> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
Hosting | ||
======= | ||
|
||
By `Sourabh Shirhatti` | ||
|
||
The hosting docs provide an overview of how to host ASP.NET 5. Hosters who offer ASP.NET hosting will be able to use the setup and configuration recommendations to integrate ASP.NET 5 into their hosting solution. This document should also serve as a guide for any enviroment where multiple discrete users will be running web sites on a single server or web farm. | ||
|
||
.. toctree:: | ||
:titlesonly: | ||
|
||
http-platformhandler | ||
directory-structure | ||
apppool | ||
servicing | ||
dataprotection |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
.. _hosting-servicing: | ||
|
||
Servicing | ||
========= | ||
|
||
By `Sourabh Shirhatti` | ||
|
||
ASP.NET 5 supports servicing of runtime components (DNX) and packages through Microsoft Update, which will deliver updates to patch any vulnerabilities when they are discovered. This document provides an overview of how to setup your Windows Server correctly to receive updates. | ||
|
||
Breadcrumbs Directory | ||
--------------------- | ||
|
||
All serviceable assemblies will leave a breadcrumb in the ``BreadcrumbStore`` Directory. At the time of servicing Microsoft Update looks in this directory to figure out which assemblies are used on the server and require patching. The ``BreadcrumbStore`` directory must be protected by ACLs to prevent rogue applications from deleting entries from this directory. To create the ``BreadcrumbStore`` directory and set the ACLs securely, run the following powershell script below in an elevated prompt: to create the ``BreadcrumbStore`` directory and set ACLs on it correctly. | ||
|
||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Link to the script in github rather than copy it - that way if it changes then it doesn't need updating here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This script doesn't live on Github. It was written up for these docs There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nits: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Then put the script on github - @glennc |
||
.. code-block:: powershell | ||
|
||
$breadcrumbFolder = $env:ALLUSERSPROFILE + '\Microsoft DNX\BreadcrumbStore' | ||
New-Item -Force -Path $breadcrumbFolder -ItemType "Directory" | ||
$ACL = Get-Acl -Path $breadcrumbFolder | ||
# Clear any permissions | ||
$ACL.SetAccessRuleProtection($true, $false) | ||
# Set new permissions | ||
$ACL.SetSecurityDescriptorSddlForm("O:SYG:SYD:P(A;OICI;CCDCSWWPLORC;;;WD)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)") | ||
Set-Acl -Path $breadcrumbFolder -AclObject $ACL | ||
|
||
Servicing Directory | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will hosters care about how it works? Not sure this matters. |
||
------------------- | ||
|
||
At the time of loading an asset, DNX will check against an index file in the ``Servicing`` directory to determine whether it should load a patched version instead of what it would normally load. The index file is updated by Microsoft Update during servicing to point to the location of the patched version of the asset on disk, which will reside in the ``Servicing`` directory. The index file defaults to ``%PROGRAMFILES%\Microsoft DNX\Servicing``, but you can change this by setting the ``DNX_SERVICING`` environment variable to a different path. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,6 @@ | ||
Dependency Injection and Controllers | ||
==================================== | ||
|
||
.. _dependency-injection-controllers: | ||
|
||
|stub-icon| Dependency Injection and Controllers | ||
By `Steve Smith`_ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why is this change in this PR? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To fix the Travis build. The change was already made upstream. It will go away from my diff when I rebase |
||
|
||
ASP.NET MVC 6 controllers should request their dependencies explicitly via their constructors. In some instances, individual controller actions may require a service, and it may not make sense to request at the controller level. In this case, you can also choose to inject a service as a parameter on the action method. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This explains how to change app pool identities but not why. You need to bring in the App Pool Identity Accounts section from https://www.iis.net/learn/manage/configuring-security/application-pool-identities