0

When I run a webapp in Azure, it runs inside IIS (or behind it depending on the configuration). The IIS is set up for me. The Server header returns IIS. I can configure it through a web.config file. All good. I just tried setting up a custom docker image on a webapp, and ehn I run it, the Server header is set to kestrel.

This could mean that nothing is running in front of the docker, and I can't configure it. It is fine, that I myself need to run something in front. I like being able to choose my own stack.

What bugs me is that I can't get any positive confirmation anywhere that azure doesn't put something in front when running a custom docker image, or if they do and don't let me configure it.

Does anybody here talk to support about this, or read some docs, that can give som clarification on the subject?

mslot
  • 105
  • 1
  • 6
  • Yes, they use reverse proxy in front of docker (although I cannot find relevant documentation for that). This is most probably the YARP https://devblogs.microsoft.com/dotnet/introducing-yarp-preview-1/ – Jozef Izso Jun 06 '20 at 07:44
  • @JozefIzso I really need some more info on this :D I can't figure out if I need to install fx nginx in front of kestrel or if I am good to go. How do I configure the reversed proxy? Or isn't it possible. – mslot Jun 06 '20 at 08:03

2 Answers2

1

When using containers in App Service, the load balancer included in the service will simply forward the traffic to the port you configured. If you require a reverse proxy, simply build an image with your configuration, use the App Service multi-containers option and upload your docker-compose.yaml file.

CSharpRocks
  • 336
  • 1
  • 4
  • Yes. There is an included load balancer, but we don't have a reversed proxy in place as with a standard webapp running an IIS. If we want something to offload and cache with one or more docker webapp(s) then we need to provide our own, as you say. I have asked same question on github: https://github.com/dotnet/AspNetCore.Docs/issues/17342 but I don't feel like I am getting an answer. – mslot Jun 06 '20 at 13:32
0

The internals of how Azure App Service works are not something that Microsoft publish, and so you aren't going to get a definitive answer on this. It is possible that MS place something in front of Kestrel, especially when running on the docker version but you are not going to get conformation on this.

If you are want to be certain that your application has adequate protection then you should look at putting in place services like Azure Front Door or Application Gateway, which offer Web Application Firewall, Caching etc. as a service.

Sam Cogan
  • 38,736
  • 6
  • 78
  • 114
  • I kind of agree but no one, not even Microsoft, has been able to answer this clearly with a yes or a no. On a regular Windows webapp I have an IIS I can do some configuring of, like serving static files etc. – mslot Jun 11 '20 at 05:24
  • Yes, this is the difference between using a PaaS service and hosting yourself. If you want to be able to configure everything then PaaS is not for you, use a VM. – Sam Cogan Jun 11 '20 at 06:24