
When using Kestrel with IIS you define an Application Pool and identity (user). The default identity is "ApplicationPoolIdentity" but can be one of the following or a custom user:

(screenshot: the IIS Application Pool identity options)

When the application runs, Kestrel runs under the Identity you defined in IIS:

(screenshot: the Kestrel process running under the configured Application Pool identity)

However, when using Kestrel behind a proxy server such as nginx (or standalone) what is the recommended "identity" (user) to use and how does one go about using it with Kestrel?

Exocomp

2 Answers


When you host Kestrel behind a proxy on Windows it is recommended to host the ASP.NET Core app in a Windows Service. Nginx would be configured to reverse proxy the application's URL (e.g. http://localhost:5000) and the ASP.NET application would run under whatever user the service is configured to run as.

If you are hosting on Linux then you are responsible for creating your own service using whatever technology the underlying operating system provides (e.g. systemd, upstart, etc.).

The 'recommended' identity to use depends on what resources the ASP.NET app needs to access. The LocalService account has the same privileges as a member of the Users group.

David Jones
    I didn't know Microsoft recommended using a Windows Service, thanks for including the link as a reference. Any recommendation on what user identity to use? – Exocomp Nov 07 '17 at 16:07
  • As I said, it depends on the resources your application will need. – David Jones Nov 07 '17 at 16:14
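The Linux half of the answer above (a service created with whatever the OS provides, running under a dedicated account, with nginx proxying to the loopback URL) as a concrete, added example; this script is not from the question or either answer. Every name in it is an assumption: the app is called `myapp`, it runs as a system user also named `myapp`, it lives in `/var/www/myapp`, Kestrel listens on port 5000, and the site is `example.com`. The generated files go under `DESTDIR` (a temporary directory by default) so the script can be run unprivileged to inspect the output; the `useradd` step is skipped when not root.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Provisions a dedicated unprivileged account for a Kestrel app on Linux and
# renders the systemd unit plus the nginx reverse-proxy site for it.
# Assumed names: app "myapp", user "myapp", /var/www/myapp, port 5000, example.com.
# Files are written under DESTDIR (default: a temp dir); copy them to / when satisfied.

APP_NAME="${APP_NAME:-myapp}"
APP_USER="${APP_USER:-myapp}"
APP_DIR="${APP_DIR:-/var/www/$APP_NAME}"
APP_PORT="${APP_PORT:-5000}"
SITE_NAME="${SITE_NAME:-example.com}"
DESTDIR="${DESTDIR:-$(mktemp -d)}"

# Dedicated system account: no home directory, no login shell, used by nothing but this app.
create_app_user() {
    if id "$APP_USER" >/dev/null 2>&1; then
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: skipping useradd for $APP_USER" >&2
        return 0
    fi
    useradd --system --no-create-home --shell /usr/sbin/nologin "$APP_USER"
}

# systemd unit: Kestrel binds only to loopback, so nginx is the only public listener.
render_unit() {
    cat <<EOF
[Unit]
Description=$APP_NAME (ASP.NET Core on Kestrel)
After=network.target

[Service]
WorkingDirectory=$APP_DIR
ExecStart=/usr/bin/dotnet $APP_DIR/$APP_NAME.dll
Restart=always
RestartSec=10
SyslogIdentifier=$APP_NAME
User=$APP_USER
Group=$APP_USER
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=ASPNETCORE_URLS=http://127.0.0.1:$APP_PORT
# Hardening: the service cannot gain privileges, sees /usr and /etc read-only,
# and gets a private /tmp. Add ReadWritePaths= for any directory the app must write.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# nginx site: forward to Kestrel and pass the original host/scheme/client address.
render_nginx_site() {
    cat <<EOF
server {
    listen 80;
    server_name $SITE_NAME;
    location / {
        proxy_pass         http://127.0.0.1:$APP_PORT;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade \$http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host \$host;
        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
        proxy_cache_bypass \$http_upgrade;
    }
}
EOF
}

# Write both files into the DESTDIR tree and print their paths.
install_files() {
    mkdir -p "$DESTDIR/etc/systemd/system" "$DESTDIR/etc/nginx/sites-available"
    render_unit       > "$DESTDIR/etc/systemd/system/$APP_NAME.service"
    render_nginx_site > "$DESTDIR/etc/nginx/sites-available/$SITE_NAME"
    echo "$DESTDIR/etc/systemd/system/$APP_NAME.service"
    echo "$DESTDIR/etc/nginx/sites-available/$SITE_NAME"
}

create_app_user
install_files
```

Run it as root with `DESTDIR=/` to install for real, then `systemctl enable --now myapp` and enable the nginx site. The point the example makes is the one both answers circle around: the identity belongs to the service definition (`User=` in the unit), not to Kestrel, and nothing forces it to be the proxy's own account; a dedicated account that owns only the app directory is the usual least-privilege choice, and the `ProtectSystem=`/`ReadWritePaths=` lines are where you widen access only for the resources the app actually needs.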

You seem to be confused here. What you're talking about is the Application Pool Identity (which is what the window is even labeled as). The App Pool is essentially the process that serves your website. Processes run under accounts, be it a system, service, network, or user account. What account the process runs under determines (obviously) its permissions and access. By default, in IIS, App Pools run under ApplicationPoolIdentity, which is just a local service account, with relatively limited permissions.

None of this has anything to do with Kestrel. Kestrel is just a simple web server. IIS merely acts as a reverse proxy. It accepts requests, hands them off to Kestrel, gets the response from Kestrel, and then sends that response back to the client. IIS gives you your security and administration layer, while Kestrel just handles the grunt work of serving the requests.

As a result, IIS can be interchanged for pretty much any web server that can act as a reverse proxy, such as Nginx. This would work the same way. Again, you don't define anything with Kestrel. It's just grunting along serving the requests the reverse proxy forwards it. It doesn't know or care what that reverse proxy is, and it doesn't matter.

That said, in either scenario there is no such thing as a "recommended identity" to use. This is a security aspect you are responsible for making a decision on. IIS has a default service account and Nginx probably has one as well. (I haven't run Nginx on Windows, but on Linux, it literally runs under nginx:nginx.) For some, that's fine. Others decide to use a dedicated network account or a custom local service account. Still others decide to run under an actual user account. There are various reasons for each option and there's no one "right" way to do it, only a "right" way for your app, your server, your network, and your organization. No one can make those decisions for you.

Chris Pratt
  • Not all that you've written here is accurate. For example, you say "None of this has anything to do with Kestrel". I updated my post to show you that when you set the identity of the Application Pool in IIS it also sets the identity for the application that Kestrel is serving. In my example, I set the application pool identity to Network Service, but if you set it to ApplicationPoolIdentity that is what is reflected for the app as well. – Exocomp Nov 07 '17 at 15:03
  • That's simply because Kestrel is running in the App Pool process. The point is that the configuration of the identity is not tied to Kestrel, but rather the reverse proxy. – Chris Pratt Nov 07 '17 at 15:05
  • Well yea, my point is setting the app pool in IIS does affect Kestrel but you said "None of this has anything to do with Kestrel". – Exocomp Nov 07 '17 at 15:09
  • It *doesn't*. Kestrel is just along for the ride. – Chris Pratt Nov 07 '17 at 15:10
  • I don't think you're understanding; even though Kestrel is just along for the ride, it is being affected indirectly. For example, running an Application Pool with ApplicationPoolIdentity will limit what a Kestrel app can do, hence it is affected. My question basically was if there is a recommended user that one must use with Kestrel+.NET Core; surely there has to be some recommendation. – Exocomp Nov 07 '17 at 15:16
  • That indirect effect is the point. It's not a matter of "what identity should I configure Kestrel to run under", but rather "what identity should I configure my App Pool to run under". That's an *entirely* different framework to operate from and there's *scores* of information available about the latter. However, again, no there is no hard recommendation. It's a decision you will always have to make yourself. – Chris Pratt Nov 07 '17 at 15:18
  • I must say this has NOT been helpful at all; my whole point was to get information and recommendations via this post, not be directed to "scores" of information out there. – Exocomp Nov 07 '17 at 15:23
  • In other words, you're upset that you were simply not just handed a prepackaged solution. Yeah, sorry, that's how life works sometimes. The point still remains that there is no one holy grail "right" answer to provide you. It doesn't exist. You need to do your own research and make your own decisions. And frankly, you might consider working on the attitude while you're at it. None of us here are paid, so you should be *thankful* that anyone even takes the time to respond to you. – Chris Pratt Nov 07 '17 at 15:26
  • The point of this web site is to offer ideas, recommendations and solutions. It is not about getting a pre-packaged solution. It is about using your knowledge and experience to offer advice. My original post still stands, and if there isn't a recommendation right now then someone has to create one, not simply say it doesn't exist and be done with it. Please point the finger at yourself and fix your own attitude. – Exocomp Nov 07 '17 at 15:37