I'm trying to understand the options for hosting an ASP.NET Core website on the internet today. I understand that HTTP.sys-based hosting is possible without having IIS on the web server, but I've not found clear information as to why you would do it (pros/cons) and what is today the most secure way to host an ASP.NET Core website on the internet. IIS was some time back considered a somewhat insecure web server, and I don't know to what extent this is still true today. I'm leaving Kestrel out of the discussion, as I perceive it more as a development-only option that is not secure enough for direct internet hosting.
2 Answers
There are quite a few places of misunderstanding.
- HTTP.sys can be considered a lite web server itself for web apps. Even Microsoft products like SQL Server Reporting Services hook to HTTP.sys directly.
- IIS is built upon HTTP.sys but comes with more complex designs such as application pools and management APIs to enable a more desirable web server experience. It has hosted most Microsoft sites for decades.
- Kestrel started as a thin wrapper over libuv with limited features but is now also a full-blown web server. YARP is built upon Kestrel and is widely used in production in Azure today.
All three are secure and production ready.
However, an internet-facing web site can be compromised easily because of other factors, such as vulnerabilities in the OS (Windows/Linux), web frameworks (PHP/ASP.NET), or your own code. So, if your goal is to secure your web sites, you have to focus on the bigger picture and work with security professionals. "I've not found clear information" because detailed information on how to secure a specific web site requires extensive investigation of your setup and is rarely free.

HTTP.sys is a Windows-based web server for ASP.NET Core. It is an alternative to the Kestrel server and it has some features that are not supported by Kestrel. It is built on the HTTP.sys kernel-mode driver. It cannot be used with IIS Express or IIS due to its incompatibility with the ASP.NET Core Module. Reference: HTTP.sys web server implementation in ASP.NET Core
IIS is a powerful, flexible and general-purpose web server from Microsoft that runs on the Windows platform. It is bundled with Windows as a feature and can be turned on or off as needed. Even though IIS has been around for two decades, it still supports running applications developed 20 years ago as well as applications written in the last year using the latest .NET technologies.
You say that IIS was considered an insecure web server in the past and that you don't know to what extent this is still the case today. But I want to say that the security configuration and management of IIS is not only a technical issue; human factors are also very important, because in the end it is people who implement the various settings and controls. Security is a systematic project that spans not only space but also time. An IIS system with security configuration and management is not absolutely safe; it can only be said that it is safe under certain circumstances and within a certain period of time. With continuous development, its security situation also undergoes corresponding changes. Only by allowing security awareness, security technology and security management to run through the entire process can maximum security be achieved.
