Tuesday, March 21, 2023

IIS and .Net Core

original source: https://enlabsoftware.com/development/iis-processes-asp-net-core-http-request.html

How IIS Processes ASP.NET Core HTTP Request


Have you ever wondered what happens under the hood when you make an API call to your ASP.NET Core application hosted in IIS? Your request passes through two pipelines, one in IIS and one in ASP.NET Core, before the response is returned. This article explains how your request is processed and how you can use that knowledge to add functionality to your ASP.NET Core applications.

HTTP pipeline

According to the Microsoft documentation on IIS architecture, the HTTP request is picked up in kernel mode and passed to user mode for processing, where an IIS worker process (w3wp.exe) serves it. Here are the steps:

HTTP Request Processing in IIS

  1. When a client browser initiates an HTTP request for a resource on the web server, HTTP.sys intercepts the request.

  2. HTTP.sys contacts WAS to obtain information from the configuration store.

  3. WAS requests configuration information from the configuration store, applicationHost.config.

  4. The WWW Service receives configuration information, such as application pool and site configuration.

  5. The WWW Service uses the configuration information to configure HTTP.sys.

  6. WAS starts a worker process for the application pool to which the request was made.

  7. The worker process processes the request and returns a response to HTTP.sys.

  8. The client receives the response.

Source: Introduction to IIS Architecture - Microsoft documentation


After step 6, your ASP.NET Core code is executed either by the IIS worker process itself or by a Kestrel server. Once processing is done, the HTTP response is returned to HTTP.sys, which returns it to the client browser.

Microsoft uses the ASP.NET Core Module, a native IIS module, to plug into this pipeline and either host your ASP.NET Core app inside the IIS worker process (in-process hosting model) or forward HTTP requests to a backend ASP.NET Core app running on the Kestrel server (out-of-process hosting model).

In-process hosting model

The in-process hosting model is the default for all apps built with ASP.NET Core 2.2 or later. In this model the ASP.NET Core Module loads the CoreCLR and calls the Program.Main method to bootstrap your app’s logic; it then manages the lifetime of the IIS native request.

In-process hosting model

Source: Host ASP.NET Core on Windows with IIS - Microsoft documentation

  • From the above diagram, it is clear that your app’s logic takes in the HttpContext produced by IISHttpServer, which is responsible for converting the native HTTP request to a managed one before passing it to the ASP.NET Core middleware pipeline.

  • The middleware pipeline handles the request and passes it on as an HttpContext instance to your app’s logic. 

  • The IISHttpServer passes your app’s response back to IIS which then forwards it back to the client initiating the request. 

All of this happens inside the same IIS worker process, which is why this model gives the best performance.

Make sure to call the UseIIS method when configuring your application, and explicitly specify the in-process hosting model in the web.config file as below:

<system.webServer>
  <aspNetCore processPath="dotnet" hostingModel="InProcess" />
</system.webServer>

To verify, check the Server response header and make sure it says Microsoft-IIS, not Kestrel.

response header - Microsoft-IIS

Out-of-process hosting model

In the out-of-process hosting model, by contrast, your app’s logic runs in a dotnet.exe process separate from the IIS worker process, as follows:

Out-of-process hosting model

Source: Host ASP.NET Core on Windows with IIS - Microsoft documentation

  • The ASP.NET Core Module manages the dotnet.exe process and forwards the HTTP request to the Kestrel server.

  • The Kestrel server receives the request from the ASP.NET Core Module and forwards it into the ASP.NET Core middleware pipeline.

  • The middleware pipeline handles the request and passes it on as an HttpContext instance to your app’s logic.

  • Kestrel receives the app’s response and passes it back to IIS, which forwards it to the client that initiated the request.

To deploy your application using the out-of-process hosting model, specify it in your web.config file as below:

<system.webServer>
  <aspNetCore processPath="dotnet" hostingModel="OutOfProcess" />
</system.webServer>

Check the Server response header; it should be Kestrel.

response header - kestrel

ASP.NET Core middleware pipeline

Once the request reaches your app as an HttpContext instance, it goes through the ASP.NET Core middleware pipeline, depicted in the diagram below, which is where you write custom code to handle the request and return the expected response.

ASP.NET Middleware Pipeline

Source: ASP.NET Core Middleware - Microsoft documentation

Middleware is a software component that you write and plug into the pipeline to process the request before or after passing it to the next component.

Many built-in middleware components are ready to use. Understanding what each one is for, and the order in which they must be registered, is important.
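As an added example (not code from the original post or from Microsoft), here is a Program.cs for ASP.NET Core 6 or later minimal hosting that plugs two middleware components into the pipeline: a class-based component that sets defensive response headers, and an inline component that logs which server implementation produced the HttpContext. The second one is another way, besides the Server header check above, to confirm whether the app is running in-process (IISHttpServer) or out-of-process (Kestrel). The middleware class name, the chosen headers and the "Server.IIS" type-name test are assumptions of this example; WebApplication.CreateBuilder already performs the UseIIS and UseIISIntegration registrations the two hosting models rely on.

```csharp
// Program.cs (added example; assumes ASP.NET Core 6+ minimal hosting and a
// published web.config like the ones shown above). Not from the original post.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting.Server;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
// CreateBuilder wires IIS integration (UseIIS / UseIISIntegration) itself,
// so no extra call is needed for either hosting model.
var app = builder.Build();

// Middleware runs in registration order. Registering the header middleware first
// means every response, including errors raised further down, gets the headers.
app.UseMiddleware<SecurityHeadersMiddleware>();

// Inline middleware: record which IServer implementation handed us the HttpContext.
app.Use(async (context, next) =>
{
    var server = context.RequestServices.GetRequiredService<IServer>();
    string typeName = server.GetType().FullName ?? server.GetType().Name;
    // Assumption of this example: in-process hosting uses a type from the
    // Microsoft.AspNetCore.Server.IIS namespace (IISHttpServer); out-of-process
    // hosting uses a Kestrel server type, so the substring test tells them apart.
    string hosting = typeName.Contains("Server.IIS", StringComparison.Ordinal)
        ? "in-process (IIS worker process)"
        : "out-of-process (Kestrel behind the ASP.NET Core Module)";
    app.Logger.LogInformation("Request {Path} handled by {Server}: {Hosting}",
        context.Request.Path, server.GetType().Name, hosting);
    await next(context);
});

app.MapGet("/", () => "Hello from ASP.NET Core");

app.Run();

// Class-based middleware: sets response headers before the rest of the pipeline runs.
public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // OnStarting fires just before the response headers are flushed, so the
        // headers are applied even when a later component writes the body directly.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = "DENY";
            headers["Referrer-Policy"] = "no-referrer";
            return Task.CompletedTask;
        });

        await _next(context);
    }
}
```

Publish the project with one of the web.config fragments from the post and request any URL: the log line names IISHttpServer under in-process hosting and a Kestrel server type under out-of-process hosting, matching what the Server header shows.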

References

original source: https://www.tutorialspoint.com/what-is-kestrel-and-how-does-it-differ-from-iis-asp-net

What is Kestrel and how does it differ from IIS? (ASP.NET)

Kestrel is a lightweight, cross-platform, and open-source web server for ASP.NET Core. It is included and enabled by default in ASP.NET Core. Kestrel is supported on all platforms and versions supported by .NET Core.

In the Program class, the ConfigureWebHostDefaults() method configures Kestrel as the web server for the ASP.NET Core application.

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public class Program
{
   public static void Main(string[] args)
   {
      // Build the generic host and run it until shutdown is requested.
      CreateHostBuilder(args).Build().Run();
   }

   // ConfigureWebHostDefaults registers Kestrel as the web server (with IIS
   // integration) and hands service and middleware setup to the Startup class.
   public static IHostBuilder CreateHostBuilder(string[] args) =>
      Host.CreateDefaultBuilder(args)
         .ConfigureWebHostDefaults(webBuilder =>
         {
            webBuilder.UseStartup<Startup>();
         });
}

Though Kestrel can serve an ASP.NET Core application on its own, Microsoft recommends using it along with a reverse proxy such as Apache, IIS, or Nginx for better performance, security, and reliability.

The main difference between IIS and Kestrel is that Kestrel is a cross-platform server. It runs on Linux, Windows, and Mac, whereas IIS is Windows-specific.

Another essential difference between the two is that Kestrel is fully open-source, whereas IIS is closed-source and developed and maintained only by Microsoft.

IIS is old, albeit powerful, software. With Kestrel, Microsoft started with cross-platform support and high performance as explicit design goals. Since the Kestrel codebase started from scratch, its developers could ignore legacy and compatibility issues and focus on speed and efficiency.

However, Kestrel doesn’t provide all the rich functionality of a full-fledged web server such as IIS, Nginx, or Apache. Hence, we typically use it as an application server, with one of the above servers acting as a reverse proxy.


Thursday, March 2, 2023

code signing and ssl

"C:\Programs\jdk1.8.0_121\bin\keytool" -genkey -alias server -keyalg RSA -keysize 2048 -keystore dshsapoly3uat01.jks -dname "CN=dshsapoly3uat01.dshs.wa.lcl, OU=CATS, O=DSHS, L=Olympia, ST=WA, C=US"

"C:\Programs\jdk1.8.0_121\bin\keytool" -certreq -alias server -file dshsapoly3uat01.csr -keystore dshsapoly3uat01.jks

"C:\Programs\jdk1.8.0_121\bin\keytool" -import -trustcacerts -alias dshsapoly3uat01 -file dshsapoly3uat01.cer -keystore application.keystore

------------------------------------------------------------------------------------------------------------------------

"C:\Programs\jdk1.8.0_121\bin\keytool" -genkey -alias server -keyalg RSA -keysize 2048 -keystore dshsapoly3uat02.jks -dname "CN=dshsapoly3uat02.dshs.wa.lcl, OU=CATS, O=DSHS, L=Olympia, ST=WA, C=US"

"C:\Programs\jdk1.8.0_121\bin\keytool" -certreq -alias server -file dshsapoly3uat02.csr -keystore dshsapoly3uat02.jks

"C:\Programs\jdk1.8.0_121\bin\keytool" -v -list -keystore dshsapoly3uat01.jks

keytool -delete -alias server -keystore application.keystore -storepass password

"C:\Programs\jdk1.8.0_121\bin\keytool" -import -trustcacerts -alias server -file dshsapoly3uat01.cer -keystore dshsapoly3uat01.jks

--------------------------------------------------------------------------------------------------------------------------

// how to create key and request file

set OPENSSL_CONF=C:\Admin\OpenSSL\bin\openssl.cnf

openssl genrsa -out C:\Admin\certopenssl\dshsapoly3uat01.key 2048

openssl req -new -sha256 -key C:\Admin\certopenssl\dshsapoly3uat01.key -out C:\Admin\certopenssl\dshsapoly3uat01.csr

openssl req -noout -text -in C:\Admin\certopenssl\dshsapoly3uat01.csr

openssl pkcs12 -export -out C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.pfx -inkey C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.key -in C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.cer


"C:\Programs\jdk1.8.0_121\bin\keytool" -importkeystore -srckeystore dshsapoly3uat01.pfx -srcstoretype pkcs12 -destkeystore dshsapoly3uat01.jks -deststoretype JKS

"C:\Programs\jdk1.8.0_121\bin\keytool" -v -list -keystore dshsapoly3flp01.jks


openssl pkcs12 -export -in C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.cer -out C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.p12

-------------------------------------------------------------------------------------------------------------

// how to create key and request file for code signing certificate

openssl req -new -newkey rsa:2048 -keyout C:\Admin\certs\ocx\codesign\eWiSACWISCodeSign.key -sha256 -nodes -out C:\Admin\certs\ocx\codesign\eWiSACWISCodeSign.csr -config codesign.cnf

// how to generate self sign certificate (test signing only; x509 -req does not copy the CSR extensions into the certificate, so pass the codesign_reqext section from codesign.cnf explicitly)

openssl x509 -req -days 365 -in C:\Admin\certs\ocx\codesign\eWiSACWISCodeSign1.csr -signkey C:\Admin\certs\ocx\codesign\eWiSACWISCodeSign1.key -sha256 -extfile codesign.cnf -extensions codesign_reqext -out C:\Admin\certs\ocx\codesign\eWiSACWISCodeSign1.cer

// code sign ocx, exe, cab, etc (/fd SHA256 sets the file digest algorithm; without it older signtool builds default to SHA1)

Signtool sign /debug /fd SHA256 /f eWiSACWIS.pfx /p changeit /t http://timestamp.digicert.com SacwisDocumentAutomation.ocx

signtool verify /a SacwisDocumentAutomation.ocx

============================ codesign.cnf ==================================

[ req ]
default_bits         = 2048              # RSA key size
encrypt_key          = yes               # Protect private key
default_md           = sha256            # MD to use
utf8                 = yes               # Input is UTF-8
string_mask          = utf8only          # Emit UTF-8 strings
prompt               = yes               # Prompt for DN
distinguished_name   = codesign_dn       # DN template
req_extensions       = codesign_reqext   # Desired extensions

[ codesign_dn ]
commonName           = Department of Social and Health Services
commonName_max       = 64

[ codesign_reqext ]
keyUsage             = critical,digitalSignature
extendedKeyUsage     = critical,codeSigning
subjectKeyIdentifier = hash

=====================================================================




---------------------------------------------------------

// how to create key and request file

// first of all, download the OpenSSL tool and save it somewhere on the machine.

// steps to create key and cert request file.

set OPENSSL_CONF=C:\Admin\OpenSSL\bin\openssl.cnf

openssl genrsa -out C:\Admin\certopenssl\dshsapoly3uat01.key 2048

openssl req -new -sha256 -key C:\Admin\certopenssl\dshsapoly3uat01.key -out C:\Admin\certopenssl\dshsapoly3uat01.csr

//this command is to view the csr, not a necessary step

openssl req -noout -text -in C:\Admin\certopenssl\dshsapoly3uat01.csr



// send your csr to WaTech or any other CA and get cer files from your CA before running the following commands.

//create pfx file 

openssl pkcs12 -export -out C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.pfx -inkey C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.key -in C:\Programs\wildfly-10.1.0.Final\domain-host1\configuration\dshsapoly3uat01.cer


// create keystore

"C:\Programs\jdk1.8.0_121\bin\keytool" -importkeystore -srckeystore dshsapoly3uat01.pfx -srcstoretype pkcs12 -destkeystore dshsapoly3uat01.jks -deststoretype JKS


// change alias if necessary

"C:\Programs\jdk1.8.0_121\bin\keytool" -changealias -alias "te-93ac6810-4331-41b9-b99a-efd06df5ec5b" -destalias "uat01" -keypass uat01pass -keystore dshsapoly3uat01.jks -storepass changed

// change private key password (keypass)

"C:\Programs\jdk1.8.0_121\bin\keytool" -keypasswd -alias uat01  -keystore dshsapoly3uat01.jks


// view your keystore file and check the alias name in the file

"C:\Programs\jdk1.8.0_121\bin\keytool" -v -list -keystore dshsapoly3flp01.jks
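The sequence these notes run with openssl and keytool, for both the code-signing certificate (key, CSR built from codesign.cnf, self-signed test certificate, signtool) and the server certificate (key, CSR, PFX, keystore import, keystore listing), carried out instead with .NET's System.Security.Cryptography, as an added example that is not part of the original notes. The output directory, the common name and the PFX password are placeholders; the EKU OID 1.3.6.1.5.5.7.3.3 is the standard id-kp-codeSigning value that the codeSigning keyword in codesign.cnf stands for. Unlike openssl x509 -req without -extfile, CreateSelfSigned keeps the request's extensions in the certificate.

```csharp
// Added example: key / CSR / self-signed cert / PFX with .NET instead of openssl and
// keytool. Paths, DN and password below are placeholders, not values from the notes.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CodeSignCertTool
{
    // Same extensions as the [ codesign_reqext ] section of codesign.cnf:
    // keyUsage = critical,digitalSignature; extendedKeyUsage = critical,codeSigning;
    // subjectKeyIdentifier = hash. 1.3.6.1.5.5.7.3.3 is id-kp-codeSigning.
    private static readonly Oid CodeSigningEku = new Oid("1.3.6.1.5.5.7.3.3");

    public static CertificateRequest BuildRequest(RSA key, string commonName)
    {
        var dn = new X500DistinguishedName($"CN={commonName}");
        var req = new CertificateRequest(dn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { CodeSigningEku }, critical: true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, critical: false));
        return req;
    }

    // What to check after a CA reply (or this self-signed cert) is imported: the
    // code-signing EKU must be present, otherwise signtool output will not validate.
    public static bool HasCodeSigningEku(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (Oid oid in eku.EnhancedKeyUsages)
                    if (oid.Value == CodeSigningEku.Value) return true;
        return false;
    }

    public static void Main()
    {
        string outDir = Path.Combine(Path.GetTempPath(), "codesign-example"); // placeholder location
        Directory.CreateDirectory(outDir);

        // openssl genrsa -out ... 2048  /  keytool -genkey -keyalg RSA -keysize 2048
        using RSA key = RSA.Create(2048);
        File.WriteAllText(Path.Combine(outDir, "codesign.key"),
            new string(PemEncoding.Write("PRIVATE KEY", key.ExportPkcs8PrivateKey())));

        // openssl req -new -sha256 ... -config codesign.cnf  -> PKCS#10 request for the CA
        CertificateRequest req = BuildRequest(key, "Example Org Code Signing"); // placeholder DN
        byte[] csrDer = req.CreateSigningRequest();
        File.WriteAllText(Path.Combine(outDir, "codesign.csr"),
            new string(PemEncoding.Write("CERTIFICATE REQUEST", csrDer)));

        // openssl x509 -req -days 365 -signkey ...  -> self-signed certificate for test signing only
        DateTimeOffset notBefore = DateTimeOffset.UtcNow;
        using X509Certificate2 cert = req.CreateSelfSigned(notBefore, notBefore.AddDays(365));

        // openssl pkcs12 -export -inkey ... -in ...  -> the PFX that signtool /f (or keytool
        // -importkeystore -srcstoretype pkcs12) consumes
        string pfxPassword = "placeholder-change-me"; // placeholder; keep the real one out of notes
        string pfxPath = Path.Combine(outDir, "codesign.pfx");
        File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, pfxPassword));

        // keytool -v -list equivalent: reload the PFX and confirm key and extensions survived
        using var reloaded = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
        Console.WriteLine($"Subject        : {reloaded.Subject}");
        Console.WriteLine($"Has private key: {reloaded.HasPrivateKey}");
        Console.WriteLine($"Code-signing EKU: {HasCodeSigningEku(reloaded)}");
        foreach (X509Extension ext in reloaded.Extensions)
            Console.WriteLine($"  {ext.Oid?.FriendlyName ?? ext.Oid?.Value} (critical={ext.Critical}): {ext.Format(false)}");
    }
}
```

Build it as a console project targeting .NET 6 or later and run it; the listing should show Key Usage (critical) and Enhanced Key Usage containing Code Signing, which is the same thing to look for in keytool -v -list output after the CA's reply has been imported.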