I need to support http/2 on my web app running inside a container and I'm having a hard time to configure Kestrel to run http/2 with my self-signed certificates.
What I want to ask is, is there a difference running Kestrel behind Nginx and handling all http/2 communication on Nginx and supporting http/2 at Kestrel level?
To summarize there are two options:
1. Run Asp.Net Core app behind Nginx and on http. Http/2 is handled by Nginx.
2. Run Asp.Net Core with http/2 support.
Which way should I prefer?
For any production environment, it is better to use a dedicated reverse proxy (like Nginx) instead of exposing the application directly. They are more specialized for this purpose and usually provide better security and performance. ASP.NET Core documentation also recommends using separate reverse proxy for these reasons https://learn.microsoft.com/en-US/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1
Related
I have a website on blazor server that will need to scale in the future i.e. there will be several servers. How to do balancing on blazor server using Nginx? In this case, it is necessary that the session is also saved, i.e. did not throw out in case of turning off one of the servers.
Microsoft describes how to load-balance on Linux using NGINX on the following page:
ASP.NET Core SignalR hosting and scaling
I have a .net core based micro service architecture.
I chose ocelot as api gateway. My frontend application is vue js based and hosted on nginx container. During a discussion today, I learned that nginx can already be used as a gateway.it was suggested that "you should use nginx for a gateway because you already use for serving frontend, nginx could deploying as a gateway too" I searched the internet to compare the two gateways (I know the main purpose of nginx is not a gateway) but couldn't find any information about their pros and cons like performance,scalability availability etc...
Can someone who uses the 2 technologies share information with me about which one I should choose?
Ocelot is .NET API gateway but cloud agnostic. It has following features as mentioned in article here. It is a free simple Nuget package for simple installations and not too advanced features or performance requirements, but it beautifully does the job always in .net environment, and provides some features also. It is lightweight, fast, scalable and provides routing and authentication also besides all gateway features. On Azure, Azure API management provides these features plus many more advanced gateway features.
NGinx has a open source version and a plus version.
NGINX is a high‑performance, scalable, secure, and reliable web server
and a reverse proxy. NGINX enables all the main web acceleration
techniques for managing HTTP connections and traffic. For many years,
NGINX capabilities such as load balancing, SSL termination, connection
and request policing, static content offload, and content caching have
helped NGINX users to build reliable and fast websites quickly and
efficiently.
NGINX can also act as a secure application gateway, offering a number of specialized built‑in interfaces to pass traffic from users to applications. So, as you see NGinx is much more than just an API gateway. With a server, you can integrate many other services like traffic distribution, policies, monitoring, alerts, notifications, custom configurations etc. Ocelot may have limited performance or configurability for an enterprise grade application.
Nginx is a different software than Ocelot. Kong on NGinx is more popular software for API management gateway and is not .NET specific.
If your company already is using it, and has it already for deployment, you should continue with Nginx.
Ocelot vs Kong vs Azure API management vs Nginx
In normal circumstances, Ocelot may appear better software than Nginx. But Nginx is a full fledged software. Few reasons: a. Your company has a license for Nginx plus already, why use another software for API management. b. Nginx is configurable for high performance, ocelot is not. If you use thread pool is nginx, performance can be tuned. Ten Nginx performance tuning tips.. You can do limited to none such things in Ocelot. It has its own bunch of open issues for a gateway. NGinx plus users will have training as well as team support already available. Nginx will be one API Gateway for all of Your applications (technology independent). Ocelot is technology dependent. Given the pros and cons, your company might already be having a Nginx plus license and a common API for multiple applications, and that's why they might be pushing for it.
First and foremost Nginx and Ocelot are very different software.
using Nginx will eventually be good for your infra as it can be used as an API gateway and it's open-source, secure, and offers many other benefits.
Using Ocelot will have disadvantages in long run. You'll need to handle one more software extra. Why would one waste time on that? and the developer will need to understand both of them.
I suggest you go with Nginx as it's already implemented and do your work
Yes you can use nginx as a gateway. But Apache APISIX is even a better option to use compared to Nginx and Kong. I found this article helpful while searching for a better API Gateway option to use.
https://api7.ai/blog/why-choose-apisix-instead-of-nginx-or-kong/
What is a good, lightweight http proxy I can use during development on my machine? I have to bring up two HTTP servers locally that should look as if they were one to the external user. We have a proper proxy setup for prod, but I would need something lightweight for development to test things.
What is the reason for two separate but similar servers?
What are the differences?
Can I run both in docker?
Do both support same things, like all authentication types?
Kestrel vs HTTP.sys - I've highlighted the fundamental differences below.
(The words are Microsoft's and I've only edited it for brevity and clarity. See the sources linked at the bottom).
Update:
Kestrel previously always required the use of a reverse proxy with edge deployments (exposed to traffic from the Internet) for security reasons. With Kestrel in ASP.Net Core 2.x this is no longer the case. Take a look at the documentation for more information. Kestrel Web Server Documentation
Weblistener was renamed HTTP.sys in ASP.NET Core 2.0
Sources:
Docs.Microsoft.com Web server implementations in ASP.NET Core
Docs.Microsoft.com HTTP.sys web server implementation in ASP.NET Core
HTTP.sys is windows-only HTTP / Web Server for ASP.NET Core that allows you to expose the server directly to the Internet without needing to use IIS. HTTP.sys is built on top of Http.Sys ( the same mature technology that also powers IIS' HTTP Listener) as is as such very feature rich and provides protection against various attacks.
Kestrel on the other hand, is a cross-platform web server for ASP.NET Core that is designed to be run behind a proxy (for example IIS or Nginx) and should not be deployed directly facing the Internet. Kestrel is relatively new and does not have a full complement of defenses against attacks. It's also not as feature rich as HTTP.sys and comes with timeout limits, size limits and concurrent user limits.
In essence, the choice comes down to your web application's Deployment scenario.
HTTP.sys Use Cases :
Kestrel Use Cases :
Following comparison will help you to choose which one is better
The ASP.NET 5 documentation (created by Microsoft on August 25, 2015) found here lists the chart found in the other answer (see page 107 of the bottom right book pages, but page 111 of the PDF): https://media.readthedocs.org/pdf/aspnet/theming/aspnet.pdf
Kestrel in general has better performance, if you used for one of the following below:
Great option if used in conjunction with a reverse proxy for apps exposed to Internet
Internal apps connecting with other internal apps on a private virtual network (not exposed to Internet)
WebListener is more secure, slower, and has more features. It is used in these cases:
Expose app to the Internet but can't use IIS
Require higher security and exposing server directly to Internet.
Additional features: List item, Windows Authentication, Port sharing, HTTPS with SNI, HTTP/2 over TLS (Windows 10), Direct file transmission, Response caching
I'm currently using Nginx as a web server for Openerp. It's used to handle SSL and cache static data.
I'm considering extending it's use to also handle fail over and load balancing with a second server, using the upstream module.
In the process, it occurred to me that Nginx could also do this on multiple Openerp servers on the same machine, so I can take advantage of multiple cores. But Gunicorn seems to the the preferred tool for this.
The question is: can Nginx do a good job handling traffic to multiple local OpenERP servers, bypassing completely the need for Gunicorn?
Let first talk what they both are bascially.
Nginx is a pure web server that's intended for serving up static content and/or redirecting the request to another socket to handle the request.
Gunicorn is based on the pre-fork worker model. This means that there is a central master process that manages a set of worker processes. The master never knows anything about individual clients. All requests and responses are handled completely by worker processes.
If you see closely Gunicorn is Designed from Unicron, Follow the link for the detail more diff
which show the ngix and unicrom same model work on Gunicron also.
nginx is not a "pure web server" :) It's rather a web accelerator capable of doing load balancing, caching, SSL termination, request routing AND static content. A "pure web server" would be something like Apache - historically a web server for static content, CGIs and later for mod_something.