none
Security Question About Hosting .Net Core 2.1 RRS feed

  • Question

  • Hello, 

    Due to security concerns, my organization has deemed .Net Core 2.1 insecure due to the fact that Kestral to IIS communications are HTTP. Unless I can provide security on that HTTP transfer between IIS and Kestral, I will not be able to continue using .Net Core 2.1.

    Is there a way to secure or do anything at all to that HTTP transfer from Kestral to IIS? Microsoft docs aspnet/core/host-and-deploy .Net Core 2.1 has a good diagram on what I am describing above.

    Thank you.






    Monday, September 30, 2019 8:13 PM

All replies

  • Hi friend,

    Welcome to the MSDN forum.

    Could you please share the link of the Microsoft docs that you mentioned? That will help us better analysis this issue, thanks for your understanding.

    Best regards,

    Sara


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com

    Tuesday, October 1, 2019 2:40 AM
  • docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-2.1
    Tuesday, October 1, 2019 7:17 PM
  • Https:// is missing in the link, my account verification is being slow so I cannot add a link or image at this time, that was my workaround.

    Tuesday, October 1, 2019 7:18 PM
  • For your description, do you mean statement below?

    The module specifies the port via an environment variable at startup, and the IIS Integration Middleware configures the server to listen on http://localhost:{port}. Additional checks are performed, and requests that don't originate from the module are rejected. The module doesn't support HTTPS forwarding, so requests are forwarded over HTTP even if received by IIS over HTTPS.

    If so, there is nothing you can do since this communication is between IIS and Kestrel by Asp.Net Core module.

    But, I am wondering why you think it has security concerns. 

    Do you think anyone could catch the request between IIS and Kestrel in your server?

    As far as I know, there is no securiy issue during IIS and Kestrel.


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, October 3, 2019 7:36 AM
  • Hi friend,

    Do you have any updates? If this issue persists, please feel free to let us know and share more information that Tao Zhou asked, thanks in advance.

    Since our forum is to discuss the .NET Framework installation, if you have any other issue about the .NET Core or IIS, please redirect to this appropriate forums: https://forums.asp.net/1255.aspx/1?ASP+NET+Core or https://forums.iis.net/ for better support, thanks for your understanding.

    Best regards,

    Sara


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com

    Friday, October 11, 2019 9:20 AM