Running .NET Core app on AWS Lightsail Linux instance. Part 3
Previous part is here.
The next step is to run the dotnet application as a service that starts with your virtual machine and that the system restarts if the application crashes. We will create a dedicated user (www.example.com) that will run the dotnet application. Why do we need a dedicated user? The answer is quite simple: security.
Let me elaborate on that. Nginx runs as a dedicated user (www-data). The service will run as another user that we will create (www.example.com). You could run everything from the root account, but if nginx or dotnet has a vulnerability, an attacker gets access to the whole system. If each service has its own limited account that cannot even log in, the damage is contained to that account. Moreover, you should be suspicious if you see another process running under www-data or www.example.com, as you know that no other processes should use these users. This is a continuation of layered defense.
To create the user, execute the following commands:
# Create user to run service
sudo useradd www.example.com
# Block shell access for that user
sudo usermod -s /sbin/nologin www.example.com
Now copy your web site to /var/www/www.example.com.
As the next step, I allow only the www.example.com user to access this directory; everybody else gets no access. Perhaps I am paranoid, but again, if one web site is hacked, I do not want that user to be able to read the configuration files of another web site. So I create a different account for each web site, and they cannot read each other's files.
To set up ownership, execute this command:
sudo chown -R www.example.com: /var/www/www.example.com
This transfers ownership of that directory and everything under it to user www.example.com. The next step is to set proper permissions:
# Read and execute rights for owner, no access for group and others
sudo chmod -R 500 /var/www/www.example.com
# Read, write, and execute rights for owner, no access for group and others
sudo chmod -R 700 /var/www/www.example.com/writeabledir
The next step is to create the service file. Create the file /etc/systemd/system/www.example.com.service with the following content:
[Unit]
Description=Example service

[Service]
WorkingDirectory=/var/www/www.example.com
ExecStart=/usr/bin/dotnet /var/www/www.example.com/Project.dll
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=www-example-com
User=www.example.com
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target
Now enable the service, start it and check its status with the following commands:
# Enable service
sudo systemctl enable www.example.com
# Start service
sudo systemctl start www.example.com
# Check status of service
sudo systemctl status www.example.com
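The steps above (unit file, dedicated user, owner-only permissions) can be scripted and checked before you ever run systemctl enable. The script below is an added example written for this page, not code from the original post: it renders a unit file in the same shape as the one above, refuses to proceed if the unit would run as root or would not restart on crash, and applies the 500/700 permission scheme to a site directory. The site name, the path to Project.dll, the writable subdirectory name and the After=network.target line are assumptions chosen for the example; in production the lock_down step runs under sudo against /var/www/www.example.com.

```bash
#!/usr/bin/env bash
# Added example for this page (not the post's own code). Assumed names:
# site "www.example.com", DLL path and writable subdirectory are placeholders.
set -eu

# Render a systemd unit for one site. Arguments: site name, path to the DLL, output file.
# The SyslogIdentifier is derived from the site name (dots -> dashes), as in the post.
render_unit() {
  site="$1"; dll="$2"; out="$3"
  ident=$(printf '%s' "$site" | tr . -)
  workdir=$(dirname "$dll")
  cat > "$out" <<EOF
[Unit]
Description=${site} ASP.NET Core site
After=network.target

[Service]
WorkingDirectory=${workdir}
ExecStart=/usr/bin/dotnet ${dll}
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=${ident}
User=${site}
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target
EOF
}

# Pre-flight checks before "systemctl enable": the unit must name a non-root user
# (otherwise the site runs as root) and must restart automatically after a crash.
check_unit() {
  unit="$1"
  if ! grep -q '^User=' "$unit"; then
    echo "check_unit: no User= line, service would run as root" >&2; return 1
  fi
  if grep -q '^User=root$' "$unit"; then
    echo "check_unit: User=root is not allowed" >&2; return 1
  fi
  if ! grep -q '^Restart=always$' "$unit"; then
    echo "check_unit: missing Restart=always" >&2; return 1
  fi
  return 0
}

# Apply the post's permission scheme: owner read/execute everywhere,
# owner read/write/execute only inside the named writable subdirectory.
# Arguments: site root directory, writable subdirectory name.
lock_down() {
  root="$1"; writable="$2"
  chmod -R 500 "$root"
  chmod -R 700 "$root/$writable"
}

# Octal permission mode of a path, for verification (GNU stat).
mode_of() { stat -c '%a' "$1"; }
```

Run lock_down only after chown has made the service user the owner, since chmod 500 removes write access for everyone else, including the account you are logged in as, and the check_unit step is cheap insurance against the most common mistake the post mentions: a mistyped username in the unit file.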
If everything works correctly, you will see that the service is active and running, followed by a few lines from your application's log. If it does not work, check Syslog: perhaps you mistyped the username, or the path is incorrect. Syslog entries are tagged www-example-com. To display Syslog, execute the following command:
If you change anything in the service file, run the following command:
If you go back to your browser and refresh, you should see your web site.
At this stage you have a working site that is set up correctly and securely.
Next part is here.