Running .NET Core app on AWS Lightsail Linux instance. Part 3

Previous part is here.

Web service

The next step is to run the dotnet application as a service that starts with your virtual machine and that the system restarts if the application crashes. We will create a specific user (www.example.com) that will run the dotnet application. Why do we need a specific user? The answer is quite simple – security.

Let me elaborate on that. Nginx runs as a specific user (www-data). The service will run as another user that we will create (www.example.com). Surely you can run everything from the root account, but if nginx or dotnet has some vulnerability, then an attacker gets access to the whole system. If each service has its own, quite limited account that is not even able to log in, the damage stays confined to that account. Moreover, you will be quite suspicious if you see another process running under user www-data or www.example.com, as you know that no other processes should use these users. This is a continuation of layered defense.

To create user, execute following commands:

# Create user to run service
sudo useradd www.example.com

# Block shell access for that user
sudo usermod -s /sbin/nologin www.example.com

Now copy your web site to /var/www/www.example.com.

As the next step I allow only the www.example.com user to access this directory; everybody else gets no access at all. Perhaps I am paranoid but again, if one web site is hacked, I do not want that user to be able to read configuration files from another web site. So I create a different account for each web site, and they are not able to read each other's files.

To set up ownership, execute this command:

sudo chown -R www.example.com: /var/www/www.example.com

This will transfer ownership of that directory and everything under it to user www.example.com. The next step is to set proper permissions:

# Read and execute rights for owner, no access for group and others
sudo chmod -R 500 /var/www/www.example.com

# Read, write, and execute rights for owner, no access for group and others
# (only for the directory the application has to write to; replace
# writeabledir with the name of that directory under the site root)
sudo chmod -R 700 /var/www/www.example.com/writeabledir
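To confirm the two properties set up above (the service account has no login shell, and nothing under the site directory is owned by anyone else or readable by group or others), here is a small audit script. It is an added example, not part of the original post; the function names are my own, and it assumes the same user and directory names as above.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks that the service
# account cannot log in and that the site directory is private to it.

# Returns 0 if the seventh field of a passwd(5) line is a non-login shell.
passwd_line_has_nologin_shell() {
    case "$(printf '%s' "$1" | cut -d: -f7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Looks the account up in the system database and applies the check above.
user_has_nologin_shell() {
    line=$(getent passwd "$1") || return 1
    passwd_line_has_nologin_shell "$line"
}

# Returns 0 if everything under $1 is owned by user $2 and nothing under it
# is readable, writable or executable by group or others; prints offenders.
audit_site_dir() {
    dir=$1
    user=$2
    rc=0
    [ -d "$dir" ] || { printf 'missing directory: %s\n' "$dir"; return 1; }

    bad_owner=$(find "$dir" ! -user "$user")
    if [ -n "$bad_owner" ]; then
        printf 'not owned by %s:\n%s\n' "$user" "$bad_owner"
        rc=1
    fi

    # "-perm -g+r" matches files whose group-read bit is set; any bit for
    # group or others is a finding
    bad_perm=$(find "$dir" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                           -o -perm -o+r -o -perm -o+w -o -perm -o+x \))
    if [ -n "$bad_perm" ]; then
        printf 'accessible by group/others:\n%s\n' "$bad_perm"
        rc=1
    fi
    return "$rc"
}

# Example invocation for the setup in this post:
# user_has_nologin_shell www.example.com && \
#     audit_site_dir /var/www/www.example.com www.example.com
```

Run it as root (or as the service user) so that `find` can descend into the directory; a non-empty report means some file would still be readable by another account on the machine.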

The next step is to create the service file. Create the file /etc/systemd/system/www.example.com.service with the following content:

[Unit]
Description=Example service

[Service]
WorkingDirectory=/var/www/www.example.com
ExecStart=/usr/bin/dotnet /var/www/www.example.com/Project.dll
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=www-example-com
User=www.example.com
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target

Now enable the service, start it and check its status with the following commands:

# Enable service
sudo systemctl enable www.example.com

# Start service
sudo systemctl start www.example.com

# Check status of service
sudo systemctl status www.example.com

If everything is working correctly, you will see that the service is active and running, followed by a few lines from your application's log. If it does not work, check Syslog. Perhaps you mistyped the username, or the path is incorrect. Syslog entries will be marked with the www-example-com tag. To display Syslog, execute the following command:

cat /var/log/syslog

If you change anything in the service file, run the following command so systemd picks up the change:

sudo systemctl daemon-reload

If you come back to your browser and refresh, you should be able to see your web site.

At this stage you have a working site that is set up correctly and securely.

Next part is here.