I’m sure that many of you have heard about the backdoor in xz-utils that allows specific people to get root access if Linux is configured to accept incoming SSH connections. There are a lot of systems like that, because it is a typical configuration for pretty much every Linux machine. Fortunately, it was caught quickly, and as far as we know no real attacks were carried out through that backdoor.

But it reveals a lot of problems, and most of them are typical for open-source development. I would like to review them and to explore whether these problems also apply to the closed-source world.

Let’s start with the obvious problem. You rarely get paid for developing open-source projects. Most of

Previous part is here. This post will explain how to restart your web site at specific intervals without returning errors to clients. You can scroll down to the solution if you are not interested in my thoughts and in what I tried.

Thoughts and research

As I mentioned in this post, I decided to restart my web site periodically to avoid the out-of-memory issue. And I would like to mention that it wasn’t easy to do. Obviously, restarting a web site is super simple: all you need is to restart its service. But that means that your web site will be unavailable for some time. Depending on the size of the web site, we are talking about seconds or

Some time ago, I wrote a series of posts on how to run a .NET Core app on an AWS Lightsail Linux instance. Everything worked nicely, but sometimes, about once per month, my web site stopped responding. And I could not connect to my instance at all to diagnose the issue. All I could do was restart my AWS instance. At the beginning I thought it could be an AWS issue, or perhaps some issue in .NET. I updated everything I could, but the problem persisted. When it happened the last time, I decided to check the kernel logs, and I found this:

Feb 10 07:31:18 ip-1-2-3-4 kernel: [1512878.216567] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/www.example.com.service,task=dotnet,pid=511,uid=1001
Feb 10 07:31:18 ip-1-2-3-4 kernel: [1512878.216597] Out of memory: Killed process 511 (dotnet) total-vm:3007440kB, anon-rss:105260kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:712kB oom_score_adj:0
Feb 10 07:31:18 ip-1-2-3-4 kernel: [1512878.241642] oom_reaper: reaped process 511 (dotnet), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
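Lines like these are easy to miss in a month of kernel log. As an added example (not code from the original post), here is a small POSIX shell script that turns kernel `oom-kill:` lines into a per-service summary: it reads the `task_memcg` field, which names the systemd unit that was killed, and counts how often each unit was hit. The sample log lines are constructed to match the format shown above; the unit name www.example.com.service and the second event are assumptions for the demo.

```sh
#!/bin/sh
# Added example: summarise kernel OOM-kill events from log lines on stdin.
# Not part of the original post. SAMPLE_LOG is constructed to match the
# kernel's format; the unit name and the second event are assumptions.

SAMPLE_LOG='Feb 10 07:31:18 ip-1-2-3-4 kernel: [1512878.216567] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/www.example.com.service,task=dotnet,pid=511,uid=1001
Feb 10 07:31:18 ip-1-2-3-4 kernel: [1512878.216597] Out of memory: Killed process 511 (dotnet) total-vm:3007440kB, anon-rss:105260kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:712kB oom_score_adj:0
Feb 10 07:31:18 ip-1-2-3-4 kernel: [1512878.241642] oom_reaper: reaped process 511 (dotnet), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
Mar 02 03:14:07 ip-1-2-3-4 kernel: [3305611.007120] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/www.example.com.service,task=dotnet,pid=9021,uid=1001
Mar 02 03:14:07 ip-1-2-3-4 kernel: [3305611.007155] Out of memory: Killed process 9021 (dotnet) total-vm:3115200kB, anon-rss:110440kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:740kB oom_score_adj:0'

# One line per kill: "<systemd unit> <task> <pid> <uid>".
# Only the "oom-kill:" line is parsed; its task_memcg field names the cgroup
# (the systemd unit), which is more useful than the bare process name.
oom_events() {
  grep -o 'oom-kill:.*' | awk -F'[,=]' '
    {
      memcg = task = pid = uid = "-"
      for (i = 1; i <= NF; i++) {
        if ($i == "task_memcg")  memcg = $(i + 1)
        else if ($i == "task")   task  = $(i + 1)
        else if ($i == "pid")    pid   = $(i + 1)
        else if ($i == "uid")    uid   = $(i + 1)
      }
      # "/system.slice/x.service" -> "x.service"; "-" if no cgroup was named
      n = split(memcg, part, "/")
      unit = (part[n] == "") ? "-" : part[n]
      print unit, task, pid, uid
    }'
}

# Kills per unit, most frequent first: "<count> <unit>".
oom_counts() {
  oom_events | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Exit 0 if the named unit was OOM-killed at least once in the input.
oom_killed_unit() {
  oom_events | awk -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Demo on the constructed sample. On a real host: journalctl -k | oom_counts
printf '%s\n' "$SAMPLE_LOG" | oom_counts
```

On a live instance feed it from `journalctl -k` (kernel messages only) rather than a copied file, and note that the `anon-rss` in the "Killed process" line is the resident size at the moment of the kill, not the peak; the `total-vm` figure is virtual address space and says little about real memory use.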

Previous part is here.

I found that I had missed one critical part that I did in my application but forgot to explain here. Let me explain a little bit. The actual secure communication over HTTPS happens between the browser and nginx, which is the web server. Nginx talks to the .NET application over plain HTTP, so the .NET application believes that it is communicating over HTTP. This is called SSL termination.

As a result, the .NET application can return something that is not compatible with HTTPS. In my case it returned a link to a profile from the Gravatar service via HTTP. This in turn leads to a complaint from the web browser that there is mixed content: HTTP and HTTPS. And that is only a minor problem, but
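A quick way to catch the symptom described above before a browser does: the added POSIX shell example below (not code from the original post) scans an HTML page for subresources loaded over plain `http://`, which is what browsers report as mixed content on an `https://` page. The sample page is constructed; the Gravatar URL in it is a placeholder, not a real profile.

```sh
#!/bin/sh
# Added example: detect mixed-content subresources in an HTML document read
# from stdin. Not part of the original post. SAMPLE_HTML is constructed and
# the Gravatar hash in it is a placeholder.

SAMPLE_HTML='<html><head><link rel="stylesheet" href="https://cdn.example.com/site.css"></head>
<body><img src="http://www.gravatar.com/avatar/00000000000000000000000000000000" alt="avatar">
<a href="http://www.example.com/about">About</a>
<script src="https://cdn.example.com/app.js"></script></body></html>'

# Print each http:// URL that an https: page would load as a subresource.
# Only src= on media/script/frame tags and href= on <link> count: a plain
# <a href="http://..."> is a navigation, not mixed content, so it is skipped.
mixed_content() {
  tr -d '\n' \
    | grep -oiE '<(img|script|iframe|video|audio|source|link)[^>]*>' \
    | grep -oiE '(src|href)="http://[^"]*"' \
    | sed -E 's/^[^=]*="//; s/"$//'
}

# Exit 0 if the page on stdin has at least one mixed-content subresource.
has_mixed_content() {
  [ "$(mixed_content | wc -l | tr -d ' ')" -gt 0 ]
}

# Demo on the constructed sample. For a live site:
#   curl -s https://www.example.com/ | mixed_content
printf '%s' "$SAMPLE_HTML" | mixed_content
```

This only finds the symptom. The usual cause behind a TLS-terminating proxy is that the application builds absolute URLs from the scheme it sees on its own socket; the general fix is for nginx to forward the original scheme (the `X-Forwarded-Proto` header) and for the application to honour it when generating links.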

This is a continuation of Running .NET Core app on AWS Lightsail Linux instance.

By this moment everything is working exactly as I want. But there are 2 things that really annoy me: backup and updating the web site. Because I revoked access to the web site directory for every account except www.example.com, I have to run a lot of commands as the sudo user to back up and update my web site. I would like to automate these steps.


I have 2 things to back up: the web site itself and its data. I separate them because they have different update schedules. For example, I can update the web site a few times per day and then not update it for weeks. Obviously, I

This is a continuation of Running .NET Core app on AWS Lightsail Linux instance.

One of the useful features I always use for .NET and .NET Core applications in IIS is the special file app_offline.htm. If this file exists in the application’s directory, then the .NET module for IIS returns the contents of that file for every request. Usually it is used for maintenance. For example, I put in some text saying that the web site is under maintenance and that it will be finished in a few minutes. Then I update all the necessary files that are impossible to update while the web site is running. When I have finished, I rename it to app_offline.htm_ until the next maintenance.

I would like to implement something

Previous part is here.


Firstly, you need a domain name. “You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice”. Then follow the instructions on how to set up an A record. Because you have a static IP, it will be really easy to do. For example, the Namecheap instructions are here.

Keep in mind that it could take up to 24 hours for the changes to propagate. But if you have never accessed your domain before, then it should work in a few minutes. Remove your changes from the hosts file on your computer, and when the changes have propagated, you should be able to refresh your browser and see your site with

Previous part is here.

Web service

The next step is to run the dotnet application as a service that starts with your virtual PC and that the system restarts if the application crashes. We will create a specific user (www.example.com) that will run the dotnet application. Why do we need a specific user? The answer is quite simple: security.

Let me elaborate on that. Nginx runs as a specific user (www-data). The service will run as another user that we will create (www.example.com). Surely you can run everything from the root account, but if nginx or dotnet has some vulnerability, then the attacker will get access to the whole system. If each service has its own quite limited account that is not even able to log in, a vulnerability in one of them only exposes what that account can reach. Moreover,
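The procedure described above, as an added example in POSIX shell (not the original post's commands): create a no-login system account for the site, write a systemd unit that runs the dotnet application as that account with automatic restart, and refuse to install a unit that would run as root. The account name www.example.com comes from the post; the application directory /var/www/www.example.com, the entry assembly MyApp.dll, the dotnet path /usr/bin/dotnet and the listen port 5000 are assumptions, as is the choice of systemd sandboxing directives.

```sh
#!/bin/sh
# Added example: run the dotnet app as its own unprivileged no-login user
# under systemd, restarting on crash. Not part of the original post.
# Assumed values (adjust to your site): APP_DIR, APP_DLL, dotnet path, port.

SITE_USER=www.example.com          # account name used in the post
APP_DIR=/var/www/www.example.com   # assumption
APP_DLL=MyApp.dll                  # assumption: the published entry assembly

# Create a system account with no home directory and no login shell,
# only if it does not exist yet. Requires root; called only on "install".
ensure_site_user() {
  if ! id "$SITE_USER" >/dev/null 2>&1; then
    useradd --system --no-create-home --user-group \
            --shell /usr/sbin/nologin "$SITE_USER"
  fi
}

# Emit the unit file text. The service runs as the site user, is restarted
# on any exit, and the sandboxing directives keep it from gaining privileges
# or writing anywhere except its own directory.
unit_file() {
  cat <<EOF
[Unit]
Description=$SITE_USER (ASP.NET Core app behind nginx)
After=network.target

[Service]
WorkingDirectory=$APP_DIR
ExecStart=/usr/bin/dotnet $APP_DIR/$APP_DLL
Restart=always
RestartSec=10
User=$SITE_USER
Group=$SITE_USER
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=ASPNETCORE_URLS=http://127.0.0.1:5000
# Hardening (assumed to suit the app; relax ReadWritePaths if it writes elsewhere)
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=$APP_DIR

[Install]
WantedBy=multi-user.target
EOF
}

# Sanity check a unit file before enabling it: it must name a non-root user
# and have a restart policy. Exit 0 if acceptable.
check_unit() {
  grep -q '^User=' "$1" && ! grep -q '^User=root$' "$1" && grep -q '^Restart=' "$1"
}

# Write the unit to the given path and verify it.
install_unit() {
  unit_file > "$1"
  check_unit "$1"
}

# Usage: sudo sh setup-site-service.sh install
if [ "${1:-}" = "install" ]; then
  ensure_site_user
  install_unit "/etc/systemd/system/$SITE_USER.service"
  # Only the site user (and root) can read the application directory.
  [ -d "$APP_DIR" ] && chown -R "$SITE_USER:$SITE_USER" "$APP_DIR" && chmod 750 "$APP_DIR"
  systemctl daemon-reload
  systemctl enable --now "$SITE_USER.service"
fi
```

Because the account has /usr/sbin/nologin as its shell and no password, nobody can log in as it, but a compromised dotnet process still runs with its rights; ProtectSystem=strict and ReadWritePaths limit what those rights can touch on disk. Check the result with `systemctl status www.example.com.service` and `ps -o user,cmd -C dotnet`.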

Previous part is here.

Configuring Web Server

I chose nginx as the web server because, after some research, it looks like it is gaining a lot of popularity while the second contender, Apache2, is losing popularity.

The first step is to ensure that your web server is working correctly. Because the HTTP port is open in the Amazon (Lightsail) firewall and in your virtual PC, you should be able to access it from outside from your browser. Just type http://<your static IP address> in your browser and press Enter. You should see the standard nginx web page.

The next step is to make sure that nginx will not serve anything that was not specifically added. Returning status 444 makes nginx close the connection without sending any response, so requests that arrive by bare IP address or with an unknown Host header get nothing at all. Edit the file /etc/nginx/sites-available/default and replace its contents with the following:

server {
	# Catch-all for any request whose Host matches no other server block:
	# close the connection without a response (444 is nginx-specific).
	listen 80 default_server;
	listen [::]:80 default_server;
	return 444;
}