Set Up Linux Host for PTS Application
Follow the steps below to create a production-ready .NET Core hosting environment for PTS applications. The guide assumes that you have a newly created instance of the Ubuntu 18.04 LTS operating system with root privileges.
Register Microsoft Feed
Before installing .NET, you'll need to register the Microsoft key, register the product repository, and install required dependencies. This only needs to be done once.
Open a terminal and run the following commands:
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
Install the .NET Runtime
Update the products available for installation, then install the .NET Runtime.
In your terminal, run the following commands:
sudo add-apt-repository universe
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install aspnetcore-runtime-2.2
Deploy Your Web Application
This guide assumes that we are deploying a web application. If your app is not a web app you can skip this step.
Create Working Directory
Since this is the first time we are deploying the web app, we need to create the working directory:
sudo mkdir /var/www/myapp.com
Upload Your Web Application Project Output
This can be done manually through file managers such as FileZilla, or you can upload the files directly via SSH. Replace /path/to/local/outputdir/ with the actual path of the project output on your file system and user@remotehost with the credentials applicable to your remote environment:
scp -r /path/to/local/outputdir/ user@remotehost:/var/www/myapp.com/
Compile and Start The Application
Now that the files are in place, run dotnet restore and then dotnet run to start the application.
cd /var/www/myapp.com
dotnet restore
dotnet run
You should see the following output:
Project myapp.com (.NETCoreApp,Version=v2.2) was previously compiled. Skipping compilation.
Hosting environment: Production
Content root path: /var/www/myapp.com
Now listening on: http://localhost:5000
In this example we are assuming the application is configured to listen on localhost:5000. Note the port number, as we will be using it in subsequent configuration steps.
Add Nginx Server For Reverse Proxy
Adding Nginx as a reverse proxy in front of the .NET Core application gives us more control over domain mapping and SSL, and also lets us host multiple applications on a single host.
Install Nginx Server
Use apt-get to install Nginx. The installer creates a systemd init script that runs Nginx as a daemon on system startup:
sudo apt-get install nginx
sudo service nginx start
Start Nginx Service
After Nginx is installed, explicitly start it by running:
sudo service nginx start
Create Nginx App Configuration File
Start your favorite editor to create a new configuration file for your web application. Replace myapp.com with the URL you will be using for your application:
sudo nano /etc/nginx/sites-available/myapp.com.conf
Specify the configuration:
server {
    listen 80;
    server_name myapp.com *.myapp.com;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Enable App Configuration
Now that you have created the configuration file, we need to create a symlink to it in the active configuration folder:
sudo ln -s /etc/nginx/sites-available/myapp.com.conf /etc/nginx/sites-enabled/
For the configuration to take effect, we need to reload it:
sudo service nginx reload
Set Up Let's Encrypt for SSL
We will use Certbot to obtain a free SSL certificate for the Nginx we just installed and set up the certificate to renew automatically.
Install Certbot
Add the certbot repository:
sudo add-apt-repository ppa:certbot/certbot
Install Certbot's Nginx package:
sudo apt install python-certbot-nginx
Allow HTTPS Through the Firewall
This step is required only if you have the ufw firewall enabled. The following commands adjust the settings to allow HTTPS traffic.
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Validate the firewall settings with the following command:
sudo ufw status
You should see the following output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
If you are not using a firewall you will see:
Status: inactive
Both outcomes are acceptable for the setup.
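Because an inactive firewall is accepted here, the application's bind to localhost:5000 is what keeps the backend from being reached directly, without Nginx or TLS. The following added example (not part of the original guide) parses ss -ltnH output and flags any listener on the backend port that is not bound to loopback; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the app port is reachable only through Nginx by
# checking that it is bound to loopback.
# Live use on the host:  ss -ltnH | backend_is_private 5000

# Print every listener on port $1 whose address is not loopback.
# stdin: `ss -ltnH` lines (State Recv-Q Send-Q Local-Address:Port Peer ...).
exposed_listeners() {
    awk -v port="$1" '
    {
        addr = $4                          # e.g. 127.0.0.1:5000 or [::1]:5000
        n = split(addr, parts, ":")
        if (parts[n] != port) next         # listener on a different port
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback bind
        print addr                         # wildcard or routable bind
    }'
}

# Return 0 when the backend port is loopback-only, 1 otherwise.
backend_is_private() {
    _found=$(exposed_listeners "$1")
    if [ -n "$_found" ]; then
        printf 'port %s exposed on: %s\n' "$1" "$_found" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the layout this guide produces (app on localhost:5000).
SAMPLE_GOOD='LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 [::1]:5000 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'

# Constructed sample: app bound to all interfaces, reachable without Nginx.
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 [::]:5000 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

printf '%s\n' "$SAMPLE_GOOD" | backend_is_private 5000 && echo "good: loopback only"
printf '%s\n' "$SAMPLE_BAD"  | backend_is_private 5000 || echo "bad: bypasses Nginx and TLS"
```

If the check fails, change the application's listen URL back to localhost before relying on the proxy.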
Obtain an SSL Certificate
Certbot provides a convenient way to obtain SSL certificates through its Nginx plugin. The plugin will take care of reconfiguring Nginx and reloading the config whenever necessary:
sudo certbot --nginx -d myapp.com -d www.myapp.com
If this is the first time you are running certbot on the host, you will be prompted to enter an email address:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Type in your email address and hit Enter to continue. You will be prompted to agree to the terms of service:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
If you agree to the ToS, type A and hit Enter to continue.
Certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for. You should see the following output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docs.ptsframework.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/myapp.com.conf
After domain verification, certbot will ask how you want to handle non-HTTPS traffic:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Make a choice that matches your needs and hit Enter to continue.
At this point the certificates are downloaded, installed, and loaded. Reload the web app in your web browser with the https:// prefix to validate the setup.