-
I would love to try out YARP on Ubuntu 20.04 and use it for 2 live .NET 5 (preview) Blazor WASM/gRPC websites (live but prototypes). So, not for load balancing, but just to be able to host 2 instances of Kestrel (serving different domain names on (internal) different ports) on one VPS with YARP in front of it serving those websites on one https (433) external port with http2 for gRPC. Getting an A+ grade at Qualys SSL labs (and a 100% score at https://en.internet.nl/) is really important to me, and if the sample could contain code on how to achieve this with sample code from this discussion (Cipher Suit Preference) it would be very helpful to me and imo to others to use it. I know (from that same issue) how to setup I did this previously with NGINX, but as I said I would love to try out YARP in this configuration so I could use Microsoft software only (and because YARP is pretty, pretty fast so I'm told 😉)
-
Good questions, these are all things we still need docs for (#305). Let's take this as three different parts.
A) A+ TLS config scores on Linux: We're tracking that over at dotnet/runtime#30767 as you've noticed. It's a long conversation but I think the highlights are dotnet/runtime#30767 (comment) and dotnet/runtime#30767 (comment). Please give those options a try and ask any questions you need on that issue. You shouldn't need to do anything YARP specific.
B) Hosting multiple domains on the same port: The TLS feature for this is called SNI and is something you configure in Kestrel.
Kestrel has a new config feature for this in 5.0.0-RC1, which isn't quite out yet but you should be able to try a daily build. If you need to do this in any prior version then you can use the ServerCertificateSelector callback. It lets you check the incoming domain name for each new connection and provide the matching certificate.
C) Configure YARP to route by domain name: Run through the getting started guide and then tweak the config like this:
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*",
  "ReverseProxy": {
    "Routes": [
      {
        "RouteId": "route1",
        "ClusterId": "cluster1",
        "Match": {
          "Hosts": [ "PublicDomain1" ]
        }
      },
      {
        "RouteId": "route2",
        "ClusterId": "cluster2",
        "Match": {
          "Hosts": [ "PublicDomain2" ]
        }
      }
    ],
    "Clusters": {
      "cluster1": {
        "Destinations": {
          "cluster1/destination1": {
            "Address": "https://internal.domain.1.name.or.ip/"
          }
        }
      },
      "cluster2": {
        "Destinations": {
          "cluster2/destination1": {
            "Address": "https://internal.domain.2.name.or.ip/"
          }
        }
      }
    }
  }
}
Try it out and let me know how it goes.
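The ServerCertificateSelector callback from part B, wired into the Kestrel instance that hosts YARP, as an added example that is not part of the original reply or of the YARP project. The certificate paths, the password placeholders, the `Startup` class (assumed to be the one from the getting started guide) and the cipher suite list are assumptions for illustration; the dictionary keys are the `Hosts` values from the config above.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static void Main(string[] args)
    {
        // One certificate per public host name; paths and passwords are placeholders.
        // SNI names are case-insensitive, hence the OrdinalIgnoreCase comparer.
        var certs = new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
        {
            ["PublicDomain1"] = new X509Certificate2("/etc/certs/domain1.pfx", "<pfx-password-1>"),
            ["PublicDomain2"] = new X509Certificate2("/etc/certs/domain2.pfx", "<pfx-password-2>"),
        };

        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.UseStartup<Startup>(); // assumed: Startup from the getting started guide
                web.ConfigureKestrel(kestrel => kestrel.ListenAnyIP(443, listen =>
                    listen.UseHttps(https =>
                    {
                        // Refuse TLS 1.0/1.1 regardless of OS defaults.
                        https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
                        // Called once per connection with the SNI name the client sent.
                        // Returning null for an unknown or missing name leaves the
                        // connection without a certificate, so the handshake fails
                        // instead of serving some other site's certificate.
                        https.ServerCertificateSelector = (connection, sniName) =>
                            sniName != null && certs.TryGetValue(sniName, out var cert) ? cert : null;
                        // CipherSuitesPolicy is not supported on Windows, so guard it.
                        // The suite list is an illustrative AEAD-only selection.
                        if (OperatingSystem.IsLinux())
                            https.OnAuthenticate = (connection, ssl) =>
                                ssl.CipherSuitesPolicy = new CipherSuitesPolicy(new[]
                                {
                                    TlsCipherSuite.TLS_AES_256_GCM_SHA384,
                                    TlsCipherSuite.TLS_AES_128_GCM_SHA256,
                                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                });
                    })));
            })
            .Build().Run();
    }
}
```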
-
Thank you for your answer. If I understand correctly, with the new Kestrel config feature in 5.0.0-RC1 I can configure YARP (also a Kestrel instance) to handle the TLS connections (SSL certs) for SNI/multiple domains (dotnet/aspnetcore#24286) and configure the routing in YARP as you described in your answer above/and by following the YARP Getting Started guide? From the comments in dotnet/runtime#30767 I know how to configure Kestrel to get an SSL Labs A+ score. I've 2 websites (prototypes / Preview 8) running with an A+ score, but now on 2 different VPS's because I stopped using NGINX. I'm in no hurry, I can wait until RC1 is released, which will be next month I guess, as Preview 8 just has been released. Below (a top/down incoming traffic presentation) is what I want to achieve, a basic setup using one server (Ubuntu VPS) on which I'll be running 3 Kestrel instances. 1 for YARP and 2 for the different domains. Internet (ports 51433, 52443 are just examples)
-
Sounds right.
-
Should this get moved over to discussions?
-
@samsp-msft Oh right, I forgot about the 'discussions' option in GitHub. I should've created a discussion instead of an issue. Chris' answer and example answered what I wanted to know to get started with YARP, looking forward to doing it actually, but I've to finish some other code I'm working on at the moment first. But as soon as I've something to show, or maybe have another question, I'll certainly come back here (in discussions). So if you want you can close this issue and/or move it to discussions.
-
Hi @Tratcher, This weekend I finally got some free time to experiment with YARP and to look into the links you provided and tried to set up YARP with Kestrel's SSL SNI feature so I can use multiple domain names on one server listening on one port. My config: (Dev PC) Windows 10 Pro, Visual Studio Preview (latest) and (ASP).NET 6 Preview 3. (This YARP config is meant to run, eventually, on an Ubuntu 20.04 co-located VPS, which I'm using for my Blazor WASM sites). YARP is listening on Here's my I'm testing it with the 'production' url. It's a Kestrel Hosted Blazor WASM site listening on In YARP's command windows it says it's YARP is unable to find the host, but the host is running. When you look at the Screenshot command window YARP's error messages": Screenshot Browser YARP The Blazor site is running at Screenshot command window Kestrel Hosted Blazor WASM site (when I enter the url manually in the browser) Screenshot Browser Blazor (when I enter the url manually in the browser)