So I’m pretty decent at using nginx and dotnetcore to set up a secure server on bare metal or a virtual machine. My new company uses Azure and I mostly use AWS at home. I’m still a little green when it comes to Docker and containerizing applications. I tested a container locally that works; this is the Dockerfile:

    FROM mcr.microsoft.com/dotnet/core/aspnet:2.2 AS base
    WORKDIR /app
    EXPOSE 5000

    FROM mcr.microsoft.com/dotnet/core/sdk:2.2 AS build
    WORKDIR /src
    COPY ["BrandArmorRest.csproj", "./"]
    RUN dotnet restore "./BrandArmorRest.csproj"
    COPY . .
    WORKDIR "/src/."
    RUN dotnet build "BrandArmorRest.csproj" -c Release -o /app/build

    FROM build AS publish
    RUN dotnet publish "BrandArmorRest.csproj" -c Release -o /app/publish

    FROM base AS final
    WORKDIR /app
    COPY --from=publish /app/publish .
    ENTRYPOINT ["dotnet", "BrandArmorRest.dll"]

While I was playing with containers, I needed to get something online to test with, so I have an nginx application running in the way I normally push to the cloud with an AWS EC2 instance. I configure nginx with the cert and the key, get the TLS to an A-rating, etc. Dotnet core runs as a system service behind the reverse proxy.
But now I’m not sure of the next steps. I basically am tired of manually doing this setup every time I make a website, so I felt like containers would be a great way to reuse my configuration code. I lost my private key once to my AWS instance and then had to reconfigure everything, so it put me in the mood to upgrade my skill set.
So locally I would do

    docker build -t idfk .
    docker run --rm -d -p 5000:80/tcp brandarmor:latest

Then navigate to localhost:5000 and everything is good.

I saw this post about just adding nginx on top of it, "Install nginx on an existing asp.net core docker container". But then I wasn’t sure about the security aspects. Like what about the TLS? I mainly use nginx to terminate the encryption, but maybe Docker / Azure / Kubernetes already has a system for doing that, thereby making the need for nginx not really there. I just want to deploy a simple web API that isn’t in production yet, so the whole scaling/load balancing thing isn’t really important at this stage.

I guess my question is this: how do I go from this container, developed locally, to Azure without building a skyscraper? Do I need the nginx layer, or does Azure have its own internal way of doing that? If I do need the nginx layer, how do I keep the RSA encryption secure? In other words, dropping the private key and cert in my git repo sounds like an awful idea, but what are the alternatives? I don’t have any DNS requirements, so it could have some generic Azure name, as long as it’s https.

Thanks in advance for any advice.