david/net-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

initial setup

Browse Source
This commit is contained in:
David Claeys 2025-04-01 12:37:47 +02:00
parent f7936a788a
commit db538746ff
3 changed files with 85 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
Dockerfile Normal file
View File

@ -0,0 +1,49 @@
ARG CONFIG_DIRECTORY_ARG=/config
ARG CERT_PASSWORD_FILE_ARG=$CONFIG_DIRECTORY_ARG/password
FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine-amd64 AS build-env
ARG CERT_PASSWORD_FILE_ARG
ENV CERT_PASSWORD_FILE=$CERT_PASSWORD_FILE_ARG
ARG CONFIG_DIRECTORY_ARG
ENV CONFIG_DIRECTORY=$CONFIG_DIRECTORY_ARG
RUN mkdir $CONFIG_DIRECTORY \
&& apk upgrade --update-cache --available \
&& apk add openssl \
&& rm -rf /var/cache/apk/* \
&& openssl rand -base64 12 >> "$CERT_PASSWORD_FILE" \
&& CERT_PASSWORD=$(cat $CERT_PASSWORD_FILE) \
&& dotnet dev-certs https --export-path /config/aspnetapp.pem --password "$CERT_PASSWORD" --format PEM
FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine-amd64
ARG CERT_PASSWORD_FILE_ARG
ENV CERT_PASSWORD_FILE=$CERT_PASSWORD_FILE_ARG
ARG CONFIG_DIRECTORY_ARG
ENV CONFIG_DIRECTORY=$CONFIG_DIRECTORY_ARG
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1
ENV ASPNETCORE_ENVIRONMENT=Production
ENV ASPNETCORE_URLS=http://+:80;https://+:443
ENV CERTIFICATES_DIRECTORY=/usr/local/share/ca-certificates
ENV ASPNETCORE_Kestrel__Certificates__Default__Path=$CERTIFICATES_DIRECTORY/aspnetapp.crt
ENV ASPNETCORE_Kestrel__Certificates__Default__KeyPath=$CERTIFICATES_DIRECTORY/aspnetapp.key
ENV TZ = Europe/Brussels
RUN apk update \
&& apk upgrade --available \
&& apk add ca-certificates \
&& apk add tzdata \
&& rm -rf /var/cache/apk/* \
&& mkdir -p $CERTIFICATES_DIRECTORY \
&& mkdir -p $CONFIG_DIRECTORY
COPY --from=build-env $CONFIG_DIRECTORY $CONFIG_DIRECTORY
RUN CERT_PASSWORD=$(cat $CERT_PASSWORD_FILE) \
&& cp $CONFIG_DIRECTORY/aspnetapp.pem $ASPNETCORE_Kestrel__Certificates__Default__Path \
&& cp $CONFIG_DIRECTORY/aspnetapp.key $ASPNETCORE_Kestrel__Certificates__Default__KeyPath \
&& rm -rf $CONFIG_DIRECTORY \
&& chmod 755 $ASPNETCORE_Kestrel__Certificates__Default__Path \
&& chmod +x $ASPNETCORE_Kestrel__Certificates__Default__Path \
&& cat $ASPNETCORE_Kestrel__Certificates__Default__Path >> /etc/ssl/certs/ca-certificates.crt \
&& chmod 755 $ASPNETCORE_Kestrel__Certificates__Default__KeyPath \
&& chmod +x $ASPNETCORE_Kestrel__Certificates__Default__KeyPath \
&& update-ca-certificates
ENV ASPNETCORE_Kestrel__Certificates__Default__Password=$CERT_PASSWORD
EXPOSE 80
EXPOSE 443

2
LICENSE
View File

@ -1,6 +1,6 @@
MIT License MIT License
Copyright (c) 2025 david Copyright (c) 2025 David Claeys
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

36
README.md
View File

@ -1,3 +1,37 @@
# net-base # net-base
Base docker file for .Net applications Base docker file that allows you to deploy .NET wit ease.
Microsoft makes some images available to deploy .NET applications in Docker.
However in order to use them, there is need for some tweaking.
This image is based on the *mcr.microsoft.com/dotnet/aspnet* image, but includes these tweaks.
Among other things these tweaks are included :
- automatic generation of certificate for the web server
- disable telemetry
- inclusion of tzdata for time setup
## Docker image
### Environment Variables
| Variable | Description | Default |
|-----------------------------------------------------|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| ASPNETCORE_Kestrel__Certificates__Default__Path | The path containing the server certificate | /usr/local/share/ca-certificates/aspnetapp.crt |
| ASPNETCORE_Kestrel__Certificates__Default__KeyPath | The path containing the key for the server certificate | /usr/local/share/ca-certificates/aspnetapp.key |
| ASPNETCORE_Kestrel__Certificates__Default__Password | The password for required for the server key | N/A (generated at build time) |
| CERTIFICATES_DIRECTORY | The directory where the certificate files are stored for the web server | /usr/local/share/ca-certificates |
| ASPNETCORE_URLS | Specifies at which urls and ports the Kestrel server should listen | http://+:80;https://+:443 |
| DOTNET_CLI_TELEMETRY_OPTOUT | Disables telemetry | 1 |
| TZ | Time zone ([list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List)) | Europe/Brussels | |
### Security implications
This images uses the system provided by Microsoft to generate a development certificate and uses the [Kestrel](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/?view=aspnetcore-9.0&tabs=windows) webserver.
In previous .NET versions it was not recommended to expose Kestrel directly to the internet. Now Microsoft claims you can do that.
However you never should use the included development certificate if you want to do that.
If you want to expose the Kestrel server you should use the *ASPNETCORE_Kestrel__Certificates__Default__Path*, *ASPNETCORE_Kestrel__Certificates__Default__KeyPath* and *ASPNETCORE_Kestrel__Certificates__Default__Password* variables to correclty setup a certificate. The _dotnet dev-certs_ command is not really suited for production environments.
In practice it's much easier to expose the server through a proxy to the public (hence the recommended method).
And depending on your use-case you event might consider to use docker networking in order to accomplish proper isolation.