Outline of all components that need specific web-farm configuration

[Tratcher]

It's standard practice to deploy web apps on multiple instances with shared resources. It would be helpful to have a consolidated list of components and configuration that need special attention in this scenario:

Needs configuration:

• DataProtection (IDataProtectionProvider)
• Caching (IDistributedCache)
• Databases (EF/SQL)

Dependent Components:

• Authentication - Depends on DataProtection for Cookies, temp state, etc.
• Session - Depends on DataProtection and Caching for the cookie and the data store - Issue: Session Middleware with Redis Distributed Caching not working in web farm aspnet/Session#159
• Identity - Depends on DataProtection, Databases (@HaoK?)
• TempData provider - Various implementations, some depend on DataProtection, and others depend on Session (@kichalla?)
• Anti-forgery - Depends on DataProtection

Cross link from https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-2.1#troubleshoot

@rick-anderson edit:
For a web-farm, you need to do these things.
We have all this information, we need to put it together in one doc (web-farm/multi-machine config) with:

• Links to each article
• Notes on what breaks when you don't. That might help SEO

[Rick-Anderson]

@Tratcher can you draft this article and we'll take it from there? We don't have the expertise to write this. cc @danroth27 @tdykstra

[Tratcher]

@danroth27 do you want to schedule a meeting for this? Include Hao.

[Rick-Anderson]

See "C:\Dropbox\wrk\Outline of all components that need s. . . - Thursday, April 27, 2017 10.32.36 AM.mp4" for meeting.

[Vinhaman]

I've spent over half a day trying to make my Session Management using the Redis Cache on our .Net Core 1.1 Application. I'm still not doing it on the web farm because it still fails on my Dev Machine with the following:

            var connectCS = Configuration["ConnectionsString:CS_RedisCache"];
            var redis = ConnectionMultiplexer.Connect(connectCS);
            services.AddDataProtection().PersistKeysToRedis(redis, "Master_DataProtectionKeys");
            services.AddOptions();
            services.AddDistributedRedisCache(option =>
            {
                option.Configuration = connectCS;
                option.InstanceName = "Master_";
            });            

            services.AddSession(options =>
            {
                options.IdleTimeout = TimeSpan.FromMinutes(appSetting.SessionMinutesIdleTimeout);
                options.CookieName = appSetting.SessionCookieName;
            });

This seems to to half the trick since on my login controller i have access to a brand new session and set information nicely. When my middleware triggers (when the login is over) the "context.Session" doesn't exists with the Redis implementation (using services.AddDistributedMemoryCache(); works great)

            app.Use(async (context, next) =>
            {
                    //session is not available probably because of the Data Protection...
                    var logged = context.Session.GetBool("Login");
            }

I see you guys probably did some beta documentation already that i would be deeply thankfull to try.

[Tratcher]

Bump, hit this again today. aspnet/Security#1755 (comment)

[Tratcher]

Bump: aspnet/Security#1805

[guardrex]

@Tratcher We're moving this up to Next 🎉.

[guardrex]

@Tratcher

Title: Host ASP.NET Core in a web farm
Description: Learn how to host multiple instances of an ASP.NET Core app with shared resources in a web farm environment.
TOC: aspnetcore\host-and-deploy\web-farm
UID: host-and-deploy/web-farm

Outline

• Introduction
• General configuration
  • Process manager/reverse proxy (external links)
  • Hosting bundle/runtime (external links)
  • Host, scheme, IP, and port forwarding (proxy/LB config topic)
  • Mention Azure App Service (external link)
• Required configuration
  • Data Protection (IDataProtectionProvider)
  • Caching (IDistributedCache) - Depends on Redis or database
• Dependent Components
  • Cookie Authentication - Depends on DP
  • Identity - Depends on DP and database
  • Session - Depends on DP and caching
  • TempData - Depends on Session or DP
  • Anti-forgery - Depends on DP
• Troubleshoot

Create reciprocal links for each subject matter area. This topic's sections will link to the relevant content areas. Content areas will link back to this topic from their Additional resources sections.

[Tratcher]

Cookies in this context is CookieAuth, it's redundant with your Authentication entry.

[guardrex]

Outline modified. I'm set to work on it tomorrow. I anticipate having it Friday morning; but if it lands on Saturday or Sunday, I suppose that would be ok.

[Tratcher]

See my outline above. There are things that need configuration (DP, caching), and then there are things that depend on them but don't need any additional config (Auth, Session). The doc should keep these separate so users can focus on changes they need to make.

Database doesn't seem to fit here, it's already a resource external to your application. If anything you may need to introduce a database to exchange data that you were previously storing in memory like caching, app state, etc..

[Tratcher]

We may also want a troubleshooting section (or troubleshooting notes in each topic) about what symptoms you'd see if that component wasn't properly configured for multiple agents. E.g. for Auth you would randomly be asked to sign in again depending on which instance you accessed.

[guardrex]

Can try Troubleshoot as a section. I think devs would find that handy ... go to one spot ... find the symptom and get directed to the cure.

I updated the outline. ☝️

[guardrex]

Roll ...

• Host, scheme, IP, and port forwarding (proxy/LB config topic, cross-link both ways)

... in to one of the sub-categories (Requires configuration or Dependent configuration)?

[Tratcher]

forwarding isn't directly related to multi agent, it's a general reverse proxy concern. Move it up into the General configuration?

[guardrex]

Yes, this is coming along well. I think there will be a PR on Friday afternoon.

... and I'll squeeze an important update in there soon. #7589

[guardrex]

@Tratcher

what symptoms you'd see if that component wasn't properly configured for multiple agents. E.g. for Auth you would randomly be asked to sign in again depending on which instance you accessed

In a Troubleshoot section, I'm going to end up listing a fairly obvious set of scenarios:

• Authentication breaks (auth cookie misconfigured or not decryptable)
• Authorization breaks (identity lost)
• Session loses data
• Cached items disappear
• TempData fails
• POST's fail (anti-forgery)

Seems like we should just have a bulleted list here. If any of these systems break, the dev is probably going to either look in that subject matter topic or consult troubleshooting topics. If a dev is looking at this doc first, it's pretty clear based on what broke which topic they should consult for guidance.

Most of the problems will appear as intermittent issues. I'll try a version of the Troubleshoot section that focuses on the concept that if the problem is intermittent in a web farm hosting scenario that either DP or caching isn't configured correctly.

[EDIT] ... and I will list those ☝️ examples.