IIS Deployment Notes

  • ASP.NET Core out-of-process behind IIS
  • HTTPS termination at IIS
  • SQLite DB stored in App_Data
  • App pool identity must have write access to App_Data
  • Admin password via environment variable

Publish

  • From repo root: dotnet publish -c Release -o publish
  • Before first start (and after every new migration): run dotnet ef database update from repo root against the target environment.
  • Copy publish/ contents to site directory (keep App_Data writable by the app pool user).
  • Set environment variables in web.config or IIS config:
      • ASPNETCORE_ENVIRONMENT=Production
      • ADMIN_PASSWORD=<your-secret>
      • BasePath=/picknplay (only if the site is under a subfolder; omit for root)
  • Configure trusted reverse proxies/networks for forwarded headers (do not trust all sources):
      • ForwardedHeaders__KnownProxies__0=10.0.0.10
      • ForwardedHeaders__KnownNetworks__0=10.0.0.0/24
  • Configure allowed hostnames explicitly (do not use wildcard in production):
      • AllowedHosts=picknplay.example.com;www.picknplay.example.com
  • Optional: enable stdout logging in web.config during troubleshooting only; disable afterward.
  • Data protection keys are persisted to App_Data/keys; ensure this folder is deployed and writable so auth cookies stay valid across app pool recycles.
  • Frontend base path is injected during deployment by scripts/deploy-ftp.ps1 using deploy profile BasePath (falls back to last RemoteDir segment if omitted). This keeps local wwwroot/index.html unchanged while production API calls target /picknplay/api.
  • Deployment script: copy scripts/deploy-ftp.profile.sample.psd1 to scripts/deploy-ftp.profile.psd1, fill environment values, then run pwsh ./scripts/deploy-ftp.ps1 -ProfilePath ./scripts/deploy-ftp.profile.psd1.
  • Shortcut command: run pwsh ./deploy.ps1 from repo root to deploy with the local profile directly.
  • Prefer WinScpSessionName in the deploy profile to avoid embedding FTP credentials in scripted URLs.

Permissions

  • Grant modify rights to the app pool identity on App_Data (the SQLite DB file and its WAL file).
  • Ensure firewall/HTTPS bindings match applicationUrl configured in IIS.

Security Checklist

  • Verify HTTPS binding/certificate is active before exposing the site publicly.
  • Confirm Strict-Transport-Security is present in production responses.
  • Confirm baseline headers are present (Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy).
  • Confirm AllowedHosts contains only your actual IIS hostnames.
  • Confirm trusted proxy lists are explicit and minimal.
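
One way to script the checklist above, as an added example that is not part of the project's scripts. The function name Test-DeployChecklist and the sample header and setting values are constructed for illustration; the sample is deliberately misconfigured so each check reports a finding.

```powershell
function Test-DeployChecklist {
    param(
        [Parameter(Mandatory)] [hashtable] $Headers,   # response headers, name -> value
        [Parameter(Mandatory)] [hashtable] $Settings   # environment variables, name -> value
    )
    $findings = @()

    # HSTS plus the baseline headers named in the checklist.
    $required = 'Strict-Transport-Security', 'Content-Security-Policy',
                'X-Content-Type-Options', 'X-Frame-Options', 'Referrer-Policy'
    foreach ($name in $required) {
        if ([string]::IsNullOrWhiteSpace($Headers[$name])) {
            $findings += "Missing response header: $name"
        }
    }

    # AllowedHosts must list explicit hostnames; an empty value or '*' accepts any Host header.
    $hosts = @("$($Settings['AllowedHosts'])".Split(';') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($hosts.Count -eq 0) { $findings += 'AllowedHosts is not set' }
    foreach ($h in $hosts) {
        if ($h.Contains('*')) { $findings += "AllowedHosts contains a wildcard entry: $h" }
    }

    # Forwarded headers: at least one explicit proxy or network, and no catch-all (/0) network.
    $proxyKeys = @($Settings.Keys | Where-Object { $_ -like 'ForwardedHeaders__Known*' })
    if ($proxyKeys.Count -eq 0) { $findings += 'No KnownProxies/KnownNetworks configured' }
    foreach ($key in $proxyKeys) {
        if ($Settings[$key] -match '/0$') { $findings += "$key trusts every source: $($Settings[$key])" }
    }
    return $findings
}

# Constructed sample input (not captured from a real site): CSP is absent,
# AllowedHosts carries a wildcard, and KnownNetworks trusts every address.
$sampleHeaders = @{
    'Strict-Transport-Security' = 'max-age=31536000'
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'DENY'
    'Referrer-Policy'           = 'no-referrer'
}
$sampleSettings = @{
    'AllowedHosts'                       = 'picknplay.example.com;*'
    'ForwardedHeaders__KnownProxies__0'  = '10.0.0.10'
    'ForwardedHeaders__KnownNetworks__0' = '0.0.0.0/0'
}
Test-DeployChecklist -Headers $sampleHeaders -Settings $sampleSettings
```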