Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

ProGet IP binding issues



  • On a server with multiple IPs, I tried to bind ProGet only to one of those IPs with Port 80 and 443 while using the integrated webserver and bind another webserver to the same ports of a 2nd IP.

    <WebServer Enabled="true" Urls="https://192.168.0.1:443;http://192.168.0.1:80" Subject="mycert" Store="My" Location="LocalMachine" AllowInvalid="True" />
    

    I observed that for some reason ProGet is using the Kestrel server when the binding a port on all IPs (https://*:443 ) but switches to HTTP.sys when binding a specific IP like I tried with the config above. This can be observed with tools like netstat or TcpView. With Kestrel the ports are held by the application exe itself, while with HTTP.sys hosting the ports are occupied by the System process.

    The problem with HTTP.sys-based hosting seems to be, that even though the ports are only bound on one IP, they are also blocked from being used by another process on another IP. Once the ProGet service starts, both ports show up in the port exclusion list netsh int ipv4 show excludedportrange protocol=tcp.

    As far as I know there usually is no reason to use HTTP.sys unless specific features are required (see here). Kestrel should also be capable of binding to concrete IP:Port combinations.
    Also with Kestrel all these netsh http add urlacl settings don't seem to be required anymore. I made a small test app and I could bind my process to a port below 1024 without urlacls just fine when using Kestrel and running the process as Network Service.

    I'd be interested to learn why ProGet is switching between Kestrel and HTTP.sys for these two IP binding scenarios. Also any pointers how to reuse the ports on another IP would be very welcome.


  • inedo-engineer

    Hi @jw,

    According to the comments in our code...

       // kestrel will not do port sharing in .NET6 (despite what docs imply), so use http.sys
       // Revisit in .NET8 - https://github.com/dotnet/aspnetcore/issues/39640
       foreach (var u in urls)
       {
           var m = urlRegex.Match(u);
           if (m.Success && m.Groups[1].Value is not "*" and not "localhost")
           {
               useHttpSys = true;
               break;
           }
       }
    

    This was something that was considered for .NET7, but clearly that never happened :)

    The general suggestion is to use a reverse proxy to reuse the ports.

    Cheers,
    Alana



  • Hey @atripp,

    Thank you for that snippet, very insightful.

    Oddly enough that issue is still on the .NET 8 Planning milestone, even though .NET 8 was already released this November. Ah.. one shall not question Microsoft's planning... ;)


Log in to reply
 

Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation