When to use Kestrel with a reverse proxy

Kestrel can be used by itself or with a reverse proxy server, such as Internet Information Services (IIS), Nginx, or Apache. A reverse proxy server receives HTTP requests from the network and forwards them to Kestrel.

Kestrel used as an edge (Internet-facing) web server:

Kestrel communicates directly with the Internet without a reverse proxy server

Kestrel used in a reverse proxy configuration:

Kestrel communicates indirectly with the Internet through a reverse proxy server, such as IIS, Nginx, or Apache

Either configuration, with or without a reverse proxy server, is a supported hosting configuration.

When Kestrel is used as an edge server without a reverse proxy server, sharing of the same IP address and port among multiple processes is unsupported. When Kestrel is configured to listen on a port, Kestrel handles all traffic for that port regardless of requests' Host headers. A reverse proxy that can share ports can forward requests to Kestrel on a unique IP and port.

Even if a reverse proxy server isn't required, using a reverse proxy server might be a good choice.

A reverse proxy:

  • Can limit the exposed public surface area of the apps that it hosts.
  • Provides an additional layer of configuration and defense.
  • Might integrate better with existing infrastructure.
  • Simplifies load balancing and secure communication (HTTPS) configuration. Only the reverse proxy server requires an X.509 certificate, and that server can communicate with the app's servers on the internal network using plain HTTP.

Warning

Hosting in a reverse proxy configuration requires host filtering.
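
One way to apply host filtering when Kestrel sits behind a reverse proxy, shown as an added example that is not code from the original page. The host names, IP addresses and port are constructed placeholders, and the example assumes the proxy forwards plain HTTP from 10.0.0.2 to the app on 10.0.0.5:5000.

```csharp
// Added example: Program.cs for an app hosted behind a reverse proxy.
// Host names, IP addresses and the port are constructed placeholders.
using System.Net;
using Microsoft.AspNetCore.HostFiltering;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Listen only on the internal interface the proxy forwards to (plain HTTP),
// so Kestrel is not directly reachable from the Internet.
builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.Listen(IPAddress.Parse("10.0.0.5"), 5000));

// Host filtering: Kestrel handles all traffic on its port regardless of the
// Host header, so restrict requests to the names this app actually serves.
// The default builder already registers the Host Filtering Middleware;
// this sets its allowlist. Requests with any other Host get a 400 response.
builder.Services.Configure<HostFilteringOptions>(options =>
{
    options.AllowedHosts = new List<string> { "app.example.com", "*.app.example.com" };
    options.AllowEmptyHosts = false; // also reject requests with no Host header
});

// Accept X-Forwarded-For / X-Forwarded-Proto only from the known proxy address.
// X-Forwarded-Host is deliberately not enabled here.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.2"));
});

var app = builder.Build();

// Run first so later middleware sees the original client IP and scheme.
app.UseForwardedHeaders();

// Echo what the app sees, to confirm the proxy and filter behave as expected.
app.MapGet("/", (HttpContext ctx) =>
    $"host={ctx.Request.Host} scheme={ctx.Request.Scheme} client={ctx.Connection.RemoteIpAddress}");

app.Run();
```

The same allowlist can instead be supplied through the `AllowedHosts` key in `appsettings.json` as a semicolon-separated list.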

Additional resources

Configure ASP.NET Core to work with proxy servers and load balancers