使用 IIS 在 Windows 上托管 ASP.NET CoreHost ASP.NET Core on Windows with IIS

作者:Luke LathamBy Luke Latham

安装 .NET Core 托管捆绑包Install the .NET Core Hosting Bundle

支持的操作系统Supported operating systems

支持下列操作系统:The following operating systems are supported:

  • Windows 7 或更高版本Windows 7 or later
  • Windows Server 2008 R2 或更高版本Windows Server 2008 R2 or later

HTTP.sys 服务器(以前称为 WebListener)无法以反向代理配置形式与 IIS 结合使用。HTTP.sys server (formerly called WebListener) doesn't work in a reverse proxy configuration with IIS. 请使用 Kestrel 服务器Use the Kestrel server.

有关在 Azure 上托管的信息,请参阅将 ASP.NET Core 应用部署到 Azure 应用服务For information on hosting in Azure, see 将 ASP.NET Core 应用部署到 Azure 应用服务.

受支持的平台Supported platforms

支持针对 32 位 (x86) 和 64 位 (x64) 部署发布应用。Apps published for 32-bit (x86) and 64-bit (x64) deployment are supported. 除非应用符合以下条件,否则部署 32 位应用:Deploy a 32-bit app unless the app:

  • 需要适用于 64 位应用的更大虚拟内存地址空间。Requires the larger virtual memory address space available to a 64-bit app.
  • 需要更大 IIS 堆栈大小。Requires the larger IIS stack size.
  • 具有 64 位本机依赖项。Has 64-bit native dependencies.

应用程序配置Application configuration

启用 IISIntegration 组件Enable the IISIntegration components

典型的 Program.cs 调用 CreateDefaultBuilder 以开始设置主机:A typical Program.cs calls CreateDefaultBuilder to begin setting up a host:

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        ...

典型的 Program.cs 调用 CreateDefaultBuilder 以开始设置主机:A typical Program.cs calls CreateDefaultBuilder to begin setting up a host:

public static IWebHost BuildWebHost(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        ...

进程内承载模型In-process hosting model

CreateDefaultBuilder 调用 UseIIS 方法以启动 CoreCLR 并在 IIS 工作进程(w3wp.exe 或 iisexpress.exe)内托管应用。CreateDefaultBuilder calls the UseIIS method to boot the CoreCLR and host the app inside of the IIS worker process (w3wp.exe or iisexpress.exe). 性能测试表明,与在进程外托管应用并将请求代理到 Kestrel 服务器相比,在进程中托管 .NET Core 应用可以大大提升请求吞吐量。Performance tests indicate that hosting a .NET Core app in-process delivers significantly higher request throughput compared to hosting the app out-of-process and proxying requests to Kestrel server.

定目标到 .NET Framework 的 ASP.NET Core 应用不支持进程内托管模型。The in-process hosting model isn't supported for ASP.NET Core apps that target the .NET Framework.

进程外承载模型Out-of-process hosting model

对于使用 IIS 的进程外托管,CreateDefaultBuilderKestrel 服务器配置为 Web 服务器,并通过配置 ASP.NET Core 模块的基础路径和端口来启用 IIS 集成。For out-of-process hosting with IIS, CreateDefaultBuilder configures Kestrel server as the web server and enables IIS Integration by configuring the base path and port for the ASP.NET Core Module.

ASP.NET Core 模块生成分配给后端进程的动态端口。The ASP.NET Core Module generates a dynamic port to assign to the backend process. CreateDefaultBuilder 调用 UseIISIntegration 方法。CreateDefaultBuilder calls the UseIISIntegration method. UseIISIntegration 配置在 localhost IP 地址 (127.0.0.1) 中的动态端口上侦听的 Kestrel。UseIISIntegration configures Kestrel to listen on the dynamic port at the localhost IP address (127.0.0.1). 如果动态端口为 1234,则 Kestrel 在 127.0.0.1:1234 中侦听。If the dynamic port is 1234, Kestrel listens at 127.0.0.1:1234. 此配置将替换以下 API 提供的其他 URL 配置:This configuration replaces other URL configurations provided by:

使用模块时,不需要调用 UseUrls 或 Kestrel 的 Listen API。Calls to UseUrls or Kestrel's Listen API aren't required when using the module. 如果调用 UseUrlsListen,则 Kestrel 仅会侦听在没有 IIS 的情况下运行应用时指定的端口。If UseUrls or Listen is called, Kestrel listens on the ports specified only when running the app without IIS.

有关进程内和进程外托管模型的详细信息,请参阅 ASP.NET Core 模块ASP.NET Core 模块配置参考For more information on the in-process and out-of-process hosting models, see ASP.NET Core Module and ASP.NET Core Module configuration reference.

CreateDefaultBuilderKestrel 服务器配置为 Web 服务器,并通过配置 ASP.NET Core 模块的基础路径和端口来启用 IIS 集成。CreateDefaultBuilder configures Kestrel server as the web server and enables IIS Integration by configuring the base path and port for the ASP.NET Core Module.

ASP.NET Core 模块生成分配给后端进程的动态端口。The ASP.NET Core Module generates a dynamic port to assign to the backend process. CreateDefaultBuilder 调用 UseIISIntegration 方法。CreateDefaultBuilder calls the UseIISIntegration method. UseIISIntegration 配置在 localhost IP 地址 (127.0.0.1) 中的动态端口上侦听的 Kestrel。UseIISIntegration configures Kestrel to listen on the dynamic port at the localhost IP address (127.0.0.1). 如果动态端口为 1234,则 Kestrel 在 127.0.0.1:1234 中侦听。If the dynamic port is 1234, Kestrel listens at 127.0.0.1:1234. 此配置将替换以下 API 提供的其他 URL 配置:This configuration replaces other URL configurations provided by:

使用模块时,不需要调用 UseUrls 或 Kestrel 的 Listen API。Calls to UseUrls or Kestrel's Listen API aren't required when using the module. 如果调用 UseUrlsListen,则 Kestrel 仅会侦听在没有 IIS 的情况下运行应用时指定的端口。If UseUrls or Listen is called, Kestrel listens on the port specified only when running the app without IIS.

CreateDefaultBuilderKestrel 服务器配置为 Web 服务器,并通过配置 ASP.NET Core 模块的基础路径和端口来启用 IIS 集成。CreateDefaultBuilder configures Kestrel server as the web server and enables IIS Integration by configuring the base path and port for the ASP.NET Core Module.

ASP.NET Core 模块生成分配给后端进程的动态端口。The ASP.NET Core Module generates a dynamic port to assign to the backend process. CreateDefaultBuilder 调用 UseIISIntegration 方法。CreateDefaultBuilder calls the UseIISIntegration method. UseIISIntegration 配置在 localhost IP 地址 (localhost) 中的动态端口上侦听的 Kestrel。UseIISIntegration configures Kestrel to listen on the dynamic port at the localhost IP address (localhost). 如果动态端口为 1234,则 Kestrel 在 localhost:1234 中侦听。If the dynamic port is 1234, Kestrel listens at localhost:1234. 此配置将替换以下 API 提供的其他 URL 配置:This configuration replaces other URL configurations provided by:

使用模块时,不需要调用 UseUrls 或 Kestrel 的 Listen API。Calls to UseUrls or Kestrel's Listen API aren't required when using the module. 如果调用 UseUrlsListen,则 Kestrel 仅会侦听在没有 IIS 的情况下运行应用时指定的端口。If UseUrls or Listen is called, Kestrel listens on the port specified only when running the app without IIS.

在应用依赖项中加入对 Microsoft.AspNetCore.Server.IISIntegration 包的依赖项。Include a dependency on the Microsoft.AspNetCore.Server.IISIntegration package in the app's dependencies. 通过向 WebHostBuilder 添加 UseIISIntegration 扩展方法来使用 IIS 集成中间件:Use IIS Integration middleware by adding the UseIISIntegration extension method to WebHostBuilder:

var host = new WebHostBuilder()
    .UseKestrel()
    .UseIISIntegration()
    ...

UseKestrelUseIISIntegration 均为必需。Both UseKestrel and UseIISIntegration are required. 调用 UseIISIntegration 的代码不会影响代码可移植性。Code calling UseIISIntegration doesn't affect code portability. 如果应用不在 IIS 后面运行(例如,应用直接在 Kestrel 上运行),则 UseIISIntegration 不会运行。If the app isn't run behind IIS (for example, the app is run directly on Kestrel), UseIISIntegration doesn't operate.

ASP.NET Core 模块生成分配给后端进程的动态端口。The ASP.NET Core Module generates a dynamic port to assign to the backend process. UseIISIntegration 配置在 localhost IP 地址 (localhost) 中的动态端口上侦听的 Kestrel。UseIISIntegration configures Kestrel to listen on the dynamic port at the localhost IP address (localhost). 如果动态端口为 1234,则 Kestrel 在 localhost:1234 中侦听。If the dynamic port is 1234, Kestrel listens at localhost:1234. 此配置将替换以下 API 提供的其他 URL 配置:This configuration replaces other URL configurations provided by:

使用模块时无需调用 UseUrlsA call to UseUrls isn't required when using the module. 如果调用 UseUrls,则 Kestrel 仅会侦听在没有 IIS 的情况下运行应用时指定的端口。If UseUrls is called, Kestrel listens on the port specified only when running the app without IIS.

如果在 ASP.NET Core 1.0 应用中调用 UseUrls,请在调用 UseIISIntegration 前调用它,使模块配置的端口不会被覆盖。If UseUrls is called in an ASP.NET Core 1.0 app, call it before calling UseIISIntegration so that the module-configured port isn't overwritten. ASP.NET Core 1.1 不需要此调用顺序,因为模块设置会重写 UseUrlsThis calling order isn't required with ASP.NET Core 1.1 because the module setting overrides UseUrls.

有关托管的详细信息,请参阅在 ASP.NET Core 中托管For more information on hosting, see Host in ASP.NET Core.

IIS 选项IIS options

进程内承载模型In-process hosting model

要配置 IIS 服务器选项,请在 ConfigureServices 中包括 IISServerOptions 的服务配置。To configure IIS Server options, include a service configuration for IISServerOptions in ConfigureServices. 下面的示例禁用 AutomaticAuthentication:The following example disables AutomaticAuthentication:

services.Configure<IISServerOptions>(options => 
{
    options.AutomaticAuthentication = false;
});
选项Option 默认Default 设置Setting
AutomaticAuthentication true 若为 true,IIS 服务器将设置经过 Windows 身份验证进行身份验证的 HttpContext.UserIf true, IIS Server sets the HttpContext.User authenticated by Windows Authentication. 若为 false,服务器仅提供 HttpContext.User 的标识并在 AuthenticationScheme 显式请求时响应质询。If false, the server only provides an identity for HttpContext.User and responds to challenges when explicitly requested by the AuthenticationScheme. 必须在 IIS 中启用 Windows 身份验证使 AutomaticAuthentication 得以运行。Windows Authentication must be enabled in IIS for AutomaticAuthentication to function. 有关详细信息,请参阅 Windows 身份验证For more information, see Windows Authentication.
AuthenticationDisplayName null 设置在登录页上向用户显示的显示名。Sets the display name shown to users on login pages.
AllowSynchronousIO false HttpContext.RequestHttpContext.Response 是否允许同步 IO。Whether synchronous IO is allowed for the HttpContext.Request and the HttpContext.Response.
MaxRequestBodySize 30000000 获取或设置 HttpRequest 的最大请求正文大小。Gets or sets the the max request body size for the HttpRequest. 请注意,IIS 本身有限制 maxAllowedContentLength,这一限制将在 IISServerOptions 中设置 MaxRequestBodySize 之前进行处理。Note that IIS itself has the limit maxAllowedContentLength which will be processed before the MaxRequestBodySize set in the IISServerOptions. 更改 MaxRequestBodySize 不会影响 maxAllowedContentLengthChanging the MaxRequestBodySize won't affect the maxAllowedContentLength. 若要增加 maxAllowedContentLength,请在 web.config 中添加一个条目,将 maxAllowedContentLength 设置为更高值。To increase maxAllowedContentLength, add an entry in the web.config to set maxAllowedContentLength to a higher value. 有关更多详细信息,请参阅配置For more details, see Configuration.

进程外承载模型Out-of-process hosting model

选项Option 默认Default 设置Setting
AutomaticAuthentication true 若为 true,IIS 服务器将设置经过 Windows 身份验证进行身份验证的 HttpContext.UserIf true, IIS Server sets the HttpContext.User authenticated by Windows Authentication. 若为 false,服务器仅提供 HttpContext.User 的标识并在 AuthenticationScheme 显式请求时响应质询。If false, the server only provides an identity for HttpContext.User and responds to challenges when explicitly requested by the AuthenticationScheme. 必须在 IIS 中启用 Windows 身份验证使 AutomaticAuthentication 得以运行。Windows Authentication must be enabled in IIS for AutomaticAuthentication to function. 有关详细信息,请参阅 Windows 身份验证For more information, see Windows Authentication.
AuthenticationDisplayName null 设置在登录页上向用户显示的显示名。Sets the display name shown to users on login pages.

进程外承载模型Out-of-process hosting model

要配置 IIS 选项,请在 ConfigureServices 中包括 IISOptions 的服务配置。To configure IIS options, include a service configuration for IISOptions in ConfigureServices. 下面的示例阻止应用填充 HttpContext.Connection.ClientCertificateThe following example prevents the app from populating HttpContext.Connection.ClientCertificate:

services.Configure<IISOptions>(options => 
{
    options.ForwardClientCertificate = false;
});
选项Option 默认Default 设置Setting
AutomaticAuthentication true 若为 true,IIS 集成中间件将设置经过 Windows 身份验证进行身份验证的 HttpContext.UserIf true, IIS Integration Middleware sets the HttpContext.User authenticated by Windows Authentication. 若为 false,中间件仅提供 HttpContext.User 的标识并在 AuthenticationScheme 显式请求时响应质询。If false, the middleware only provides an identity for HttpContext.User and responds to challenges when explicitly requested by the AuthenticationScheme. 必须在 IIS 中启用 Windows 身份验证使 AutomaticAuthentication 得以运行。Windows Authentication must be enabled in IIS for AutomaticAuthentication to function. 有关详细信息,请参阅 Windows 身份验证主题。For more information, see the Windows Authentication topic.
AuthenticationDisplayName null 设置在登录页上向用户显示的显示名。Sets the display name shown to users on login pages.
ForwardClientCertificate true 若为 true,且存在 MS-ASPNETCORE-CLIENTCERT 请求头,则填充 HttpContext.Connection.ClientCertificateIf true and the MS-ASPNETCORE-CLIENTCERT request header is present, the HttpContext.Connection.ClientCertificate is populated.

代理服务器和负载均衡器方案Proxy server and load balancer scenarios

配置转发头中间件的 IIS 集成中间件和 ASP.NET Core 模块将配置为转发方案 (HTTP/HTTPS) 和发出请求的远程 IP 地址。The IIS Integration Middleware, which configures Forwarded Headers Middleware, and the ASP.NET Core Module are configured to forward the scheme (HTTP/HTTPS) and the remote IP address where the request originated. 对于托管在其他代理服务器和负载均衡器后方的应用,可能需要附加配置。Additional configuration might be required for apps hosted behind additional proxy servers and load balancers. 有关详细信息,请参阅配置 ASP.NET Core 以使用代理服务器和负载均衡器For more information, see Configure ASP.NET Core to work with proxy servers and load balancers.

web.config 文件web.config file

web.config 文件配置 ASP.NET Core 模块The web.config file configures the ASP.NET Core Module. 发布项目时,MSBuild 目标 (_TransformWebConfig) 负责创建、转换和发布 web.config 文件。Creating, transforming, and publishing the web.config file is handled by an MSBuild target (_TransformWebConfig) when the project is published. 此目标位于 Web SDK 目标 (Microsoft.NET.Sdk.Web) 中。This target is present in the Web SDK targets (Microsoft.NET.Sdk.Web). SDK 设置在项目文件的顶部:The SDK is set at the top of the project file:

<Project Sdk="Microsoft.NET.Sdk.Web">

如果项目中不存在 web.config 文件,则会使用正确的 processPath 和参数创建该文件,以便配置 ASP.NET Core 模块,并将该文件移动到已发布的输出If a web.config file isn't present in the project, the file is created with the correct processPath and arguments to configure the ASP.NET Core Module and moved to published output.

如果项目中存在 web.config 文件,则会使用正确的 processPath 和参数转换该文件,以便配置 ASP.NET Core 模块,并将该文件移动到已发布的输出。If a web.config file is present in the project, the file is transformed with the correct processPath and arguments to configure the ASP.NET Core Module and moved to published output. 转换不会修改文件中的 IIS 配置设置。The transformation doesn't modify IIS configuration settings in the file.

web.config 文件可能会提供其他 IIS 配置设置,以控制活动的 IIS 模块。The web.config file may provide additional IIS configuration settings that control active IIS modules. 有关能够处理 ASP.NET Core 应用请求的 IIS 模块的信息,请参阅 IIS 模块主题。For information on IIS modules that are capable of processing requests with ASP.NET Core apps, see the IIS modules topic.

要防止 Web SDK 转换 web.config 文件,请使用项目文件中的 <IsTransformWebConfigDisabled> 属性:To prevent the Web SDK from transforming the web.config file, use the <IsTransformWebConfigDisabled> property in the project file:

<PropertyGroup>
  <IsTransformWebConfigDisabled>true</IsTransformWebConfigDisabled>
</PropertyGroup>

在禁用 Web SDK 转换文件时,开发人员应手动设置 processPath 和参数。When disabling the Web SDK from transforming the file, the processPath and arguments should be manually set by the developer. 有关详细信息,请参阅 ASP.NET Core 模块配置参考For more information, see the ASP.NET Core Module configuration reference.

web.config 文件位置web.config file location

为了正确设置 ASP.NET Core 模块web.config 文件必须存在于已部署应用的内容根路径(通常为应用基路径)中。In order to set up the ASP.NET Core Module correctly, the web.config file must be present at the content root path (typically the app base path) of the deployed app. 该位置与向 IIS 提供的网站物理路径相同。This is the same location as the website physical path provided to IIS. 若要使用 Web 部署发布多个应用,应用的根路径中需要包含 web.config 文件。The web.config file is required at the root of the app to enable the publishing of multiple apps using Web Deploy.

敏感文件存在于应用的物理路径中,如 <assembly>.runtimeconfig.json、<assembly>.xml(XML 文档注释)和 <assembly>.deps.json。Sensitive files exist on the app's physical path, such as <assembly>.runtimeconfig.json, <assembly>.xml (XML Documentation comments), and <assembly>.deps.json. 如果存在 web.config 文件且站点正常启动,则请求获取这些敏感文件时,IIS 不会提供。When the web.config file is present and the site starts normally, IIS doesn't serve these sensitive files if they're requested. 如果缺少 web.config 文件、命名不正确,或无法配置站点以正常启动,IIS 可能会公开提供敏感文件。If the web.config file is missing, incorrectly named, or unable to configure the site for normal startup, IIS may serve sensitive files publicly.

部署中必须始终存在 web.config 文件且正确命名,并可以配置站点以正常启动。请勿从生产部署中删除 web.config 文件。The web.config file must be present in the deployment at all times, correctly named, and able to configure the site for normal start up. Never remove the web.config file from a production deployment.

转换 web.configTransform web.config

如果需要在发布时转换 web.config(例如,基于配置、配置文件或环境设置环境变量),请参阅 转换 web.configIf you need to transform web.config on publish (for example, set environment variables based on the configuration, profile, or environment), see 转换 web.config.

IIS 配置IIS configuration

Windows Server 操作系统Windows Server operating systems

启用 Web 服务器 (IIS) 服务器角色并建立角色服务。Enable the Web Server (IIS) server role and establish role services.

  1. 通过“管理”菜单或“服务器管理器”中的链接使用“添加角色和功能”向导。Use the Add Roles and Features wizard from the Manage menu or the link in Server Manager. 在“服务器角色”步骤中,选中“Web 服务器(IIS)”框。On the Server Roles step, check the box for Web Server (IIS).

    在选择服务器角色步骤中选择了“Web 服务器 IIS”角色。

  2. 在“功能”步骤后,为 Web 服务器 (IIS) 加载“角色服务”步骤。After the Features step, the Role services step loads for Web Server (IIS). 选择所需 IIS 角色服务,或接受提供的默认角色服务。Select the IIS role services desired or accept the default role services provided.

    在选择角色服务步骤中选择了默认角色服务。

    Windows 身份验证(可选)Windows Authentication (Optional)
    若要启用 Windows 身份验证,请依次展开以下节点:“Web 服务器” > “安全”。To enable Windows Authentication, expand the following nodes: Web Server > Security. 选择“Windows 身份验证”功能。Select the Windows Authentication feature. 有关详细信息,请参阅 Windows 身份验证 <windowsAuthentication>配置 Windows 身份验证For more information, see Windows Authentication <windowsAuthentication> and Configure Windows authentication.

    Websocket(可选)WebSockets (Optional)
    Websocket 支持 ASP.NET Core 1.1 或更高版本。WebSockets is supported with ASP.NET Core 1.1 or later. 若要启用 WebSocket,请依次展开以下节点:“Web 服务器” > “应用开发”。To enable WebSockets, expand the following nodes: Web Server > Application Development. 选择“WebSocket 协议”功能。Select the WebSocket Protocol feature. 有关详细信息,请参阅 WebSocketsFor more information, see WebSockets.

  3. 继续执行“确认”步骤,安装 Web 服务器角色和服务。Proceed through the Confirmation step to install the web server role and services. 安装 Web 服务器 (IIS) 角色后无需重启服务器/IIS。A server/IIS restart isn't required after installing the Web Server (IIS) role.

Windows 桌面操作系统Windows desktop operating systems

启用“IIS 管理控制台”和“万维网服务”。Enable the IIS Management Console and World Wide Web Services.

  1. 导航到“控制面板” > “程序” > “程序和功能” > “打开或关闭 Windows 功能”(位于屏幕左侧)。Navigate to Control Panel > Programs > Programs and Features > Turn Windows features on or off (left side of the screen).

  2. 打开“Internet Information Services”节点。Open the Internet Information Services node. 打开“Web 管理工具”节点。Open the Web Management Tools node.

  3. 选中“IIS 管理控制台”框。Check the box for IIS Management Console.

  4. 选中“万维网服务”框。Check the box for World Wide Web Services.

  5. 接受“万维网服务”的默认功能,或自定义 IIS 功能。Accept the default features for World Wide Web Services or customize the IIS features.

    Windows 身份验证(可选)Windows Authentication (Optional)
    若要启用 Windows 身份验证,请依次展开以下节点:“万维网服务” > “安全”。To enable Windows Authentication, expand the following nodes: World Wide Web Services > Security. 选择“Windows 身份验证”功能。Select the Windows Authentication feature. 有关详细信息,请参阅 Windows 身份验证 <windowsAuthentication>配置 Windows 身份验证For more information, see Windows Authentication <windowsAuthentication> and Configure Windows authentication.

    Websocket(可选)WebSockets (Optional)
    Websocket 支持 ASP.NET Core 1.1 或更高版本。WebSockets is supported with ASP.NET Core 1.1 or later. 若要启用 WebSocket,请依次展开以下节点:“万维网服务” > “应用开发功能”。To enable WebSockets, expand the following nodes: World Wide Web Services > Application Development Features. 选择“WebSocket 协议”功能。Select the WebSocket Protocol feature. 有关详细信息,请参阅 WebSocketsFor more information, see WebSockets.

  6. 如果 IIS 安装需要重新启动,则重新启动系统。If the IIS installation requires a restart, restart the system.

在“Windows 功能”中选择了“IIS 管理控制台”和“万维网服务”。

安装 .NET Core 托管捆绑包Install the .NET Core Hosting Bundle

在托管系统上安装 .NET Core 托管捆绑包。Install the .NET Core Hosting Bundle on the hosting system. 捆绑包可安装 .NET Core 运行时、.NET Core 库和 ASP.NET Core 模块The bundle installs the .NET Core Runtime, .NET Core Library, and the ASP.NET Core Module. 该模块允许 ASP.NET Core 应用在 IIS 后面运行。The module allows ASP.NET Core apps to run behind IIS. 如果系统没有 Internet 连接,请先获取并安装 Microsoft Visual C++ 2015 Redistributable,然后再安装 .NET Core 托管捆绑包。If the system doesn't have an Internet connection, obtain and install the Microsoft Visual C++ 2015 Redistributable before installing the .NET Core Hosting Bundle.

重要

如果在 IIS 之前安装了托管捆绑包,则必须修复捆绑包安装。If the Hosting Bundle is installed before IIS, the bundle installation must be repaired. 在安装 IIS 后再次运行托管捆绑包安装程序。Run the Hosting Bundle installer again after installing IIS.

如果在安装 64 位 (x64) 版本的 .NET Core 之后安装了 Hosting Bundle,则可能看上去缺少 SDK(未检测到 .NET Core SDK)。If the Hosting Bundle is installed after installing the 64-bit (x64) version of .NET Core, SDKs might appear to be missing (No .NET Core SDKs were detected). 要解决此问题,请参阅 解决 ASP.NET Core 项目To resolve the problem, see 解决 ASP.NET Core 项目.

直接下载(当前版本)Direct download (current version)

使用以下链接下载安装程序:Download the installer using the following link:

当前 .NET Core 托管捆绑包安装程序(直接下载)Current .NET Core Hosting Bundle installer (direct download)

先前版本的安装程序Earlier versions of the installer

若要获取先前版本的安装程序:To obtain an earlier version of the installer:

  1. 导航到 .NET 下载存档Navigate to the .NET download archives.
  2. 在“.NET Core”下,选择 .NET Core 版本。Under .NET Core, select the .NET Core version.
  3. 在“运行应用 - 运行时”列中,查找所需的 .NET Core 运行时版本的那一行。In the Run apps - Runtime column, find the row of the .NET Core runtime version desired.
  4. 使用“运行时和托管捆绑包”链接下载安装程序。Download the installer using the Runtime & Hosting Bundle link.

警告

某些安装程序包含已到达其生命周期结束 (EOL) 且不再受 Microsoft 支持的发行版本。Some installers contain release versions that have reached their end of life (EOL) and are no longer supported by Microsoft. 有关详细信息,请参阅支持策略For more information, see the support policy.

安装托管捆绑包Install the Hosting Bundle

  1. 在服务器上运行安装程序。Run the installer on the server. 通过管理员命令行界面运行安装程序时,以下参数可用:The following parameters are available when running the installer from an administrator command shell:

    • OPT_NO_ANCM=1 – 跳过安装 ASP.NET Core 模块。OPT_NO_ANCM=1 – Skip installing the ASP.NET Core Module.
    • OPT_NO_RUNTIME=1 – 跳过安装 .NET Core 运行时。OPT_NO_RUNTIME=1 – Skip installing the .NET Core runtime.
    • OPT_NO_SHAREDFX=1 – 跳过安装 ASP.NET 共享框架(ASP.NET 运行时)。OPT_NO_SHAREDFX=1 – Skip installing the ASP.NET Shared Framework (ASP.NET runtime).
    • OPT_NO_X86=1 – 跳过安装 x86 运行时。OPT_NO_X86=1 – Skip installing x86 runtimes. 确定不会托管 32 位应用时,请使用此参数。Use this parameter when you know that you won't be hosting 32-bit apps. 如果有可能会同时托管 32 位和 64 位应用,请勿使用此参数,并安装两个运行时。If there's any chance that you will host both 32-bit and 64-bit apps in the future, don't use this parameter and install both runtimes.
    • OPT_NO_SHARED_CONFIG_CHECK=1 – 当共享配置 (applicationHost.config) 与 IIS 安装位于同一台计算机上时,禁用检查使用的是否是 IIS 共享配置。OPT_NO_SHARED_CONFIG_CHECK=1 – Disable the check for using an IIS Shared Configuration when the shared configuration (applicationHost.config) is on the same machine as the IIS installation. 仅适用于 ASP.NET Core 2.2 或更高版本托管捆绑程序安装程序。Only available for ASP.NET Core 2.2 or later Hosting Bundler installers. 有关更多信息,请参见ASP.NET Core 模块For more information, see ASP.NET Core 模块.
  2. 重启系统或在命令行界面中执行 net stop was /y,后跟 net start w3svc。Restart the system or execute net stop was /y, followed by net start w3svc from a command shell. 重启 IIS 会选取安装程序对系统 PATH(环境变量)所作的更改。Restarting IIS picks up a change to the system PATH, which is an environment variable, made by the installer.

备注

有关 IIS 共享配置的信息,请参阅使用 IIS 共享配置的 ASP.NET Core 模块For information on IIS Shared Configuration, see ASP.NET Core Module with IIS Shared Configuration.

使用 Visual Studio 进行发布时安装 Web 部署Install Web Deploy when publishing with Visual Studio

使用 Web 部署将应用部署到服务器时,请在服务器上安装最新版本的 Web 部署。When deploying apps to servers with Web Deploy, install the latest version of Web Deploy on the server. 要安装 Web 部署,请使用 Web 平台安装程序 (WebPI) 或直接从 Microsoft 下载中心获取安装程序。To install Web Deploy, use the Web Platform Installer (WebPI) or obtain an installer directly from the Microsoft Download Center. 建议使用 WebPI。The preferred method is to use WebPI. WebPI 为托管提供程序提供独立的安装程序和配置。WebPI offers a standalone setup and a configuration for hosting providers.

创建 IIS 站点Create the IIS site

  1. 在托管系统上,创建一个文件夹以包含应用已发布的文件夹和文件。On the hosting system, create a folder to contain the app's published folders and files. 目录结构主题中介绍了应用的部署布局。An app's deployment layout is described in the Directory Structure topic.

  2. 在 IIS 管理器中,打开“连接”面板中的服务器节点。In IIS Manager, open the server's node in the Connections panel. 右键单击“站点”文件夹。Right-click the Sites folder. 选择上下文菜单中的“添加网站”。Select Add Website from the contextual menu.

  3. 提供网站名称,并将物理路径设置为应用的部署文件夹。Provide a Site name and set the Physical path to the app's deployment folder. 提供“绑定”配置,并通过选择“确定”创建网站:Provide the Binding configuration and create the website by selecting OK:

    在“添加网站”步骤中提供网站名称、物理路径和主机名。

    警告

    不应使用顶级通配符绑定(http://*:80/http://+:80)。Top-level wildcard bindings (http://*:80/ and http://+:80) should not be used. 顶级通配符绑定可能会为应用带来安全漏洞。Top-level wildcard bindings can open up your app to security vulnerabilities. 此行为同时适用于强通配符和弱通配符。This applies to both strong and weak wildcards. 使用显式主机名而不是通配符。Use explicit host names rather than wildcards. 如果可控制整个父域(区别于易受攻击的 *.com),则子域通配符绑定(例如,*.mysub.com)不具有此安全风险。Subdomain wildcard binding (for example, *.mysub.com) doesn't have this security risk if you control the entire parent domain (as opposed to *.com, which is vulnerable). 有关详细信息,请参阅 rfc7230 第 5.4 条See rfc7230 section-5.4 for more information.

  4. 在服务器节点下,选择“应用程序池”。Under the server's node, select Application Pools.

  5. 右键单击站点的应用池,然后从上下文菜单中选择“基本设置”。Right-click the site's app pool and select Basic Settings from the contextual menu.

  6. 在“编辑应用程序池”窗口中,将“.NET CLR 版本”设置为“无托管代码”:In the Edit Application Pool window, set the .NET CLR version to No Managed Code:

    将“.NET CLR 版本”设置为“无托管代码”。

    ASP.NET Core 在单独的进程中运行,并管理运行时。ASP.NET Core runs in a separate process and manages the runtime. ASP.NET Core 不依赖加载桌面 CLR。ASP.NET Core doesn't rely on loading the desktop CLR. 将“.NET CLR 版本”设置为“无托管代码”为可选步骤。Setting the .NET CLR version to No Managed Code is optional.

  7. ASP.NET Core 2.2 或更高版本:对于使用进程内托管模型的 64 位 (x64) 独立部署,为 32 位 (x86) 进程禁用应用池。ASP.NET Core 2.2 or later: For a 64-bit (x64) self-contained deployment that uses the in-process hosting model, disable the app pool for 32-bit (x86) processes.

    在 IIS 管理器 >“应用程序池”的“操作”侧栏中,选择“设置应用程序池默认设置”或“高级设置”。In the Actions sidebar of IIS Manager > Application Pools, select Set Application Pool Defaults or Advanced Settings. 找到“启用 32 位应用程序”并将值设置为 FalseLocate Enable 32-Bit Applications and set the value to False. 此设置不会影响针对进程外托管部署的应用。This setting doesn't affect apps deployed for out-of-process hosting.

  8. 确认进程模型标识拥有适当的权限。Confirm the process model identity has the proper permissions.

    如果将应用池的默认标识(“进程模型” > “标识”)从 ApplicationPoolIdentity 更改为另一标识,请验证新标识拥有所需的权限,可访问应用的文件夹、数据库和其他所需资源。If the default identity of the app pool (Process Model > Identity) is changed from ApplicationPoolIdentity to another identity, verify that the new identity has the required permissions to access the app's folder, database, and other required resources. 例如,应用池需要对文件夹的读取和写入权限,以便应用在其中读取和写入文件。For example, the app pool requires read and write access to folders where the app reads and writes files.

Windows 身份验证配置(可选)Windows Authentication configuration (Optional)
有关详细信息,请参阅配置 Windows 身份验证For more information, see Configure Windows authentication.

部署应用Deploy the app

将应用部署到在托管系统上创建的文件夹。Deploy the app to the folder created on the hosting system. 建议使用的部署机制是 Web 部署Web Deploy is the recommended mechanism for deployment.

在 Visual Studio 内使用 Web 部署Web Deploy with Visual Studio

要了解如何创建用于 Web 部署的发布配置文件,请参阅用于 ASP.NET Core 应用部署的 Visual Studio 发布配置文件See the Visual Studio publish profiles for ASP.NET Core app deployment topic to learn how to create a publish profile for use with Web Deploy. 如果托管提供程序提供了发布配置文件或支持创建发布配置文件,请下载配置文件并使用 Visual Studio 的“发布”对话框将其导入。If the hosting provider provides a Publish Profile or support for creating one, download their profile and import it using the Visual Studio Publish dialog.

“发布”对话框页

在 Visual Studio 之外使用 Web 部署Web Deploy outside of Visual Studio

也可以在 Visual Studio 之外从命令行使用 Web 部署Web Deploy can also be used outside of Visual Studio from the command line. 有关详细信息,请参阅 Web Deployment Tool(Web 部署工具)。For more information, see Web Deployment Tool.

Web 部署的替代方法Alternatives to Web Deploy

有多种方法可将应用移动到托管系统,例如手动复制、Xcopy、Robocopy 或 PowerShell,可使用其中任何一种方法。Use any of several methods to move the app to the hosting system, such as manual copy, Xcopy, Robocopy, or PowerShell.

有关将 ASP.NET Core 部署到 IIS 的详细信息,请参阅面向 IIS 管理员的部署资源部分。For more information on ASP.NET Core deployment to IIS, see the Deployment resources for IIS administrators section.

浏览网站Browse the website

Microsoft Edge 浏览器已加载 IIS 启动页。

锁定的部署文件Locked deployment files

如果应用正在运行,部署文件夹中的文件会被锁定。Files in the deployment folder are locked when the app is running. 在部署期间,无法覆盖已锁定的文件。Locked files can't be overwritten during deployment. 若要在部署中解除已锁定的文件,请使用以下方法之一停止应用池:To release locked files in a deployment, stop the app pool using one of the following approaches:

  • 使用 Web 部署并在项目文件中引用 Microsoft.NET.Sdk.WebUse Web Deploy and reference Microsoft.NET.Sdk.Web in the project file. 系统会在 Web 应用目录的根目录中放置一个 app_offline.htm 文件。An app_offline.htm file is placed at the root of the web app directory. 该文件存在时,ASP.NET Core 模块会在部署过程中正常关闭该应用并提供 app_offline.htm 文件。When the file is present, the ASP.NET Core Module gracefully shuts down the app and serves the app_offline.htm file during the deployment. 有关详细信息,请参阅 ASP.NET Core 模块配置参考For more information, see the ASP.NET Core Module configuration reference.

  • 在服务器上的 IIS 管理器中手动停止应用池。Manually stop the app pool in the IIS Manager on the server.

  • 使用 PowerShell 删除 app_offline.html(需要使用 PowerShell 5 或更高版本):Use PowerShell to drop app_offline.html (requires PowerShell 5 or later):

    $pathToApp = 'PATH_TO_APP'
    
    # Stop the AppPool
    New-Item -Path $pathToApp app_offline.htm
    
    # Provide script commands here to deploy the app
    
    # Restart the AppPool
    Remove-Item -Path $pathToApp app_offline.htm
    
    

数据保护Data protection

ASP.NET Core 数据保护堆栈由多个 ASP.NET Core 中间件使用,包括用于身份验证的中间件。The ASP.NET Core Data Protection stack is used by several ASP.NET Core middlewares, including middleware used in authentication. 即使用户代码不调用数据保护 API,也应该使用部署脚本或在用户代码中配置数据保护,以创建持久的加密密钥存储Even if Data Protection APIs aren't called by user code, data protection should be configured with a deployment script or in user code to create a persistent cryptographic key store. 如果不配置数据保护,则密钥存储在内存中。重启应用时,密钥会被丢弃。If data protection isn't configured, the keys are held in memory and discarded when the app restarts.

如果密钥环存储于内存中,则在应用重启时:If the key ring is stored in memory when the app restarts:

  • 所有基于 cookie 的身份验证令牌都无效。All cookie-based authentication tokens are invalidated.
  • 用户需要在下一次请求时再次登录。Users are required to sign in again on their next request.
  • 无法再解密使用密钥环保护的任何数据。Any data protected with the key ring can no longer be decrypted. 这可能包括 CSRF 令牌ASP.NET Core MVC TempData cookieThis may include CSRF tokens and ASP.NET Core MVC TempData cookies.

若要在 IIS 下配置数据保护以持久化密钥环,请使用以下方法之一:To configure data protection under IIS to persist the key ring, use one of the following approaches:

  • 创建数据保护注册表项Create Data Protection Registry Keys

    ASP.NET Core 应用使用的数据保护密钥存储在应用外部的注册表中。Data protection keys used by ASP.NET Core apps are stored in the registry external to the apps. 要持久保存给定应用的密钥,需为应用池创建注册表项。To persist the keys for a given app, create registry keys for the app pool.

    对于独立的非 Web 场 IIS 安装,可以对用于 ASP.NET Core 应用的每个应用池使用数据保护 Provision-AutoGenKeys.ps1 PowerShell 脚本For standalone, non-webfarm IIS installations, the Data Protection Provision-AutoGenKeys.ps1 PowerShell script can be used for each app pool used with an ASP.NET Core app. 此脚本在 HKLM 注册表中创建注册表项,仅应用程序的应用池工作进程帐户可对其进行访问。This script creates a registry key in the HKLM registry that's accessible only to the worker process account of the app's app pool. 通过计算机范围的密钥使用 DPAPI 对密钥静态加密。Keys are encrypted at rest using DPAPI with a machine-wide key.

    在 web 场方案中,可以将应用配置为使用 UNC 路径存储其数据保护密钥环。In web farm scenarios, an app can be configured to use a UNC path to store its data protection key ring. 默认情况下,数据保护密钥未加密。By default, the data protection keys aren't encrypted. 确保网络共享的文件权限仅限于应用在其下运行的 Windows 帐户。Ensure that the file permissions for the network share are limited to the Windows account the app runs under. 可使用 X509 证书来保护静态密钥。An X509 certificate can be used to protect keys at rest. 考虑允许用户上传证书的机制:将证书置于用户信任的证书存储中,并确保这些证书对所有运行用户应用的计算机都可用。Consider a mechanism to allow users to upload certificates: Place certificates into the user's trusted certificate store and ensure they're available on all machines where the user's app runs. 有关详细信息,请参阅配置 ASP.NET Core 数据保护See Configure ASP.NET Core Data Protection for details.

  • 配置 IIS 应用程序池以加载用户配置文件Configure the IIS Application Pool to load the user profile

    此设置位于应用池“高级设置”下的“进程模型”部分。This setting is in the Process Model section under the Advanced Settings for the app pool. 将“加载用户配置文件”设置为 TrueSet Load User Profile to True. 如果设置为 True,会将密钥存储在用户配置文件目录中,并使用 DPAPI 和特定于用户帐户的密钥进行保护。When set to True, keys are stored in the user profile directory and protected using DPAPI with a key specific to the user account. 密钥保存在 %LOCALAPPDATA%/ASP.NET/DataProtection-Keys 文件夹中。Keys are persisted to the %LOCALAPPDATA%/ASP.NET/DataProtection-Keys folder.

    同时还必须启用应用池的 setProfileEnvironment attributeThe app pool's setProfileEnvironment attribute must also be enabled. setProfileEnvironment 的默认值为 trueThe default value of setProfileEnvironment is true. 在某些情况下(例如,Windows 操作系统),将 setProfileEnvironment 设置为 falseIn some scenarios (for example, Windows OS), setProfileEnvironment is set to false. 如果密钥未按预期存储在用户配置文件目录中,请执行以下操作:If keys aren't stored in the user profile directory as expected:

    1. 导航到 %windir%/system32/inetsrv/config 文件夹。Navigate to the %windir%/system32/inetsrv/config folder.
    2. 打开 applicationHost.config 文件。Open the applicationHost.config file.
    3. 查找 <system.applicationHost><applicationPools><applicationPoolDefaults><processModel> 元素。Locate the <system.applicationHost><applicationPools><applicationPoolDefaults><processModel> element.
    4. 确认 setProfileEnvironment 属性不存在,这会将值默认设置为 true,或者将属性的值显式设置为 trueConfirm that the setProfileEnvironment attribute isn't present, which defaults the value to true, or explicitly set the attribute's value to true.
  • 将文件系统用作密钥环存储Use the file system as a key ring store

    调整应用代码,将文件系统用作密钥环存储Adjust the app code to use the file system as a key ring store. 使用 X509 证书保护密钥环,并确保该证书是受信任的证书。Use an X509 certificate to protect the key ring and ensure the certificate is a trusted certificate. 如果它是自签名证书,则将该证书放置于受信任的根存储中。If the certificate is self-signed, place the certificate in the Trusted Root store.

    当在 Web 场中使用 IIS 时:When using IIS in a web farm:

  • 设置用于数据保护的计算机范围的策略Set a machine-wide policy for data protection

    数据保护系统对以下操作提供有限支持:为使用数据保护 API 的所有应用设置默认计算机范围的策略The data protection system has limited support for setting a default machine-wide policy for all apps that consume the Data Protection APIs. 有关更多信息,请参见ASP.NET Core 数据保护For more information, see ASP.NET Core 数据保护.

虚拟目录Virtual Directories

ASP.NET Core 应用不支持 IIS 虚拟目录IIS Virtual Directories aren't supported with ASP.NET Core apps. 可将应用托管为子应用程序An app can be hosted as a sub-application.

子应用程序Sub-applications

可将 ASP.NET Core 应用托管为 IIS 子应用程序(子应用)An ASP.NET Core app can be hosted as an IIS sub-application (sub-app). 子应用的路径成为根应用 URL 的一部分。The sub-app's path becomes part of the root app's URL.

子应用不应将 ASP.NET Core 模块作为处理程序包含在其中。A sub-app shouldn't include the ASP.NET Core Module as a handler. 如果在子应用的 web.config 文件中将该模块添加为处理程序,则在尝试浏览子应用时会收到“500.19 内部服务器错误”,即引用错误的配置文件。If the module is added as a handler in a sub-app's web.config file, a 500.19 Internal Server Error referencing the faulty config file is received when attempting to browse the sub-app.

以下示例显示 ASP.NET Core 子应用的已发布 web.config 文件:The following example shows a published web.config file for an ASP.NET Core sub-app:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <aspNetCore processPath="dotnet" 
      arguments=".\MyApp.dll" 
      stdoutLogEnabled="false" 
      stdoutLogFile=".\logs\stdout" />
  </system.webServer>
</configuration>

在 ASP.NET Core 应用下托管非 ASP.NET Core 子应用时,需在子应用的 web.config 文件中显式删除继承的处理程序:When hosting a non-ASP.NET Core sub-app underneath an ASP.NET Core app, explicitly remove the inherited handler in the sub-app's web.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore" />
    </handlers>
    <aspNetCore processPath="dotnet" 
      arguments=".\MyApp.dll" 
      stdoutLogEnabled="false" 
      stdoutLogFile=".\logs\stdout" />
  </system.webServer>
</configuration>

子应用内的静态资产链接应使用波形符-斜杠 (~/) 符号。Static asset links within the sub-app should use tilde-slash (~/) notation. 波形符-斜杠符号触发标记帮助器,来将子应用的基路径追加到呈现的相关链接前面。Tilde-slash notation triggers a Tag Helper to prepend the sub-app's pathbase to the rendered relative link. 对于 /subapp_path 处的子应用,使用 src="~/image.png" 链接的图像将呈现为 src="/subapp_path/image.png"For a sub-app at /subapp_path, an image linked with src="~/image.png" is rendered as src="/subapp_path/image.png". 根应用的静态文件中间件不处理静态文件请求。The root app's Static File Middleware doesn't process the static file request. 此请求由子应用的静态文件中间件处理。The request is processed by the sub-app's Static File Middleware.

若将静态资产的 src 属性设置为绝对路径(如 src="/image.png"),则呈现的链接不包含子应用的基路径。If a static asset's src attribute is set to an absolute path (for example, src="/image.png"), the link is rendered without the sub-app's pathbase. 根应用的静态文件中间件试图从根应用的 web 根目录提供资产,这会导致“404 - 找不到”响应生成,除非可以从根应用获得静态资产。The root app's Static File Middleware attempts to serve the asset from the root app's web root, which results in a 404 - Not Found response unless the static asset is available from the root app.

若要将 ASP.NET Core 应用作为子应用托管在其他 ASP.NET Core 应用下:To host an ASP.NET Core app as a sub-app under another ASP.NET Core app:

  1. 为此子应用创建应用池。Establish an app pool for the sub-app. 将“.NET CLR 版本”设置为“无托管代码”。Set the .NET CLR Version to No Managed Code.

  2. 在 IIS 管理器中添加根网站,并且此子应用在根网站的某个文件夹中。Add the root site in IIS Manager with the sub-app in a folder under the root site.

  3. 在 IIS 管理器中右击此子应用文件夹,并选择“转换为应用程序”。Right-click the sub-app folder in IIS Manager and select Convert to Application.

  4. 在“添加应用程序”对话框中,使用“应用程序池”的“选择”按钮来分配为子应用创建的应用池。In the Add Application dialog, use the Select button for the Application Pool to assign the app pool that you created for the sub-app. 选择“确定”。Select OK.

使用进程内托管模型时,需要向子应用分配单独的应用池。The assignment of a separate app pool to the sub-app is a requirement when using the in-process hosting model.

有关进程内托管模型及 ASP.NET Core 模块配置的详细信息,请参阅 ASP.NET Core 模块ASP.NET Core 模块For more information on the in-process hosting model and configuring the ASP.NET Core Module, see ASP.NET Core 模块 and ASP.NET Core 模块.

使用 web.config 配置 IISConfiguration of IIS with web.config

IIS 配置受用于 IIS 方案(适用于包含 ASP.NET Core 模块的 ASP.NET Core 应用)的 web.config 的 <system.webServer> 部分影响。IIS configuration is influenced by the <system.webServer> section of web.config for IIS scenarios that are functional for ASP.NET Core apps with the ASP.NET Core Module. 例如,IIS 配置适用于动态压缩。For example, IIS configuration is functional for dynamic compression. 如果在服务器一级将 IIS 配置为使用动态压缩,可通过应用的 web.config 文件中的 <urlCompression> 元素,对 ASP.NET Core 应用禁用它。If IIS is configured at the server level to use dynamic compression, the <urlCompression> element in the app's web.config file can disable it for an ASP.NET Core app.

有关详细信息,请参阅 <system.webServer> 的配置参考ASP.NET Core 模块配置参考使用 ASP.NET Core 的 IIS 模块For more information, see the configuration reference for <system.webServer>, ASP.NET Core Module Configuration Reference, and IIS Modules with ASP.NET Core. 若要为在独立应用池中运行的各应用设置环境变量(IIS 10.0 或更高版本中支持此操作),请参阅 IIS 参考文档的环境变量 <environmentVariables> 主题中的“AppCmd.exe 命令”部分。To set environment variables for individual apps running in isolated app pools (supported for IIS 10.0 or later), see the AppCmd.exe command section of the Environment Variables <environmentVariables> topic in the IIS reference documentation.

web.config 的配置节Configuration sections of web.config

ASP.NET Core 应用不会使用 web.config 中的 ASP.NET 4.x 应用的配置部分进行配置:Configuration sections of ASP.NET 4.x apps in web.config aren't used by ASP.NET Core apps for configuration:

  • <system.web>
  • <appSettings>
  • <connectionStrings>
  • <location>

会使用其他的配置提供程序配置 ASP.NET Core 应用。ASP.NET Core apps are configured using other configuration providers. 有关详细信息,请参阅配置For more information, see Configuration.

应用程序池Application Pools

由托管模型决定应用池隔离:App pool isolation is determined by the hosting model:

  • 进程内托管 – 应用都需要在单独的应用池中运行。In-process hosting – Apps are required to run in separate app pools.
  • 进程外托管 – 建议在每个应用自己的应用池中运行各应用,以彼此隔离。Out-of-process hosting – We recommend isolating the apps from each other by running each app in its own app pool.

IIS“添加网站”对话框默认为每应用一个应用池。The IIS Add Website dialog defaults to a single app pool per app. 提供了站点名称时,该文本会自动传输到“应用程序池”文本框。When a Site name is provided, the text is automatically transferred to the Application pool textbox. 添加站点时,会使用该站点名称创建新的应用池。A new app pool is created using the site name when the site is added.

在服务器上托管多个网站时,建议在每个应用自己的应用池中运行各应用,以彼此隔离。When hosting multiple websites on a server, we recommend isolating the apps from each other by running each app in its own app pool. IIS“添加网站”对话框默认执行此配置。The IIS Add Website dialog defaults to this configuration. 提供了站点名称时,该文本会自动传输到“应用程序池”文本框。When a Site name is provided, the text is automatically transferred to the Application pool textbox. 添加站点时,会使用该站点名称创建新的应用池。A new app pool is created using the site name when the site is added.

应用程序池标识Application Pool Identity

通过应用池标识帐户,可以在唯一帐户下运行应用,而无需创建和管理域或本地帐户。An app pool identity account allows an app to run under a unique account without having to create and manage domains or local accounts. 在 IIS 8.0 或更高版本上,IIS 管理员工作进程 (WAS) 将使用新应用池的名称创建一个虚拟帐户,并默认在此帐户下运行应用池的工作进程。On IIS 8.0 or later, the IIS Admin Worker Process (WAS) creates a virtual account with the name of the new app pool and runs the app pool's worker processes under this account by default. 在 IIS 管理控制台中,确保应用池“高级设置”下的“标识”设置为使用 ApplicationPoolIdentity:In the IIS Management Console under Advanced Settings for the app pool, ensure that the Identity is set to use ApplicationPoolIdentity:

应用程序池“高级设置”对话框

IIS 管理进程使用 Windows 安全系统中应用池的名称创建安全标识符。The IIS management process creates a secure identifier with the name of the app pool in the Windows Security System. 可使用此标识保护资源。Resources can be secured using this identity. 但是,此标识不是真实的用户帐户,不会在 Windows 用户管理控制台中显示。However, this identity isn't a real user account and doesn't show up in the Windows User Management Console.

如果 IIS 工作进程需要对应用的高级访问权限,请为包含该应用的目录修改访问控制列表 (ACL):If the IIS worker process requires elevated access to the app, modify the Access Control List (ACL) for the directory containing the app:

  1. 打开 Windows 资源管理器并导航到目录。Open Windows Explorer and navigate to the directory.

  2. 右键单击该目录,然后选择“属性”。Right-click on the directory and select Properties.

  3. 在“安全”选项卡下,选择“编辑”按钮,然后单击“添加”按钮。Under the Security tab, select the Edit button and then the Add button.

  4. 选择“位置”按钮,并确保该系统处于选中状态。Select the Locations button and make sure the system is selected.

  5. 在“输入要选择的对象名称”区域中输入IIS AppPool\<app_pool_name>Enter IIS AppPool\<app_pool_name> in Enter the object names to select area. 选择“检查名称”按钮。Select the Check Names button. 有关 DefaultAppPool,请检查使用 IIS AppPool\DefaultAppPool 的名称。For the DefaultAppPool check the names using IIS AppPool\DefaultAppPool. 当选择“检查名称”按钮时,对象名称区域中会显示 DefaultAppPool 的值。When the Check Names button is selected, a value of DefaultAppPool is indicated in the object names area. 无法直接在对象名称区域中输入应用池名称。It isn't possible to enter the app pool name directly into the object names area. 检查对象名称时,请使用 IIS AppPool\<app_pool_name> 格式。Use the IIS AppPool\<app_pool_name> format when checking for the object name.

    应用文件夹的“选择用户或组”对话框:在选择“检查名称”前,将“DefaultAppPool”的应用池名称追加到对象名称区域中的“IIS AppPool”。

  6. 选择“确定”。Select OK.

    应用文件夹的“选择用户或组”对话框:在你选择“检查名称”后,对象名称“DefaultAppPool”显示在对象名称区域中。

  7. 默认情况下应授予读取 & 执行权限。Read & execute permissions should be granted by default. 根据需要请提供其他权限。Provide additional permissions as needed.

也可使用 ICACLS 工具在命令提示符处授予访问权限。Access can also be granted at a command prompt using the ICACLS tool. 以 DefaultAppPool 为例,使用以下命令:Using the DefaultAppPool as an example, the following command is used:

ICACLS C:\sites\MyWebApp /grant "IIS AppPool\DefaultAppPool":F

有关详细信息,请参阅 icacls 主题。For more information, see the icacls topic.

HTTP/2 支持HTTP/2 support

以下 IIS 部署方案中的 ASP.NET Core 支持 HTTP/2HTTP/2 is supported with ASP.NET Core in the following IIS deployment scenarios:

  • 进程内In-process
    • Windows Server 2016/Windows 10 或更高版本;IIS 10 或更高版本Windows Server 2016/Windows 10 or later; IIS 10 or later
    • TLS 1.2 或更高版本的连接TLS 1.2 or later connection
  • 进程外Out-of-process
    • Windows Server 2016/Windows 10 或更高版本;IIS 10 或更高版本Windows Server 2016/Windows 10 or later; IIS 10 or later
    • 面向公众的边缘服务器连接使用 HTTP/2,但与 Kestrel 服务器的反向代理连接使用 HTTP/1.1。Public-facing edge server connections use HTTP/2, but the reverse proxy connection to the Kestrel server uses HTTP/1.1.
    • TLS 1.2 或更高版本的连接TLS 1.2 or later connection

对于已建立 HTTP/2 连接时的进程内部署,HttpRequest.Protocol 会报告 HTTP/2For an in-process deployment when an HTTP/2 connection is established, HttpRequest.Protocol reports HTTP/2. 对于已建立 HTTP/2 连接时的进程外部署,HttpRequest.Protocol 会报告 HTTP/1.1For an out-of-process deployment when an HTTP/2 connection is established, HttpRequest.Protocol reports HTTP/1.1.

若要详细了解进程内和进程外托管模型,请参阅 ASP.NET Core 模块For more information on the in-process and out-of-process hosting models, see ASP.NET Core 模块.

满足以下基本要求的进程外部署支持 HTTP/2HTTP/2 is supported for out-of-process deployments that meet the following base requirements:

  • Windows Server 2016/Windows 10 或更高版本;IIS 10 或更高版本Windows Server 2016/Windows 10 or later; IIS 10 or later
  • 面向公众的边缘服务器连接使用 HTTP/2,但与 Kestrel 服务器的反向代理连接使用 HTTP/1.1。Public-facing edge server connections use HTTP/2, but the reverse proxy connection to the Kestrel server uses HTTP/1.1.
  • 目标框架:不适用于进程外部署,因为 HTTP/2 连接完全由 IIS 处理。Target framework: Not applicable to out-of-process deployments, since the HTTP/2 connection is handled entirely by IIS.
  • TLS 1.2 或更高版本的连接TLS 1.2 or later connection

如果已建立 HTTP/2 连接,HttpRequest.Protocol 会报告 HTTP/1.1If an HTTP/2 connection is established, HttpRequest.Protocol reports HTTP/1.1.

默认情况下将启用 HTTP/2。HTTP/2 is enabled by default. 如果未建立 HTTP/2 连接,连接会回退到 HTTP/1.1。Connections fall back to HTTP/1.1 if an HTTP/2 connection isn't established. 有关使用 IIS 部署的 HTTP/2 配置的详细信息,请参阅 IIS 上的 HTTP/2For more information on HTTP/2 configuration with IIS deployments, see HTTP/2 on IIS.

CORS 预检请求CORS preflight requests

本部分仅适用于面向 .NET Framework 的 ASP.NET Core 应用程序。This section only applies to ASP.NET Core apps that target the .NET Framework.

对于面向 .NET Framework 的 ASP.NET Core 应用程序,默认情况下,IIS 不会将 OPTIONS 请求传递给应用程序。For an ASP.NET Core app that targets the .NET Framework, OPTIONS requests aren't passed to the app by default in IIS. 若要了解如何在 web.config 中配置应用程序的 IIS 处理程序以传递 OPTIONS 请求,请参阅在 ASP.NET Web API 2 中启用跨域请求:CORS 的工作原理To learn how to configure the app's IIS handlers in web.config to pass OPTIONS requests, see Enable cross-origin requests in ASP.NET Web API 2: How CORS Works.

面向 IIS 管理员的部署资源Deployment resources for IIS administrators

在 IIS 文档中深入了解 IIS。Learn about IIS in-depth in the IIS documentation.
IIS 文档IIS documentation

了解 .NET Core 应用部署模型。Learn about .NET Core app deployment models.
.NET Core 应用程序部署.NET Core application deployment

了解 ASP.NET Core 模块如何使 Kestrel Web 服务器将 IIS 或 IIS Express 用作反向代理服务器。Learn how the ASP.NET Core Module allows the Kestrel web server to use IIS or IIS Express as a reverse proxy server.
ASP.NET Core 模块ASP.NET Core Module

了解如何配置 ASP.NET Core 模块以托管 ASP.NET Core 应用。Learn how to configure the ASP.NET Core Module for hosting ASP.NET Core apps.
ASP.NET Core 模块配置参考ASP.NET Core Module configuration reference

了解已发布的 ASP.NET Core 应用的目录结构。Learn about the directory structure of published ASP.NET Core apps.
目录结构Directory structure

了解适用于 ASP.NET Core 应用的活动和非活动 IIS 模块以及如何管理 IIS 模块。Discover active and inactive IIS modules for ASP.NET Core apps and how to manage IIS modules.
IIS 模块IIS modules

了解如何诊断 ASP.NET Core 应用的 IIS 部署的问题。Learn how to diagnose problems with IIS deployments of ASP.NET Core apps.
疑难解答Troubleshoot

了解在 IIS 上托管 ASP.NET Core 应用的常见错误。Distinguish common errors when hosting ASP.NET Core apps on IIS.
Azure 应用服务和 IIS 的常见错误参考Common errors reference for Azure App Service and IIS

其他资源Additional resources