--- title: Kestrel web server implementation in ASP.NET Core author: guardrex description: Learn about Kestrel, the cross-platform web server for ASP.NET Core. ms.author: tdykstra ms.custom: mvc ms.date: 03/28/2019 uid: fundamentals/servers/kestrel --- # Kestrel web server implementation in ASP.NET Core By [Tom Dykstra](https://github.com/tdykstra), [Chris Ross](https://github.com/Tratcher), and [Stephen Halter](https://twitter.com/halter73) ::: moniker range="<= aspnetcore-1.1" For the 1.1 version of this topic, download [Kestrel web server implementation in ASP.NET Core (version 1.1, PDF)](https://webpifeed.blob.core.windows.net/webpifeed/Partners/Kestrel_1.1.pdf). ::: moniker-end Kestrel is a cross-platform [web server for ASP.NET Core](xref:fundamentals/servers/index). Kestrel is the web server that's included by default in ASP.NET Core project templates. Kestrel supports the following scenarios: ::: moniker range=">= aspnetcore-2.2" * HTTPS * Opaque upgrade used to enable [WebSockets](https://github.com/aspnet/websockets) * Unix sockets for high performance behind Nginx * HTTP/2 (except on macOS†) †HTTP/2 will be supported on macOS in a future release. ::: moniker-end ::: moniker range="< aspnetcore-2.2" * HTTPS * Opaque upgrade used to enable [WebSockets](https://github.com/aspnet/websockets) * Unix sockets for high performance behind Nginx ::: moniker-end Kestrel is supported on all platforms and versions that .NET Core supports. [View or download sample code](https://github.com/aspnet/AspNetCore.Docs/tree/master/aspnetcore/fundamentals/servers/kestrel/samples) ([how to download](xref:index#how-to-download-a-sample)) ::: moniker range=">= aspnetcore-2.2" ## HTTP/2 support [HTTP/2](https://httpwg.org/specs/rfc7540.html) is available for ASP.NET Core apps if the following base requirements are met: * Operating system† * Windows Server 2016/Windows 10 or later‡ * Linux with OpenSSL 1.0.2 or later (for example, Ubuntu 16.04 or later) * Target framework: .NET Core 2.2 or later * [Application-Layer Protocol Negotiation (ALPN)](https://tools.ietf.org/html/rfc7301#section-3) connection * TLS 1.2 or later connection †HTTP/2 will be supported on macOS in a future release. ‡Kestrel has limited support for HTTP/2 on Windows Server 2012 R2 and Windows 8.1. Support is limited because the list of supported TLS cipher suites available on these operating systems is limited. A certificate generated using an Elliptic Curve Digital Signature Algorithm (ECDSA) may be required to secure TLS connections. If an HTTP/2 connection is established, [HttpRequest.Protocol](xref:Microsoft.AspNetCore.Http.HttpRequest.Protocol*) reports `HTTP/2`. HTTP/2 is disabled by default. For more information on configuration, see the [Kestrel options](#kestrel-options) and [ListenOptions.Protocols](#listenoptionsprotocols) sections. ::: moniker-end ## When to use Kestrel with a reverse proxy You can use Kestrel by itself or with a *reverse proxy server*, such as [Internet Information Services (IIS)](https://www.iis.net/), [Nginx](http://nginx.org), or [Apache](https://httpd.apache.org/). A reverse proxy server receives HTTP requests from the network and forwards them to Kestrel. Kestrel used as an edge (Internet-facing) web server: ![Kestrel communicates directly with the Internet without a reverse proxy server](kestrel/_static/kestrel-to-internet2.png) Kestrel used in a reverse proxy configuration: ![Kestrel communicates indirectly with the Internet through a reverse proxy server, such as IIS, Nginx, or Apache](kestrel/_static/kestrel-to-internet.png) Either configuration—with or without a reverse proxy server—is a supported hosting configuration for ASP.NET Core 2.1 or later apps that receive requests from the Internet. Kestrel used as an edge server without a reverse proxy server doesn't support sharing the same IP and port among multiple processes. When Kestrel is configured to listen on a port, Kestrel handles all of the traffic for that port regardless of requests' `Host` headers. A reverse proxy that can share ports has the ability to forward requests to Kestrel on a unique IP and port. Even if a reverse proxy server isn't required, using a reverse proxy server might be a good choice. A reverse proxy: * Can limit the exposed public surface area of the apps that it hosts. * Provide an additional layer of configuration and defense. * Might integrate better with existing infrastructure. * Simplify load balancing and secure communication (HTTPS) configuration. Only the reverse proxy server requires an X.509 certificate, and that server can communicate with your app servers on the internal network using plain HTTP. > [!WARNING] > Hosting in a reverse proxy configuration requires [host filtering](#host-filtering). ## How to use Kestrel in ASP.NET Core apps The [Microsoft.AspNetCore.Server.Kestrel](https://www.nuget.org/packages/Microsoft.AspNetCore.Server.Kestrel/) package is included in the [Microsoft.AspNetCore.App metapackage](xref:fundamentals/metapackage-app) (ASP.NET Core 2.1 or later). ASP.NET Core project templates use Kestrel by default. In *Program.cs*, the template code calls , which calls behind the scenes. [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_DefaultBuilder&highlight=7)] ::: moniker range=">= aspnetcore-2.2" To provide additional configuration after calling `CreateDefaultBuilder`, use `ConfigureKestrel`: ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { // Set properties and call methods on options }); ``` If the app doesn't call `CreateDefaultBuilder` to set up the host, call **before** calling `ConfigureKestrel`: ```csharp public static void Main(string[] args) { var host = new WebHostBuilder() .UseContentRoot(Directory.GetCurrentDirectory()) .UseKestrel() .UseIISIntegration() .UseStartup() .ConfigureKestrel((context, options) => { // Set properties and call methods on options }) .Build(); host.Run(); } ``` ::: moniker-end ::: moniker range="< aspnetcore-2.2" To provide additional configuration after calling `CreateDefaultBuilder`, call : ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { // Set properties and call methods on options }); ``` ::: moniker-end ## Kestrel options The Kestrel web server has constraint configuration options that are especially useful in Internet-facing deployments. Set constraints on the property of the class. The `Limits` property holds an instance of the class. ### Maximum client connections The maximum number of concurrent open TCP connections can be set for the entire app with the following code: ::: moniker range=">= aspnetcore-2.2" [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_Limits&highlight=3)] ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.Limits.MaxConcurrentConnections = 100; }); ``` ::: moniker-end There's a separate limit for connections that have been upgraded from HTTP or HTTPS to another protocol (for example, on a WebSockets request). After a connection is upgraded, it isn't counted against the `MaxConcurrentConnections` limit. ::: moniker range=">= aspnetcore-2.2" [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_Limits&highlight=4)] ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.Limits.MaxConcurrentUpgradedConnections = 100; }); ``` ::: moniker-end The maximum number of connections is unlimited (null) by default. ### Maximum request body size The default maximum request body size is 30,000,000 bytes, which is approximately 28.6 MB. The recommended approach to override the limit in an ASP.NET Core MVC app is to use the attribute on an action method: ```csharp [RequestSizeLimit(100000000)] public IActionResult MyActionMethod() ``` Here's an example that shows how to configure the constraint for the app on every request: ::: moniker range=">= aspnetcore-2.2" [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_Limits&highlight=5)] ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.Limits.MaxRequestBodySize = 10 * 1024; }); ``` You can override the setting on a specific request in middleware: [!code-csharp[](kestrel/samples/2.x/KestrelSample/Startup.cs?name=snippet_Limits&highlight=3-4)] ::: moniker-end An exception is thrown if you attempt to configure the limit on a request after the app has started to read the request. There's an `IsReadOnly` property that indicates if the `MaxRequestBodySize` property is in read-only state, meaning it's too late to configure the limit. ### Minimum request body data rate Kestrel checks every second if data is arriving at the specified rate in bytes/second. If the rate drops below the minimum, the connection is timed out. The grace period is the amount of time that Kestrel gives the client to increase its send rate up to the minimum; the rate isn't checked during that time. The grace period helps avoid dropping connections that are initially sending data at a slow rate due to TCP slow-start. The default minimum rate is 240 bytes/second with a 5 second grace period. A minimum rate also applies to the response. The code to set the request limit and the response limit is the same except for having `RequestBody` or `Response` in the property and interface names. Here's an example that shows how to configure the minimum data rates in *Program.cs*: ::: moniker range=">= aspnetcore-2.2" [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_Limits&highlight=6-9)] ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.Limits.MinRequestBodyDataRate = new MinDataRate(bytesPerSecond: 100, gracePeriod: TimeSpan.FromSeconds(10)); options.Limits.MinResponseDataRate = new MinDataRate(bytesPerSecond: 100, gracePeriod: TimeSpan.FromSeconds(10)); }); ``` ::: moniker-end You can override the minimum rate limits per request in middleware: [!code-csharp[](kestrel/samples/2.x/KestrelSample/Startup.cs?name=snippet_Limits&highlight=6-21)] ::: moniker range=">= aspnetcore-2.2" Neither rate feature referenced in the prior sample are present in `HttpContext.Features` for HTTP/2 requests because modifying rate limits on a per-request basis isn't supported for HTTP/2 due to the protocol's support for request multiplexing. Server-wide rate limits configured via `KestrelServerOptions.Limits` still apply to both HTTP/1.x and HTTP/2 connections. ::: moniker-end ::: moniker range=">= aspnetcore-2.2" ### Maximum streams per connection `Http2.MaxStreamsPerConnection` limits the number of concurrent request streams per HTTP/2 connection. Excess streams are refused. ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Limits.Http2.MaxStreamsPerConnection = 100; }); ``` The default value is 100. ### Header table size The HPACK decoder decompresses HTTP headers for HTTP/2 connections. `Http2.HeaderTableSize` limits the size of the header compression table that the HPACK decoder uses. The value is provided in octets and must be greater than zero (0). ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Limits.Http2.HeaderTableSize = 4096; }); ``` The default value is 4096. ### Maximum frame size `Http2.MaxFrameSize` indicates the maximum size of the HTTP/2 connection frame payload to receive. The value is provided in octets and must be between 2^14 (16,384) and 2^24-1 (16,777,215). ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Limits.Http2.MaxFrameSize = 16384; }); ``` The default value is 2^14 (16,384). ### Maximum request header size `Http2.MaxRequestHeaderFieldSize` indicates the maximum allowed size in octets of request header values. This limit applies to both name and value together in their compressed and uncompressed representations. The value must be greater than zero (0). ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Limits.Http2.MaxRequestHeaderFieldSize = 8192; }); ``` The default value is 8,192. ### Initial connection window size `Http2.InitialConnectionWindowSize` indicates the maximum request body data in bytes the server buffers at one time aggregated across all requests (streams) per connection. Requests are also limited by `Http2.InitialStreamWindowSize`. The value must be greater than or equal to 65,535 and less than 2^31 (2,147,483,648). ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Limits.Http2.InitialConnectionWindowSize = 131072; }); ``` The default value is 128 KB (131,072). ### Initial stream window size `Http2.InitialStreamWindowSize` indicates the maximum request body data in bytes the server buffers at one time per request (stream). Requests are also limited by `Http2.InitialStreamWindowSize`. The value must be greater than or equal to 65,535 and less than 2^31 (2,147,483,648). ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Limits.Http2.InitialStreamWindowSize = 98304; }); ``` The default value is 96 KB (98,304). ::: moniker-end For information about other Kestrel options and limits, see: * * * ## Endpoint configuration By default, ASP.NET Core binds to: * `http://localhost:5000` * `https://localhost:5001` (when a local development certificate is present) Specify URLs using the: * `ASPNETCORE_URLS` environment variable. * `--urls` command-line argument. * `urls` host configuration key. * `UseUrls` extension method. The value provided using these approaches can be one or more HTTP and HTTPS endpoints (HTTPS if a default cert is available). Configure the value as a semicolon-separated list (for example, `"Urls": "http://localhost:8000;http://localhost:8001"`). For more information on these approaches, see [Server URLs](xref:fundamentals/host/web-host#server-urls) and [Override configuration](xref:fundamentals/host/web-host#override-configuration). A development certificate is created: * When the [.NET Core SDK](/dotnet/core/sdk) is installed. * The [dev-certs tool](xref:aspnetcore-2.1#https) is used to create a certificate. Some browsers require that you grant explicit permission to the browser to trust the local development certificate. ASP.NET Core 2.1 and later project templates configure apps to run on HTTPS by default and include [HTTPS redirection and HSTS support](xref:security/enforcing-ssl). Call or methods on to configure URL prefixes and ports for Kestrel. `UseUrls`, the `--urls` command-line argument, `urls` host configuration key, and the `ASPNETCORE_URLS` environment variable also work but have the limitations noted later in this section (a default certificate must be available for HTTPS endpoint configuration). ASP.NET Core 2.1 or later `KestrelServerOptions` configuration: ### ConfigureEndpointDefaults(Action<ListenOptions>) Specifies a configuration `Action` to run for each specified endpoint. Calling `ConfigureEndpointDefaults` multiple times replaces prior `Action`s with the last `Action` specified. ::: moniker range=">= aspnetcore-3.0" ```csharp Host.CreateDefaultBuilder(args) .ConfigureWebHostDefaults(webBuilder => { webBuilder.ConfigureKestrel(serverOptions => { serverOptions.ConfigureEndpointDefaults(configureOptions => { configureOptions.NoDelay = true; }); }); webBuilder.UseStartup(); }); ``` ::: moniker-end ::: moniker range="< aspnetcore-3.0" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.ConfigureEndpointDefaults(configureOptions => { configureOptions.NoDelay = true; }); }); ``` ::: moniker-end ### ConfigureHttpsDefaults(Action<HttpsConnectionAdapterOptions>) Specifies a configuration `Action` to run for each HTTPS endpoint. Calling `ConfigureHttpsDefaults` multiple times replaces prior `Action`s with the last `Action` specified. ::: moniker range=">= aspnetcore-3.0" ```csharp Host.CreateDefaultBuilder(args) .ConfigureWebHostDefaults(webBuilder => { webBuilder.ConfigureKestrel(serverOptions => { serverOptions.ConfigureHttpsDefaults(options => { // certificate is an X509Certificate2 options.ServerCertificate = certificate; }); }); webBuilder.UseStartup(); }); ``` ::: moniker-end ::: moniker range="< aspnetcore-3.0" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.ConfigureHttpsDefaults(httpsOptions => { // certificate is an X509Certificate2 httpsOptions.ServerCertificate = certificate; }); }); ``` ::: moniker-end ### Configure(IConfiguration) Creates a configuration loader for setting up Kestrel that takes an as input. The configuration must be scoped to the configuration section for Kestrel. ### ListenOptions.UseHttps Configure Kestrel to use HTTPS. `ListenOptions.UseHttps` extensions: * `UseHttps` – Configure Kestrel to use HTTPS with the default certificate. Throws an exception if no default certificate is configured. * `UseHttps(string fileName)` * `UseHttps(string fileName, string password)` * `UseHttps(string fileName, string password, Action configureOptions)` * `UseHttps(StoreName storeName, string subject)` * `UseHttps(StoreName storeName, string subject, bool allowInvalid)` * `UseHttps(StoreName storeName, string subject, bool allowInvalid, StoreLocation location)` * `UseHttps(StoreName storeName, string subject, bool allowInvalid, StoreLocation location, Action configureOptions)` * `UseHttps(X509Certificate2 serverCertificate)` * `UseHttps(X509Certificate2 serverCertificate, Action configureOptions)` * `UseHttps(Action configureOptions)` `ListenOptions.UseHttps` parameters: * `filename` is the path and file name of a certificate file, relative to the directory that contains the app's content files. * `password` is the password required to access the X.509 certificate data. * `configureOptions` is an `Action` to configure the `HttpsConnectionAdapterOptions`. Returns the `ListenOptions`. * `storeName` is the certificate store from which to load the certificate. * `subject` is the subject name for the certificate. * `allowInvalid` indicates if invalid certificates should be considered, such as self-signed certificates. * `location` is the store location to load the certificate from. * `serverCertificate` is the X.509 certificate. In production, HTTPS must be explicitly configured. At a minimum, a default certificate must be provided. Supported configurations described next: * No configuration * Replace the default certificate from configuration * Change the defaults in code *No configuration* Kestrel listens on `http://localhost:5000` and `https://localhost:5001` (if a default cert is available). *Replace the default certificate from configuration* calls `serverOptions.Configure(context.Configuration.GetSection("Kestrel"))` by default to load Kestrel configuration. A default HTTPS app settings configuration schema is available for Kestrel. Configure multiple endpoints, including the URLs and the certificates to use, either from a file on disk or from a certificate store. In the following *appsettings.json* example: * Set **AllowInvalid** to `true` to permit the use of invalid certificates (for example, self-signed certificates). * Any HTTPS endpoint that doesn't specify a certificate (**HttpsDefaultCert** in the example that follows) falls back to the cert defined under **Certificates** > **Default** or the development certificate. ```json { "Kestrel": { "EndPoints": { "Http": { "Url": "http://localhost:5000" }, "HttpsInlineCertFile": { "Url": "https://localhost:5001", "Certificate": { "Path": "", "Password": "" } }, "HttpsInlineCertStore": { "Url": "https://localhost:5002", "Certificate": { "Subject": "", "Store": "", "Location": "", "AllowInvalid": "" } }, "HttpsDefaultCert": { "Url": "https://localhost:5003" }, "Https": { "Url": "https://*:5004", "Certificate": { "Path": "", "Password": "" } } }, "Certificates": { "Default": { "Path": "", "Password": "" } } } } ``` An alternative to using **Path** and **Password** for any certificate node is to specify the certificate using certificate store fields. For example, the **Certificates** > **Default** certificate can be specified as: ```json "Default": { "Subject": "", "Store": "", "Location": "", "AllowInvalid": "" } ``` Schema notes: * Endpoints names are case-insensitive. For example, `HTTPS` and `Https` are valid. * The `Url` parameter is required for each endpoint. The format for this parameter is the same as the top-level `Urls` configuration parameter except that it's limited to a single value. * These endpoints replace those defined in the top-level `Urls` configuration rather than adding to them. Endpoints defined in code via `Listen` are cumulative with the endpoints defined in the configuration section. * The `Certificate` section is optional. If the `Certificate` section isn't specified, the defaults defined in earlier scenarios are used. If no defaults are available, the server throws an exception and fails to start. * The `Certificate` section supports both **Path**–**Password** and **Subject**–**Store** certificates. * Any number of endpoints may be defined in this way so long as they don't cause port conflicts. * `options.Configure(context.Configuration.GetSection("Kestrel"))` returns a `KestrelConfigurationLoader` with an `.Endpoint(string name, options => { })` method that can be used to supplement a configured endpoint's settings: ```csharp options.Configure(context.Configuration.GetSection("Kestrel")) .Endpoint("HTTPS", opt => { opt.HttpsOptions.SslProtocols = SslProtocols.Tls12; }); ``` You can also directly access `KestrelServerOptions.ConfigurationLoader` to keep iterating on the existing loader, such as the one provided by . * The configuration section for each endpoint is a available on the options in the `Endpoint` method so that custom settings may be read. * Multiple configurations may be loaded by calling `options.Configure(context.Configuration.GetSection("Kestrel"))` again with another section. Only the last configuration is used, unless `Load` is explicitly called on prior instances. The metapackage doesn't call `Load` so that its default configuration section may be replaced. * `KestrelConfigurationLoader` mirrors the `Listen` family of APIs from `KestrelServerOptions` as `Endpoint` overloads, so code and config endpoints may be configured in the same place. These overloads don't use names and only consume default settings from configuration. *Change the defaults in code* `ConfigureEndpointDefaults` and `ConfigureHttpsDefaults` can be used to change default settings for `ListenOptions` and `HttpsConnectionAdapterOptions`, including overriding the default certificate specified in the prior scenario. `ConfigureEndpointDefaults` and `ConfigureHttpsDefaults` should be called before any endpoints are configured. ```csharp options.ConfigureEndpointDefaults(opt => { opt.NoDelay = true; }); options.ConfigureHttpsDefaults(httpsOptions => { httpsOptions.SslProtocols = SslProtocols.Tls12; }); ``` *Kestrel support for SNI* [Server Name Indication (SNI)](https://tools.ietf.org/html/rfc6066#section-3) can be used to host multiple domains on the same IP address and port. For SNI to function, the client sends the host name for the secure session to the server during the TLS handshake so that the server can provide the correct certificate. The client uses the furnished certificate for encrypted communication with the server during the secure session that follows the TLS handshake. Kestrel supports SNI via the `ServerCertificateSelector` callback. The callback is invoked once per connection to allow the app to inspect the host name and select the appropriate certificate. SNI support requires: * Running on target framework `netcoreapp2.1`. On `netcoreapp2.0` and `net461`, the callback is invoked but the `name` is always `null`. The `name` is also `null` if the client doesn't provide the host name parameter in the TLS handshake. * All websites run on the same Kestrel instance. Kestrel doesn't support sharing an IP address and port across multiple instances without a reverse proxy. ::: moniker range=">= aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.ListenAnyIP(5005, listenOptions => { listenOptions.UseHttps(httpsOptions => { var localhostCert = CertificateLoader.LoadFromStoreCert( "localhost", "My", StoreLocation.CurrentUser, allowInvalid: true); var exampleCert = CertificateLoader.LoadFromStoreCert( "example.com", "My", StoreLocation.CurrentUser, allowInvalid: true); var subExampleCert = CertificateLoader.LoadFromStoreCert( "sub.example.com", "My", StoreLocation.CurrentUser, allowInvalid: true); var certs = new Dictionary( StringComparer.OrdinalIgnoreCase); certs["localhost"] = localhostCert; certs["example.com"] = exampleCert; certs["sub.example.com"] = subExampleCert; httpsOptions.ServerCertificateSelector = (connectionContext, name) => { if (name != null && certs.TryGetValue(name, out var cert)) { return cert; } return exampleCert; }; }); }); }); ``` ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel((context, options) => { options.ListenAnyIP(5005, listenOptions => { listenOptions.UseHttps(httpsOptions => { var localhostCert = CertificateLoader.LoadFromStoreCert( "localhost", "My", StoreLocation.CurrentUser, allowInvalid: true); var exampleCert = CertificateLoader.LoadFromStoreCert( "example.com", "My", StoreLocation.CurrentUser, allowInvalid: true); var subExampleCert = CertificateLoader.LoadFromStoreCert( "sub.example.com", "My", StoreLocation.CurrentUser, allowInvalid: true); var certs = new Dictionary( StringComparer.OrdinalIgnoreCase); certs["localhost"] = localhostCert; certs["example.com"] = exampleCert; certs["sub.example.com"] = subExampleCert; httpsOptions.ServerCertificateSelector = (connectionContext, name) => { if (name != null && certs.TryGetValue(name, out var cert)) { return cert; } return exampleCert; }; }); }); }) .Build(); ``` ::: moniker-end ### Bind to a TCP socket The method binds to a TCP socket, and an options lambda permits X.509 certificate configuration: ::: moniker range=">= aspnetcore-2.2" [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_TCPSocket&highlight=9-16)] ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static void Main(string[] args) { CreateWebHostBuilder(args).Build().Run(); } public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.Listen(IPAddress.Loopback, 5000); options.Listen(IPAddress.Loopback, 5001, listenOptions => { listenOptions.UseHttps("testCert.pfx", "testPassword"); }); }); ``` ```csharp public static void Main(string[] args) { CreateWebHostBuilder(args).Build().Run(); } public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.Listen(IPAddress.Loopback, 5000); options.Listen(IPAddress.Loopback, 5001, listenOptions => { listenOptions.UseHttps("testCert.pfx", "testPassword"); }); }); ``` ::: moniker-end The example configures HTTPS for an endpoint with . Use the same API to configure other Kestrel settings for specific endpoints. [!INCLUDE [How to make an X.509 cert](~/includes/make-x509-cert.md)] ### Bind to a Unix socket Listen on a Unix socket with for improved performance with Nginx, as shown in this example: ::: moniker range=">= aspnetcore-2.2" [!code-csharp[](kestrel/samples/2.x/KestrelSample/Program.cs?name=snippet_UnixSocket)] ::: moniker-end ::: moniker range="< aspnetcore-2.2" ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .UseKestrel(options => { options.ListenUnixSocket("/tmp/kestrel-test.sock"); options.ListenUnixSocket("/tmp/kestrel-test.sock", listenOptions => { listenOptions.UseHttps("testCert.pfx", "testpassword"); }); }); ``` ::: moniker-end ### Port 0 When the port number `0` is specified, Kestrel dynamically binds to an available port. The following example shows how to determine which port Kestrel actually bound at runtime: [!code-csharp[](kestrel/samples/2.x/KestrelSample/Startup.cs?name=snippet_Configure&highlight=3-4,15-21)] When the app is run, the console window output indicates the dynamic port where the app can be reached: ```console Listening on the following addresses: http://127.0.0.1:48508 ``` ### Limitations Configure endpoints with the following approaches: * * `--urls` command-line argument * `urls` host configuration key * `ASPNETCORE_URLS` environment variable These methods are useful for making code work with servers other than Kestrel. However, be aware of the following limitations: * HTTPS can't be used with these approaches unless a default certificate is provided in the HTTPS endpoint configuration (for example, using `KestrelServerOptions` configuration or a configuration file as shown earlier in this topic). * When both the `Listen` and `UseUrls` approaches are used simultaneously, the `Listen` endpoints override the `UseUrls` endpoints. ### IIS endpoint configuration When using IIS, the URL bindings for IIS override bindings are set by either `Listen` or `UseUrls`. For more information, see the [ASP.NET Core Module](xref:host-and-deploy/aspnet-core-module) topic. ::: moniker range=">= aspnetcore-2.2" ### ListenOptions.Protocols The `Protocols` property establishes the HTTP protocols (`HttpProtocols`) enabled on a connection endpoint or for the server. Assign a value to the `Protocols` property from the `HttpProtocols` enum. | `HttpProtocols` enum value | Connection protocol permitted | | -------------------------- | ----------------------------- | | `Http1` | HTTP/1.1 only. Can be used with or without TLS. | | `Http2` | HTTP/2 only. Primarily used with TLS. May be used without TLS only if the client supports a [Prior Knowledge mode](https://tools.ietf.org/html/rfc7540#section-3.4). | | `Http1AndHttp2` | HTTP/1.1 and HTTP/2. Requires a TLS and [Application-Layer Protocol Negotiation (ALPN)](https://tools.ietf.org/html/rfc7301#section-3) connection to negotiate HTTP/2; otherwise, the connection defaults to HTTP/1.1. | The default protocol is HTTP/1.1. TLS restrictions for HTTP/2: * TLS version 1.2 or later * Renegotiation disabled * Compression disabled * Minimum ephemeral key exchange sizes: * Elliptic curve Diffie-Hellman (ECDHE) [[RFC4492](https://www.ietf.org/rfc/rfc4492.txt)] – 224 bits minimum * Finite field Diffie-Hellman (DHE) [`TLS12`] – 2048 bits minimum * Cipher suite not blacklisted `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` [`TLS-ECDHE`] with the P-256 elliptic curve [`FIPS186`] is supported by default. The following example permits HTTP/1.1 and HTTP/2 connections on port 8000. Connections are secured by TLS with a supplied certificate: ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Listen(IPAddress.Any, 8000, listenOptions => { listenOptions.Protocols = HttpProtocols.Http1AndHttp2; listenOptions.UseHttps("testCert.pfx", "testPassword"); }); }); ``` Optionally create an `IConnectionAdapter` implementation to filter TLS handshakes on a per-connection basis for specific ciphers: ```csharp public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseStartup() .ConfigureKestrel((context, options) => { options.Listen(IPAddress.Any, 8000, listenOptions => { listenOptions.Protocols = HttpProtocols.Http1AndHttp2; listenOptions.UseHttps("testCert.pfx", "testPassword"); listenOptions.ConnectionAdapters.Add(new TlsFilterAdapter()); }); }); ``` ```csharp private class TlsFilterAdapter : IConnectionAdapter { public bool IsHttps => false; public Task OnConnectionAsync(ConnectionAdapterContext context) { var tlsFeature = context.Features.Get(); // Throw NotSupportedException for any cipher algorithm that you don't // wish to support. Alternatively, define and compare // ITlsHandshakeFeature.CipherAlgorithm to a list of acceptable cipher // suites. // // A ITlsHandshakeFeature.CipherAlgorithm of CipherAlgorithmType.Null // indicates that no cipher algorithm supported by Kestrel matches the // requested algorithm(s). if (tlsFeature.CipherAlgorithm == CipherAlgorithmType.Null) { throw new NotSupportedException("Prohibited cipher: " + tlsFeature.CipherAlgorithm); } return Task.FromResult(new AdaptedConnection(context.ConnectionStream)); } private class AdaptedConnection : IAdaptedConnection { public AdaptedConnection(Stream adaptedStream) { ConnectionStream = adaptedStream; } public Stream ConnectionStream { get; } public void Dispose() { } } } ``` *Set the protocol from configuration* calls `serverOptions.Configure(context.Configuration.GetSection("Kestrel"))` by default to load Kestrel configuration. In the following *appsettings.json* example, a default connection protocol (HTTP/1.1 and HTTP/2) is established for all of Kestrel's endpoints: ```json { "Kestrel": { "EndPointDefaults": { "Protocols": "Http1AndHttp2" } } } ``` The following configuration file example establishes a connection protocol for a specific endpoint: ```json { "Kestrel": { "EndPoints": { "HttpsDefaultCert": { "Url": "https://localhost:5001", "Protocols": "Http1AndHttp2" } } } } ``` Protocols specified in code override values set by configuration. ::: moniker-end ## Transport configuration With the release of ASP.NET Core 2.1, Kestrel's default transport is no longer based on Libuv but instead based on managed sockets. This is a breaking change for ASP.NET Core 2.0 apps upgrading to 2.1 that call and depend on either of the following packages: * [Microsoft.AspNetCore.Server.Kestrel](https://www.nuget.org/packages/Microsoft.AspNetCore.Server.Kestrel/) (direct package reference) * [Microsoft.AspNetCore.App](https://www.nuget.org/packages/Microsoft.AspNetCore.App/) For ASP.NET Core 2.1 or later projects that use the [Microsoft.AspNetCore.App metapackage](xref:fundamentals/metapackage-app) and require the use of Libuv: * Add a dependency for the [Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv](https://www.nuget.org/packages/Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv/) package to the app's project file: ```xml ``` * Call : ```csharp public class Program { public static void Main(string[] args) { CreateWebHostBuilder(args).Build().Run(); } public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .UseLibuv() .UseStartup(); } ``` ### URL prefixes When using `UseUrls`, `--urls` command-line argument, `urls` host configuration key, or `ASPNETCORE_URLS` environment variable, the URL prefixes can be in any of the following formats. Only HTTP URL prefixes are valid. Kestrel doesn't support HTTPS when configuring URL bindings using `UseUrls`. * IPv4 address with port number ``` http://65.55.39.10:80/ ``` `0.0.0.0` is a special case that binds to all IPv4 addresses. * IPv6 address with port number ``` http://[0:0:0:0:0:ffff:4137:270a]:80/ ``` `[::]` is the IPv6 equivalent of IPv4 `0.0.0.0`. * Host name with port number ``` http://contoso.com:80/ http://*:80/ ``` Host names, `*`, and `+`, aren't special. Anything not recognized as a valid IP address or `localhost` binds to all IPv4 and IPv6 IPs. To bind different host names to different ASP.NET Core apps on the same port, use [HTTP.sys](xref:fundamentals/servers/httpsys) or a reverse proxy server, such as IIS, Nginx, or Apache. > [!WARNING] > Hosting in a reverse proxy configuration requires [host filtering](#host-filtering). * Host `localhost` name with port number or loopback IP with port number ``` http://localhost:5000/ http://127.0.0.1:5000/ http://[::1]:5000/ ``` When `localhost` is specified, Kestrel attempts to bind to both IPv4 and IPv6 loopback interfaces. If the requested port is in use by another service on either loopback interface, Kestrel fails to start. If either loopback interface is unavailable for any other reason (most commonly because IPv6 isn't supported), Kestrel logs a warning. ## Host filtering While Kestrel supports configuration based on prefixes such as `http://example.com:5000`, Kestrel largely ignores the host name. Host `localhost` is a special case used for binding to loopback addresses. Any host other than an explicit IP address binds to all public IP addresses. `Host` headers aren't validated. As a workaround, use Host Filtering Middleware. Host Filtering Middleware is provided by the [Microsoft.AspNetCore.HostFiltering](https://www.nuget.org/packages/Microsoft.AspNetCore.HostFiltering) package, which is included in the [Microsoft.AspNetCore.App metapackage](xref:fundamentals/metapackage-app) (ASP.NET Core 2.1 or later). The middleware is added by , which calls : [!code-csharp[](kestrel/samples-snapshot/2.x/KestrelSample/Program.cs?name=snippet_Program&highlight=9)] Host Filtering Middleware is disabled by default. To enable the middleware, define an `AllowedHosts` key in *appsettings.json*/*appsettings.\.json*. The value is a semicolon-delimited list of host names without port numbers: *appsettings.json*: ```json { "AllowedHosts": "example.com;localhost" } ``` > [!NOTE] > [Forwarded Headers Middleware](xref:host-and-deploy/proxy-load-balancer) also has an option. Forwarded Headers Middleware and Host Filtering Middleware have similar functionality for different scenarios. Setting `AllowedHosts` with Forwarded Headers Middleware is appropriate when the `Host` header isn't preserved while forwarding requests with a reverse proxy server or load balancer. Setting `AllowedHosts` with Host Filtering Middleware is appropriate when Kestrel is used as a public-facing edge server or when the `Host` header is directly forwarded. > > For more information on Forwarded Headers Middleware, see . ## Additional resources * * * * [Kestrel source code](https://github.com/aspnet/AspNetCore/tree/master/src/Servers/Kestrel) * [RFC 7230: Message Syntax and Routing (Section 5.4: Host)](https://tools.ietf.org/html/rfc7230#section-5.4)