简体繁体 English

为什么我不应该将我的asp.net网站或webapp部署到IIS中域的根目录？

[英]Why should I NOT deploy my asp.net website or webapp to the root of a domain in IIS?

原文 2012-05-04 11:16:20 4 2 asp.net/ web-applications/ web/ iis-7.5/ web-deployment

Quite a few years ago, I remember that I struggled with a multiple site under one domain situation, where one of the sites was placed in the root. 几年前，我记得在一个域名情况下我在一个多站点上挣扎，其中一个站点放在根目录中。

At the time I read an authoritative post that clearly explained to me why this was a bad idea, what I remember is the cascading web.config issue being the main reason (forcing you to undeclare conflicting references in child projects that are essentially alien to that project). 当时我读了一篇权威的帖子，清楚地向我解释了为什么这是一个坏主意，我记得的是级联的web.config问题是主要原因（迫使你在子项目中取消相互矛盾的引用，这些引用基本上与项目）。 Henceforth I've always deployed any website in its own virtual path, using a single redirect in the root to point to the default website. 从此以后，我总是在自己的虚拟路径中部署任何网站，使用根目录中的单个重定向指向默认网站。

I can't seem to find that authoritative reference anymore and deployment considerations may have changed since then. 我似乎无法找到权威参考，从那时起部署考虑可能已经改变。

What are the pros and more likely, the cons for this scenario? 这种情况的优点和可能性是什么？ I'm asking because a company I work with frowns on separating the deployments this way and I don't think that's a good idea. 我问，因为我工作的公司对于以这种方式分离部署感到皱眉，我认为这不是一个好主意。

2 个解决方案

Short answer : isolation . 简答：隔离 。 IMO the benefits to host different web site/web applications without isolating them are pointless. IMO在不隔离它们的情况下托管不同网站/ Web应用程序的好处毫无意义。

Long answer : 答案很长：

Pros : 优点：

Using a single port without specific bindings (ie. aliases) : if you don't have access to website bindings, its usefull 使用没有特定绑定的单个端口（即别名）：如果您无法访问网站绑定，则其有用
Rapid-deployment and dynamic web site creation : you can create a new subsite without declaring it on the IIS side 快速部署和动态网站创建：您可以创建新的子网站，而无需在IIS端声明它
Sharing settings : apply web site base settings to all subsites (documents, mime types etc...) 共享设置：将网站基本设置应用于所有子网站（文档，mime类型等...）

Cons : 缺点：

Application pool isolation : no identity isolation, no worker process isolation, no failure/recovery isolation, etc... (time out, memory limit etc...) 应用程序池隔离 ：没有身份隔离，没有工作进程隔离，没有故障/恢复隔离等...（超时，内存限制等...）
AppDomain or lifetime isolation : you'll have to take care of your website AppDomains. AppDomain或终身隔离 ：您必须关注您的网站AppDomains。 If you share the same AppDomain, you'll share the same life cycle : if the AppDomain is unloaded, all the websites under this AppDomain will go down and reloaded (ie. if you touch an AppDomain web.config) 如果您共享相同的AppDomain，您将共享相同的生命周期：如果AppDomain被卸载，此AppDomain下的所有网站都将关闭并重新加载（即，如果您触摸AppDomain web.config）
Architecture isolation : some web application development need some tunning on the IIS side, if you tune your IIS pool or website just for one app, its an impact for all the sites. 架构隔离 ：某些Web应用程序开发需要在IIS端进行一些调整，如果您只针对一个应用程序调整IIS池或网站，则会对所有站点产生影响。 I think about 32-bits and 64-bits setting or wildcard mapping for example. 我想一下例如32位和64位设置或通配符映射。
Code and security isolation : application running in the same worker process and/or AppDomain are less protected against cross-app access/hacks/attacks. 代码和安全隔离 ：在同一工作进程和/或AppDomain中运行的应用程序受到较少的跨应用程序访问/攻击/攻击保护。 You'll have to be more vigilant to ensure that informations from an app cannot be read by another. 您必须更加警惕，以确保来自应用程序的信息无法被其他人阅读。
Audit : it could be more difficult to audit the web sites activity and failure. 审计：审计网站活动和失败可能更加困难。

Web application isolation has always be a goal on mutualised environments to protect applications from each other. Web应用程序隔离始终是共享环境的目标，以保护应用程序彼此之间的联系。

Since IIS 7, application pool isolation go further with the "application pool identity" : http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx 从IIS 7开始，应用程序池隔离与“应用程序池标识”相得益彰： http ： //www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx

I found this article too : http://searchsecurity.techtarget.com/tip/Web-application-isolation . 我也发现了这篇文章： http ： //searchsecurity.techtarget.com/tip/Web-application-isolation 。

You should look at SharePoint site collections architecture too. 您也应该查看SharePoint网站集架构。 Here's the idea : http://blogs.msdn.com/b/sgoodyear/archive/2011/11/18/9848865.aspx . 这是一个想法： http ： //blogs.msdn.com/b/sgoodyear/archive/2011/11/18/9848865.aspx 。

The main counterindication for hosting multiple "sites" under one domain (and as such as one "website" in IIS) I can think of would be user identity isolation; 在一个域（以及IIS中的一个“网站”）下托管多个“站点”的主要反指示我可以想到的是用户身份隔离; a visitor logged in to /site1 would also be logged in to /site2 when you configure eg Windows authentication and this is something you might not want. 当您配置例如Windows身份验证时，登录到/ site1的访问者也将登录到/ site2，这是您可能不想要的。

The same potentially applies for cookies set at the domain level. 同样可能适用于在域级别设置的cookie。 In IIS a website is a security boundary (for the client as well) and having multiple "sites" in the same domain COULD open you up to security vulnerabilities... 在IIS中，网站是一个安全边界（对于客户端而言），并且在同一个域中有多个“站点”，可能会导致安全漏洞......

As for placing one "site" in the root and others in subfolders; 至于在根目录中放置一个“站点”，在子文件夹中放置其他站点; your appsettings set for the "root site" would cascade to the "subfolder sites"; 为“根网站”设置的appsettings会级联到“子文件夹网站”; again this might be a non-issue but it IS a potential security flaw. 这可能是一个非问题，但它是一个潜在的安全漏洞。