ict.ken.be

Delivering solid user friendly software solutions since the dawn of time.

Configuration of pools and asp.net 

Categories: .Net IIS

.Net 4 repair

  • winver.exe (check the Windows version and bitness first; the paths below are for 64-bit Windows)
  • %windir%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /repair /x86 /x64 /ia64 /parameterfolder Client /norestart
  • %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i (re-registers ASP.NET 4 with IIS, restoring the script maps)

Setting up permissions and pools on iis (eg. mojoPortal)

  • Create a new Web Site in IIS and name it mojoportal, leave the IP address as "All Unassigned" but add the host name "mojoportal"
  • Point the web site root to the mojoportal folder and choose a .NET 4 Integrated application pool. 
  • Make note of the identity the application pool runs as (with the IIS 7.5 default, ApplicationPoolIdentity, that is the virtual account IIS AppPool\<pool name>)
  • In Windows Explorer, right click the mojoportal folder and choose Properties. On the Security tab click Edit..., then Add..., then Advanced..., then Find Now
  • Select the user that is the identity of the application pool and click OK, give that user Read permissions here and click OK.
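The same setup as a script, as an added example that is not from the original post or from mojoPortal. It assumes IIS 7.5 or later with the WebAdministration module, the physical path C:\inetpub\mojoportal, and a dedicated pool named after the site; the site and host names are the ones used in the steps above.

```powershell
# Added example (not code from the original post or from mojoPortal): the site,
# pool and ACL steps above as a script. Assumes IIS 7.5+ with the
# WebAdministration module, the physical path below, and a dedicated pool
# named after the site.
Import-Module WebAdministration

$siteName = 'mojoportal'
$hostName = 'mojoportal'             # host header from the steps above
$sitePath = 'C:\inetpub\mojoportal'  # assumed physical path
$poolName = $siteName

# Dedicated pool: .NET 4, Integrated pipeline, ApplicationPoolIdentity
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion     -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode       -Value 'Integrated'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# Site on all unassigned IPs, port 80, host header 'mojoportal'
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $poolName `
                -Port 80 -HostHeader $hostName | Out-Null
}

# The pool identity is the virtual account IIS AppPool\<pool name>; grant it
# read and execute on the folder and everything below it (OI = object inherit,
# CI = container inherit). No Users group, no write access.
$identity = "IIS AppPool\$poolName"
icacls $sitePath /grant "${identity}:(OI)(CI)(RX)"

# Show what the pool actually runs as, which is the account the ACL must name
(Get-Item "IIS:\AppPools\$poolName").processModel.identityType
```

Run it from an elevated Windows PowerShell prompt on the server. If the pool is switched to a custom account later, the icacls line is the only part that has to change: the ACL must name whatever the last line prints.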

Cache insert vs add 

Categories: .Net

Cache.Add

Calling the Add method returns null when the item was stored. If the key already exists in the Cache the call fails silently: the existing entry is left in place and Add returns that existing object instead of storing yours, so check the return value.

Cache.Insert

Calling the Insert method returns nothing (it is void). If the key already exists in the Cache it overwrites the existing entry.
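To see the difference, here is an added example (not code from the original post) that drives HttpRuntime.Cache from Windows PowerShell 5.1, where the .NET Framework's System.Web assembly is available outside a web application; the key and values are made up for the demo.

```powershell
# Added example (not code from the original post): drive HttpRuntime.Cache from
# Windows PowerShell 5.1 / .NET Framework to show the Add vs Insert behaviour.
# The key and values are made up for the demo.
Add-Type -AssemblyName System.Web

$cache = [System.Web.HttpRuntime]::Cache

function Add-CacheItem([string]$Key, [object]$Value) {
    # Cache.Add returns $null when it stored the value, or the object already
    # stored under that key, in which case it does NOT replace it.
    return $cache.Add($Key, $Value, $null,
        [System.Web.Caching.Cache]::NoAbsoluteExpiration,
        [System.Web.Caching.Cache]::NoSlidingExpiration,
        [System.Web.Caching.CacheItemPriority]::Normal,
        $null)
}

$key = 'config:theme'
[void]$cache.Remove($key)                 # start clean

$first  = Add-CacheItem $key 'dark'       # stores 'dark', returns $null
$second = Add-CacheItem $key 'light'      # changes nothing, returns 'dark'
"After two Adds: cache={0}; first Add returned null: {1}; second Add returned '{2}'" -f $cache.Get($key), ($null -eq $first), $second

$cache.Insert($key, 'light')              # void; overwrites unconditionally
"After Insert: cache={0}" -f $cache.Get($key)
```

The practical rule that follows: use Add when the first writer should win and you want to know whether you lost the race (the non-null return tells you), and Insert when the latest value should win.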

Fix for pages that contain a lot of POST data 

Categories: .Net

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="1001" />
</appSettings>

A Microsoft security update for ASP.NET breaks pages that post more than 1000 form fields: once the form (or query string) collection holds more keys than aspnet:MaxHttpCollectionKeys, which defaults to 1000, the request fails with an InvalidOperationException ("Operation is not valid due to the current state of the object"). If you have pages like this, the web.config key above raises the limit. Then again, maybe it is better to change the page.

Microsoft released an update on 29 December 2011 (MS11-100) that addresses several serious security vulnerabilities in the .NET Framework. One of its fixes temporarily mitigates a potential DoS attack based on hash table collisions by capping the number of keys a request may carry; that cap is what breaks pages that contain a lot of POST data. The higher you set the limit, the more collision work a single crafted request can cause, so raise it only as far as the page needs.

The limit counts keys, not bytes, so a large ASP.NET ViewState on its own does not trigger it; hundreds of inputs from a data grid or a control per row do. If your pages post back that many fields you are going to run into this problem. Rather than applying the web.config fix straight away, look at optimizing the page first.

more on stackoverflow

 

Open source projects I like(d) to use 

Categories: .Net Patterns

Web Pro Series by Scott Forsyth 

Categories: IIS Network

These are some notes from the 'Web Pro Series' by Scott Forsyth. The series is a good start for IIS developers.

Forever Penguin

  • most big sites do not answer ping (ICMP echo is filtered to limit abuse and DoS), so no reply does not mean the host is down
  • ping www.google.com -t (Windows: keep pinging until Ctrl-C)

Tracert

  • Tracert sends ICMP echo requests with a TTL of 1, 2, 3 and so on, and relies on the fact that most Internet routers send back an ICMP 'TTL expired in transit' message when they decrement the TTL to zero; the sender of each such message is the next hop on the path

DNS

  • Primary zone gives the authoritative answer
  • Host or A record
  • Alias or CNAME
  • Mail or MX (lower preference number is higher priority; equal numbers are load balanced)
  • TXT, mainly used for SPF
  • * wildcard has the lowest priority (an explicit record for the name always wins)

NsLookup

  • set type=ns
  • set type=mx
  • set type=a
  • set type=ptr
  • end the name with a dot (yourdomain.com.) so nslookup does not append the search suffix
  • server (switch to another DNS server, resolved through the server currently in use)
  • lserver (same, but resolved through the local/initial server)
  • ls (list the zone; mostly no longer possible because it needs a zone transfer, which most servers refuse)

Cmd Capturing

  • dir /od | clip (copy to clipboard)
  • ipconfig /all > ipconfig.txt (use >> to append to the file)
  • echo "--- end ---" >> ipconfig.txt 
  • copy and paste : properties - enable QuickEdit mode

IIS Bindings

  • Type can be left blank
  • All Unassigned is a wildcard (any IP address not bound explicitly elsewhere)
  • You can specify the ip manually
  • Port must be specified
  • Hostname left blank will catch everything

SSL Bindings

  • The host header lives at the application layer, inside the encrypted request, so IIS 7/7.5 cannot read it before decryption and cannot pick a certificate per host name
  • Assign a dedicated IP for each website that needs SSL
  • If sharing an IP, you must share the certificate (only one certificate per IP:port)
  • Wildcard certificate
  • Unified Communications Certificate (SAN)
    • Certificates - Computer Account - Local - Properties - Friendly name: put * in front - the Host name field of the https binding becomes editable
    • Select one site as the master binding - system32\inetsrv\appcmd set site /site.name:"<SiteName>" /+bindings.[protocol='https',bindinginformation='*:443:<HostHeader>']
    • eg. appcmd set site /site.name:"ict.ken.be" /+bindings.[protocol='https',bindinginformation='10.240.5.22:443:ict.ken.be']
    • Prevent a request for another host name from being served by the master site - On Master - Edit Inbound Rule - Matches the Pattern - .* - Match All - {HTTP_HOST} Does Not Match the Pattern - ^ict\.ken\.be$ - Abort Request

URL Rewrite

  • iis.net - download url rewrite module
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to google">
          <match url=".*" />
          <!-- placeholder: use <action type="Redirect" url="..." /> to actually redirect -->
          <action type="None" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
  • global level vs site level
  • {HTTP_HOST} - Matches Regular Expression - ^ken\.be$
  • {REMOTE_HOST} - eg. allow only one specific ip
  • Edit Inbound Rule - login\.aspx$ - {HTTP_HOST} - ^ict\.ken\.be$ - {HTTPS} off - redirect https://ict.ken.be/{R:0}
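The abort rule for the master https binding and the http-to-https redirect from the notes above, written out as the web.config fragment the URL Rewrite module reads. This is an added example, not code from the original post or from the Web Pro Series; the host name ict.ken.be and the patterns are taken from the notes, and the redirect is widened from login.aspx to every URL.

```xml
<!-- Added example, not from the original post or the Web Pro Series.
     Host name and patterns are the ones from the notes above. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- 1. Master site only: a request that arrived on this site's *:443
             binding with another Host header belongs to another site.
             Do not serve it; abort the connection. -->
        <rule name="Abort foreign hosts on the shared https binding" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^ict\.ken\.be$" negate="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>

        <!-- 2. Plain http to https for every URL (the note redirects only
             login.aspx). {R:0} is the whole matched path. -->
        <rule name="Redirect http to https" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="off" />
            <add input="{HTTP_HOST}" pattern="^ict\.ken\.be$" />
          </conditions>
          <action type="Redirect" url="https://ict.ken.be/{R:0}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The abort rule cannot fix the certificate warning a client gets when its host name does not match the shared certificate; that happens before the rule runs. It only stops the master site from answering with its own content. Redirecting only the login page protects the password, but the authentication cookie then travels over plain http on every other page unless it is marked Secure; redirecting every URL avoids that. If the site listens on a non-standard port, HTTP_HOST carries host:port and the pattern has to allow it.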

Regex

  • http://www.ultrapico.com/expresso.htm
  • http://regexlib.com
  • ^ start
  • $ end
  • . any single char (not line breaks such as \r and \n)
  • \ escapes a special character
  • + one or more of the preceding item (.+ one or more chars)
  • * zero or more of the preceding item (.* zero or more chars)
  • | or
  • ? optional
  • () group, also creates a back reference
  • [^&] anything but a &
  • [] character class
  • \w word character (alphanumeric or underscore)
  • \d digit
  • {n} repeat n times
  • {R:0} back reference to the rule pattern (the matched URL)
  • {C:0} back reference to the condition pattern

AppDomain will be recycled when

  • IIS settings that affect the application pool
  • web.config changes (saving in Notepad with Ctrl-S is enough, the content need not change)
  • anything under App_* is touched
  • the bin folder is touched
  • adding a folder
  • changing the default document order (changes web.config)
  • changes to the root web.config or machine.config in the .NET Framework config folder
  • not when changing applicationHost.config (system32\inetsrv\config\applicationHost.config)

IIS Outbound Rules

  • update pages and headers on the way out
  • rewrite outbound rule
  • (.*)google\.com(.*) -> {R:1}bing.com{R:2}
  • not possible on statically compressed content (an outbound rule cannot rewrite a response that is already compressed)
  • Server Variable: RESPONSE_X_Server_Name -> Your domain name is {HTTP_HOST}

IIS Folders

  • Normal folder
  • Application folder (separate bounderies)
  • vDir Only Folder (when folder has different physical location)
  • vDir with Application

Overlapping App Pools (90 seconds)

  • w3wp.exe: on a recycle IIS starts a new worker process and lets the old one finish its in-flight requests; the old process gets shutdownTimeLimit (default 90 seconds) before it is killed, so for a while the two overlap
  • appcmd list wp (shows the running worker processes and their pools)
  • http.sys receives the request and hands it to the pool's w3wp.exe

IIS 7 - Configuration System

redirection.config -> applicationHost.config -> administration.config -> web.config (site) -> web.config (app)
machine.config -> web.config (root) -> web.config (site) -> web.config (app) -> web.config (subfolders)

c:\windows\system32\inetsrv\config

  • Anything on read/write in feature delegation can be changed through the web.config (also for remote configuration)
  • You can see in the statusbar if web.config will be changed.
  • SSL is not delegated by default.

Gotchas:

  • Easy to overwrite settings
  • AppDomain recycle on change of web.config
  • Configuration is 'all over the place'
  • Not replicated with shared config

applicationHost.config Editing

  • <applicationPools>
  • <sites>
  • <system.webServer>
  • <webFarms>
  • <location>

IIS Schemas: c:\windows\system32\inetsrv\config\schema

Process Monitor: http://www.sysinternals.com

IUSR is the account used for anonymous access, unless anonymous authentication is set to use the application pool identity.

IIS Runtime page requests

  • RSCA (Runtime Status and Control API), which is what the IIS Manager views and appcmd below use
  • Worker Processes - Running Pools - Click - View Current Requests
  • appcmd /?
  • appcmd list request /?
  • appcmd list request | clip
  • appcmd list request /site.name:foo.com /elapsed:5000 (requests for that site that have been running for 5 seconds or more)

Application Pools Identity

  • Remove the Users group from the file permissions; grant the pool identity instead
  • IIS AppPool\foo.com (virtual account; IIS 7.5 creates one per pool, named after the pool)
  • In the Select Users dialog: Object Types - make sure Built-in security principals is checked, otherwise the IIS AppPool\ name does not resolve

for iis 7 : icacls c:\inetpub\wwwroot /grant "IIS AppPool\foo.com":(OI)(CI)(RX)

(OI)(CI) make the entry inherit to files and subfolders; RX is read and execute.

  • The virtual account behaves like Network Service: there is no password to manage, and on the network it appears as the computer account
  • User mapping is done by the AppHostSvc when the pool is created.
  • Use a custom user when the pool needs its own identity on the network (a remote share, a Windows login on SQL Server).
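To check this on a running server, an added example (not code from the original post or the series) that maps each site's pool to the account the ACL has to grant and flags Allow entries for Users, Everyone and Authenticated Users on the web root. It assumes IIS 7.5 or later with the WebAdministration module and runs as a local administrator.

```powershell
# Added example (not from the original post or the series): which account does
# each site's pool run as, does the web root grant it access, and are any of
# the broad groups the notes say to remove still granted? Assumes IIS 7.5+ with
# the WebAdministration module, run as a local administrator.
Import-Module WebAdministration

# Principals that should not have Allow entries on a web root.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Get-PoolIdentityName([string]$PoolName) {
    # Map the pool's identityType to the account name the ACL must name.
    # The provider returns the enum as a name or a number depending on version,
    # so both spellings are matched.
    $pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
    switch -Regex ("$($pm.identityType)") {
        '^(0|LocalSystem)$'             { 'NT AUTHORITY\SYSTEM' }
        '^(1|LocalService)$'            { 'NT AUTHORITY\LOCAL SERVICE' }
        '^(2|NetworkService)$'          { 'NT AUTHORITY\NETWORK SERVICE' }
        '^(3|SpecificUser)$'            { $pm.userName }
        '^(4|ApplicationPoolIdentity)$' { "IIS AppPool\$PoolName" }
        default                         { "unknown ($($pm.identityType))" }
    }
}

function Get-WebRootAclReport {
    foreach ($site in Get-Website) {
        $root     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        $identity = Get-PoolIdentityName $site.applicationPool
        $allows   = (Get-Acl -Path $root).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' }
        # -eq is case-insensitive, so 'IIS APPPOOL\x' as shown by Get-Acl matches
        $poolAce  = $allows | Where-Object { $_.IdentityReference.Value -eq $identity }
        $broadAce = $allows | Where-Object { $BroadPrincipals -contains $_.IdentityReference.Value }
        [pscustomobject]@{
            Site          = $site.name
            Pool          = $site.applicationPool
            Identity      = $identity
            Root          = $root
            PoolHasAccess = [bool]$poolAce
            PoolRights    = (@($poolAce | ForEach-Object { "$($_.FileSystemRights)" }) -join ', ')
            BroadGrants   = (@($broadAce | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
        }
    }
}

Get-WebRootAclReport | Format-Table -AutoSize
```

A row with PoolHasAccess false means the pool runs as an account the folder never grants (typically after the pool identity was changed and the ACL was not), and a non-empty BroadGrants column is the Users-group leftover the notes above tell you to remove. Only the web root itself is inspected; subfolders with their own explicit entries need a second pass.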

Securing IIS

  • LocalService
  • LocalSystem
  • NetworkService
  • ApplicationPoolIdentity (no password needed)
  • Custom account: IIS adds it to the IIS_IUSRS group at run time, so there is no need to add it to a group yourself.

Disk Permissions:

  • No need for inheritance, CREATOR OWNER, Users or TrustedInstaller on the web root.
  • So we are left with SYSTEM, Administrators and the custom (pool) user.
  • Prefer a local user to a domain user.

Website - Authentication - Anonymous Authentication - Edit - set the anonymous user to Application pool identity (do this per site when every site has its own pool, so anonymous requests run as the pool account instead of IUSR)

Web Gardens

Maximum Worker Process defaults to 1 (no garden)

pro

  • Remove contention with concurrent requests
  • PHP ISAPI Mode may benefit (or com+) -> move to FastCGI
  • Troubleshooting measure

con

  • In-proc session state won't work (consecutive requests of one session can land in different processes; use StateServer or SQL Server session state)
  • Shared memory/cache is duplicated
  • First hit per worker process
  • Base memory adds up
  • More processes to monitor

There is no real need to use web gardens.

Better performance tuning: http://support.microsoft.com/kb/821268

IP restrictions with URL rewrite

Old-fashioned way: the IP Address and Domain Restrictions feature.
Add Allow Range 10.240.0.0 with mask 255.255.0.0 and set the feature's default to deny.

New way, for example for a staging site, instead of checking the host in the pages with code like
eg. <% If Request("HTTP_HOST") = "staging.contoso.com" %>...<% End If %>
(static rules only, no code):

URL Rewrite at the global level
  • Add Rewrite Map - Authorized Admin IP - Add Mapping Entry - some IP, New Value = 1
  • Add Rule - Flag Authorized Admins - Pattern * - {Authorized Admin IP:{REMOTE_ADDR}} - Matches Pattern - 1
  • Then add the server variable HTTP_X_AUTHORIZED_ADMIN = yes (the variable has to be listed under allowedServerVariables in applicationHost.config before a rule may set it)
  • Action Type - None
  • Add Rule - Block unauthorized users
  • {HTTP_HOST} - Matches - ^staging\..*
  • {HTTP_X_AUTHORIZED_ADMIN} - Does Not Match - yes
  • Custom Response 403 Forbidden

HTTP_X_AUTHORIZED_ADMIN is just the X-Authorized-Admin request header seen through the rewrite module, so a caller can send it. The flag rule only runs for authorized addresses, which leaves the header untouched for everyone else; either make a rule set the variable to no for every request first, or have the block rule look the address up in the map itself.
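The rewrite-map block for staging, as an added example rather than code from the original post or the series. It assumes the map is named AuthorizedAdminIP (no spaces, easier to reference), that 10.240.5.22 stands in for the admin address, and that the fragment lives in applicationHost.config or the root web.config as the note says; it drops the intermediate HTTP_X_AUTHORIZED_ADMIN variable and does the map lookup in the condition instead.

```xml
<!-- Added example, not from the original post or the Web Pro Series.
     The map name (no spaces) and the admin address 10.240.5.22 are placeholders. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rewriteMaps>
        <!-- Authorized admin addresses map to "1"; anything else gets defaultValue. -->
        <rewriteMap name="AuthorizedAdminIP" defaultValue="0">
          <add key="10.240.5.22" value="1" />
        </rewriteMap>
      </rewriteMaps>
      <rules>
        <!-- Look the caller's address up in the map inside the condition.
             A flag copied into HTTP_X_AUTHORIZED_ADMIN by a separate rule is
             only set for authorized addresses; for everyone else the variable
             keeps whatever X-Authorized-Admin header the client sent, and the
             block rule could be talked into letting the request through. -->
        <rule name="Block unauthorized users on staging" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^staging\..*" />
            <add input="{AuthorizedAdminIP:{REMOTE_ADDR}}" pattern="^1$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Staging is limited to authorized addresses" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If you keep the two-rule design from the note, make the flag rule run for every request and set HTTP_X_AUTHORIZED_ADMIN to no before a second rule sets it to yes for matching addresses, and list the variable under allowedServerVariables. Either way REMOTE_ADDR is the address of whatever connected to IIS: behind a load balancer or reverse proxy that is the proxy, and the real client address, if forwarded at all, arrives in a header the client can also set, so the map would then have to key on something the proxy guarantees.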
