Edge Server Includes (ESI) - http

Is it a good practice to use ESIs or is that an older technology? Are there alternatives that would be better? I am familiar with the use of CDNs and cache servers but this ESI was typically for applications that do more than just load the front end.

ESI is fairly unknown outside the CDN context. However, I think there are a number of interesting use cases for its use 'closer' to the origin servers now that we see a lot more interest in splitting the applications that deliver Web sites into several self-contained services. An ESI-enabled cache is a good means to integrate these services into a single Web site.

Related

Does my program architecture make sense? AngularJS + ASP.NET Web API + SQL Server

I have been getting a bit lost in the creation of my program architecture and I want to take a step back to see if I'm approaching it correctly.
I am wondering if my setup makes sense. I'm starting to think it doesn't.
I am creating intranet applications (We were creating Internet applications, but now the scope has changed). We use an onsite Active Directory (Windows Server 2012 R2). We have a SQL Server Database.
I have been building Front End Angular applications and ASP.NET Web APIs to push and pull data. I am now implementing Authentication with Auth0 and it's been a nightmare.
What kind of program architecture would you set up in this scenario?
Much Appreciated.
SQL Server + Asp.Net Web Api + Angular JS forms a perfect architecture for building Single Page Applications (SPAs). This architecture is useful for building desktop-like web applications, i.e. apps that run over the web but work like desktop apps.
If you can be more specific about the problem you are facing, you will be able to get better recommendations from SO.
This architecture is widely adopted in many scenarios such as SPAs. With it, you will be able to keep your front-end highly decoupled from your backend services being able to support multiple front-ends on the same set of services and run quite a few integration scenarios.
Some of the downsides of such an approach will be the extra layer of complexity added to the application (which might force you to write more tests and handle different failure scenarios that wouldn't happen otherwise, for an example) and authentication routines since you will need to authenticate two heterogeneous environments (the .NET/IIS one and the JS/Angular one).
As for the authentication pain, token-based auth schemes seem the current way to go (such as Auth0) since they let you keep and send an environment-agnostic token which will be used by different layers of your architecture.
In that sense, your architecture makes sense.
However, since you're feeling some pain in its implementation, you might want to ask yourself if you really needed all of these. When you choose an architecture, you do so trying to accomplish some specific goals (multiple front-ends? specific performance requirements? maintainability? auditability?) and the more goals you try to accommodate in your architecture, the more complex it will become, up to a point where the pains start outweighing the benefits.
So, what were you trying to achieve in the first place?

Load Balancing in Asp.net, what I should consider while development?

While working on one ASP.NET project hosted within a web farm including two front ends and load balancing, we got one issue regarding ASP.NET session state while being set to be "InProc", and we found that it's not working properly with load balancing, and we should consider using "SQLServer" mode.
So, I'm wondering if there are any other points (Sessions, Caching, Security, file uploading, SQL Connections ...) we should take into consideration during development and deployment in such an environment.
Microsoft offers some guidance on this. They have a knowledge base article with links to other resources you'll need.
http://support.microsoft.com/kb/815162
Oh, and as always, ScottGu has an excellent article and a cooler way of doing it. I just found this and it looks very promising:
The Microsoft Web Farm Framework
http://weblogs.asp.net/scottgu/archive/2010/09/08/introducing-the-microsoft-web-farm-framework.aspx
and the more recent Web Farm Framework Site has plenty of resources available. http://www.iis.net/download/webfarmframework
Although I never used it, I found out that the articles of Omar Al Zabir over at CodeProject.com seem to be rather helpful.
His article "99.99% available ASP.NET and SQL Server SaaS Production Architecture" covers some load balancing topics.
See my answer here regarding things to keep in mind with session state.
It references this article that has lots of good information on session state.
On my development server, I've configured IIS to use 3 worker processes (web garden) as a poor man's test for our load balanced environment, worked a treat.
We don't use session/application data. Our load balancer is configured with address affinity, so requests from the same IP go to the same server, thus allowing us to cache some user data. Our biggest gotcha was with cached data across the farm not being in sync, solved by wrapping the cache with a simple network library to send 'cached item changed' messages to other servers.
There are LOTS of things that you need to take into consideration. Here is an article which goes over the many considerations when moving into a distributed environment:
http://eralokpandey.wordpress.com/2010/03/31/load-balancing-in-asp-net-and-web-farm/

is there any Web Application Firewall for asp.net? [closed]

I want to harden my website against simple dos/xss/sqli/etc...
but I don't want to delve into security programming for now so I want to use a ready made class or library, something like "mod_security" in Linux.
About a year ago I'd found a project like modsec for asp.net but right now in Google I've searched too much but found nothing interesting.
Does anyone know anything about WAF in .net?
regards.
You're never going to find a 'one size fits all' security package. However, a step in the right direction could be to take a look at Microsoft's Anti-XSS library and Security Runtime Engine. Both projects can be found on CodePlex.
Description:
(Anti-XSS)
AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.
White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.
Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
(SRE)
The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for
Cross Site Scripting
SQL Injection
As with all web security the WPL is part of a defense in depth strategy, adding an extra layer to any validation or secure coding practices you have already adopted.
There is no WAF that will work out of the box for your specific application. You will need a lot of fine tuning to secure a web application with a WAF. In many cases it will be easier to implement the application with security in mind than making it secure with an additional layer. Using a prepared statement for a SQL statement is much easier than trying to identify and filter bad input. Usually you want to do both (defense in depth) but the use of a prepared statement is the better option if you want to rely on a single protection measure.
If you really want to try securing your application with a WAF and you are familiar with mod_security, you can use it for your ASP.NET application. You need a dedicated server that acts as a reverse proxy in front of your application. Mod_security can filter ingoing and outgoing requests there. I fetched the pros and cons from the official mod_security website concerning the reverse proxy setup for you:
Advantages
Single point of access – functions as a choke point so you consolidate applying security settings and makes management easier.
Network topology is hidden from the outside world - so it will be more difficult for attackers to enumerate your web platforms.
Increased performance – if SSL accelerators/caching used.
You can implement vulnerability filters to protect any vulnerable web server or application on the backend (IIS, Netscape, ASP, PHP, etc...).
Disadvantages
A potential traffic bottleneck if the reverse proxy can not handle the network load.
A potential point of failure - if the reverse proxy goes down it may cause a denial of service to the web applications that are behind it.
Requires changes to the network.
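The answer above argues that a prepared statement is easier and more reliable than trying to identify and filter bad input. The following added example (not part of the original answer) shows that contrast using Python's built-in sqlite3 instead of ADO.NET so it runs offline; the table, the sample rows and the `BLOCKLIST` filter are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical input filter of the kind a WAF rule or hand-written check applies.
BLOCKLIST = re.compile(r"'|--|;|\b(?:or|union|select|drop)\b", re.IGNORECASE)

def make_db():
    """Constructed sample data: two users in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("O'Brien", "user")])
    return db

def lookup_concatenated(db, name):
    """'Before': the value is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_filtered(db, name):
    """Filter first, then concatenate. Returns None when the filter rejects."""
    if BLOCKLIST.search(name):
        return None
    return lookup_concatenated(db, name)

def lookup_prepared(db, name):
    """Prepared statement: the value is bound as data, never parsed as SQL."""
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # textbook tautology input
    for label, fn in [("concatenated", lookup_concatenated),
                      ("filtered", lookup_filtered),
                      ("prepared", lookup_prepared)]:
        print(label, "hostile ->", fn(db, hostile))
    # A legitimate name containing a quote: the filter rejects it,
    # the prepared statement handles it correctly.
    print("filtered O'Brien ->", lookup_filtered(db, "O'Brien"))
    print("prepared O'Brien ->", lookup_prepared(db, "O'Brien"))
```

The filter has to reject the legitimate name O'Brien to stay safe, while the prepared statement returns the right row and treats the hostile string as an ordinary (non-matching) name.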
My product, ServerDefender VP will work out of the box with ASP.NET (you just need to let the software run in "Log Only" mode for a period of time to let it learn about the traffic coming to your site or app). This web application firewall was new around the time the question was originally asked, but is fairly mature now.
In terms of security, ServerDefender VP protects against common threats like XSS, SQL injection, and others. It also helps achieve PCI compliance and features powerful logging and alerting functionality. What likely sets it apart from some other WAF options is its usability and simple user-interface.
There is no WAF that will work out of the box for your specific application
Sorry to disagree.
Incapsula Cloud based WAF will provide you with an out of the box plug-and-play solution, and it will work for every platform (including, of course, asp.net). It will require no maintenance/customization on your end (this is done on a Global-level by a dedicated security team) and the initial set-up itself will take only 5 min (done via simple DNS data change).
Having said that:
This is not a part of the Free plan. So, unlike "mod_security", this will cost you a few dozen dollars a month.
On the plus side, unlike "mod_security" and other OS and/or Cloud solutions, this is a PCI compliant WAF, which says something about the level of security it provides. Also, this is especially crucial if you are thinking about handling your own transactions.
Again, on a plus side, this is a highly customizable solution that comes with easy-to-use GUI and API for high-end users with specific needs.
As an added bonus, because this is a Cloud CDN based solution, you'll get a significant performance boost, due to Global-Proxy and CDN Caching features.

ASP.NET Caching in a web cluster

We are building a large scale web platform where we try to use Caching to speed up things - though now it's a single server, we'll probably upgrade it to a cluster. Will the Caching work there? Should we consider anything special?
Thanks!
You will need to use a distributed cache. You can find implementations for different caching providers such as memcached or Velocity.

Gotchas: Upgrading from single servers to web farms

Our company currently runs two Windows 2003 servers (a web server & a MSSQL 8 database server). We're planning to add another couple of servers for redundancy / availability purposes in a web farm setup. Our web sites are predominately ASP.NET, we do have a few PHP sites, but these are mainly static with no DB.
Does anyone who has been through this process have any gotchas or other points I should be aware of? And would using Windows Server 2008 offer any additional advantages for this situation (so I can convince my boss to upgrade :) ?
Thanks.
If you have dynamic load balancing (i.e. My first request goes to server X, but my next Request may go to server Y or Z), you will find out that In-Proc Sessions do not work. So you will either need sticky Sessions (your load balancer will ALWAYS send me (=my session) to server X) or out-of-process sessions (i.e. stored in an SQL Server).
Like Michael says, you'll need to take care of your session. Ideally make it lean and store out of process. You'll have similar challenge with cache depending on how you use it and might be interested in looking towards a more robust caching technology if you only use asp caching.
Don't forget things like machine keys and validation in your web.config. The machineKeys need to be consistent across your servers.
Read up on IIS7 and you should be able to pick out several good examples to show off to your boss.
A web farm can give you opportunities and challenges with deployment that should not be overlooked.
Without specific experience of the setup above, but with general moves of this kind, I would recommend phasing the approach. That is, move to Windows 2008 first and then farm.
One additional thing to look at is your deployment plan. Deployment plans seem to be sadly overlooked and/or undervalued. Remember that you are deploying to multiple nodes and you want to take into account how you want to deploy and test in a logical fashion.
For example, assume you have four nodes in your farm. Do you pull two out of the cluster and update and test, then swapping out the other two to repeat? Determine if your current deployment process fits in with the answer you provide. Just because you have X times the amount of servers does not mean that you want or need to do X times the amount of work.
Just revisiting the caching part of the conversation for a moment. You should definitely take a look at a distributed caching solution. If you are pre-caching data and using callbacks with cache removals, you can really put a pounding on the database if you are not careful. Also, a lot of the distributed caching solutions offer some level of session state management, as well. I have been very much enjoying Microsoft's Velocity project, although it is just a second CTP release and not ready for production.
In addition to what others have said, you might want to consider looking into Richard Campbell's (of .NET Rocks!) product:
http://www.strangeloopnetworks.com/
We use the ASP.NET State Server for handling our sessions. This comes free with Windows Server 2003/2008.
We then have to make sure the machine keys are the same (a setting in your web.config files).
I then manually take each site offline (using app.offline or whatever the magic file is called). Alternatively, you can use IIS and just turn the site off and the offline site 'on'.
That's about it. You could worry about distributed caching, but that's pretty hard-core stuff. You can get a lot of good mileage out of the default Output Caching with ASP.NET. I'd start there, before you delve into the complexity (and cost, for some products) if you're going to do distributed caching.
Oh, we're using an F5 load balancer that does NOT do sticky sessions, so we need to maintain our sessions .. which is why we're using the ASP.NET state server.
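Two answers above say the machine keys in web.config must be the same on every server; ASP.NET uses them to validate and encrypt data such as view state and forms authentication tickets, so a node with a different or auto-generated key rejects what another node issued. The following added example (not from any of the posters) is a deployment check that compares the `machineKey` element across nodes without printing the keys; the node names, the `FARM` configs and the dummy key values are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

def _config(validation_key, decryption_key):
    """Build a constructed web.config fragment for one node."""
    return ('<configuration><system.web>'
            f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />'
            '</system.web></configuration>')

# Constructed sample farm. Key values are dummy hex, not real secrets.
FARM = {
    "web01": _config("AB" * 32, "CD" * 16),
    "web02": _config("ab" * 32, "cd" * 16),  # same key, lower case
    "web03": _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "web04": _config("12" * 32, "CD" * 16),  # different validationKey
}

def machine_key_fingerprint(config_xml):
    """Short hash of the node's key material, or None when the key is
    missing or auto-generated (auto-generated keys differ per server)."""
    elem = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if elem is None:
        return None
    keys = [elem.get("validationKey", ""), elem.get("decryptionKey", "")]
    if any(not k or k.startswith("AutoGenerate") for k in keys):
        return None
    material = "|".join(keys + [elem.get("validation", ""),
                                elem.get("decryption", "")]).upper()
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def audit_farm(configs):
    """Label each node 'ok', 'mismatch' or 'auto-or-missing' relative to
    the fingerprint shared by most nodes."""
    prints = {node: machine_key_fingerprint(x) for node, x in configs.items()}
    explicit = [fp for fp in prints.values() if fp]
    majority = max(set(explicit), key=explicit.count) if explicit else None
    report = {}
    for node, fp in prints.items():
        if fp is None:
            report[node] = "auto-or-missing"
        else:
            report[node] = "ok" if fp == majority else "mismatch"
    return report

if __name__ == "__main__":
    for node, status in audit_farm(FARM).items():
        print(node, status)
```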
One other gotcha aside from the Session issues described by the other posters is if the apps are writing to the local file system. Scaling out to a web farm would break the apps if they assume the files are on the local PC. For example, uploaded files might be available or not depending on which server is hit. Changing the paths to point to a shared drive should fix this.
