Saturday, May 30, 2015

VISIO Stencils references

Tuesday, May 26, 2015

Production Incident 10: Default Proxy Or Proxy Or CORS When Remote Name Cannot be resolved

Issue: Remote Name cannot be resolved.

Scenario: When we call third party or cross domain api within our web api.

Resolution :
  1. Enable CORs at third party api Or
  2. Try to include default proxy
  3. Or specific proxy at your client web APi

<system.net>
    
    

  </system.net>
 
Or
<system.net>

http://proxy.XYZ
"usesystemdefault="True" />

</system.net>
 
Or
Enable Cors
 
Error Slab:

 

Friday, May 1, 2015

Production Support Incident 6: Bad Architecture Design Database server Box having IIS webserver

Architecture Scenario:
A shared database SQL Server physical box or VM contains shared databases which is connected to different web servers hosted with different website. Lets assume within that database box we have IIS configured with WCF hosted service. The initial objective would be the wcf service which is present within database server must be using database table for storing service data. This is bad design.

What is the problem?
Now when we allocate RAM to SQL server box , sql server consumes all the RAM and keep very little RAM for OS activity. Now lets assume we have IIS configured with wcf service with database server and there is very little RAM available for IIS and OS as SQL server consumes most of the RAM memory . In such case there is going to be memory overflow or Network IO wait conditions for website request that are sending requests to this wcf service hosted in IIS that resides within this database server.

Workaround: You have to explicitly allocate RAM for sql server and for IIS to process the requests. The flipside is your sql server may started getting load and RAM consumption may shoot up to peek which may results in Suspended transactions and process requests with latency.

This is design flaw at infrastructure Level hence it is always important to make assessment and revisit architecture.

 

Production Support Incident 5: Enable default proxy to access internet content or any outside DMZ API


Sometimes production webserver servers are not allowed  to access outside internet web to prevent any vulnerable attack within the server.
 
Sometime there may be requirement to call web api which is hosted in cloud and your private intranet web server requires to call those api which is hosted externally in such case we may use internal proxy within the network to make a call across firewall.
 
To enable the proxy setting I have added following piece of code in config file



http://proxy.
...." usesystemdefault="True" />



Even after allowing access through proxy the server certificates are not configured properly which may results in further execution. Ensure certificates are installed in browser to make handshake to the api.

Check certificates in server
https://technet.microsoft.com/en-au/library/cc754431.aspx

Production Support Incident 3: Disable SSlv3 Poddle Attack on Azure web role and worker Role

Poodle attack - SSLV3 Enabled

Tool to ---Test your website server is poodle free..poodle test?
https://www.ssllabs.com/ssltest/


Courtesy: http://en.wikipedia.org/wiki/POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients'

Website and server should be poodle free, its vulnerable if we have SSLV3 policy protocol is enabled. One can disabled SSLV3 through regedit whereas in cloud we have to disable using startup script in Service definitions.

1. Add .cmd batch file in startup script of Role profile folder.
2. Give path of start up script in servicedefination configuration under task tag.
3. Keep the powershell file in root of website or webrole.
4. Ensure ps1 file is copy to content always. Right click on powershell file in solution VS and check property to enable this options.


Importantly!
Even after deployment your SSL scan test lab shows you  C grade check for webseal or WAF (Web application firewall). In such case you may have to disable ssl in server that is acting as firewall. Check with your infrastructure team.

****Check any WAF environment. Web application Firewall behind which your azure web role may resides.


http://www.ideliverable.com/blog/making-iis-configuration-changes-in-a-web-role-startup-task
http://blogs.msdn.com/b/jimoneil/archive/2011/02/07/azure-startup-tasks-and-powershell-lessons-learned.aspx
http://www.dotnettwitter.com/2011/11/executing-powershell-script-with.html
http://stackoverflow.com/questions/15350936/running-powershell-from-azure-startup-task
http://stackoverflow.com/questions/28888768/adding-startup-script-to-azure-web-role-copy-to-output-directory-missing
http://www.troyhunt.com/2014/10/disabling-ssl-3-in-azure-websites-and.html
http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx



 

Please engage the team who maintains these Linux box and follow document below to disable SSL3.

Web servers


Apache


Put the following line in your configuration file, or replace any existing line starting with SSLProtocol:

SSLProtocol All -SSLv2 -SSLv3

Then run: sudo apache2ctl configtest && sudo service apache2 restart.

Don't forget to test your website.

Nginx


Put the following line in your configuration file, or replace any existing line starting with ssl_protocols:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Then restart the server (in Ubuntu: sudo service nginx restart).

Don't forget to test your website.

Lighttpd


Lighttpd releases before 1.4.28 allow you to disable SSLv2 only.

If you are running at least 1.4.29, put the following lines in your configuration file:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Then restart the server (in Ubuntu: sudo service lighttpd restart).

Don't forget to test your website.