Saturday, May 30, 2015
Tuesday, May 26, 2015
Production Incident 10: Default Proxy, Specific Proxy, or CORS When the Remote Name Cannot Be Resolved
Issue: Remote name cannot be resolved.
Scenario: When we call a third-party or cross-domain API from within our Web API.
Resolution:
- Enable CORS at the third-party API, or
- Enable the default (system) proxy in the client Web API's config, or
- Configure a specific proxy in the client Web API's config.
Default proxy, placed in the <system.net> section of the client Web API's config file (usesystemdefault="True" makes the application pick up the proxy settings of the account it runs under):
    <system.net>
      <defaultProxy enabled="true">
        <proxy usesystemdefault="True" />
      </defaultProxy>
    </system.net>
Or a specific proxy (replace the address with your internal proxy host and port):
    <system.net>
      <defaultProxy enabled="true">
        <proxy proxyaddress="http://your-proxy-host:8080" bypassonlocal="True" />
      </defaultProxy>
    </system.net>
Or enable CORS at the third-party API.
Error Slab:
Friday, May 1, 2015
Production Support Incident 6: Bad Architecture Design: Database Server Box Also Hosting an IIS Web Server
Architecture Scenario:
A shared SQL Server database box (physical or VM) holds databases used by several web servers hosting different websites. Now assume that, within that database box, IIS is also configured with a hosted WCF service, the intent being that the WCF service living on the database server stores its service data in database tables. This is bad design.
What is the problem?
When RAM is allocated to the SQL Server box, SQL Server consumes nearly all of it and leaves very little for OS activity. With IIS and the WCF service on the same box, very little RAM remains for IIS and the OS because SQL Server takes most of the memory. The result is memory exhaustion or network I/O waits for the website requests that are sent to the WCF service hosted in IIS on that database server.
Workaround: You have to explicitly allocate RAM to SQL Server and leave enough for IIS to process the requests. The flip side is that SQL Server may then run under load with its RAM consumption at the limit, which can result in suspended transactions and requests processed with latency.
This is a design flaw at the infrastructure level, hence it is always important to assess and revisit the architecture.
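As an added example (not a script from the original post), the following PowerShell applies the workaround on the database box: it reserves RAM for Windows and for IIS and caps SQL Server's "max server memory (MB)" at whatever is left. The instance name and the two reservation sizes are placeholders to size for your own workload, and the script assumes it runs as an administrator whose Windows login is sysadmin on the instance.

```powershell
# Added example, not code from the original post: cap SQL Server's memory so the OS
# and the co-located IIS/WCF service keep a guaranteed share of the box's RAM.
# Assumptions: run as an administrator on the database box with a Windows login that
# is sysadmin on the instance; the instance name and the two reservations are
# placeholders to size for your own workload.
param(
    [string]$SqlInstance  = 'localhost',  # placeholder: SERVER\INSTANCE
    [int]   $OsReserveMB  = 4096,         # assumed reservation for Windows itself
    [int]   $IisReserveMB = 4096          # assumed reservation for IIS worker processes
)

$ErrorActionPreference = 'Stop'

# Total physical RAM on this box, in MB.
$totalMB  = [int][math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$sqlMaxMB = $totalMB - $OsReserveMB - $IisReserveMB
if ($sqlMaxMB -lt 2048) {
    throw "Only $sqlMaxMB MB would be left for SQL Server; revisit the reservations or the host sizing."
}

# 'max server memory (MB)' is an advanced option, so expose it first. RECONFIGURE
# applies the new cap without restarting the instance.
$tsql = @"
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $sqlMaxMB;  RECONFIGURE;
SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'max server memory (MB)';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $applied = [int]$cmd.ExecuteScalar()   # value_in_use returned by the SELECT above
} finally {
    $conn.Close()
}

if ($applied -ne $sqlMaxMB) {
    throw "SQL Server reports max server memory = $applied MB, expected $sqlMaxMB MB."
}
Write-Output ("RAM {0} MB: SQL Server capped at {1} MB, {2} MB left for the OS and {3} MB for IIS." -f $totalMB, $applied, $OsReserveMB, $IisReserveMB)
```

The cap is a ceiling on the buffer pool, not a fix for the design flaw the post describes: once SQL Server sits at the cap under load, the suspended transactions and latency mentioned above are the symptom to watch for, which is why the post recommends revisiting the architecture rather than relying on this setting.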
Production Support Incident 5: Enable the Default Proxy to Access Internet Content or Any API Outside the DMZ
Production web servers are often not allowed to access the outside internet, to limit the server's exposure to attack.
Sometimes, though, there is a requirement to call a Web API hosted in the cloud from a private intranet web server; in that case we can use an internal proxy within the network to make the call across the firewall.
To enable the proxy setting I have added the following piece of code in the config file.
Even after access through the proxy is allowed, the call can still fail if the server certificates are not configured properly. Ensure the certificates are installed on the server so the TLS handshake with the API succeeds.
Check certificates in server
https://technet.microsoft.com/en-au/library/cc754431.aspx
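As an added example for Incidents 10 and 5 (it is not code from the original posts), here is a diagnostic to run on the web server that makes the outbound call. It works through the failure modes the two incidents describe in order: whether the box can resolve the remote name itself, which proxy the system settings (the ones usesystemdefault="True" picks up) would route the call through, whether that proxy is reachable, and, for a direct connection, whether the API's certificate chain is trusted on this server. The API URL is a placeholder, and the script assumes Windows PowerShell 4 or later on Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example, not code from the original posts: a defender-side diagnostic for
# the "remote name cannot be resolved" symptom, run on the web server that makes
# the outbound call. It checks DNS, the proxy the machine would use, TCP
# reachability of that proxy, and finally the TLS handshake and certificate chain.
# Assumptions: Windows PowerShell 4+ on Server 2012 R2 or later (Resolve-DnsName,
# Test-NetConnection); the API URL is a placeholder. Run it under the app pool
# identity if proxy settings are per-user.
param([string]$ApiUrl = 'https://api.example.com/health')  # placeholder endpoint

$uri    = [uri]$ApiUrl
$report = [ordered]@{ Target = $ApiUrl }

# 1. Direct DNS resolution from this box. A locked-down DMZ server often cannot
#    resolve external names at all, which is exactly the reported error.
try {
    $a = Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop | Where-Object { $_.IPAddress }
    $report.Dns = ($a | ForEach-Object { $_.IPAddress }) -join ', '
} catch {
    $report.Dns = "FAILED: $($_.Exception.Message)"
}

# 2. Which proxy would .NET pick for this URL? This is what <defaultProxy> with
#    <proxy usesystemdefault="True" /> resolves to for the current account.
$proxyUri     = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($uri)
$usesProxy    = ($proxyUri.AbsoluteUri -ne $uri.AbsoluteUri)
$report.Proxy = if ($usesProxy) { $proxyUri.AbsoluteUri } else { 'none (direct)' }

# 3. If a proxy is in play, can we reach it at all? With a proxy, a DNS failure in
#    step 1 is expected and harmless: the proxy resolves the name, not this box.
if ($usesProxy) {
    $tcp = Test-NetConnection -ComputerName $proxyUri.Host -Port $proxyUri.Port -WarningAction SilentlyContinue
    $report.ProxyTcp = $tcp.TcpTestSucceeded
}

# 4. End-to-end request through the chosen path.
$iwr = @{ Uri = $ApiUrl; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15; ErrorAction = 'Stop' }
if ($usesProxy) { $iwr.Proxy = $proxyUri.AbsoluteUri; $iwr.ProxyUseDefaultCredentials = $true }
try {
    $resp = Invoke-WebRequest @iwr
    $report.Https = "HTTP $($resp.StatusCode)"
} catch {
    $report.Https = "FAILED: $($_.Exception.GetBaseException().Message)"
}

# 5. Certificate chain as seen from this server (Incident 5: a reachable proxy but an
#    untrusted chain still breaks the handshake). This opens a direct TCP connection,
#    so it is skipped when the path goes through a proxy.
if (-not $usesProxy -and $report.Https -like 'FAILED*') {
    try {
        $client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        # Accept any certificate here so the stream completes and we can inspect it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $report.ChainTrusted = $chain.Build($cert)   # $false means this server does not trust the chain
        $report.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $report.CertIssuer   = $cert.Issuer
        $ssl.Dispose(); $client.Close()
    } catch {
        $report.Cert = "handshake failed: $($_.Exception.GetBaseException().Message)"
    }
}

[pscustomobject]$report | Format-List
```

Read the output top to bottom: a failed Dns line with Proxy = none (direct) is Incident 10 (add the default or a specific proxy); a working proxy with Https = FAILED and ChainTrusted = False is Incident 5 (install the missing issuer certificate in the server's certificate store, per the TechNet link above).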
Production Support Incident 3: Disable SSLv3 (POODLE Attack) on Azure Web Role and Worker Role
POODLE attack - SSLv3 enabled
Tool to test whether your website server is POODLE-free (POODLE test):
https://www.ssllabs.com/ssltest/
Courtesy: http://en.wikipedia.org/wiki/POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients'
Website and server should be POODLE-free; they are vulnerable if the SSLv3 protocol is enabled. On a server one can disable SSLv3 through regedit, whereas in the cloud we have to disable it using a startup script declared in the service definition.
1. Add a .cmd batch file as the startup script in the role's project folder.
2. Give the path of the startup script in the ServiceDefinition configuration (.csdef) under the Task tag.
3. Keep the PowerShell file in the root of the website or web role.
4. Ensure the .ps1 file is set to copy to the output directory always. Right-click the PowerShell file in the Visual Studio solution and set this option in its properties.
Importantly!
Even after deployment, the SSL Labs scan may still show a C grade; check for WebSEAL or a WAF (web application firewall) in front of the role. In such a case you may have to disable SSLv3 on the server that is acting as the firewall. Check with your infrastructure team.
**** Check for any WAF environment: a web application firewall behind which your Azure web role may reside.
http://www.ideliverable.com/blog/making-iis-configuration-changes-in-a-web-role-startup-task
http://blogs.msdn.com/b/jimoneil/archive/2011/02/07/azure-startup-tasks-and-powershell-lessons-learned.aspx
http://www.dotnettwitter.com/2011/11/executing-powershell-script-with.html
http://stackoverflow.com/questions/15350936/running-powershell-from-azure-startup-task
http://stackoverflow.com/questions/28888768/adding-startup-script-to-azure-web-role-copy-to-output-directory-missing
http://www.troyhunt.com/2014/10/disabling-ssl-3-in-azure-websites-and.html
http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx
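As an added example (not the blog's own startup script), this is the PowerShell file that steps 1 to 4 above wire into the role. It assumes the .cmd launcher runs it elevated, for instance with PowerShell -ExecutionPolicy Unrestricted -File .\DisableSslv3.ps1 (the file name is a placeholder) from a Task whose executionContext is "elevated" in the .csdef; the registry locations are the standard SCHANNEL protocol keys. Because a startup task runs on every role start, the script is idempotent and reports what it found.

```powershell
# Added example, not the blog's own script: Azure web/worker role startup script that
# disables SSL 3.0 (and SSL 2.0) in SCHANNEL so the role no longer negotiates it.
# Idempotent, so re-running on every role start is safe.
# Assumptions: launched elevated by the startup .cmd (Task executionContext="elevated"
# in the .csdef); the key names below are the standard SCHANNEL locations.
$ErrorActionPreference = 'Stop'

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('SSL 2.0', 'SSL 3.0')   # POODLE needs only SSL 3.0 off; SSL 2.0 is long deprecated

function Disable-SchannelProtocol {
    param([string]$Name)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off for
        # callers that do not name their protocols explicitly.
        New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-SchannelProtocolDisabled {
    param([string]$Name)
    $key   = Join-Path (Join-Path $base $Name) 'Server'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.Enabled -eq 0) -and ($props.DisabledByDefault -eq 1)
}

$changed = $false
foreach ($p in $protocols) {
    if (Test-SchannelProtocolDisabled $p) {
        Write-Output "$p already disabled, nothing to do"
    } else {
        Disable-SchannelProtocol $p
        $changed = $true
        Write-Output "$p disabled (Server and Client)"
    }
}

# Leave a trace in the startup task's output so a C grade at SSL Labs can be traced
# to something in front of the role (WAF/WebSEAL) rather than to the role itself.
foreach ($p in $protocols) {
    Write-Output ("{0}: disabled={1}" -f $p, (Test-SchannelProtocolDisabled $p))
}
if ($changed) {
    Write-Output 'SCHANNEL settings changed; they take effect after the instance restarts.'
}
```

SCHANNEL reads these values when the system starts, so on a freshly built instance the first run typically needs a restart of the instance to take effect; the script deliberately does not reboot on its own, since a startup task that reboots whenever a write fails can loop the role. The startup task's stdout is the place to check after deployment, before concluding (as the post warns) that a WAF or WebSEAL in front of the role is what SSL Labs is still grading.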
Please engage the team who maintains these Linux boxes and follow the document below to disable SSLv3.
Web servers
Apache
Put the following line in your configuration file, or replace any existing line starting with SSLProtocol:
    SSLProtocol All -SSLv2 -SSLv3
Then run:
    sudo apache2ctl configtest && sudo service apache2 restart
Don't forget to test your website.
Nginx
Put the following line in your configuration file, or replace any existing line starting with ssl_protocols:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then restart the server (in Ubuntu: sudo service nginx restart).
Don't forget to test your website.
Lighttpd
Lighttpd releases before 1.4.28 allow you to disable SSLv2 only. If you are running at least 1.4.29, put the following lines in your configuration file:
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
Then restart the server (in Ubuntu: sudo service lighttpd restart).
Don't forget to test your website.
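"Don't forget to test your website" applies equally to the Azure roles above and to the Apache, Nginx and Lighttpd servers in this section. SSL Labs is the authoritative check, but an internal-only host cannot be reached by it; as an added example (not part of the original post), this PowerShell script does the same check from a Windows box on the inside: it attempts a handshake with each protocol version and reports whether the server still accepts SSL 3.0 while continuing to serve TLS. The target host name is a placeholder. It also detects the one case that makes the result meaningless, a client whose own SCHANNEL client-side SSL 3.0 is disabled.

```powershell
# Added example, not from the original post: verify from a client that a server no
# longer negotiates SSL 3.0 (POODLE) while TLS still works. Host name is a placeholder.
param(
    [string]$TargetHost = 'www.example.com',   # placeholder
    [int]   $Port       = 443
)

function Test-TlsProtocol {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is irrelevant here: we only care whether the protocol
        # version is accepted, so any certificate is accepted for this probe.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = [pscustomobject]@{ Protocol = $Protocol; Negotiated = $true; Actual = $ssl.SslProtocol; Error = $null }
        $ssl.Dispose()
        return $result
    } catch {
        return [pscustomobject]@{ Protocol = $Protocol; Negotiated = $false; Actual = $null; Error = $_.Exception.GetBaseException().Message }
    } finally {
        $client.Close()
    }
}

# If this client has SSL 3.0 disabled in its own SCHANNEL client settings, a failed
# SSL 3.0 handshake says nothing about the server.
$clientKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client'
$clientSsl3Off = (Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue).Enabled -eq 0

$results = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -HostName $TargetHost -Port $Port -Protocol $p
}
$results | Format-Table -AutoSize

$ssl3   = $results | Where-Object { $_.Protocol -eq 'Ssl3' }
$tlsOk  = @($results | Where-Object { $_.Protocol -ne 'Ssl3' -and $_.Negotiated }).Count
if ($ssl3.Negotiated) {
    Write-Warning "$TargetHost still negotiates SSL 3.0: POODLE exposure remains (check any WAF/WebSEAL in front of it)."
} elseif ($clientSsl3Off) {
    Write-Warning 'This client has SSL 3.0 disabled itself, so the SSL 3.0 result is inconclusive; test from another box or SSL Labs.'
} elseif ($tlsOk -eq 0) {
    Write-Warning 'No protocol negotiated at all: the target may be unreachable from this client.'
} else {
    Write-Output "$TargetHost refuses SSL 3.0 and still serves TLS ($tlsOk version(s)): POODLE mitigated."
}
```

Run it once against the role's public name (to see what the WAF or WebSEAL in front presents) and once against the instance itself from inside the network; when the two disagree, the C grade the post mentions is coming from the device in front, which is what the "check with your infrastructure team" step is about.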