Windows Server 2012 : Scalable and elastic web platform (part 5) - Application Initialization, Dynamic IP Address Restrictions

3/15/2014 2:05:26 AM

5. Application Initialization

Nothing frustrates users more than trying to open a website in their web browser and then waiting for the site to respond. In previous versions of IIS, a delay occurred the first time a web application was accessed because the application needed to be loaded into memory before IIS could process the user’s request and return a response. With complex Microsoft ASP.NET web applications often needing to perform lengthy startup tasks, such as generating and caching content, such delays could sometimes reach a minute or more.

Such delays are now a thing of the past with the new Application Initialization feature of IIS 8, which lets you configure IIS to spin up web applications so they are ready to respond to the first request received. Application pools can be prestarted instead of waiting for a first request, and applications are initialized when their worker processes start. Administrators can decide which applications should be preloaded on the server.

In addition, IIS 8 can be configured to return a static “splash page” or other static content while an application is being initialized so the user feels the website being accessed is responding instead of failing to respond. This functionality can be combined with the URL Rewrite module to create more complex types of pregenerated static content.

Application Initialization can be configured at two levels:

  • Machine-wide, in the ApplicationHost.config file for the server

  • Per application, in the Web.config file for the application

The Application Initialization role service of the Web Server role must also be added to the server to use this feature.

Identifying “fake” requests used by Application Initialization

The Application Initialization feature introduces the concept of a warm-up period to IIS. When this feature is configured, the set of URLs specified by the application developer will be sent a “fake” request as part of warming up the application. Once all the fake requests return, the application is considered initialized, and the warm-up period ends.

Depending on your application, you may decide to handle these fake requests differently than normal requests coming from the wire. If you choose to do this, using the URL Rewrite module allows you to look at the request headers and identify the fake requests.

Identifying fake requests is easy if you know what to look for. A fake request sent to a URL as part of application-level initialization has the following properties.

  • User Agent = IIS Application Initialization Warm-up

  • Server Variables = the WARMUP_REQUEST server variable is set

In addition to application-level initialization, the Application Initialization feature also allows server administrators to “preload” important applications so that they will be initialized as soon as the worker process starts. Preload is also done using a fake request to the root of the application. The Preload fake request has the following properties:

  • User Agent = IIS Application Initialization Preload

  • Server Variables = the PRELOAD_REQUEST server variable is set

You may also want to perform special handling for normal requests that are received during the warm-up period. All normal requests received during warm-up have the APP_WARMING_UP server variable set, which you can use to identify these requests and handle them as desired.
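The following is an added example, not code from the original page: a small audit that reads a Web.config and reports which rewrite rules identify warm-up traffic by the server variables listed above and which rely only on the User-Agent string, a request header that is supplied by the client. The Web.config fragment, rule names and URLs are constructed for illustration, and the pattern value "1" for APP_WARMING_UP is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragment (sample input, not taken from the page).
WEB_CONFIG = """
<configuration><system.webServer>
  <applicationInitialization doAppInitAfterRestart="true">
    <add initializationPage="/warmup.aspx" />
  </applicationInitialization>
  <rewrite><rules>
    <rule name="SplashWhileWarming">
      <match url=".*" />
      <conditions><add input="{APP_WARMING_UP}" pattern="1" /></conditions>
      <action type="Rewrite" url="/splash.htm" />
    </rule>
    <rule name="SkipRedirectForWarmup">
      <match url=".*" />
      <conditions>
        <add input="{HTTP_USER_AGENT}" pattern="IIS Application Initialization" />
      </conditions>
      <action type="None" />
    </rule>
  </rules></rewrite>
</system.webServer></configuration>
"""

# Server variables the page says IIS sets for warm-up and preload traffic.
SERVER_VARS = {"{WARMUP_REQUEST}", "{PRELOAD_REQUEST}", "{APP_WARMING_UP}"}
# Common prefix of the two User-Agent strings the page lists.
UA_MARKER = "IIS Application Initialization"

def initialization_pages(config_xml):
    """URLs that receive a fake request during application-level warm-up."""
    root = ET.fromstring(config_xml)
    return [a.get("initializationPage")
            for a in root.findall(".//applicationInitialization/add")]

def audit_warmup_rules(config_xml):
    """Map each warm-up-related rewrite rule to how it identifies the request."""
    findings = {}
    for rule in ET.fromstring(config_xml).iter("rule"):
        conds = [(c.get("input", ""), c.get("pattern", ""))
                 for c in rule.findall("./conditions/add")]
        if any(inp in SERVER_VARS for inp, _ in conds):
            findings[rule.get("name")] = "server-variable"
        elif any(inp == "{HTTP_USER_AGENT}" and UA_MARKER in pat for inp, pat in conds):
            findings[rule.get("name")] = "user-agent-only"   # header is client-supplied
    return findings
```

Rules reported as "user-agent-only" are the ones to review, since they grant special handling based on a value that arrives with the request.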


6. Dynamic IP Address Restrictions

When a web server receives unwanted activity from malicious clients, it can prevent legitimate users from accessing websites hosted by the server. One way of dealing with such situations in previous versions of IIS was to use static IP filtering to block requests from specific clients. Static filtering had two limitations, however:

  • It required that you discover the IP address of the offending client and then manually configure IIS to block that address.

  • There was no choice as to what action IIS would take when it blocked the client—an HTTP 403.6 status message was always returned to the offending client.

In IIS 8, however, blocking malicious IP addresses is now much simpler. Dynamic IP Address Restrictions now provides three kinds of filtering to deal with undesirable request traffic:

  • Dynamic IP address filtering lets you configure your server to block access for any IP address that exceeds a specified number of concurrent requests or exceeds a specified number of requests within a given period of time.

  • You can now configure how IIS responds when it blocks an IP address; for example, by aborting the request instead of returning HTTP 403.6 responses to the client.

  • IP addresses can be blocked not only by client address, but also by addresses received in the X-Forwarded-For HTTP header used in proxy mode.

Configuring dynamic IP address filtering

To configure dynamic IP address filtering for your server, website, or folder path, select the corresponding IP Address And Domain Restrictions node in IIS Manager. This opens the Dynamic IP Restriction Settings dialog box shown in Figure 4, which lets you deny IP addresses based on the number of concurrent requests and/or the number of requests received over a specified period of time.

Figure 4. Configuring dynamic IP address filtering.

Once dynamic IP address filtering has been configured, you can configure how IIS responds to clients whose requests are dynamically filtered. To do this, select the appropriate IP Address And Domain Restrictions node in IIS Manager and click Edit Feature Settings in the Actions pane. Doing this opens the Edit IP And Domain Restriction Settings dialog box shown in Figure 5, which lets you specify the type of response and whether to enforce such responses when the incoming request passes through a proxy, such as a firewall or load balancer, that changes the source IP address of the request.

Figure 5. Configuring the response behavior to dynamically filtered requests, including when a proxy is encountered along the request path.

Dynamic IP restrictions

Previous versions of IIS have a Static IP Restrictions feature, which allows server administrators to block IP addresses that are exhibiting undesirable behavior. When an HTTP request is made from an IP address that has been blocked, IIS will return an HTTP 403 Access Forbidden status. That being said, Static IP Restrictions are a manual process: server administrators are required to perform forensic analysis of their IIS logs to discover these behavioral patterns and add the offending IP addresses to their list of static IP restrictions.

The goal behind the Dynamic IP Restrictions feature is to dynamically detect two specific forms of potentially malicious behavior and temporarily block HTTP requests from the IP addresses where those requests originated. The two forms of behavior that IIS detects are having too many simultaneous connections from a specific client IP address, and having too many connections from a specific client IP address within a specific period of time.

In IIS 8, server administrators can configure the behavior that IIS will use when it blocks HTTP requests for both the Static IP Restrictions and Dynamic IP Restrictions features; this is an important change from the behavior in previous versions of IIS, which always returned an HTTP 403 Access Forbidden status message. Server administrators can now configure IIS 8 to return HTTP 401 Access Denied, HTTP 403 Access Forbidden, HTTP 404 Not Found, or abort the request entirely. For each of these HTTP statuses, IIS will mark the requests with a substatus code that signifies why the request was blocked. IIS can also be configured to simply log the behavior, in which case the requests will succeed or fail based on the nature of an HTTP request, but IIS will still mark these requests with a substatus code that indicates that the request would have been blocked. These substatus codes make it easier for server administrators to forensically examine their IIS activity logs to identify potentially malicious activity from specific IP addresses and then add those IP addresses to the list of denied static IP addresses.

The following table lists the substatuses that IIS 8 adds:

Feature                    Substatus   Description
Dynamic IP Restrictions    501         Deny by concurrent requests limit
Dynamic IP Restrictions    502         Deny by requests over time limit
Static IP Restrictions     503         Deny by IP address match
Static IP Restrictions     504         Deny by hostname match

For example, if you configured IIS to return an HTTP 404 Not Found status for the Dynamic IP Restrictions feature and IIS blocks an HTTP request because of too many concurrent connections, IIS will write an HTTP 404.501 status message in the IIS activity logs. Alternatively, if you configured the Dynamic IP Restrictions feature to only log the activity, IIS would write an HTTP 200.501 status in the IIS activity logs.
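The forensic use of these substatus codes can be automated. The following is an added example, not code from the original page: it reads a W3C extended log, keeps the requests marked with substatus 501 to 504, and groups them by client IP so that repeat offenders stand out. The log lines, addresses and the threshold of 3 are constructed for illustration.

```python
from collections import Counter, defaultdict

# Substatus codes from the table above.
REASONS = {
    "501": "dynamic: concurrent requests limit",
    "502": "dynamic: requests over time limit",
    "503": "static: IP address match",
    "504": "static: hostname match",
}

# Constructed W3C extended log excerpt (sample input, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2014-03-15 02:05:26 GET /default.aspx 203.0.113.7 404 501
2014-03-15 02:05:26 GET /default.aspx 203.0.113.7 404 501
2014-03-15 02:05:27 GET /login.aspx 203.0.113.7 404 502
2014-03-15 02:05:27 GET /default.aspx 198.51.100.20 200 0
2014-03-15 02:05:28 GET /api/items 198.51.100.33 200 502
2014-03-15 02:05:29 GET /admin 192.0.2.44 403 503
"""

def triage(log_text):
    """Return {client_ip: Counter({(status.substatus, reason, log_only): n})}."""
    fields, hits = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout is declared in the log
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        reason = REASONS.get(row.get("sc-substatus"))
        if reason is None:
            continue                       # not an IP-restriction event
        # A 2xx status with one of these substatuses is what logging-only mode
        # produces (the page's 200.501 case): served, but would have been blocked.
        log_only = row["sc-status"].startswith("2")
        code = row["sc-status"] + "." + row["sc-substatus"]
        hits[row["c-ip"]][(code, reason, log_only)] += 1
    return hits

def candidates(log_text, threshold=3):
    """Client IPs with at least `threshold` restricted requests, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in triage(log_text).items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])
```

Because the parser takes its column names from the `#Fields:` directive, it works with whatever set of fields the site is configured to log, provided `c-ip`, `sc-status` and `sc-substatus` are among them.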

When a server that is running IIS is located behind a firewall or load-balancing server, the client IP addresses for all the HTTP requests may appear to be from the firewall or load-balancing server. Because of this scenario, the IP Restrictions features in IIS 8 can be configured to operate in Proxy mode. In this mode, IIS will examine the values in the X-Forwarded-For HTTP header and determine the client IP from the list of IP addresses through which the HTTP request was forwarded. By way of explanation, the X-Forwarded-For HTTP header is an accepted standard within the Internet community, whereby each server in the chain between an Internet client and server will append its IP address to the end of the header, separated by a comma. For example, if an HTTP request from an Internet client must travel through two firewall servers to reach the server, there should be three IP addresses in the X-Forwarded-For header: the client’s IP address, followed by the two IP addresses of the firewall servers, as illustrated in the following example HTTP request:

GET / HTTP/1.1
Host: example.com
Accept: */*
X-Forwarded-For: 10.0.51.50, 192.168.21.12, 172.16.19.84

When IIS examines the X-Forwarded-For HTTP header in an HTTP request like the preceding example, IIS will block the originating client’s IP address (10.0.51.50) instead of the IP address of the firewall server (172.16.19.84).
