
Tuesday, May 21, 2013

Restricting Access By Location in IIS

A customer and I were reviewing their web logs and remarking on how many hits were coming in from countries with which they don't even remotely do business. There were several visits each day from China, Russia, Korea, etc. If they were coming to the site, they were either seriously lost or just up to no good.

We decided to restrict access to those folks that just shouldn't be there. Here is how we did it:

First, we are using IIS7. If you are using a Unix flavor, you need to modify your .htaccess file in the /etc directory. If you are on IIS, there is a similar procedure. You will be modifying the following file:

%WinDir%\System32\Inetsrv\Config\applicationHost.config

Open this file on your IIS Server and search for

location path=
until you find the web instance you want to apply these settings to.

Next, get this file: http://ip-to-country.webhosting.info/downloads/ip-to-country.csv.zip. It is a list of IP addresses by country code.

The last thing to download is this excellent JavaScript file built by Kanwaljeet Singla. It parses the ip-to-country file into entries you can use in the applicationHost.config file. Once you have the file, rename it to: ipres.js

When you have everything, put it into a folder and pop open your command prompt and go to that directory. Here are a few interesting commands that Kanwaljeet built in:

REM Generate an "allow" list for USA IP addresses
cscript.exe //nologo ipres.js /f ip-to-country.csv /a USA
REM Generate a "deny" list for China IP addresses
cscript.exe //nologo ipres.js /f ip-to-country.csv /d China

So, here is how I got the website to deny anything but United States IP addresses:

  1. Ran the utility above with the command:
    cscript.exe //nologo ipres.js /f ip-to-country.csv /a USA > usa.txt

    This created a file called usa.txt

  2. Opened usa.txt in notepad and copied the text between
    <ipSecurity allowUnlisted="false">
    and the last "add" entry
  3. Opened the IIS applicationHost.config file mentioned above in Notepad.
  4. Pasted the entire section into the system.webServer/security section. I also added a special entry that allows me to access the site locally:
    <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
  5. Recycled the Application Pool with that website and voila!
Great credit goes to Kanwaljeet Singla for his cool tool.
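
The conversion described above, as an added example in JavaScript for Node.js (not Kanwaljeet Singla's ipres.js and not code from the original post). The CSV column layout, the sample rows and all function names are assumptions made for illustration; it also checks which client addresses the resulting allow list admits.

```javascript
// Added example: build an IIS <ipSecurity> allow list from ip-to-country rows.
// Assumed CSV layout: "from","to","cc2","cc3","name" with from/to as 32-bit integers.
// Sample rows are constructed from documentation address ranges, not real assignments.
const SAMPLE_CSV = [
  '"3221225984","3221226175","US","USA","UNITED STATES"', // 192.0.2.0 - 192.0.2.191
  '"3325256704","3325256959","US","USA","UNITED STATES"', // 198.51.100.0 - 198.51.100.255
  '"3405803776","3405804031","KR","KOR","KOREA, REPUBLIC OF"', // 203.0.113.0 - 203.0.113.255
].join("\n");
const toDotted = (n) => [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join(".");
const toInt = (ip) => ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);

// Split an inclusive integer range into aligned blocks expressible as address + mask.
function rangeToBlocks(start, end) {
  const blocks = [];
  while (start <= end) {
    let size = 1;
    while (start % (size * 2) === 0 && start + size * 2 - 1 <= end) size *= 2;
    blocks.push({ ip: toDotted(start), mask: toDotted(2 ** 32 - size) });
    start += size;
  }
  return blocks;
}

// Collect allow entries for one three-letter country code, after any extra blocks.
function allowEntries(csv, cc3, extra = []) {
  const rowRe = /^"(\d+)","(\d+)","[A-Z]{2}","([A-Z]{3})",".*"$/;
  const entries = [...extra];
  for (const line of csv.split(/\r?\n/)) {
    const m = rowRe.exec(line.trim());
    if (m && m[3] === cc3) entries.push(...rangeToBlocks(Number(m[1]), Number(m[2])));
  }
  return entries;
}

// Render the section in the shape pasted under system.webServer/security.
function renderIpSecurity(entries) {
  const adds = entries.map((e) => `    <add ipAddress="${e.ip}" subnetMask="${e.mask}" allowed="true" />`);
  return ['<ipSecurity allowUnlisted="false">', ...adds, "</ipSecurity>"].join("\n");
}

// With allowUnlisted="false", an address is admitted only if some entry covers it.
function isAllowed(entries, ip) {
  return entries.some((e) => {
    const size = 2 ** 32 - toInt(e.mask);
    return Math.floor(toInt(ip) / size) === Math.floor(toInt(e.ip) / size);
  });
}
const entries = allowEntries(SAMPLE_CSV, "USA", [{ ip: "10.0.0.0", mask: "255.0.0.0" }]);
console.log(renderIpSecurity(entries));
```

Running isAllowed(entries, "127.0.0.1") against this list returns false: the 10.0.0.0/255.0.0.0 entry covers private LAN clients but not the loopback address, so check every address you rely on before pasting the list into applicationHost.config.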

Friday, May 10, 2013

SignalR - Microsoft Battles Back

As with many IT leaders (and shareholders), I've been watching Microsoft closely. Will it be able to re-emerge as a winner? Or has Microsoft reached its apogee, and all we can expect is decline? To hear the news, Apple/Google/Facebook/etc. are the winners.

However, there are a number of Microsoft technologies that are poised to change the computer landscape yet again. The one that has been helping me (and which has incredible potential) is SignalR.

SignalR is all about pushing data from the server to a client. For me, it has been a lifesaver for browser communications (but it can be used in any kind of client).

Server-initiated communications have always been tough, especially on top of the HTTP protocol, which is primarily client-initiated communications. The SignalR team has done a couple of really smart things:

  • Client agnostic - First, they came up with a mechanism that works regardless of what client your user is using. It will automatically downgrade its technique to whatever technology is available. For instance, if you are using it within a browser, SignalR will try the following technologies until it finds one that will work with the user's browser:
    • HTML5 Websockets
    • Server Sent Events (EventSource)
    • Forever Frame (Older IE browsers only)
    • Ajax long polling
  • APIs - There are a number of SignalR APIs that make the job incredibly simple. I have primarily used the JavaScript API, but you can incorporate it into almost any .NET, C++, Java, etc. app.

As they say, anywhere a client polls for information from a server is a good candidate for SignalR to be put in place. So, besides webchat, I've thought about using it for:

  • Server monitoring
  • Game servers / Game cheat monitoring
  • Realtime business dashboards
  • Realtime asset mapping
  • Website social network updating
  • Website widgets (weather, stock, deals, etc)
  • Notifications to your desktop, much like Apple's realtime notification service

So, if you are looking for server-initiated, real-time communications, I recommend checking it out. I'm working on a demo that I'll post to this article later today.

Sunday, April 14, 2013

Creating .Net Membership Services


I'm tired of looking up the specific directions for setting up Membership Services. So, these are the quick steps for setting up the MSFT services that give you membership.

1. Set up the db with the Aspnet_regsql.exe tool. Use the one that is in the correct .NET version. For instance: C:\WINDOWS\Microsoft.NET\Framework\4.0\aspnet_regsql.exe

There is a command-line version with options here. An explanation of the Roles and Views that are set up is here.

2. Now for a website, add this to the web.config file within the system.web:

    <authentication mode="Forms" >
      <forms loginUrl="logincs.aspx"
      name=".ASPXFORMSAUTH" />
    </authentication>
    <authorization>
      <deny users="?" />
         <allow roles="Administrators" />
         <deny users="*" />
    </authorization>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
      <providers>
        <add 
          name="SqlProvider" 
          type="System.Web.Security.SqlMembershipProvider" 
          connectionStringName="SqlServices"
          enablePasswordRetrieval="false"
          enablePasswordReset="false"
          requiresQuestionAndAnswer="false" 
          passwordFormat="Hashed" 
          applicationName="SampleApplication" />
      </providers>
    </membership>
    <roleManager defaultProvider="SqlProvider" 
      enabled="true"
      cacheRolesInCookie="true"
      cookieName=".ASPROLES"
      cookieTimeout="30"
      cookiePath="/"
      cookieRequireSSL="true"
      cookieSlidingExpiration="true"
      cookieProtection="All" >
      <providers>
        <add
          name="SqlProvider"
          type="System.Web.Security.SqlRoleProvider"
          connectionStringName="SqlServices" 
          applicationName="SampleApplication" />
      </providers>
    </roleManager>

3. Finally, just configure the web.config items to fit your needs. You can omit the <authorization> area if you don't want it to automatically go to the login page. That should be in a later directory.

Thursday, March 14, 2013

Running a Client-Side Javascript Method with an AJAX UpdatePanel

Have you ever needed to run a client-side JavaScript method when an AJAX UpdatePanel makes an asynchronous postback? I needed to do that recently. I was creating an ASP.NET control for a customer that provided a cool chat feature to their customer support.

When the control performed an async postback, I needed a client-side method to be fired as soon as it executed successfully. Microsoft provides a pretty easy way to do it, but you need to know the trick. Here it is:


1:  <script type="text/javascript">  
2:      function MethodToFire()  
3:      {  
4:        /* Do something on client side */  
5:      }  
6:       /* Sys function to enable client side requests */  
7:      Sys.Application.add_init(appl_init);  
8:       /* The actual function to initialize it. Note the "add_endRequest" */  
9:      function appl_init() {  
10:        var pgRegMgr = Sys.WebForms.PageRequestManager.getInstance();  
11:        pgRegMgr.add_endRequest(MethodToFire);  
12:      }  
13:  </script>  
14:  <asp:UpdatePanel Id="UpdatePanel1" runat="server">  
15:        <Triggers>  
16:          <asp:AsyncPostBackTrigger ControlId="Timer1" />  
17:        </Triggers>  
18:       <ContentTemplate>  
19:            <!-- Some content in here! -->  
20:       </ContentTemplate>  
21:  </asp:UpdatePanel>   

With this, the "MethodToFire" function (line 11) will fire after the Async method returns. Want to fire it before the Async method executes? Use the pgRegMgr.add_beginRequest method instead.
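
The endRequest event is raised when the async postback finishes whether or not the server reported an error, so a handler that should run only on success has to inspect its arguments. The following is an added example, not code from the original post; makeEndRequestHandler and the two callbacks are hypothetical names, while get_error and set_errorHandled are members of the EndRequestEventArgs object that the ASP.NET AJAX library passes to the handler.

```javascript
// Added example: run the client-side method only when the async postback succeeded.
// makeEndRequestHandler, onSuccess and onFailure are hypothetical names.
function makeEndRequestHandler(onSuccess, onFailure) {
  return function (sender, args) {
    var err = args.get_error(); // null when the postback completed without error
    if (err) {
      // Mark the error as handled so the library does not raise its own script error,
      // then hand the message to the caller.
      args.set_errorHandled(true);
      onFailure(err.message);
      return false;
    }
    onSuccess();
    return true;
  };
}

// Registration runs only where the ASP.NET AJAX client library (Sys) is loaded.
if (typeof Sys !== "undefined") {
  Sys.Application.add_init(function () {
    var handler = makeEndRequestHandler(MethodToFire, function (message) {
      // Write server error text with textContent, never innerHTML, so it is not
      // interpreted as markup. "chatStatus" is an assumed element id.
      var box = document.getElementById("chatStatus");
      if (box) { box.textContent = message; }
    });
    Sys.WebForms.PageRequestManager.getInstance().add_endRequest(handler);
  });
}
```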

Happy developing!