Check incoming requests in IIS with Request Monitor

Enable the Request Monitor feature for IIS Server from the Server Manager, using the Role-based or feature-based installation.

Click on install on the final screen:

When the installation completes, open IIS Manager (inetmgr.exe), select Server name and open Worker processes.

Select a worker process for which you want to monitor the incoming requests. Click on View Current Requests option as shown below on the right pane:

The Request details will be visible as shown in the below screen.

Create a self signed certificate in IIS

An SSL certificate, also known as a digital certificate, helps establish a secure link between the Client browser and the Hosting Server.

Self-signed certificates are created when you need to test your website using an SSL certificate. This is usually not recommended for Production use especially if your website involves sensitive data transactions.

This example is from IIS 8.5. Open IIS Manager and select your Server name from the Left Pane. Double-click on Server Certificates as highlighted.

Select the option for Self-signed certificates on the right as shown. Provide a suitable name for your certificate in the dialog box.

The list will show the created SSL certificate, valid for a year and issued to the Server.

Add this certificate to your website by binding it to port 443.

Since the certificate is issued to the Server, you might get a certificate trust error in the browser. You can just continue to the website to test further.
To get rid of this error, you’ll need to create either a SAN certificate or a wild card certificate as per your needs.

Set the App Pool idle time-out in IIS Server

When it comes to managing your website traffic, one of the things to consider is the availability of your website.

IIS has an idle time-out property that is set to 20 minutes by default. This means that if no request reaches your site for 20 minutes, IIS kills the worker process to free up resources, such as the memory used by loaded classes, sessions etc. This can be helpful when multiple websites are hosted on a Server that is short on resources.

You’ll find the below settings under the AppPool advanced settings:

So, when the next request comes to your site to access something, e.g. the Login page, IIS Server needs to initialize the Worker process again and load the required resources to serve that request. The first request will be slow to respond to the user because of all the initialization time required. You need to think about how much traffic usually comes to your site. If your website requires high availability, then you should consider setting the idle time-out to 0 in the App Pool settings. If high availability isn’t a concern, you can decide how many minutes you’d usually require your application to stay available depending on the traffic.

There have been studies regarding the make or break for websites because of their initial load time. So, please be careful about this setting. Internet facing websites usually require high availability. For Intranet websites, you can think of some number of minutes based on the usage.

Change app pool settings in IIS Express

You may face an Asp.Net error while running your Web Application Project in Debug mode using IIS Express:

“an asp.net setting has been detected that does not apply in integrated managed pipeline mode”

This error means that the framework expects the App Pool to be running the Managed Pipeline Mode as Classic. In Classic mode, managed application events are executed by using ISAPI.

There are other ways to suppress the error by making an entry in the Web.Config file to set the validateIntegratedModeConfiguration to false. But it is better to set the correct application pool.

Select your Project under the Solution and press F4 on your keyboard to access the Project Properties as shown below:

Also, you can enable/disable the Authentication for Anonymous and Windows modes.

Check this post on how to create Virtual Directory in IIS Express.

Internationalization with React JS i18n package

Single Page Applications (SPA) built in React JS that need multi-language support require a way for the user to select a preferred language, after which all or specific text on the page or site should change.

React supports a package i18next that helps load the default language and save the preferred language which the user selects from the UI. react-i18next is built on top of i18next and is a powerful internationalization framework for React JS. This post explains i18n usage for v10 or above.

This example is built on top of my other post for Client-side routing here.

You can find the i18n demo code in my Github profile here.

You need to install the package react-i18next using npm as below:

npm install i18next
npm install react-i18next

Initialize the i18next store placed under the config folder as below:

import i18n from "i18next";
import { initReactI18next } from "react-i18next";
import en from "../locales/en";
import fr from "../locales/fr";
import it from "../locales/it";
import de from "../locales/de";
import es from "../locales/es";
i18n.use(initReactI18next).init({
  resources: {
    en,
    fr,
    it,
    de,
    es
  },
  fallbackLng: "en",
  debug: true,
  ns: ["translations"],
  defaultNS: "translations",
  keySeparator: false,
  interpolation: {
    escapeValue: false,
    formatSeparator: ","
  },
  react: {
    wait: true
  }
});
export default i18n;

The i18n package has a provider which would wrap your react App component.

import React from "react";
import ReactDOM from "react-dom";
import "./index.css";
import App from "./components/App";
import * as serviceWorker from "./serviceWorker";
import { BrowserRouter as Router } from "react-router-dom";
import { I18nextProvider } from "react-i18next";
import i18n from "./config/i18n";
import "bootstrap/dist/css/bootstrap.min.css";
ReactDOM.render(
  <I18nextProvider i18n={i18n}>
    <Router>
      <App />
    </Router>
  </I18nextProvider>,
  document.getElementById("root")
);

Maintain your translation files under the Locales folder and make sure the namespace matches the one provided in the i18next store initialization.
Example translation here:

{
  "translations": {
    "title": "<0>Acerca de</0>",
    "intro": "<0>Esta es la página Acerca de.</0>"
  }
}

The text in the About page is translated as below using the locales:

import React from "react";
import { Trans } from "react-i18next";

const AboutPage = () => (
  <div>
    <Trans i18nKey="title">
      <h2>About</h2>
    </Trans>
    <Trans i18nKey="intro">
      <p>This is the About page.</p>
    </Trans>
  </div>
);

export default AboutPage;

The i18nKey matches the specific text to be translated under the namespace.

The HomePage.js code has a drop-down change language event that will change the translation in the About page when selected.

changeLang = lang => {
    const { i18n } = this.props;
    const { value } = lang;
    this.props.changeLang(lang);
    this.setState({ lang });
    i18n.changeLanguage(value);
  };

The app is hosted on IIS Server. Check out the post here on how to host react app on IIS.

There is also a branch in Github here, that explains the i18n legacy version usage i.e. till v9.

Customize Logging fields in IIS for hosted website

Open IIS Manager on your Web Server and Select the Website for which you want to customize your logging fields. The changes can also be done at the Server level but that depends on the requirement.

Double-click on Logging icon.

Click on Select fields to select or remove any fields that you want in your IIS logs.

To add any custom field, click on the Add Field button as shown below and add the required header. The below example shows how you can get the Client IP information from the X-Forwarded-For Header (XFF) when the Website is hosted on a Server in a Load Balanced environment. The source of this information is the Request header. After the modification, the new log file will have an “_x” suffix in its name.

The Logs directory shown above is where your Log files are saved. To identify the file name, check the Website ID under Sites on the left pane.
The Log file name format will be “W3SVC<ID>”.

Click on Apply on the Actions Pane on the right to apply the changes.
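
Added example (not from the original post): X-Forwarded-For is a request header that the client can set, so a log consumer should accept it only when the direct peer in c-ip is the load balancer. The sketch below parses W3C log lines that carry the custom field and resolves the client address that way; the log lines, the proxy address 10.0.0.5 and the field name X-Forwarded-For are constructed assumptions.

```javascript
// Added example: constructed sample data, not output from a real server.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // assumed load balancer address

// IIS W3C logs write spaces inside a value as "+" and a missing value as "-".
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 8.5",
  "#Fields: date time cs-method cs-uri-stem c-ip sc-status X-Forwarded-For",
  "2020-01-15 10:00:01 GET /login 10.0.0.5 200 203.0.113.7",
  "2020-01-15 10:00:02 GET /login 10.0.0.5 200 198.51.100.9,+203.0.113.8",
  "2020-01-15 10:00:03 GET /health 10.0.0.5 200 -",
  "2020-01-15 10:00:04 GET /admin 192.0.2.44 403 127.0.0.1",
].join("\n");

// Parse W3C extended log text into objects keyed by the names in #Fields.
function parseW3cLog(text) {
  let fields = [];
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
    } else if (line && !line.startsWith("#")) {
      const values = line.split(" ");
      const row = {};
      fields.forEach((name, i) => { row[name] = values[i] ?? "-"; });
      rows.push(row);
    }
  }
  return rows;
}

// Use the header only when the request really came through a trusted proxy,
// then walk the hop list right to left and return the first untrusted hop.
function clientIp(row, xffField = "X-Forwarded-For") {
  const peer = row["c-ip"];
  const xff = row[xffField];
  if (!TRUSTED_PROXIES.has(peer) || !xff || xff === "-") return peer;
  const hops = xff.split(",").map(h => h.replace(/\+/g, "").trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peer;
}

function resolveAll(text) {
  return parseW3cLog(text).map(row => clientIp(row));
}

console.log(resolveAll(SAMPLE_LOG));
```

The last sample line shows why the peer check matters: the request did not arrive through the load balancer, so its X-Forwarded-For value is ignored and c-ip is kept.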

Add Strict-Transport-Security (HSTS) response header to IIS hosted site

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards is used, it is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests a HTTP resource on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.

Security scanners recommend adding the HTTP Strict-Transport-Security (HSTS) response header when the application is using HTTPS.

Depending on the framework being used the implementation methods will vary, however it is advised that the Strict-Transport-Security header be configured on the server. One of the options for this header is max-age, which is a representation (in milliseconds) determining the time in which the client’s browser will adhere to the header policy. The browser will memorize the HSTS policy for the period specified in max-age directive.
Within this period, if a user tries to visit the same website but types http:// or omits the scheme altogether, the browser will automatically turn the insecure link into the secure one (https://) and make an HTTPS connection to the server. Depending on the environment and the application this time period could be from as low as minutes to as long as days.

Enabling includeSubDomains attribute of the element of the root domain further enhances the coverage of the HSTS policy to all its subdomains.
HSTS has a separate mechanism to preload a list of registered domains to the browser out of the box.

It is also usually recommended to redirect all http traffic to https. I’ve written another post on how to do that.

To add the HSTS Header, follow the steps below:

  1. Open IIS manager.
  2. Select your site.
  3. Open HTTP Response Headers option.
  4. Click on Add in the Actions section.
  5. In the Add Custom HTTP Response Header dialog, add the following values:
    Name: Strict-Transport-Security
    Value: max-age=31536000; includeSubDomains; preload

Or directly in web.config as below under system.webServer:

<httpProtocol>
	<customHeaders>
		<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
	</customHeaders>
</httpProtocol>
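
Added example (not from the original post): a small checker for the header value before it is deployed. RFC 6797 defines max-age in seconds, so the 31536000 used above is 365 days, and the preload rule checked here follows the submission requirements published at hstspreload.org; the function names are illustrative.

```javascript
// Added example: validates a Strict-Transport-Security header value.
const ONE_YEAR = 31536000; // seconds; the value used in the web.config above

// Split the header into directives (names are case-insensitive per RFC 6797).
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const part of value.split(";")) {
    const token = part.trim();
    if (!token) continue;
    const [rawName, ...rest] = token.split("=");
    const name = rawName.trim().toLowerCase();
    const arg = rest.join("=").trim().replace(/^"(.*)"$/, "$1");
    if (seen.has(name)) policy.errors.push("duplicate directive: " + name);
    seen.add(name);
    if (name === "max-age") {
      if (/^\d+$/.test(arg)) policy.maxAge = Number(arg);
      else policy.errors.push("max-age must be a non-negative integer");
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true;
    }
  }
  if (!seen.has("max-age")) policy.errors.push("max-age is required");
  return policy;
}

// Report problems a reviewer would flag before the header goes live.
function auditHsts(value) {
  const p = parseHsts(value);
  const findings = [...p.errors];
  if (p.maxAge === 0) findings.push("max-age=0 makes the browser forget the policy");
  if (p.preload && !(p.includeSubDomains && p.maxAge >= ONE_YEAR)) {
    findings.push("preload needs includeSubDomains and max-age of at least one year");
  }
  return { days: p.maxAge === null ? null : p.maxAge / 86400, findings };
}

console.log(auditHsts("max-age=31536000; includeSubDomains; preload"));
console.log(auditHsts("max-age=300; preload"));
```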