I am getting a lot of spam/unwanted traffic from ips from China for eg. 125.116.123.14 as seen in my FTP logs with attempts log in etc.
Is there a way i can block this in Coldfusion Application.cfc? Currently i am manually going and blocking them on IIS.
It could be as simple as this in the top of Application.cfc:
<cfif Left(cgi.REMOTE_ADDR, 7) EQ "125.116">
<cfabort/>
</cfif>
You can play with checking patterns and achieve some acceptable results.
But still, I would recommend to handle it at web-server level for better efficiency. I don't know much about advanced IIS stuff, but extensions like Dynamic IP Restictions may work for you.
Related
I would like to know what is the best way to redirect everything from marketing-address.com to real-address.com.
best means
as less effort as possible,
as cheap as possible,
as secure as possible.
In detail:
Less effort: If possible without the need of creating a website oder some code like javascript
Secure: https://marketing-address.com should be accpeted by the browsers - no warning.
Cheap: if possible without buying a certificate (I don't think that this is possible) and without having a second webserver running
So in theory, the communication would be like this:
Making the address targeting the same IP address
Making the existing IIS listen to that address to
Let IIS tell the caller "yes, you're totally right here, but I neither I have a website nor do I have a certificate, but you don't need anything of that since you get redirected anyway..."
Is there a chance to accomplish that? If no, I would need to buy a certificate. What would be the solution then?
There are 2 restrictions:
We are using an Azure App Service for hosting an asp.net core site, which seems to be very restricted in configuration possibilities
The browser should definetly show the real-address.com in the URL, not the marketing-address.com.
Have you tried to use an Application Gateway before the IIS/Webapp at the backend?
I believe the AppGW will solve these issues, the AppGW can redirect the hostname to another web address, as many you want to.
https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#tls-termination
I've searched around on SO, and found a few questions that ask about this, but most of the answers that I've come across all seem to suggest either filtering via IP range or introducing conditional code to the engine powering the site; neither of these options are viable for me. If this does turn out to be a duplicate where this an answer that fits in to my use case, then I apologize in advance, but I just can't seem to find anything.
My original method of filtering myself out from Google Analytics was to simply redirect requests to google-analytics.com and the https version of GA to localhost in my hosts file. This works just fine on my desktop, but it is useless when testing on mobile devices like an iPhone (unless somebody knows how to finagle the iPhone's hosts file without jailbreaking).
My setup for local testing is to use pow with .dev domains for the local project directories, and then when I need to see the development version of sites on mobile devices I use Xip.io in conjunction with Adobe Shadow.
I can't filter by IP range because I frequently work from home, and my ISP doesn't provide static addresses for residential accounts.
I tried to set up a Custom exclude filter in my Google Analytics profile to filter out traffic originating from these domains, but they either don't work or I have a really bad misunderstanding of how the Exclude filters work (which is entirely possible). I have Custom Filters set up to Exclude based on the Hostname, matching the patterns \.dev and .*xip\.io/.* but these filters do absolutely nothing. I believe this is because this filter is, technically, looking for the hostname of the originating domain and not the hostname being requested, but I'm really not sure because the language is vague and differs depending on which help document you're looking at.
Short of manually removing the GA tracking codes from the site during local dev then going back and adding them back in, does anybody have any suggestions or can anybody tell me what I'm doing wrong with my Exclude filters?
I've been using a variation on the analytics tracking code to prevent page views from being tracked on our staging server -- something like:
if (!/\.dev|xip\.io/.test(window.location.hostname)) _gaq.push(['_trackPageview']);
Alternatively, you could apply this to the _setAccount call. If you do this and look at the tracking requests, the web property ID shows up as 'UA-XXXXX-X'
You could rely on
window['ga-disable-UA-XXXXXX-Y'] = true;
where UA-XXXXXX-Y is the account ID. (details here).
Like creating a page or webserver directive that sets a cookie (page reserved to developers to be excluded from ga), and in your code that loads ga:
if (hasDeveloperCookie()) {
window['ga-disable-UA-XXXXXX-Y'] = true;
}
I want to display beautiful page (with excuses) to the users if my webserver is down.
How it is possible?
My first idea was to make VM in cloud and to setup nginx there, which will check if webserver is available, and display beautiful error page if it's not.
Is there another way to perform it (without nginx proxy)? (Maybe some magic with dns.. i don't know)
Thanks in advance!
With proxy, when you site is up, all traffic will pass through that proxy. Now, what will you do when the proxy is down ? - While trying to handle one point of failure you just introduce an additional one. Also, you site response time will be lower, and you will pay three times for your traffic (your website, VPS in and VPS out). Hence, proxy idea alone makes little sense.
What you can do is when your site is down, point DNS records for your site to some other location (like your VPS). You will need DNS provider which supports dynamic updates.
You may also have such DNS-based failover completely as a service - see dnshat.com, edgedirector.com and lots of others.
To avoid mixed content warnings I would like to have a file that can be delivered under both protocols (http/https). Ie.
http://www.site.com/file.js
and
https://www.site.com/file.js
I've had a look at google analytics injection code and they use a diferent domain, i.e:
http://www.google.com and https://ssl.google.com.
Now I would like something a little 'cleaner'? I really don't want to have 2 websites to mantain. Does anyone know if this is possible in IIS?
Thanks
Guido
This doesn't have to be a different domain, it will typically use the domain just a different port. See "How to Setup an HTTPS Service in IIS."
EDIT
I see you you are talking about mixing SSL and non SSL, so if my answer above doesn't help. It seems that using relative URLs are the answer. Take a look at Http-https transitions and relative URLs.
Is there any way in IIS to map requests to a particular URL with no extension to a given application.
For example, in trying to port something from a Java servlet, you might have a URL like this...
http://[server]/MyApp/HomePage?some=parameter
Ideally I'd like to be able to map everything under MyApp to a particular application, but failing that, any suggestions about how to achieve the same effect would be really helpful.
You can set the IIS6 to handle all requests, but the key to handle files without extensions is to tell the IIS not to look for the file.
http://weblogs.asp.net/scottgu/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx
You can also create an ISAPI filter that re-writes urls. The user enters a url with no extension, but the filter will interpret the request so that it does. Note that in IIS it's real easy to screw this up, so you might want to find a pre-written one. I haven't used any myself so I can't recommend a specific product that's any different than what you'd find via google, especially as I don't know your specific use case. But at least now you know what to search for.
You can also rewrite your urls using ASP.Net:
http://msdn.microsoft.com/en-us/library/ms972974.aspx