By Ugo Lattanzi on April 23rd , 2015 in various | comments

In the previous post (you can read it here) I wrote about how cool is Redis as cache server and I showed the basic steps to run Redis on premise or on Microsoft Azure if you prefer.

In this post I wanna introduce an small package available on NuGet that complete one of the best library actually available for Redis in a .NET environement.

The package is StackExchange.Redis.Extensions and, as you can imagine from the name, it offers a set of useful helper.

What can we do easily with StackExchange.Redis.Extensions?

In the previous post I wrote that you have to serialize and deserialize a class if you wanna store it into Redis because the library stores a byte[] and the value could be sent via network. Using this library you don't have to worry about that, it does that for you. Right now it can use three different serialization libraries :

  • JSON.Net by NewtonSoft NuGet Status
  • Jil NuGet Status
  • Message Pack CLI NuGet Status

If you need to use another serializazion library you can easily do it by creating an implementation of ISerialize. Of course in this case a Pull Request is welcome

In the example below I'm going to use JSON.Net but the code is the same for the other librarys, just the Nuget Package changes.

First step is to install it on our project so:

PM> Install-Package StackExchange.Redis.Extensions.Newtonsoft

It contains all you need to use Redis, so you don't have to add StackExchange.Redis because it has the right dependency to it.

Now that we are ready, it's enough to create our ICacheHelper instance

var serializer = new NewtonsoftSerializer();
var cacheClient = new StackExchangeRedisCacheClient(serializer);

The constructor of StackExchangeRedisCacheClienthas different overloads offering you the opportunity to specify your custom serializer, database, connection string or, if you have it, your instance of ConnectionMultiplex.

If you use the code above is enough the add the following code to your configuration file replacing the right values (host, port, ssl and so on):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
        <section name="redisCacheClient"
               type="StackExchange.Redis.Extensions.Core.Configuration.RedisCachingSectionHandler, StackExchange.Redis.Extensions.Core" />
    </configSections>

    <redisCacheClient allowAdmin="true" ssl="false" connectTimeout="5000" database="0">
        <hosts>
            <add host="127.0.0.1" cachePort="6379"/>
        </hosts>
    </redisCacheClient>
</configuration>

If you use a dependency injection framework, probably it's better to register it as singleton

From now we have a set of useful methods for the following scenarios:

How can I store a complex object into Redis?

var user = new User()
{
    Firstname = "Ugo",
    Lastname = "Lattanzi",
    Twitter = "@imperugo"
    Blog = "http://tostring.it"
}

bool added = myCacheClient.Add("my cache key", user, DateTimeOffset.Now.AddMinutes(10));

How can I retrieve an object into Redis?

var cachedUser = cacheClient.Get<User>("my cache key");

How can I retrieve multiple objects with single roundtrip?

That's one of my favorite features because It's very helpful in case you have to retrieve several objects in the same time.

var cachedUsers = myCacheClient.GetAll<User>(new {"key1","key2","key3"});

How can I add multiple objects with single roundtrip?

IList<User> values = new List<User>();

var user1 = new User()
{
    Firstname = "Ugo",
    Lastname = "Lattanzi",
    Twitter = "@imperugo"
    Blog = "http://tostring.it"
}

var user2 = new User()
{
    Firstname = "Simone",
    Lastname = "Chiaretta",
    Twitter = "@simonech"
    Blog = "http://codeclimber.net.nz/"
}

var user3 = new User()
{
    Firstname = "Matteo",
    Lastname = "Pagani",
    Twitter = "@qmatteoq"
    Blog = "http://qmatteoq.com/"
}

values.Add(user1);
values.Add(user2);
values.Add(user3);

bool added = sut.AddAll(values);

Can I search keys into Redis?

Yes that's possible using a specific pattern. If you want to search all keys that start with myCacheKey:

var keys = myCacheClient.SearchKeys("myCacheKey*");

If you want to search all keys that contain with myCacheKey:

var keys = myCacheClient.SearchKeys("*myCacheKey*");

If you want to search all keys that end with myCacheKey:

var keys = myCacheClient.SearchKeys("*myCacheKey");

Can I use a Redis method directly from ICacheClient without adding another dependency to my class?

Of course you can. ICacheClient exposes a readonly property named Database that is the implementation of IDatabase by StackExchange.Redis

How can I get server information?

ICacheClient has a method GetInfo and GetInfoAsync for that:

var info = myCacheClient.GetInfo();

That's what the library does right now and I've to say thanks to ziyasal, ppanyukov and rajasekarshanmugam for the contribution.

The project is available on Github here

By Ugo Lattanzi on Mar. 16th , 2015 in owin | comments

I'm very happy to announce that, from today, my first book is available here thanks to Syncfusion that is a popular company among developers for their great suites of controls. The ebook is focused on OWIN (Open Web Server Interface for .NET specification) and it's co-written with my friend Simone Chiaretta who is organizing with me the 2° Web European Conference.

It's a free ebook and, in 110 pages, it covers the most important things you need to know about OWIN from the basic stuff, like "What is OWIN" and "The Middleware", to more complex stuff like "Authentication using social networks" like Facebook, Twitter and Google with ASP.NET Identity and ASP.NET MVC.

Here is the TOC of the book:

  • OWIN
  • Katana
  • Using Katana with Other Web Frameworks
  • Building Custom Middleware
  • Authentication with Katana
  • Appendix

The book is distributed by Syncfusion for free, you just have to register and then you’ll be able to download it both in PDF and Kindle format. Of course if you have feedbacks or you find something that is not clear, that sounds strange or whatever, please don't hesistate to contact me

Owin Succinctly

By Ugo Lattanzi on Mar. 5th , 2015 in azure | comments

I know, the title is a bit provocative or presumptuous if you prefer, but I think this post could be useful if you wanna approach to Redis as cache server using .NET. For all the people who don't know what Redis is, let me quote that definition:

Redis is an open source, BSD licensed, advanced key-value cache and store.

And why is it so cool? This is probably the best answer you can find on internet (source here):

Redis running on an entry level laptop can scan a 1 million key database in 40 milliseconds.

Installation

Now that is clear why Redis is so cool and why lot of enterprise applications use it, we can see how to use it. First of all we have to download Redis from here, unzip the file and run it locally

> redis-server.exe redis.conf

and the console output should be something like this:

RedisConsole

if you want to use Redis on Microsoft Azure, you can do it by creating your instance here:

Azure1

Azure2

choose the best plan for you, the location, add your name in the proper field and create it.

creation could take a while and sometime you can get errors. The reason is that the portal is still in beta but don't worry, keep trying till you get the redis cache server up & running

Azure3

Azure4

Configuration

Here we go, Redis is up & running on your dev machine and/or on Azure if you choose it. Before to start writing code, it's important to choose the client library to use. The most used libraries are

The first one is free and opensource so, if you want to use it, you can do easily. The other one has a AGPL license (from 149$ to 249$).

if you prefer ServiceStack.Redis you can downgrade to version 3.9.71 which was the last truly free

In this article I'm going to use StackExchange.Redis so, let's start to install it using NuGet

PM> Install-Package StackExchange.Redis

There is also a StrongName (StackExchange.Redis.StrongName) package if you need to use it into a signed library.

Now, it's time to write some good code:

namespace imperugo.blog.redis
{
    class Program
    {
        private static ConnectionMultiplexer connectionMultiplexer;
        private static IDatabase database;

        static void Main(string[] args)
        {
            Configure();
        }

        private static void Configure()
        {
            //use locally redis installation
            var connectionString = string.Format("{0}:{1}", "127.0.0.1", 6379);

            //use azure redis installation
            var azureConnectionString = string.Format("{0}:{1},ssl=true,password={2}",
                                    "imperugo-test.redis.cache.windows.net",
                                    6380,
                                    "Azure Primary Key");

            connectionMultiplexer = ConnectionMultiplexer.Connect(connectionString);
            database = connectionMultiplexer.GetDatabase();
        }
    }
}

For some plans, Redis on azure uses SSL by default. If you prefer a no-secure connection you can enable it via Azure Portal, in this case use 6379 and remove ssl=true from the connection string

Add and Retrieve cache objects

StackExchange stores data into Redis sending/retrieving a byte[] or so, whatever you are storing into Redis must be converted into a byte[] (string is automatically converted by StackExchange.Redis implementation so we don't have to do it).

Let's start with simple object like a string

private static bool StoreData(string key, string value)
{
    return database.StringSet(key, value);
}

private static string GetData(string key)
{
    return database.StringGet(key);
}

private static void DeleteData(string key)
{
    database.KeyDelete(key);
}

and now we can use this methods

static void Main(string[] args)
{
    Configure();

    bool stored = StoreData("MyKey","my first cache string");

    if (stored)
    {
        var cachedData = GetData("MyKey");

        bool isIt = cachedData == "my first cache string";
    }
}

That's pretty simple but what about storing complex objects? As I wrote above, StackExchange.Redis stores only byte[] data so we have to serialize our complex object and convert it into a byte[] (there is an implicit conversion in case of string, for this reason we didn't convert the type string to byte[])

The easiest (and probably the best) way to store complex objects consists to serilize the object into a string before to store the data into Redis.

Choose your favorite serialized (NewtonSoft in my case ) and create some helpers like here

public bool Add<T>(string key, T value, DateTimeOffset expiresAt) where T : class
{
   var serializedObject = JsonConvert.SerializeObject(value);
    var expiration = expiresAt.Subtract(DateTimeOffset.Now);

    return database.StringSet(key, serializedObject, expiration);
}

public T Get<T>(string key) where T : class
{
    var serializedObject = database.StringGet(key);

    return JsonConvert.DeserializeObject<T>(serializedObject)
}

Now we are able to put and retrieve complex objects into Redis, next step is to remove it and check if the value exists

public bool Remove(string key)
{
    return database.KeyDelete(key);
}

public bool Exists(string key)
{
    return database.KeyExists(key);
}

if you need async methods, don't worry, StackExchange.Redis has an async overload for almost every method

Resources

Redis Commands absolutety the best reference to understand how Redis works and what StackExchage.Redis does under the table.

StackExchage.Redis documentation is absolutely helpful if you choose this library as your wrapper.

StackExchange.Redis.Extensions is a great library (and I suggest to you it) that wrap the common operation needed with StackExchange.Redis (basically you don't need to serialize objects or create helpers like I explained above):

  • Add complex objects to Redis;
  • Remove an object from Redis;
  • Search Keys into Redis;
  • Retrieve multiple objects with a single roundtrip;
  • Store multiple objects with a single roundtrip;
  • Async methods;
  • Retrieve Redis Server status;
  • Much more;

It uses Json.Net (NewtonSoft), Jil or Message Pack CLI to serialize objects into a byte[]. Anyway we'll see it with the next blog post.

Investigating Timeout Exceptions in StackExchange.Redis for Azure Redis Cache great article about possible timeout exception problem with Redis and Azure

Dashboard

Azure Dashboard

AzureRedis-Dashboard

It offers basic stats but it's free when you use Redis with Microsoft Azure

Redsmin

Redsmin-Dashboard

Probably the most complete dashboard for Redis, offers a set of stats about your Redis servers, supports Azure and has a good prompt allowing you to run Redis command directly on the server without using C# or any other programming language. Unfortunately it is not free, here plans and pricing.

Redis Desktop Manager

Redismin-Dashboard

Open Source tool for Windows, Mac and Linux hosted on Github here (right now it the version 0.7.6) offers to run Redis commands into Redis like Redismin, but unfortunately it doesn't support Azure yet (there is an issue about that opened here).

Redis Live

redis-live-Dashboard

It's a real time dashboard for Redis written using Python.

Conclusions

Redis is absolutely one of the best in memory database available right now. There is a wrapper for every language, it's got a good documentation and it's free. If I were you I'd give it a look!

staytuned!

By Ugo Lattanzi on Feb. 17th , 2015 in aspnet | comments

In the previous post, I wrote about HTTP security, particularly about "special" headers. This post is partially related to the previous one, it means I am writing about security in a common scenario for web applications.

How many times did you add a redirect from an HTTP request to an HTTPS? I think you did it more than one time and, looking on internet, there are several simple solutions.

If you are using OWIN it's enough to create a custom Middleware like this:

public class ForceHttpsMiddleware : OwinMiddleware
{
    private readonly int port;

    public ForceHttpsMiddleware(OwinMiddleware next, int port) : base(next)
    {
        this.port = port;
    }

    public override Task Invoke(IOwinContext context)
    {
        if (context.Request.Uri.Scheme == "http")
        {
            var httpsUrl = string.Format("https://{0}:{1}{2}", context.Request.Uri.Host,
                port,
                context.Request.Uri.PathAndQuery);

            context.Response.Redirect(httpsUrl);
        }

        return Next.Invoke(context);
    }
}

Nothing complex here, but the question is: "Is it correct to redirect a user from an unsecure connection to a secure connection?" Basically the answer should be yes, but you must be careful about a particular scenario.

An unsecure request (HTTP) that includes a cookie and/or SessionId is subject to hijacking attacks and we don't want that to happen on our website. The easiest way to prevent this is to release the cookies only in a secure mode, it means that the cookies are not available from an unsecure request, but only from an HTTPS preventig a MITM (Man in the middle) attack.

Using Aspnet and Owin you can do it easily

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    CookieSecure = CookieSecureOption.Always,
    CookieHttpOnly = true
});

Here the most important part is CookieSecure property. It defines that only HTTPS request can access to cookie. To complete the security scenario, you could add also HTTP Strict Transport Security (HSTS) explained here.

Enjoy.

By Ugo Lattanzi on Feb. 9th , 2015 in owin | comments

There are several ways to add security to our web application, sometime it could be difficult and requires several hours but, with a good architecture, it could be very easy

What some developers don't know is that there are some very useful HTTP Headers available that help your web application to be more secure with the support of the modern browsers.

The site OWASP has a list of the common security-related HTTP headers that every web application must have.


Strict-Transport-Security

also know as (HSTS), is an opt-in security enhancement that it's specified by a web application to enforce secure (HTTP over SSL/TLS) connections to the server preventing downgrate attacks like Man-in-the-middle.

Browser support:

Browser Version
Internet Explorer not supported
Firefox from version 4
Opera from version 12
Safari from Mavericks (Mac OS X 10.9)
Chrome from version 4.0.211.0

Options

Options Description
max-age=31536000 Tells the user-agent to cache the domain in the STS list (which is a list that contains known sites supporting HSTS) for one year
max-age=31536000; includeSubDomains Tells the user-agent to cache the domain in the STS list for one year and include any sub-domains.
max-age=0 Tells the user-agent to remove, or not cache the host in the STS cache

Example:

Strict-Transport-Security: max-age=16070400; includeSubDomains


X-Frame-Options

Provides Clickjacking protection.

Browser support:

Browser DENY/SAMEORIGIN ALLOW-FROM
Internet Explorer from 8.0 from 9.0
Firefox from version 3.6.9 (1.9.2.9) from version 18.0
Opera from version 10.50 not supported
Safari from version 4.0 not supported
Chrome from version 4.1.249.1042 not supported

Options

Options Description
DENY The page cannot be displayed in a frame, regardless of the site attempting to do so
SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself
ALLOW-FROM http://www.tostring.it The page can only be displayed in a frame on the specified origin.

Example:

X-Frame-Options: deny


X-XSS-Protection

This HTTP Header prevents Cross-site scripting (XSS) enabling the filters available in the most recent browsers.

Browser Version
Internet Explorer supported
Firefox not supported
Opera not supported
Safari not supported
Chrome supported

Options

Options Description
0 Disables the XSS Protections.
1 Enables the XSS Protections.
1; mode=block Enables XSS protections and prevents browser rendering if a potential XSS attack is detected
1; report=http://site.com/report Available only for Chrome and WebKit allows to report the possible attack to a specific url sending data (using JSON and verb POST)

Example:

X-XSS-Protection: 1; mode=block


X-Content-Type-Options

This HTTP Header prevents the browsers from MIME-sniffing a response away from the declared content-type.

Options

The only option available here is nosniff

Example:

X-Content-Type-Options: nosniff


Content-Security-Policy

This HTTP Header (aka CSP) is very powerful and it requires a precise tuning because we need to specify all the trusted sources for our pages like Images, Script, Fonts, and so on.

With the correct configuration the browser doesn't load a not trusted source preventing execution of dangerous code.

Browser Version
Internet Explorer partial support starting from 9.0
Firefox from version 4
Opera from version 15
Safari partial support starting from 5.1, total support from 6
Chrome from version 14

Options

Options Description
default-src Specify loading policy for all resources type in case one of the following directive is not defined (fallback)
script-src The script-src directive specifies valid sources for JavaScript
object-src The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
style-src The style-src directive specifies valid sources for stylesheets.
img-src The style-src directive specifies valid sources for images and favicons.
media-src The media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
frame-src The frame-src directive specifies valid sources for web workers and nested browsing contexts loading using elements such as <frame> and <iframe>
font-src The font-src directive specifies valid sources for fonts loaded using @font-face
connect-src The connect-src directive defines valid sources for XMLHttpRequest, WebSocket, and EventSource connections
form-action The form-action directive specifies valid endpoints for <form> submissions
plugin-types The plugin-types directive specifies the valid plugins that the user agent may invoke.
reflected-xss Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header
report-uri The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy (send json using post)

Example:

Content-Security-Policy: default-src 'self'

Now that we know all these header, let's see how to implement them on our applications. As usual there are several ways to configure the HTTP Headers, we can do it using WebServer configuration (IIS and Apache support that) or, if we use owin, we can do it using a sample middleware without configuring the webserver.

The last one is absolutely my favorite implementation because I can switch the webserver without configuring anything (that's is one of the reason why Owin was created).

Anyway let's start to add SecurityHeadersMiddleware

PM> Install-Package SecurityHeadersMiddleware

and now to configure it is very easy

var contentSecurityPolicy = new ContentSecurityPolicyConfiguration();

//Content-Security-Policy header 

//Configuring trusted Javascript
contentSecurityPolicy.ScriptSrc.AddScheme("https");
contentSecurityPolicy.ScriptSrc.AddKeyword(SourceListKeyword.Self);
contentSecurityPolicy.ScriptSrc.AddKeyword(SourceListKeyword.UnsafeEval);
contentSecurityPolicy.ScriptSrc.AddKeyword(SourceListKeyword.UnsafeInline);
contentSecurityPolicy.ScriptSrc.AddHost("cdnjs.cloudflare.com");

//Configuring trusted connections
contentSecurityPolicy.ConnectSrc.AddScheme("wss");
contentSecurityPolicy.ConnectSrc.AddScheme("https");
contentSecurityPolicy.ConnectSrc.AddKeyword(SourceListKeyword.Self);

//Configuring trusted style
contentSecurityPolicy.StyleSrc.AddKeyword(SourceListKeyword.Self);
contentSecurityPolicy.StyleSrc.AddKeyword(SourceListKeyword.UnsafeInline);
contentSecurityPolicy.StyleSrc.AddHost("fonts.googleapis.com");

//Configuring fallback
contentSecurityPolicy.DefaultSrc.AddKeyword(SourceListKeyword.Self);

//Configuring trusted image source
contentSecurityPolicy.ImgSrc.AddHost("*");

//Configuring trusted fonts
contentSecurityPolicy.FontSrc.AddKeyword(SourceListKeyword.Self);
contentSecurityPolicy.FontSrc.AddHost("fonts.googleapis.com");
contentSecurityPolicy.FontSrc.AddHost("fonts.gstatic.com");

app.ContentSecurityPolicy(contentSecurityPolicy);

//X-Frame-Options
app.AntiClickjackingHeader(XFrameOption.Deny);

//X-XSS-Protection
app.XssProtectionHeader();

Here the github repository.

Have fun and make your application secure.