PUBLISHED 29 December, 2014
Hi guys!
Do you know that special feeling some features can give you? Things that only can be described as neat. I think we just made one of them on Servant. Check out this GIF:
Yeah, I just used drag and drop to deploy a website to my IIS. I don’t wanna brag but I really think it’s awesome!
Behind the scene we use the browser to pack and compress your files into one zip archive. Then we upload this zip to a hidden URL. The zip is only stored in memory and it’s automatically wiped after 5 minutes. Now we tell your Servant Client (meaning your web server) to download the zip, extract it to the specific site (into a new folder) and change the site’s disk path to the new location.
By deploying to a new folder we also remove the seconds of downtime you normally experience when using the same-folder-strategy. The new folder name will include a timestamp.
We will extend this deployment feature with history, auto warm-up and error detection with automatic roll-back (no ETA yet).
What do you think? Cool and useful or a complete waste of time? Leave a comment!
Do you still manage your web server through remote desktop or IIS Manager? Try Servant.io today!
PUBLISHED 13 November, 2014
What have changed?
Some of you may already know about Servant for IIS - a lightweight web interface for IIS (Which is still available at GitHub of course). Servant.io is the next step in making management of web servers even easier and much more awesome.
What we have done is simply move Servant to a hosted cloud environment like you know it from Boundary, New Relic and services like that. We have developed a small client/agent to be able to communicate with your servers (the source is open and available for everyone).
We’re working like crazy apes to bring new features. Below I’ll list the features we have pushed live so far.
-
Web farm support: One of the biggest feature requests on Servant for IIS was multi-server/web farm support. Servant.io now fully supports IIS web farm setups. You simply select one server to be your primary configuration, and Servant will take care of keeping your sites in sync.
-
Deployment: We bring automated deployment to both single servers and web farms. You upload a zip file containing you site, and Servant will extract the site on every server. Servant always extract to a new folder when deploying, and it doesn’t change the path until the site is completely ready. This dramatically reduces downtime on deployment.
-
Plug and play: One super important thing for us is that it won’t be annoying to install the Servant Client. To overcome firewall issues we communicate entirely on port 443 (HTTPS). We use WebSockets (SignalR actually) to send commands to your server so you don’t have to open for incoming traffic. All communication is of course securely done via SSL.
-
Security: Everyone knows that no software is completely secure. We do a lot to keep Servant super safe, but if something bad happens we introduced a completely automated and silent updater. This makes us able to push security fixes instantly to your server. Everything is happening without any effort required by you. Your Servant Client will always be up to date.
The future
We have endless numbers of features that we want to introduce, but right now this is what we have in the official pipeline.
-
Drag and drop deployment: Simply drag a folder from your disk onto your site in Servant, and we will handle zipping and deploying.
-
Deploy from Visual Studio/IDE: We’re developing support for deployment (server + web farm) via FTP. This will enable you to deploy to all your servers directly from Visual Studio/your IDE.
-
Powershell/command line access: You will be able to execute commands and powershell on your server directly from the Servant.io web interface. Executing commands on every server in a farm will also be possible.
Pricing
Servant.io is currently in public preview which is completely free for everyone. When we feel like the product is worth paying for, we will introduce a price model.
I promise prices will be fair and will match the size of your organization. Also we will have a discount for students + completely free for open source organizations!
That’s all for now. I hope you’re as excited as we are. We want to bring the best web server manager ever.
Please leave a comment, I love feedback :-)
Do you still manage your web server through remote desktop or IIS Manager? Try Servant.io today!
What is PJAX and why?
Today most web applications use a layout page, because we need to maintain the same HTML code over multiple pages. This HTML could be the header, footer and so on.
When the user clicks around our application they need to download this header and footer again and again and again.
Some developers use AJAX to download data from the server, and then manipulate with the DOM using Javascript to show this new data. Some use big Javascript frameworks and call their application a SPA. This is clever, but isn’t compatible with search engines and non-javascript users. So developers is forced to support two “versions” - a AJAX version and a pure HTML version. Cumbersome and expensive if you care about SEO.
PJAX fixes this issue. When enabled it will tell the server if it should include the layout HTML or not. If Javascript is enabled (not a crawler) there’s no reason to include the layout. If not, the server returns the complete HTML.
Quote from https://github.com/defunkt/jquery-pjax: pjax works by grabbing html from your server via ajax and replacing the content of a container on your page with the ajax’d html. It then updates the browser’s current url using pushState without reloading your page’s layout or any resources (js, css), giving the appearance of a fast, full page load. But really it’s just ajax and pushState.
So to get to the point: PJAX is a plug-and-play plugin that reduces bandwidth usage, increase performance and is fully compatible with non-javascript users.
Also, please notice that PJAX is also part of the YUI library: http://yuilibrary.com/yui/docs/pjax/, however I will use the standalone version in this demo.
Setting up the demo
I’ll go through setting up the demo application real quick, since this article isn’t about Nancy, but PJAX. If you’re new to Nancy I suggest you start by reading my getting started on Nancy blog posts.
Required Nuget packages for the demo is the following:
install-package nancy.hosting.aspnet
install-package nancy.viewengines.razor
install-package jquery
install-package jquery.pjax
After installing Nuget packages I move the script folder into another folder called “Content” only to follow Nancy conventions.
A HomeModule containing a set of actions:
using Nancy;
namespace NancyPjaxDemo
{
public class HomeModule : NancyModule
{
public HomeModule()
{
Get["/"] = p =>
{
return View["Index"];
};
Get["/first/"] = p =>
{
return View["First"];
};
Get["/second/"] = p =>
{
return View["Second"];
};
}
}
}
A _Layout.cstml view:
@using System
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<title>@ViewBag.Title</title>
</head>
<body>
Layout loaded: @DateTime.Now
<div id="container">
@RenderBody()
</div>
</body>
</html>
A Index.cshtml view:
@{
Layout = "_Layout.cshtml";
}
<h1>Index page</h1>
<ul>
<li><a href="/first/">First link</a></li>
<li><a href="/second/">Second link</a></li>
</ul>
And at last a First.cshtml and Second.cshtml:
@{
Layout = "_Layout.cshtml";
}
<h1>Welcome to second page!</h1>
<a href="/">Go back to the index page</a>
My solution explorer now looks like this:
Setting up the Javascript
Perfect, our demo is ready. Time to set up PJAX. First, let’s update the layout page to include jQuery and the PJAX library. I’ll add the following two lines just before my </body> tag:
<script src="~/Content/Scripts/jquery-2.1.0.min.js"></script>
<script src="~/Content/Scripts/jquery.pjax.js"></script>
Next I’ll tell PJAX to use my #container element which you can find in my _Layout.cshtml page:
<script>
$(document).pjax('a', '#container', { timeout: 1000 });
</script>
This tells PJAX that whenever a user clicks a link, the content should be loaded into #container. The exact same behavior as Razor’s @RenderBody().
To summerize, my _Layout.cshtml page now looks like this:
@using System
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<title>@ViewBag.Title</title>
</head>
<body>
Layout loaded: @DateTime.Now
<div id="container">
@RenderBody()
</div>
<script src="~/Content/Scripts/jquery-2.1.0.min.js"></script>
<script src="~/Content/Scripts/jquery.pjax.js"></script>
<script>
$(function() {
$(document).pjax('a', '#container', { timeout: 1000 });
});
</script>
</body>
</html>
Now when I click through my application I will see that PJAX now sends each request using AJAX instead of regular pageloads.
You’ll also notice the X-PJAX: true header (marked with yellow). This tells our application that this request should not contain the layout HTML, only the new HTML for the requested page.
Because PJAX detects that we are returning the Layout HTML again, it fires a regular pageload. What we need to do is tell Nancy to forget about the Layout page if we see this header.
Setting up Nancy for PJAX
First, we need to provide all views a bool indication whetever the request is coming from PJAX or not. I’ll do this by using the Before hook in Nancy in my HomeModule:
Before += ctx => {
ViewBag.IsPjax = Request.Headers.Keys.Contains("X-PJAX");
return null;
};
This will make my HomeModule look like this:
using System.Linq;
using Nancy;
namespace NancyPjaxDemo
{
public class HomeModule : NancyModule
{
public HomeModule()
{
Before += ctx =>
{
ViewBag.IsPjax = Request.Headers.Keys.Contains("X-PJAX");
return null;
};
Get["/"] = p =>
{
return View["Index"];
};
Get["/first/"] = p =>
{
return View["First"];
};
Get["/second/"] = p =>
{
return View["Second"];
};
}
}
}
Great, now ViewBag.IsPjax can tell is if the request is coming from PJAX. Now we simply need to add an if-sentence to our Views, to make them able to ditch the layout if request is coming from PJAX:
@{
Layout = ViewBag.IsPjax ? null : "_Layout.cshtml";
}
I’ll do this everywhere I set the Layout in Razor. In my demo it will be Index.cshtml, First.cshtml and Second.cshtml.
Now when I click around my application, I’ll see that the “Layout loaded” timestamp doesn’t change, but the content and URL does! If I disable Javascript, everything still works as any other regular webpage.
We’re done!
That’s it, one complete PJAX application. You should notice that when you write Javascript for PJAX application it is very important that all events is attached to the #container object. For example to handle a click event on some button, you should NOT do this:
Wrong way:
$('#MyButton').click(function() {});
Right way:
$('#container').on('click', '#MyButton', function() {});
The reason is that PJAX will inject the content of your pages into the existing DOM. The “wrong example” only hooks up to instances of my #MyButton on intilization, but PJAX injects #MyButton after initilization.
I hope you see the power of PJAX. I really do think this is the next big thing. I already use it in production and it is a huge timesaver and have really changed the way I do web applications. To be honest I tend to write much more C# than Javascript now, after PJAX. Simplicity at it’s best. PJAX have my vote for the no. 1 web technology of 2014.
The full source of this demo is available at GitHub: https://github.com/jhovgaard/nancy-pjax-demo.
Please leave a comment, I love feedback :-)
Do you still manage your web server through remote desktop or IIS Manager? Try Servant.io today!
What is CSRF?
Alright, I’ll make this quick since most of you will know this already.
CSRF stands for Cross-Site Request Forgery. What it bascially means is, that you make one website do a request to another website, without letting the user know.
To ensure that a request is coming from your own website, we have to push a unique string into a hidden input in every form that we post - this is called the AntiForgeryToken.
If you want to know more about CSRF go check out the Wikipedia page, it’s actually very well explained.
CSRF and Nancy
Like any other functionality in Nancy, you will not get a full blown plug-and-play solution. As always Nancy is all about lightweight and total freedom, so we have to make a little effort:
- Enable CSRF support in the
Bootstrapper.
- Insert the
AntiForgeryToken in every <form> element of our application.
- Validate the posted CSRF token using the built-in Nancy Helper method
ValidateCsrfToken().
- Handle when Nancy can’t accept a given token (or if none is provided).
Alright let’s go.
1. Enable CSRF support
Create a NancyDefaultBootstrapper class or use your existing. Add the following line to your ApplicationStartup() method:
Nancy.Security.Csrf.Enable(pipelines);
My bootstrapper now looks like this:
using Nancy;
using Nancy.Bootstrapper;
using Nancy.TinyIoc;
namespace NancyCsrfDemo
{
public class Bootstrapper : DefaultNancyBootstrapper
{
protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines)
{
base.ApplicationStartup(container, pipelines);
Nancy.Security.Csrf.Enable(pipelines);
}
}
}
Alright, you should already have some views in your application, one of them containing some form. In my example I’m using Razor as the viewengine.
To add the AntiForgeryToken to my form I simply add Html.AntiForgeryToken() to anywhere inside my <form> element.
My view looks like this:
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<title></title>
</head>
<body>
<h1>Welcome to Nancy CSRF Demo, @ViewBag.Name</h1>
<form action="/" method="POST">
Name:<br/>
<input type="text" name="name" value="@ViewBag.Name" />
<input type="submit" />
@Html.AntiForgeryToken()
</form>
</body>
</html>
The generated value of @Html.AntiForgeryToken() looks something like this (the string will change for each request):
<input type="hidden" name="NCSRF" value="AAEAAAD/////AQAAAAAAAAAMAgAAAD1OYW5jeSwgVmVyc2lvbj0wLjIyLjIuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsBQEAAAAYTmFuY3kuU2VjdXJpdHkuQ3NyZlRva2VuAwAAABw8UmFuZG9tQnl0ZXM+a19fQmFja2luZ0ZpZWxkHDxDcmVhdGVkRGF0ZT5rX19CYWNraW5nRmllbGQVPEhtYWM+a19fQmFja2luZ0ZpZWxkBwAHAg0CAgAAAAkDAAAAOrVPNrYs0YgJBAAAAA8DAAAACgAAAAI4qmisW7sYu2FlDwQAAAAgAAAAAsdnVjuuU1fzpb58LEjF1pcK98u9ENMjG0viyxLpvlv/CwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="/>
Validate the posted token
When the user clicks my submit button their browser will send my application the value of the AntiForgeryToken/CSRF token. We need to handle this.
Nancy have a builtin method called ValidateCsrfToken(). The method will automatically lookup Request.Form.Ncsrf and throw a CsrfValidationException if the token is not valid.
The exception will end up showing a Error 500 page to the user, which isn’t fortunately. To overcome this we catch this exact exception and show some other result. Here’s my NancyModule:
using Nancy;
using Nancy.Security;
namespace NancyCsrfDemo
{
public class HomeModule : NancyModule
{
public HomeModule()
{
Get["/"] = p =>
{
return View["Index"];
};
Post["/"] = p =>
{
try
{
this.ValidateCsrfToken();
}
catch (CsrfValidationException)
{
return Response.AsText("Csrf Token not valid.").WithStatusCode(403);
}
ViewBag.Name = Request.Form.Name;
return View["Index"];
};
}
}
}
As you can I simply return a text response to the user, telling them the token is invalid. Also I’m returning a 403 Forbidden status code instead of 500 Internal Error. You may choose another solution :-)
Simple as that!
That is how CSRF protection works using Nancy. Please notice I’m not showing best practice here. You should move the try-catch into a BaseModule (maybe use the Before hook), there’s no need to copy/paste that code into every action of your application.
If I helped you out, please leave a comment, I love feedback :-)
The full example/demo is available at GitHub:
https://github.com/jhovgaard/nancy-csrfdemo
Do you still manage your web server through remote desktop or IIS Manager? Try Servant.io today!
PUBLISHED 9 September, 2013
Wauw, happy days! This was a biggy! I’ve decided to completely open-source my number 1 pet project, Servant for IIS, under the MIT license. This means that you can jump right to https://github.com/jhovgaard/servant and check out the source. You can of course fork your own version, make it more awesome and send me your pull request!
I received a couple of questions regarding the open sourcing of Servant. I’ll share my answers here:
Was Servant initially meant to be monetized?
Absolutely! I wanted to make a Pro edition and earn some cash that way. Unfortunately for my economy it felt wrong. I’ve never shared anything but my blog posts with the community, even that I got so much from it. Making money out of my first real project just felt bad so I decided to open source it instead.
Does open sourcing Servant mean you’ll stop supporting and developing it?
Not at all. I’ll continue to support and develop Servant like I used to. The only difference is that you guys can help me make it go a lot faster! :-)
So that’s it! My first open-source project. I’m very excited about the future of Servant. I hope to see a lot of issues getting created and even some pull requests (that really would be awesome!).
Thanks for reading!
Jonas
Do you still manage your web server through remote desktop or IIS Manager? Try Servant.io today!
