IIS - apply Permissions-Policy globally - security

We have a requirement to implement a Permissions-Policy to every site hosted on our IIS instance. I have tried to do this by adding a HTTP response header at the server level, but this doesn't seem to get picked up by any of the sites. If I add to each site individually, the policy is applied. I have tried applying directly to the root web.config file but this doesn't work either. What am I missing? We have a large number of sites, so applying to each site separately isn't really an option.

Related

Setting up existing site on dev server, how do I make "/some folder/file" direct to the application folder instead of the server root?

I have been given a zip file of an existing site to make some changes. All of the paths within the site use a path structure that starts with "/". In an environment where the site is mapped to a domain name, that is fine. However, when I drop the site into a folder on my development server which i reference like:
"//[myserver]/[thissite]/[index.cfm]"
I get constant 500 errors because every include or location reference looks at:
"//myserver/file"
This is probably a really simple issue to resolve but in my 20 years of developing sites, I have never had to deal with it as I always use links relative to the file instead of to the site root.
My first inclination was to just replace the links with relative links but with more than 800, it is not only impractical, but additionally, I can't change every page in the site. I am just supposed to fix the things that are broken.
My development server is running ColdFusion 11 integrated with IIS so the files are located in the "c:\inetpub\wwwroot\siteFolder"
I have tried:
Setting application mapping in an application.cfc file:
this.mappings[ "/" ] = expandPath("/siteFolder");
this.mappings[ "/" ] = expandPath("/siteFolder/");
this.mappings[ "/" ] = getDirectoryFromPath(getCurrentTemplatePath());
this.mappings[ "/" ] = getDirectoryFromPath(getCurrentTemplatePath()) & "/";
Tried setting up a new site in IIS:
Creating another website in IIS and binding it to siteFolder.myserver and myserver.siteFolder both of which resulted in DNS errors
I have also converted the folder to an application in IIS and still no difference.
I am thinking there might be a way to do it through url rewriting, but before spending more time on something that may not work, I thought I was ask for a little help to see if I was on the right track.
It sounds like your current process is to drop applications into subfolders of a single CF website on your IIS server. This will generally work as the presence of an Application.cfc in the subfolder will designate it as a new application with its own scopes, etc. As you've discovered however, it will mess with any absolute paths you may have in the templates.
Your best bet is to set this up as a new site in IIS. You need to set a binding up for it (I tend to use sitename.local) and you'll need to add that to your hosts file with the following format:
127.0.0.1 yoursite.local
Once this is done, you'll want to let IIS know that this is intended to be a ColdFusion application. ACF comes with the Web Server Configuration tool which should be in your start menu. (If not, you can find it in \runtime\bin\wsconfig.exe).
This will let you select which IIS sites are expected to use CFML and will set up the IIS connectors properly.

Creating custom domain names for api

I have a web server using cpanel and I would like to use a custom domain on one folder for an api. So if I created a folder called api in the public_html folder then the path to that folder would be www.example.co.uk/api/(some php file). How could I change it so the folder would become a custom domain of api.example.co.uk/api/(some php file).
I have looked at a few options but don't really know the best way. I have tried to add a htaccsess file to the api folder and then create a rewrite rule to rewrite the www to api.
I also then looked at creating sub domains with the path to the api folder.
I have read that creating a A record on the server could work but I'm not quite sure how to do this. I know it can be done as most apis use some custom domain like facebooks graph api. (i.e https://graph.facebook.com/youtube/)
This will depend on if you have access to make DNS records for your root domain, example.co.uk. For example right now www. is a CNAME or A record (depends on how your web server is set up), that resolves to the address of your web server. If you made an identical record but named it api. (api. IN A ip-of-webserver), then api.example.co.uk would do the same thing that www.example.co.uk does. This is kind of pointless if they go to the same web server though, the /api/ part of the route makes it clear enough that the routes are for the api. What subdomains like facebook's are doing are pointing to a completely different application, and different web servers. For example, a company may have domains like mail.company.com, portal.company.com, sso.company.com, that all resolve to the address of different web servers for the different apps they have, but in this case it sounds like you are running one web server which is fine, you can have one web server be the api as well as serve the website.

IIS reverse proxy not working in Azure Web App

I want to use a reverse proxy to point one of my endpoints to a resource that's hosted elsewhere. My primary server (where everything else is hosted) is in an Azure Web App and is otherwise working perfectly.
I've been using this seemingly failproof article along with the other links mentioned at the bottom of it: https://blogs.msdn.microsoft.com/zhiliang_xus_blog/2016/01/19/build-a-google-reverse-proxy-site-on-azure-web-app-in-less-than-3-minutes/
As a baseline, I used a Web App with no additional code and confirmed that the reverse proxy works. This was done by manually creating/editing the web.config file and applicationHost.xdt file then restarting the server.
I've tried 3 separate approaches (all on clean, new web apps) all of which are failing for me:
Push my code, confirm it works, then follow the reverse proxy steps manually
Follow the steps manually, confirm reverse proxy works, then push my code
Put the reverse proxy files into my codebase and push everything at the same time
None of these 3 approaches are working. Is this a bug in Azure? How can I try to figure this out?
Post XML Transformation (XDT), have you restarted the site?
I would suggest you to take a look at this blog from Ruslan:
http://ruslany.net/2014/05/using-azure-web-site-as-a-reverse-proxy/
It talks about using a Site extension. It implements the reverse proxy and it does the XDT transformation for you.
If the above is setup correctly, then there is something wrong with the URL Rewrite rules. I would recommend you to enable Failed Request Tracing and debug this further.
The link/way you posted used URL Rewrite to implement a reverse proxy. I tested it and it worked fine with my empty web application. After published a web application to the Azure Web App(For example, an ASP.NET MVC web application), the URL Rewrite stopped working. The reason is that all the requests to your web application are routed by ASP.NET route module.
To enable URL Rewrite for some URLs, we need to disable ASP.NET route for these URLs. For example, if you want to rewrite all the requests with "product/xxx" format to another site. You could add following code to RouteConfig.cs file.
routes.Ignore("product/{action}");
The problem in this specific case was the location of my web.config file.
It needs to be in the root directory of the application which, in my case, was not site\wwwroot. My code was being generated and copied into site\wwwroot\dist. Putting the config file in that directory fixed the problem.
Additionally, there are logs that can be enabled to get some insight as to what's going on: https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log

Why is IIS rewriting my URL query string to combine repeated keys?

I'm working with MicroStrategy 10.3, hosted on IIS 7.5. I'm using their
URL API to run a document, and change the value of a drop down selector.
IIS is tinkering with my query parameters though, via a 302 redirect. This URL:
https://server/MicroStrategy/asp/Main.aspx?Server=XXX&Project=XXX&evt=2048001&src=Main.aspx.2048001&maxWait=-1&documentID=XXX&evt=2048084&src=Main.aspx.oivm.rwb.2048084&ctlKey=XXX&elemList=hXX;XXX&evtorder=2048001%2c2048084&2048084=1&2048001=1
is being 302'ed to:
https://server/MicroStrategy/asp/Main.aspx?Server=XXX&Project=XXX&evt=2048001%2C2048084&src=Main.aspx.2048001%2CMain.aspx.oivm.rwb.2048084&maxWait=-1&documentID=XXX&ctlKey=XXX&elemList=hXX%3BXXX&evtorder=2048001%2C2048084&2048084=1&2048001=1
(The two distinct evt and src are being combined, and MicroStrategy is complaining that 'Event ID 2048001,2048084 is illegal'.)
Does IIS do this type of thing out of the box? It certainly seems unlikely. I can't see any custom HTTP redirects in IIS Manager for the application.
IIS was most definitely not the culprit.
MicroStrategy was generating the 302 redirect itself, subsequent to an automated login. You would think that an enterprise application wouldn't rewrite its own URL such that it causes an error, but you'd be wrong.
I resolved the issue by manually adding a login event, and URL-encoding the two events I wanted to call into the target key:
https://server/MicroStrategy/asp/Main.aspx?Server=XXX&Project=XXX&evt=3054&src=Main.aspx.3054&target=evt%3D2048001%26src%3DMain.aspx.2048001%26maxWait%3D-1%26documentID%3DXXX%26evt%3D2048084%26src%3DMain.aspx.oivm.rwb.2048084%26ctlKey%3DXXX%26elemList%3DhXX%3BXXX%26evtorder%3D2048001%252c2048084%262048084%3D1%262048001%3D1

Lets Encrypt ACME Challenge file not accessable from IIS

I have been trying to generate a SSL certificate for one of our projects which is running on an Azure VM which has no IP restrictions. However, the challenge file which is generated throws a 404 error and is not accessible over the web.
I have tried the following:
Moving the static content type above the extension less options in IIS
Adding a mime type for text/json, text/html
None of the above work which is making it really hard for me to generate a SSL using this service. Any idea how I can make it accessible ? I have given full access to that specific App Pool identity so permissions don't seem to be an issue in this case, its just the way the extension less files are being handled in IIS
Any help is appreciated.
Thanks,
Vishal
You just Add a New MIME Type on IIS
like this .
and try use the url at your browser . you will see that
Now you can Pass the lets-encrypt authentication :)
Also, if you're using a system with lots of custom routing or a framework that interferes with how URLs are handled (e.g. a CMS), ensure that you've told it to ignore /.well-known
We often use Umbraco for public-facing sites and I keep forgetting that I need to add ~/.well-known to the umbracoReservedUrls app setting in the web.config. Hopefully next time I'm stuck, I'll come across this answer...
Taking inspiration from the accepted answer, I did the following:
I was using plesk for windows on Godaddy.
Go to
Web server settings
In the MIME types, added the following node and click OK.
text/plain .
Note the dot at the end of the above setting.

Resources