I have hosted an asp.net project in IIS and I want to restrict logins to some pages/folders.
I want to restrict all the users to not open some directory files using url.
They have to be able to only access the localhost/mypage/home and localhost/mypage/login. but if I try something like: localhost/mypage/resources/importantNotes.json everyone can open it! So I want somehow to redirect/deny access to it.
Also I want to not "totally" ignore that typical path because I need that resources folder later in my code.
What I have tried:
HTTP-Redirect, this works well, it redirects to specific page but I loose total access to the files I have on that specific path!
I have also tried with filteringRules but still the same result, I loose total acces to that specific resource folder!
What should I try or what am I missing here?
Below is the approach to block accessing folder and its contents using the URL Rewrite module.
You could select your site, open the URL Rewrite module.
Click the Add Rules option, select Request Blocking rule template and click the OK button.
Set * as pattern.
Set {REQUEST_URI} as Condition input. Set /test_folder/ as pattern. You could modify it and specify your own folder name here.
Set Custom Response as Action type. set Status code as 403.
click the Apply button and restart the site.
Output:
To block files in the folder, you need to set the pattern as /test_folder/*.
Output:
Related
I currently have a website running on IIS Windows Server 2019.
The website's url is : https://mywebsite.com/Sub1/login
When i get to https://mywebsite.com i obiously dont get the connexion form.
I would like to get rid of /Sub1/login and turn into https://mywebsite.com.
I tried using URL Rewrite but i don't get the syntax. Could any please help me ? :)
As Lex Li said, you can do this by setting the default document.
In IIS Manager, click the server name node, and then scroll to locate the Default Document icon.
Double click Default Document.
In the Actions pane, click Add.
In the Add Default Document dialog box, type the full filename of the default page.(such as login.aspx)
Click OK.
But the premise is that your default page needs to be placed in the root directory. This way you can directly access your default page by typing https://mywebsite.com in your browser.
In addition, you cannot use the Rewrite operation to remove the path part of the URL, because Rewrite does not change the address in the browser.
I want to reference a javascript file at the bottom of a page template.
I added the .js file under cmssitemanager / development / javascript files and then added the following to the master template (portal engine):
<script src="/CMSScripts/Custom/FOO/BAR.js"></script>
When I open the page in any browser, the javascript in the file isn't executing.
When try to access the file directly in the browser at domain.com/CMSScripts/Custom/FOO/BAR.js I get redirected to the Kentico logon page.
I don't see how/where I can specify security for the CMSScripts directory, but the user should not have to be logged in to access this file.
Any suggestions?
Update with info from first answer:
We are not currently using Windows Authentication, and I verified that the application pool user account has file-system permissions. I also verified that the application can add/delete/modify files using the cmssitemanager > administration > system > files > "test files" utility which resulted in OK status for creating/deleting/modifying folders and files.
I do have Check files permission checked in cmssitemanager > settings > system > files > security. Unchecking this option does not change the behavior, including after restarting both the application and the windows services.
The site is valid and has the correct license however there was NOT a domain alias defined. I added one however this did not change the behavior.
We have not made any changes to the web.config save for connection string information. If you are referring to this documentation on CMSUseTrailingSlashOnlyForExtensionLess in the web.config, this was not previously in there however adding it did not change anything. To that end, I wasn't seeing the site trying to redirect to domain.com/CMSScripts/Custom/FOO/BAR.js/ so I truly think it's tied to some kind of security ACL that is out of order.
Here is the solution provided by user FroggEye on the Kentico DevNet forum thread on this same issue:
You're best bet is to use the syntax below. Kentico does URL processing on all directories unless excluded and you'd have to exclude the CMSScripts directory from processing which isn't hard but the code below is a better solution.
<script src="/CMSPages/GetResource.ashx?scriptfile=/CMSScripts/Custom/FOO/BAR.js" type="text/javascript"></script>
This will do 2 things:
give you a standard place to call resources from (you can get stylesheets here as well)
allow you to use the build-in minimization functions.
Charles,
This is a strange behavior, it does not normally do that.
Do you have any windows auth going on ? where you possibly removed anonymous access (in IIS) to directories in the website folder ?
Do you have Check Files permissions turned on as a Kentico Site setting? (even though I'm fairly sure that won't affect requests to the JavaScript files in JS module)
Is it a valid site (enabled and running in CMSSiteManager) and domain name with a correct license and alias ?
Any custom modifications to web.config file that possibly changed httpHandlers or modules ? And are you running the correct extensionless URL settings in web.config ?
Using website grabbers whole website with folder structure can be downloaded.
Is there any way to prevent this?
If so,how?
The only way to protect a websites markup is not to publish it. If you want your users to see something they need to get the HTML markup and the images, that should be displayed. And therefore the files need to be accessible. And if your files are accessible every user/bot/crawler/grabber can save these files.
The best way is to put a few files like the index page in the main directory and call the other sub pages in it. If using php then you may do the following.
Say keep the index.php in the main folder and keep the homepage.php in a directory called includes and use the homepage in the index.php via include function in php.
Now add a .htaccess file to the includes folder which must contain
"deny from all"
This way users can use the page but will not have direct access to the files. So will be for the grabber.
I am stuck at the situation where I want the url, which contains a folder having some files (html, swf etc.), to be accessible after I validate the user.
For example.
The url to access is:
A - http://mysite.com/files/version/1/file.swf
And this above url is accessible from the link,
B - http://mysite.com/view/1
I have implemented a way to hide the URL A from a normal user but if the user somehow is a semi-techie person then he can know the swf file location from firebug or other tools. So, to make the access-to-file secure what should I do?
If a user somehow knows the first url(A) and then enters it in browser, i have to check if the user is logged-in and if validation is done it lets the url A to be loaded.
Since, in CI, the controller names cannot be named same as the folders in the root directory, in this case i cannot have a controller called “files”. So, the only option left to make this secure access to url work is to use htaccess rule/cond. If this is the only option, then how can it be achieved by htaccess and if not, then what other options do i have.
Will the codeigniter's URI Routes work because when i tried like this:
$route[‘files/version/1/(:any)’] = “view/$1”;
and it doesnt work, maybe because there is no controller/function/param as files/versions/1 ...
looking for quick help. Thanks
There isn't a sure-fire way to do it without, for example, using .htpasswd.
One thing you could implement is sort of "Security by Obscurity". In that case you could redirect all requests to a file to the URL http://mysite.com/view/file-id and then instead of loading the requested file directly, you would load a .php template with the appropriate headers - be it an image, a flash file or anything else.
But it really depends on how the files are going to be managed, since every file will need an entry in the database and you would have to output different headers for different types of files. And if someone still manages to guess the path to the file, it will be directly accessible.
In IIS 6.0, is there an easy way to re-direct requests to a folder to another folder, while preserving the rest of the path.
e.g.
If I have moved the content from:
mysite.org.uk/stuff
to
stuff.mysite.org.uk/
Can I automatically redirect requests for specific pages like
mysite.org.uk/stuff/countrybriefing/tanzania/travel.html
to
stuff.mysite.org.uk/countrybriefing/tanzania/travel.html
I know that .htaccess can do things like this in Apache, is there an equivalent in IIS?
Format the redirect URL in the following way:
stuff.mysite.org.uk$S$Q
The $S will say that any path must be applied to the new URL.
$Q says that any parameter variables must be passed to the new URL.
In IIS 7.0, you must enable the option Redirect to exact destination.
I believe there must be an option like this in IIS 6.0 too.
Taken from Microsoft Technet.
Redirecting Web Sites in IIS 6.0 (IIS 6.0)
When a browser requests a page or program on your Web site, the Web server locates the page identified by the URL and returns it to the browser. When you move a page on your Web site, you can't always correct all of the links that refer to the old URL of the page. To make sure that browsers can find the page at the new URL, you can instruct the Web server to redirect the browser to the new URL.
You can redirect requests for files in one directory to a different directory, to a different Web site, or to another file in a different directory. When the browser requests the file at the original URL, the Web server instructs the browser to request the page by using the new URL.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To redirect requests to another Web site or directory
In IIS Manager, expand the local computer, right-click the Web site or directory you want to redirect, and click Properties.
Click the Home Directory, Virtual Directory, or Directory tab.
Under The content for this source should come from, click A redirection to a URL.
In the Redirect to box, type the URL of the destination directory or Web site. For example, to redirect all requests for files in the Catalog directory to the NewCatalog directory, type /NewCatalog.
To redirect all requests to a single file
In IIS Manager, expand the local computer, right-click the Web site or directory you want to redirect, and click Properties.
Click the Home Directory, Virtual Directory, or Directory tab.
Under The content for this source should come from, click A redirection to a URL.
In the Redirect to box, type the URL of the destination file.
Select the The exact URL entered above check box to prevent the Web server from appending the original file name to the destination URL.
You can use wildcards and redirect variables in the destination URL to precisely control how the original URL is translated into the destination URL.
You can also use the redirect method to redirect all requests for files in a particular directory to a program. Generally, you should pass any parameters from the original URL to the program, which you can do by using redirect variables.
To redirect requests to a program
In IIS Manager, expand the local computer, right-click the Web site or directory you want to redirect, and click Properties.
Click the Home Directory, Virtual Directory, or Directory tab.
Under The content for this source should come from, click A redirection to a URL.
In the Redirect to box, type the URL of the program, including any redirect variables needed to pass parameters to the program. For example, to redirect all requests for scripts in a Scripts directory to a logging program that records the requested URL and any parameters passed with the URL, type /Scripts/Logger.exe?URL=$V+PARAMS=$P. $V and $P are redirect variables.
Select the The exact URL entered above check box to prevent the Web server from appending the original file name to the destination URL.
If you have loads of re-directs to create, having loads of virtual directories over the places is a nightmare to maintain. You could try using ISAPI redirect an IIS extension. Then all you re-directs are managed in one place.
http://www.isapirewrite.com/docs/
It allows also you to match patterns based on reg ex expressions etc. I've used where I've had to re-direct 100's of pages and its saved a lot of time.
Here's the config for ISAPI_Rewrite 3:
RewriteBase /
RewriteCond %{HTTP_HOST} ^mysite.org.uk$ [NC]
RewriteRule ^stuff/(.+)$ http://stuff.mysite.org.uk/$1 [NC,R=301,L]