i have MVC app with identity authentication
this site business is playing video which edited by ffmpeg .
<video id="videojs-hls-quality-selector-player" class="video-js vjs-default-skin" width="640" height="360" controls>
<source src="video\index.m3u8" type="application/x-mpegURL">
</video>
i want to prevent direct access from browser to this link , unless user has session
https://localhost/vide/index.m3u8
i tired this code for config file
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
but i still be able to access the file and not able to aceess folder
ex:-
https://localhost/video/index.m3u8
accessible
https://localhost/video
Not accessible !
i tried this link , but still not get it
how to deny user to access sub folders and file?
You can try to use the Request Filtering module in IIS, you can use the hidden segments:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="index.m3u8"/>
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
When request filtering blocks an HTTP request because of a hidden URL segment, IIS will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied.
When you access https://localhost/video/index.m3u8, you will get HTTP Error 404.8 - Not Found.
For more information, please refer to the following documents:
https://learn.microsoft.com/en-us/iis/manage/configuring-security/use-request-filtering
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/hiddensegments/
Related
is there anyone expert enough in IIS7+ server and also web.config settings to say if it is possible to configure IIS server retain http-method (verb) while redirecting to different url - in the case of page-not-found-error 404 with the typical httpErrors dealing via web.config?
<system.webServer>
<directoryBrowse enabled="false"/>
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1"/>
<remove statusCode="403" subStatusCode="-1"/>
<error statusCode="404" path="/restApp/config/restMappings.asp"
responseMode="ExecuteURL"/>
<error statusCode="403" path="/restApp/config/restMappings.asp"
responseMode="ExecuteURL"/>
enter code here</httpErrors>
</system.webServer>
Problem is that redirecting this way usually changes the http-method to GET-method irrespective of original request method, like POST or DELETE. So, in server variables you always only have GET after redirection. Is is possible somehow to retain the original http-method after redirection, so that it is available in the corresponding server-variable?
I am neeeding this in classic asp scenario for restful apis.
You can use the HTTP code 307 Temporary Redirect to maintain the HTTP method during redirection.
Response.Status = "307 Temporary Redirect"
Response.AddHeader "Location", "http://www.example.com/"
Running ColdFusion 11 (Update 7) and IIS 7.5
My site application/root level web.config:
<configuration>
<system.webServer>
<httpErrors errorMode="Custom" />
</system.webServer>
</configuration>
My nested web.config file, which sits inside /api/eb :
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
When I visit a page that sits within the /api/eb sub-directory (e.g. 401.cfm) and trigger a 401 status code the server will return the Custom error handler response. My interpretation from the docs is that the nested web.config file should override the root web.config file but it clearly is not.
I've checked within the IIS applicationhost file and httpErrors overrideModeDefault is set to true. I also tried using a location tag within my root web.config file to do the same thing but it is also ignored unless I set the path to the wildcard character.
I'm out of ideas. Your help will be greatly appreciated. Thank you in advance.
I found this article which seems to explain your question pretty well - How to Use HTTP Detailed Errors in IIS 7.0
Specifically this excerpt:
Security Considerations
A word of caution: For architectural reasons, IIS can only execute the URL if it is located in the same Application Pool. Use the redirect feature to execute a Custom Error in a different Application Pool.
IIS can also return a 302 Redirect to the browser when a particular error occurs. Redirect is good if you have a server farm. For instance, you can redirect all your errors to a central location that you closely monitor.
There is risk however: responseMode="File" (which is the default) allows you to specify every file on the disk. This will not work if you are very security conscious.
A workable scenario might include only allowing the delegation of the errorMode setting. This enables a developer to receive Detailed Errors for his application even if he is using a remote client. All that is necessary is to set errorMode="Detailed". Here is how to configure this scenario:
Allow the delegation of the httpErrors section:
<section name="httpErrors" overrideModeDefault="Allow" />
Second, go to the section in applicationHost.config and change it so that only errorMode is delegated:
<httpErrors lockAllAttributesExcept="errorMode" lockElements="error">
<error statusCode="404" prefixLanguageFilePath="E:\inetpub\custerr" path="404.htm" />
<error statusCode="401" prefixLanguageFilePath="E:\inetpub\custerr" path="401.htm" />
<error statusCode="403" prefixLanguageFilePath="E:\inetpub\custerr" path="403.htm" />
<error statusCode="405" prefixLanguageFilePath="E:\inetpub\custerr" path="405.htm" />
<error statusCode="406" prefixLanguageFilePath="E:\inetpub\custerr" path="406.htm" />
<error statusCode="412" prefixLanguageFilePath="E:\inetpub\custerr" path="412.htm" />
<error statusCode="500" prefixLanguageFilePath="E:\inetpub\custerr" path="500.htm" />
<error statusCode="501" prefixLanguageFilePath="E:\inetpub\custerr" path="501.htm" />
<error statusCode="502" prefixLanguageFilePath="E:\inetpub\custerr" path="502.htm" />
</httpErrors>
Notice that the correct value for the overrideModeDefault attribute is Allow, not true as you mentioned in your question.
This article further explains the overrideModeDefault attribute - Understanding IIS 7.0 Configuration Delegation
Excerpt:
The overrideModeDefault attribute is an optional attribute that defines the locked state of a section. Its available values are either Allow or Deny. The default value is "Allow". All IIS sections that are related to any performance, security or critical aspect of the server are locked with this attribute set to "Deny". If the overrideModeDefault attribute is set to "Deny", then any configuration files at a lower level (i.e. web.config files) that set a value for a property for the specific configuration section are not able to take effect and override the global values. This incurs in a lock violation and an error occurs.
Is there any way I can have IIS 7.0+ (or 7.5+) configured such that for certain paths Request Filtering is completely disabled. That is,
http://host.local/foo/bar.cs
is forbidden (since serving *.cs files is explicitly forbidden in applicationHost.config), but
http://host.local/foo/allow-all/bar.cs
is allowed.
In your allow-all directory, you can create a web.config file with the following configuration:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".cs" />
</fileExtensions>
</requestFiltering>
</security>
<staticContent>
<mimeMap fileExtension=".cs" mimeType="text/plain" />
</staticContent>
</system.webServer>
</configuration>
This configuration removes the .cs extension from the request filtering. Additionally, for IIS to properly serve content, it needs a MIME type, so the .cs extension is added as text/plain.
These changes will also apply to all child directories of allow-all. This configuration works with an Integrated App Pool. Classic may require additional changes since there are HTTP handlers that explicitly disallow .cs as well.
I have created an MVC Web Api for some university coursework, that works as expected on my development machine (Running VS11).
However when I deploy the application to the webserver on 123reg HttpVerbs other than GET and POST appear to not reach my application at all, initially a 401 Not Authorised response was returned; however after turning off the "WebDAV" module as suggested here these 401s became 405 Method not allowed. In this case I only disabled the handlers as disabling both the handlers and the module meant that my application did not start at all (Error 500 without a stacktrace [custom errors are off]).
I am planning to utilise the forms membership provider to add authentication capabilities to my API, however I removed any [Authorise] attributes from my code when 401s began appearing.
Applications on 123Reg's shared hosting are run under Medium trust.
I have been in contact with 123Reg support, and they have been semi helpful, but have since decided that they cannot help me further (They suggested adding HttpHandlers as detailed below) (Apparently, I should consult a web designer...)
Things I have tried:
I have added [AllowAnonymous] Attributes to my controllers and/or actions with no effect.
I have added the authorization web.config attribute allowing all verbs and paths to all users both authenticated and not:
<authorization>
<allow users="*" />
<allow users="?" />
<allow verbs="*" users="*" />
<allow verbs="*" users="?" />
</authorization>
I have added (As suggested by 123Reg):
<system.webServer>
<handlers>
<remove name="WebDAV" />
<add name="PUTVerbHandler" path="*" verb="PUT" modules="ProtocolSupportModule" resourceType="Unspecified" />
<add name="DELETEVerbHandler" path="*" verb="DELETE" modules="ProtocolSupportModule" resourceType="Unspecified" />
</handlers>
</system.webServer>
This appeared to be a step forward, as we now receive 405 responses rather then 401 respones, however I am now unable to make any further progress. Additionally I have also added:
<httpHandlers>
<add verb="*" path="*" type="System.Web.Mvc.MvcHttpHandler"/>
</httpHandlers>
This also made no difference.
Any help you can give would be much appreciated (I dont really want to have to move host for this application!)
This post solved my problem. I did all the regular things: added all the necessary <handlers> entries, disabled WebDAV, but I still had 401.3 Unauthorized.
Enabling forms authentication solved the problem:
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms" />
</system.web>
I found this: http://forums.iis.net/t/1163441.aspx
From the looks of that forum post, you need to completely uninstall WebDAV for the PUT and DELETE Verbs to work. This is not going to help on a shared webhosting scenario unfortunately.
For me it was something different.
I had to go to the site folder, open the security tab for the folder, press Edit button to change group or user names permissions, find the site from my IIS 8 sites and give it a full control permission.
I had an application that was running on IIS 6. All requests went through aspnet_isapi.dll. This was achieved via a wildcard application mapping (which did not verify the file existed).
I have copied said application to a machine running IIS7, and would like to get it working again.
In the application, any request with an extension of .aspx (or .ashx) are handled in the normal way. Other requests with different extensions (such as .html and .xml) are handled by a custom http module. Some requests have no extension, and are dynamically redirect to a file with an extension (e.g. visiting …/item/1 might redirect to …/item/1.html or …/item/1.xml, depending on values in the accept header).
The new location probably does not exist, but a response is generated dynamically.
Currently, the application pool is in “classic” mode, and is using .NET v4.0 (it was previously using .NET 3.5, but that doesn’t seem to be related to the problem). The custom http module is set only in the web.config.
The redirect (from …/item/1 to …/item/1.html) seems to work, which suggests that extension less requests are indeed being processed by the application (that redirect is written in the application itself). I think that means that the custom module is working.
Requests with extensions (.html, .xml etc) are failing however. The error I get is:
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Module: IIS Web Core
Notification: MapRequestHandler
Handler: StaticFile
Error Code: 0x80070002
I have tried:
Adding a wildcard script mapping that mapped * to aspnet_isapi.dll
Tried adding a specific mapping for *.html to aspnet_isapi.dll
These still result in the same error message, and still seem to go to the handler "StaticFile".
I tried modifying "StaticFile" so that it uses the aspnet_isapi.dll executable, and this results in a new error:
HTTP Error 404.4 - Not Found
The resource you are looking for does not have a handler associated with it.
Handler: Not yet determined
Any help would be greatly appreciated.
Set application pool in integrated mode and set that all request run all managed modules
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
Use this config in service config it worked for me.
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="WcfService.Service1">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WcfService.IService1"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpsGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>