How could I check if a request header exist on IIS 8 and the value of this header is for example "1234"?
I am trying to response with a 500 error for example if the header is not present or the value is not "1234" so you can´t access if you haven´t the secret value.
it is possible on IIS? I check the all availables server variables but I don´t find any reference to Request headers. https://learn.microsoft.com/en-us/iis/web-dev-reference/server-variables
A request header is an HTTP header that can be used in an HTTP request to provide information about the request context, so I suggest you can try to use custom HTTP headers in a urlrewrite condition:
custom headers need to be preceded by "HTTP_".
substitute dashes with underscores
Eg: in order to retrieve the custom header "x-app-version", you can use "HTTP_x_app_version". So thr urlrewrite config should look like this:
<rule name="test" enabled="false">
<match url="(.*)" />
<conditions>
<add input="{HTTP_x_app_version}" pattern="^1234$" />
</conditions>
<action type="Redirect" url="your url" />
</rule>
Related
I am trying to rewrite a URL to a soap method but I seem no to able to figure out what's wrong. I have defined a pattern like this --> ./tree/tree/(.) with no conditions and no server variables in the action section I have both used redirect and rewrite to : localhost:2136/sharvand.asmx?op=GetTree but it hasn't worked out. any help will be appreciated
by the way how can I pass query string as a parameter to the web service
You can try this rule:
<rule name="test" stopProcessing="true">
<match url="^tree/tree/(.*)$" />
<action type="Rewrite" url="gis.shiraz.ir:80/service.asmx/op/{R:1}" />
</rule>
I want to accept/deny requests depending on Http request custom headers. Is there any option available in both IIS and NGINX?
I think IIS has but NGINX??????
URL rewrite inbound rule can deny request based on request header. For example, if your custom request header is AuthHeader. Then you only need to add a condition pattern for{HTTP_AuthHeader}.
The sample deny rule would looks like this.
<rule name="deny rule" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_AuthHeader}" pattern="jokies" />
</conditions>
<action type="AbortRequest" />
</rule>
As you can see, IIS return 504 when the request header AuthHeader=jokies.
IIS return 200 if the AuthHeader doesn't match jokies
Of course, you can develop and inject your custom httpmodule to customize the request header filter.
I'm trying to configure a rule in UrlRewrite that has 2 conditions:
HTTP header HTTP_HOST needs to match a certain domain (api.contoso.com)
A custom HTTP header x-app-version needs to be present in the HTTP request
based on this info, I'd like to redirect to a different version of the API in the back-end.
Problem
The rule is behaving as expected on the first condition.
It kicks in when HTTP_HOST matches api.contoso.com.
However, it ignores my custom x-app-version header.
Assumption
So, I fear that a UrlRewrite condition only can be defined in combination with the limited set of predefined HTTP headers from the dropdown (HTTP_HOST, REMOTE_ADDRESS, REMOTE_HOST, …)
Question
Is assumption correct or should this be possible whatsoever?
Is there a mistake in my config or other approach to have conditions based on a custom defined HTTP header?
<rule name="ARR_test2" enabled="false">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="api.contoso.com" />
<add input="{x-app-version}" pattern="1" />
</conditions>
<action type="Rewrite" url="https://FARM_apiv1/{R:0}" />
</rule>
Ok, I found out how to use custom HTTP headers in a UrlRewrite condition:
custom headers need to be preceded by "HTTP_".
substitute dashes with underscores
E.g.: in order to retrieve my custom header "x-app-version", I can use "HTTP_x_app_version".
So my UrlRewrite config should look like this
<rule name="ARR_test2" enabled="false">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="api.contoso.com" />
<add input="{HTTP_x_app_version}" pattern="1" />
</conditions>
<action type="Rewrite" url="https://FARM_apiv1/{R:0}" />
</rule>
It's actually mentioned quite clear in the documentation:
https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx
We have a Asp.NET web api that handles requests from Android and iOS apps. We started to experience issues with GET requests that contained query strings. A URL like this: http://localhost:10723/api/Locations?userId=32432-a4r2-f32r3 gave this response:
A potentially dangerous Request.Path value was detected from the client (?)
After some debugging I saw that the querystring had been encoded, so the actual request was http://localhost:10723/api/Locations%3FuserId=32432-a4r2-f32r3, and that caused the issue. I can make changes to the apps that will fix this, but since this a app that is in production right now, I am desperately looking for a quick fix in the API that will allow the apps to work now.
What I have tried so far:
<httpRuntime targetFramework="4.5.1" requestValidationMode="2.0" />
<pages validateRequest="false" />
And related httpRuntime web.config tricks.
I have also written a custom request validator.
But everything is telling me that this is something that happens before the pagevalidation and my request validator is hit.
I was able to solve this by adding a rewrite rule for url on the server:
<system.webServer>
<rewrite>
<rules>
<rule name="Allowing querystrings.">
<match url="^(.*)\?(.*)$" />
<conditions logicalGrouping="MatchAny" />
<action type="Rewrite" url="{R:1}?{R:2}" />
</rule>
</rules>
</rewrite>
</system.webServer>
I do my best to scan the forum for help to make a web.config to do a Rewrite of this kind of url
domain.com/default.asp?id=3&language=2
My hope is that this can be
domain.com/en/service
where language=2 is "en"
and id=3 is page "Service" (this name exist in a mySQL)
I can only find example that do it vice versa...
Like this
<rewrite>
<rules>
<rule name="enquiry" stopProcessing="true">
<match url="^enquiry$" />
<action type="Rewrite" url="/page.asp" />
</rule>
</rules>
</rewrite>
I would like it to be something like this... I know this isn't correct, but maybe explains my problem.
<rewrite>
<rules>
<rule name="enquiry" stopProcessing="true">
<match url="^default.asp?id=3&language=2$" />
<action type="Rewrite" url="/en/serice" />
</rule>
</rules>
</rewrite>
If you want to use regular expressions you could do something like this
<rule name="RewriteUserFriendlyURL1" stopProcessing="true">
<match url="^([^/]+)/([^/]+)/?$" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="default.asp?language={R:1}&id={R:2}" />
</rule>
This would rewrite "domain.com/en/service" as "domain.com/default.asp?language=en&id=Service", or "domain.com/2/3" as "domain.com/default.asp?language=2&id=3"
To change the 2 to en and the 3 to service, along with all the other options though I think you would need a separate rule for each permutation, or have some sort of logic within your asp pages to read your querystring variables and send the corresponding values to your SQL queries. Note also that the parameters in the friendly url appear in the same order and the querystring variables in the rewritten URL, although this shouldn't really be an issue. If someone tries to access the page with the original "unfriendly" url they will find what they are looking for, whichever way round they enter the querystring variables.
Please note, I didn't actually hand code the rule above, I generated it with the URL Rewrite module in IIS manager - it makes life a lot easier
Also note, as discussed with my namesake in the other answer, this only applies to IIS7 and above
I have done this in Classic ASP using custom error pages and this seems to be the best way unless you use some sort of third party component installed on the server.
To do this, in IIS (or web.config) you need to set up 404 errors to go to a specific custom error Classic ASP page (eg. 404.asp).
In this custom error page you first need to check to see if the URL is valid. If it is you can Server.Transfer to the correct page, return a 200 response code, and parse the URL there to convert the URL to the values needed for the database lookup, etc. If it's not a valid URL then you show a custom error page and return a 404 response code.
The code to check for a valid URL and to retrieve the URL parameters will vary greatly depending on your URL structure. But to find the URL requested on the custom 404 error page you have to look at the querystring, which will be something like "404;http://domain.com:80/en/service/".
Here's some sample code that gets the parameters from the requested URL:
Dim strUrl, intPos, strPath, strRoutes
strUrl = Request.ServerVariables("QUERY_STRING")
If Left(strUrl, 4) = "404;" Then
intPos = InStr(strUrl, "://")
strPath = Mid(strUrl, InStr(intPos, strUrl, "/") + 1)
If strPath <> "" Then
If Right(strPath, 1) = "/" Then strPath = Left(strPath, Len(strPath) - 1)
End If
strRoutes = Split(strPath, "/")
'Here you can check what parameters were passed in the url
'eg. strRoutes(0) will be "en", and strRoutes(1) will be "service"
End If
And here's how you can setup custom error pages in the web.config (rather than in IIS):
<?xml version="1.0"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Replace">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" subStatusCode="-1" responseMode="ExecuteURL" path="/404.asp" />
</httpErrors>
</system.webServer>
</configuration>