I need to do a whitelist using a specific header value every request that have not that value should'nt have access, right now I'm using "Url rewrite" function but is kinda confusing for me.
I tried to use a "Request filter" to do this but I have no choise to allow the entrance by header only deny it.
In request filter I have something like this :
| Name | Examine | Apply to | Deny String |
| Example | Headers | .html | "NotAllowed" |
You can first customize HTTP header in a UrlRewrite condition, then use a rule to match all URLs and use a condition to check for the http header, check for the header value and reject all requests not from the UExamine. here is a case for your reference:
<rules>
<rule name="test" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_x_header}" pattern="^Headers$" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="Using this site is not supported." />
</rule>
</rules>
About how to customize HTTP header you can refer to this link: customize HTTP header.
Related
This is an inbound rule in my iis web site.
<rewrite>
<rules>
<rule name="ToBackEnd">
<match url="^v1/api/(.*)" />
<action type="Rewrite" url="https://172.16.8.78/v1/api/{R:1}" />
</rule>
</rules>
</rewrite>
I want to add a header (Access-Control-Allow-Origin) to the response for oly this request. There are some solutions tags in . But I do not want this? How can I set in rule?
URL rewrite outbound rule can help override the Access-Control-Allow-Origin from your application for specific URL but it can't add response header. So if you can get the expected header by rewriting your existingAccess-Control-Allow-Origin. Then outbound rule can be involved.
<outboundRules>
<rule name="outbound rule" enabled="false">
<match serverVariable="Access-Control-Allow-Origin" pattern=".*" />
<action type="Rewrite" value="*" />
</rule>
</outboundRules>
If you only need to add a header only for specific page. You can use CORS module with <location> tag
https://www.iis.net/downloads/microsoft/iis-cors-module
If you need to add another header for wildcard URL like v1/api/*. Then custom httpmodule in integrated pipeline would be a choice.
How to configure IIS to return 200 OK to any URL request?
Any request that arrives to IIS should immediately return 200 with an empty body.
It is not important how this is achieved, either thru configuration or code.
As lex says, we could use url rewrite to achieve your requirement. You could install url rewrite firstly by using this url:https://www.iis.net/downloads/microsoft/url-rewrite.
Then you could add below rule into the web.config.
<rewrite>
<rules>
<rule name="Customresponse" stopProcessing="true">
<match url=".*" />
<action type="CustomResponse" statusCode="200" statusReason="test" statusDescription="test" />
</rule>
</rules>
</rewrite>
I have requests coming to my webserver at
http://www.example.com/blog
I want to Rewrite that to another server listening on
http://blog.example.com
Here is my rewrite rule:
<rule name="blogredirect1" stopProcessing="true">
<match url="^blog(.*)" />
<action type="Rewrite" url="http://blog.example.com{R:1}" />
</rule>
What ends up happening is the rewrite sends the request to the second servers IP at blog.mysite.com but the request header's host is still www.mysite.com.
How do I make sure that the redirected request HOST is set to blog.mysite.com (which is set in the redirect rule)
May I know how did you check the HOST header?
It is recommended to check {HTTP_HOST} variable instead of view the HTTP header directly. Because if you view the request header, you will always see www.mysite.com.
You could fetch {HTTP_HOST} request variable from backend server blog.mysite.com.
However,If you means page in blog.mysite.com also displayed {HTTP_HOST} as www.mysite.com.Then please check whether you have set system.webServer/proxy/preserveHostHeader to true?
By the way, IIS support to rewrite HTTP_HOST manually, you could modify your rule like this:
<rule name="blogredirect1" stopProcessing="true">
<match url="^blog(.*)" />
<action type="Rewrite" url="http://blog.example.com{R:1}" />
<serverVariables>
<set name="HTTP_HOST" value="blog.example.com" />
</serverVariables>
</rule>
Please remember to Allow Server Variable{HTTP_HOST} in URL rewrite.
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/setting-http-request-headers-and-iis-server-variables
You could also set this in applicationhost.config <location path="sitename"> section.
<location path="Default Web Site">
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="HTTP_HOST" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</location>
I have an API that return me images, like:
/api/products/images/233 -> This will return me an 233.jpg image
But my IIS has a rule to add the X-Content-Type-Options header to the requests for security, but that break the images on Internet Explorer, so I need a way to remove this rule when the endpoint /products/images/ is called or a way to add the header only if it's no that endpoint.
I tried to use this about Custom Headers
But it didn't work, I tried like this:
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Remove nosniff">
<match serverVariable="RESPONSE_X_Content_Type_Options" pattern="/products/images/" />
<action type="Rewrite" value="none"/>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
But it didn't change anything, the images still having the "nosniff" header.
Am I missing some configuration? Or there is another way to do that?
Your match condition is checking if the header RESPONSE_X_Content_Type_Options contains the value /products/images/ instead of nosniff. You can use a Location block to restrict this rule to /products/images/, then use pattern="nosniff" to find the value nosniff
<configuration>
...
<system.webServer/>
...
<location path="products/images/">
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Remove nosniff">
<match serverVariable="RESPONSE_X_Content_Type_Options" pattern="nosniff" />
<action type="Rewrite" value="none"/>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</location>
</configuration>
See docs for element: https://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
Is i possible to rewrite an URL using IIS, based on the Accept-headers and request type.
I need IIS to rewrite all URLS to index.html (A stateful js app) for the following conditions:
The request is a GET request
The accept headers from the client includes: "text/html"
Is not a direct file request. The requested path does not contain a . (DOT) character
I think its the same as the Node module: https://github.com/bripkens/connect-history-api-fallback
Yes you can do that, if I follow correctly your requirements I believe the URL Rewrite rule you need is below.
Basically,
use a condition to match the HTTP_METHOD to be a GET
use a condition to match HTTP_ACCEPT to make sure it starts with text/html since usually they also include encoding and other data
make sure it is not a file
<rule name="Rewrite Text Requests">
<match url=".*" />
<conditions>
<add input="{HTTP_METHOD}" pattern="^GET$" />
<add input="{HTTP_ACCEPT}" pattern="^text/html" />
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Rewrite" url="/index.html" />
</rule>