i have MVC app with identity authentication
this site business is playing video which edited by ffmpeg .
<video id="videojs-hls-quality-selector-player" class="video-js vjs-default-skin" width="640" height="360" controls>
<source src="video\index.m3u8" type="application/x-mpegURL">
</video>
i want to prevent direct access from browser to this link , unless user has session
https://localhost/vide/index.m3u8
i tired this code for config file
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
but i still be able to access the file and not able to aceess folder
ex:-
https://localhost/video/index.m3u8
accessible
https://localhost/video
Not accessible !
i tried this link , but still not get it
how to deny user to access sub folders and file?
You can try to use the Request Filtering module in IIS, you can use the hidden segments:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="index.m3u8"/>
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
When request filtering blocks an HTTP request because of a hidden URL segment, IIS will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied.
When you access https://localhost/video/index.m3u8, you will get HTTP Error 404.8 - Not Found.
For more information, please refer to the following documents:
https://learn.microsoft.com/en-us/iis/manage/configuring-security/use-request-filtering
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/hiddensegments/
we have an IIS website that is returning 400 Bad Request for a very few users. we are using Windows Authentication
After research, I found the below info in the HTTP.err log on the server
2020-06-05 06:44:05 10.213.144.138 53021 10.11.210.147 80 HTTP/1.1 GET / - 400 - RequestLength -
I set the MaxFieldLength & MaxRequestBytes to their max values as suggested here
https://learn.microsoft.com/en-us/exchange/troubleshoot/http-proxy/400-bad-request
Still the user is receiving 400 Bad request error.
The user is part of around 200 AD groups and do not want to remove any of them.
Clear your cookies and try again, and see if you can reduce the size and amount of cookies your app is using.
When you set the registry key value you make sure you consider the below points:
1) Calculate the size of the user's Kerberos token by using the formula that's described in the following Knowledge Base article:
327825 Problems with Kerberos authentication when a user belongs to many groups
2) Set the value of MaxFieldLength and MaxRequestBytes on the server to 4/3 * T, where T is the user's token size in bytes. HTTP encodes the Kerberos token by using base64 encoding.
https://support.microsoft.com/en-us/help/2020943/http-400-bad-request-request-header-too-long-response-to-http-request
Note: Make sure you restarted the machine after doing changes.
you could also try to add below code in your site web.config file:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="500000000" />
</requestFiltering>
</security>
<system.webServer>
<system.web>
<httpRuntime maxRequestLength="500000000" executionTimeout="120" />
</system.web>
</configuration>
if you still face same issue try to use the fiddler or any other tool to capture network traffic and properly analyze the request and response header.
The Condition
I have created my own web framework, which intercepts Error 404 and displays the appropriate content depending on the URL (it also sends the correct HTTP code 200 or 404 when the URL is valid or not). I have the entire framework under single /Default.asp (which includes several files, but that's not important here). It works perfect under IIS6, but I'm unable to figure out how to handle debugging and development under IIS7.
The Problem
The challenge is picking the correct Error Mode for the web.config file.
If I set errorMode=Custom then my code works and I can even see errors in my code while developing, but I can't debug other ASP files, because any error there, would be redirected to the /default.asp instead of showing it to me in the browser.
So, when I need to debug other ASP files, I would change the error mode from Custom to errorMode=Detailed
Then I can easily see the line number and the error description, but that means obviously that my framework would not be able to handle Errors 404 for non-existing URL's.
I have been doing this "dance" switching web.config every time I need to check something and it's getting very annoying. Here's my web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!-- I'm changing Custom to Detailed here when I need to debug -->
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath=""
path="/Default.asp" responseMode="ExecuteURL" />
<!-- I have experimented with this, but unsuccessfully, so I comment it out
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="500" prefixLanguageFilePath=""
path="/Default.asp" responseMode="ExecuteURL" />
-->
</httpErrors>
<directoryBrowse enabled="false" />
</system.webServer>
</configuration>
Question:
Is it possible to use both methods simultaneously?
A custom .ASP file to process 404 (and possibly other errors) but also leaving the 500 errors to be processed by the server and display the detailed error.
All I need to see is the line number and the error description.
When issuing a perfectly cromulent verb to a local IIS Express web-site under Visual Studio 2013:
CROMULENT http://localhost:7579/Handler.ashx HTTP/1.1
Host: localhost:7579
the server responds with the error:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
That is a request to a "generic handler" (i.e. .ashx). If if i try again to a static resource:
SCHWIFTY http://localhost:7579/Default.htm HTTP/1.1
Host: localhost:7579
the server responds with the error:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
This is all by way to trying to use HTTP verbs:
DELETE http://localhost:7579/Handler.ashx HTTP/1.1
Host: localhost:7579
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
PUThttp://localhost:7579/Handler.ashx HTTP/1.1
Host: localhost:7579
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
This question has been asked to death, sometimes by me. But nobody has ever come up with a solution.
</Question>
Microsoft's Bug
The problem, fundamentally, is that Microsoft ships IIS and IISExpress broken by default. Rather than handling HTTP verbs, as a web-server is required to do, they don't handle verbs.
This can most easily be seen when managing full IIS running on Windows Server. Pick any of the built-in handlers (e.g. the cshtml handler), and you can see that someone thought it would be hilarious if it only worked with GET, HEAD, POST, and DEBUG verbs:
rather than correctly implementing support for HTTP in an HTTP server.
The question becomes:
why exactly doesn't it work
how exactly to fix it
how to fix it in IIS Express (without any management tools)
why it continues to be shipped, year after year, broken
Question 1. Why doesn't it work?
The first question is why doesn't it work. Let's look at an IIS server where we've removed every handler except the basic Static file handler:
The handler is configured to all all verbs:
The only handler left is set to allow any verb. Yet if we issue a request to the web server we get the error:
DELETE http://scratch.avatopia.com/ HTTP/1.1
Host: scratch.avatopia.com
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
Server: Microsoft-IIS/7.5
Why is this happening?
Why didn't it work? Where is the configuration option that says:
GET
HEAD
OPTIONS
TRACE
because the server itself is saying those are the only supported verbs.
Yet if we change it to a GET it works fine:
GET http://scratch.avatopia.com/ HTTP/1.1
User-Agent: Fiddler
Host: scratch.avatopia.com
HTTP/1.1 200 OK
Content-Type: text/html
Question 2. How to fix it?
The common wisdom is to remove WebDAV. Nobody knows what WebDAV is, how it could be a problem, why it is a problem, or why it exists if it only causes problems. WebDAV can be removed as a handler from the IIS administration user interface:
which is identical to adding a remove entry from the handlers section in web.config (the UI itself adds the entry to web.config for you):
<system.webServer>
<handlers>
<remove name="WebDAV" />
</handlers>
</system.webServer>
Except this doesn't work. So how do we fix it?
Starting with IIS it seems that WebDAV has become even more of a virus. Rather than simply disabling it as a handler, you have to completely install or remove it as a module:
<system.webServer>
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
</system.webServer>
That sounds like a reason idea, except in my test case, on IIS 7.5, WebDAV is both not installed, and removed as a module:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 10 May 2016 19:19:42 GMT
Content-Length: 0
So, if we can figure out how to solve the problem, we can answer question number two.
Question 3. How to fix it in IIS Express
Starting with Visual Studio 20131, Visual Studio no longer uses a mini web-server called Cassini. It uses a portable install of IIS Express itself (i.e. IIS Express Windows feature doesn't need to be installed).
Most of the above fix (attempts) (fail) in IIS. But nobody has dealt with them in IIS Express of Visual Studio 2013 (which is how this question is different from any others).
Question 4. Why does this keep happening?
It's been over 15 years, and this still keeps happening. There must be a good reason why IIS does not function as a web-server. But what is it? I've not been able to find any knowledge base article, or blog post, explaining why the IIS team refuses to function correctly.
Bonus Reading
The most popular Stackoverflow question for this problem: ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
Research Effort
HTTP Error 405.0 - Method Not Allowed, with POST (no answer, php)
HTTP Error 405.0 - Method Not Allowed (no answer)
POST verb not allowed (php)
HTTP Error 405.0 - Method Not Allowed in ASP.net MVC5 (no answer, mvc)
JQuery File Uploader = error 405 IIS8.5 (jquery no answer)
IIS 7.5 405 Method Not Allowed for PUT from StaticFileModule (no answer, static module, iis)
The HTTP verb POST used to access path is not allowed ("don't use verbs")
http error 405 method not allowed error with web.API (uninstall WebDAV; already isn't)
Handling Perl IIS 7.5 (perl)
HTTP Error 405.0 - Method Not Allowed using Jquery ajax get (ajax)
What causes an HTTP 405 "invalid method (HTTP verb)" error when POSTing a form to PHP on IIS? (iis6, ftp, php)
http://forums.asp.net/t/1648594.aspx ("have you tried pinging your computer")
Angular $resource POST/PUT to WebAPI 405 Method Not Allowed (try removing WebDAV handlder and WebDAV module)
Http Error 405.0 - method not allowed iis 7.5 module staticfilemodule (no solution)
Unable to set up WebDAV with IIS 7 *(trying to setup webdav)*
Android SOAP request is returning HTTP Response 405 (no solution)
wcf service doesn't allow POST (wcf)
WebAPI Delete not working - 405 Method Not Allowed (WebAPI; remove WebDAV)
I seem to pick up on a bit of frustration in the question, so the actual question is a bit unclear. What specifically is it that you are trying, but failing, to do? What do you expect of the answer?
Anyway, based on this comment in the question:
This is all by way to trying to use HTTP verbs:
and the corresponding samples involving a generic handler, I'll take a stab at showing what is needed to make it possible to PUT and DELETE a generic handler.
In order to allow PUT and DELETE on a generic handler, you must allow it in the web.config of the application. To do that you should register a handler for *.ashx as follows:
<system.webServer>
<handlers>
<add name="SimpleHandlerFactory-Integrated-WithPutDelete"
path="*.ashx"
verb="GET,HEAD,POST,DEBUG,PUT,DELETE"
type="System.Web.UI.SimpleHandlerFactory"
resourceType="Unspecified"
requireAccess="Script"
preCondition="integratedMode" />
</handlers>
</system.webServer>
Depending on how you originally set up the web site/application, there may or may not be a handler registered for type="System.Web.UI.SimpleHandlerFactory" in your web.config file. If there is one, you should be able to just modify that entry and add the verbs you want to allow.
You'll note that this entry has the preCondition="integratedMode". This should, I believe, work when debugging in Visual Studio using IIS Express. In a real IIS deployment, the handler registration may need to be modified to match the application pool that will run the application. For an application running in classic mode (not integrated), it would look something like this (not tested so may be wrong):
<system.webServer>
<handlers>
<add name="SimpleHandlerFactory-ISAPI-4.0_64bit-WithPutDelete"
path="*.ashx"
verb="GET,HEAD,POST,DEBUG,PUT,DELETE"
modules="IsapiModule"
scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll"
preCondition="classicMode,runtimeVersionv4.0,bitness64"
responseBufferLimit="0" />
</handlers>
</system.webServer>
The exact details would depend on the framework version an bit-ness of the application pool.
If you are debugging in Visual Studio using IIS Express, you should have a look at the applicationhost.config which sets up a lot of the defaults regarding IIS Express. It is located in:
My Documents\IISExpress\config
The untested handler registration above for a classic pipeline application pool is a slight modification of a handler registration in that file. There are in my environment 6 separate entries for *.ashx, with varying preconditions, in that file.
It might be a good idea to explicitly remove all of these in your web.config if you want to have your own registration which allows PUT and DELETE. Not all of them would actually be active/registered at the same time since the preconditions are (I suppose) mutually exclusive, but at least for me it works to just remove them all, one after the other. In my environment the section with the removes looks like this:
<remove name="SimpleHandlerFactory-ISAPI-4.0_64bit"/>
<remove name="SimpleHandlerFactory-ISAPI-4.0_32bit"/>
<remove name="SimpleHandlerFactory-Integrated-4.0"/>
<remove name="SimpleHandlerFactory-Integrated"/>
<remove name="SimpleHandlerFactory-ISAPI-2.0"/>
<remove name="SimpleHandlerFactory-ISAPI-2.0-64"/>
Hope this shines at least a bit of light into dark places!
okay so i ran into this same exact problem on IIS 7.5 when trying to PUT or DELETE it returned a 405.
i was specifically trying to setup a MEAN stack with IISnode module. when accessing the static HTML file IIS was serving up i was able to GET and PUSH but not PUT or DELETE.
-- the problem --
i believe that the issue is with IIS server itself. take a look at this post here:
https://blogs.msdn.microsoft.com/saurabh_singh/2010/12/10/anonymous-put-in-webdav-on-iis-7-deprecated/
https://support.microsoft.com/en-us/kb/2021641
it appears that IIS no longer allows Anonymous PUT or DELETE
so in the end i just went with a nodejs webserver instead
-- however --
i have not tried this but perhaps you might want to look into modifying the IIS system config file itself called the ApplicationHost.config located here:
C:\Windows\System32\inetsrv\config
make sure to use notepad with administrator privileges
let me know how it goes and i might try and do this later when i have time
There is a lot of talk about removing WebDAV and that will fix the problem - but if you're wondering what WebDAV is and what its used for, check out this page:
https://www.cloudwards.net/what-is-webdav/
Holy Damn, many research these 2 days....
No WebDav installed, no typical handler modifications (SimpleHandlerFactory, ExtensionlessUrl)
For those using any PHP Frameworks just as: Laravel, CakePHP etc
I couldn't make IIS Failed Tracing Logs work, so...
All I did was, modify PHP handler [MODIFY: php-X_VERSION]:
<handlers>
<remove name="php-X_VERSION" />
<add name="php-X_VERSION" path="*.php" verb="GET,HEAD,POST,PUT,DELETE" modules="FastCgiModule" scriptProcessor="D:\Program Files\PHP\X_VERSION\php-cgi.exe" resourceType="Either" requireAccess="Script" />
</handlers>
I have no WebDAV installed, and am running IIS Express from VS2019. After some digging, I came upon the applicationhost.config file used by IIS Express, and ended up with a solution by changing my own project web.config file. In the system.webServer/handlers section, add the following:
<system.webServer>
<handlers>
<remove name="PageHandlerFactory-ISAPI-4.0_64bit"/>
<remove name="PageHandlerFactory-ISAPI-4.0_32bit"/>
<remove name="PageHandlerFactory-Integrated-4.0"/>
<remove name="PageHandlerFactory-Integrated"/>
<remove name="PageHandlerFactory-ISAPI-2.0"/>
<remove name="PageHandlerFactory-ISAPI-2.0-64"/>
<add name="PageHandlerFactory-ISAPI-4.0_64bit" path="*.aspx" verb="GET,HEAD,POST,DEBUG,PUT" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="PageHandlerFactory-ISAPI-4.0_32bit" path="*.aspx" verb="GET,HEAD,POST,DEBUG,PUT" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG,PUT" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
<add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG,PUT" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode,runtimeVersionv2.0" />
<add name="PageHandlerFactory-ISAPI-2.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG,PUT" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" responseBufferLimit="0" />
<add name="PageHandlerFactory-ISAPI-2.0-64" path="*.aspx" verb="GET,HEAD,POST,DEBUG,PUT" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness64" responseBufferLimit="0" />
</handlers>
</system.webServer>
All this does, is it adds the word "PUT" to the verb attribute of each handler.
I also have to add that I am working on an older project and created the API endpoints with *.aspx files, which is why other solutions found googling did not work. So if you are using VS2019 and get the error 405.0 - Method not Allowed and you already removed WebDAV and expose your API with .aspx files this might work.
I have an Azure project with a single webrole that I am trying to get to run properly after upgrading to Windows 8 and Visual Studio 2012.
The problem is with any static content, it returns a HTTP 500 Internal Server Error with this text: "The page cannot be displayed because an internal server error has occurred." This error is presented for any static content (images and javascript), while dynamic content is served fine (all controller actions work fine).
We cannot get IIS to present a detailed error message. The only reference we can find to the error is in the access log, which presents it as a 500 subtype 19 error.
We've tried switching between IIS and IISExpress, same error occurs. We've tried adding all the "show detailed error messages" options to our web.config and IIS Manager. The same error happens on both HTTP and HTTPS endpoints.
What should be my next steps?
The culprit has been discovered. By comparing a default web.config with our web.config we discovered this in our web.config:
<system.webServer>
<staticContent>
<mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
</staticContent>
</system.webServer>
IIS8 has support for the WOFF built in, while IIS 7 did not. Simply moving this line into a transform solved the issue.
I came across this a long time ago and the answer from Vegard Larsen worked great. However, I've since upgraded to osFamily 3 (Windows Server 2012) and found that I was once again getting the 500 error with subtype 19 when deploying to Azure. The fix was to use the following in the transform.
<system.webServer>
<staticContent xdt:Transform="Insert">
<remove fileExtension=".woff" />
<mimeMap fileExtension=".woff" mimeType="application/x-woff" />
</staticContent>
</system.webServer>
The important part is to remove any existing .woff configuration. That way you can be sure it'll work on any IIS platform/configuration.