IIS request filtering file extensions allow directory with dot - iis

We are using the request filtering for file extensions in our web.config like so:
<fileExtensions allowUnlisted="false">
  <add fileExtension="." allowed="true" />
  <add fileExtension=".aspx" allowed="true" />
  <add fileExtension=".ashx" allowed="true" />
  <add fileExtension=".asmx" allowed="true" />
  <add fileExtension=".axd" allowed="true" />
  <add fileExtension=".html" allowed="true" />
  <add fileExtension=".htm" allowed="true" />
</fileExtensions>
However, we have run into a problem. When we go to a URL for a directory with a dot in it, for example "https://localhost/myamazing.folder", it returns "HTTP Error 404.7 - Not Found", since it now thinks that it's an extension that's not allowed.
When allowUnlisted is set to true, or without any filtering, IIS will perform a courtesy redirect because it's a folder. Is there any way to keep this redirect behavior intact while still filtering extensions?

This is the IIS default security setting. If you want to allow the unspecified extension, you need to enable it by using
Another way is to allow the file name extension and then allow the URL by following the steps below:
In the "URL" tab, allow the list of URLs -> add the URL which you want to allow.
That's how it will redirect the URL /myamazing.folder to /myamazing.folder/.
If you are using an ASP.NET MVC site you can refer to the link below:
Dots in URL causes 404 with ASP.NET mvc and IIS
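The "URL" tab allow list the answer refers to is the alwaysAllowedUrls collection under requestFiltering. As an added example (not from the question or the answer), this web.config keeps allowUnlisted="false" and the extension list from the question while exempting the one dotted folder; the path /myamazing.folder is the question's, so substitute your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post: keep the extension allow list
     strict and exempt only the dotted folder that needs the courtesy redirect.
     "/myamazing.folder" is the folder from the question; replace it with yours. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Deny every extension not listed. "." matches requests with no extension. -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".ashx" allowed="true" />
          <add fileExtension=".asmx" allowed="true" />
          <add fileExtension=".axd" allowed="true" />
          <add fileExtension=".html" allowed="true" />
          <add fileExtension=".htm" allowed="true" />
        </fileExtensions>
        <!-- Requests for this URL pass request filtering although ".folder" is not
             an allowed extension, so IIS reaches the directory and redirects to
             /myamazing.folder/. Keep this list to the exact paths you need; every
             entry is a hole in the extension check. -->
        <alwaysAllowedUrls>
          <add url="/myamazing.folder" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```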

Related

Adding <customHeaders> in webconfig causes 500 error in sub applications in IIS?

My web site is written in ASP.NET MVC 4 and hosted on IIS 6.2.
I need to add custom headers (X-Frame-Options, X-XSS-Protection etc.) to the web.config in the main application.
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="X-XSS-Protection" value="1" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
After I did it, my sub applications get an HTTP 500 error. I have no idea why this is happening.
I already tried that option. I also tried removing every custom header from the response headers in IIS, and also tried adding them manually in the response headers.
Can you give me advice on how to fix this issue?
Try adding the header at the server level by using the "HTTP Response Headers" applet.
I think you are adding headers in the "Default Web Site" now. In the Default Site a header starting with "X-" will give an error. I had faced this issue.
You can also try adding it in each app or virtual directory under "Default Web Site".
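A child application inherits the parent's customHeaders collection, and IIS rejects a merged collection that contains the same header name twice with a configuration error (an HTTP 500). As an added example, not from the question or the answers, this is a child application's web.config that re-declares the question's three headers safely by removing the inherited entry before adding it; it assumes the parent web.config already carries the block shown in the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original post): web.config of a sub application
     whose parent site already defines these three headers. Removing the inherited
     entry first keeps the merged customHeaders collection free of duplicate names,
     which is what turns into a configuration 500 when both levels add the same key. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- remove is a no-op when the parent does not define the name,
             so this pattern is safe whether or not the parent sets the header -->
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <remove name="X-XSS-Protection" />
        <add name="X-XSS-Protection" value="1" />
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

If the sub application does not need different values, the simpler fix is to declare the headers once at the parent and leave the child's customHeaders section out entirely.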

What exactly does the ProtocolSupportModule do?

In the doc (https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview) they say that ProtocolSupportModule "implements the support which allows or turns off keep-alive support via configuration". I don't understand what it means exactly.
I saw that, for example, without ProtocolSupportModule the custom headers will not work. So it's not only about TRACE and OPTIONS.
I think now that maybe ProtocolSupportModule is connected to this in the web.config:
<httpProtocol allowKeepAlive="true">
<customHeaders>
<clear />
</customHeaders>
<redirectHeaders>
<clear />
</redirectHeaders>
</httpProtocol>
This seems to correspond to what the doc says (keep-alive, redirect and custom headers).

Enable Compression Mime-types for Web-Site Application

Our website uses both dynamic and static compression. I know that compression can be enabled/disabled at the web.config level, but that the MIME types for static and dynamic compression cannot be enabled at the web.config level.
Meaning, this section:
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files" staticCompressionIgnoreHitFrequency="true">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
<staticTypes>
Stuff
</staticTypes>
<dynamicTypes>
Stuff
</dynamicTypes>
</httpCompression>
must go in applicationHost.config, and is generally edited using appcmd.exe.
I know there is a location element in applicationHost.config that allows setting many things on a per-website basis, but I can't find anywhere whether MIME types for dynamic compression are one of them.
I have tried overriding these settings using a location element, but have not had any success and cannot find documentation stating that it's possible for the httpCompression element.
To make matters worse, we install our product as a web application under the default site, so really we want to enable these dynamic compression MIME types only under our application, instead of site- (or server-) wide. Is this possible?
Generally, we are using IIS 7 and above. Right now our minimum is 7, so assume anything needs to work with that.
My questions are:
Can httpCompression settings be set in applicationHost.config per website, and possibly per web application under a website?
Is there a different way to enable dynamicCompression specifics at the website/web application level?
Just an important precision: there is one prerequisite to ensure that you can add MIME types in the web.config file.
It is possible to add MIME types in the <staticTypes> and <dynamicTypes> sections at the website level (in web.config) only if this is explicitly allowed at the applicationHost.config level, as explained in this solution from Stack Overflow:
The important thing to note is that modifying your applicationHost.config (in %windir%\system32\inetsrv\config) from the following setting:
<section name="httpCompression" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
to:
<section name="httpCompression" overrideModeDefault="Allow" />
will enable configuration of the httpCompression tag under the system.webServer tag in your web.config.
Yes, you can very well add dynamic and static types in a web application's web.config file. applicationHost.config defines the global compression settings, and if you want to override them in your application you can do so. The following is a sample from one of my applications.
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
    <remove name="UrlRoutingModule-4.0" />
    <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
  <handlers>
    <add name="Glimpse" path="glimpse.axd" verb="GET" type="Glimpse.AspNet.HttpHandler, Glimpse.AspNet" preCondition="integratedMode" />
  </handlers>
  <httpCompression>
    <dynamicTypes>
      <remove mimeType="text/*" />
      <add mimeType="application/json" enabled="true" />
    </dynamicTypes>
  </httpCompression>
</system.webServer>
Here the remove tag in dynamicTypes removes the global entry coming from applicationHost.config.
The add tag adds an additional mimeType on top of the global entries from applicationHost.config. This addition applies only to the application whose web.config is being modified.
Similarly, you can modify staticTypes as well.
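The question also asks whether the per-application scope can be reached from applicationHost.config itself. It can, because a location element inside applicationHost.config still satisfies allowDefinition="AppHostOnly", so the section stays locked for web.config while one application gets its own MIME types. Added example, not from the question or the answers; the path "Default Web Site/MyApp" and the MIME types are assumed.

```xml
<!-- Added example (not from the original post): fragment of applicationHost.config.
     The location path "Default Web Site/MyApp" (site name/application alias) is an
     assumption; the section's allowDefinition and overrideModeDefault are left at the
     locked defaults, so no web.config can change compression settings. -->
<configuration>
  <!-- ... the rest of applicationHost.config, including the global httpCompression ... -->
  <location path="Default Web Site/MyApp">
    <system.webServer>
      <httpCompression>
        <dynamicTypes>
          <!-- these entries merge with the global list and apply only to MyApp -->
          <add mimeType="application/json" enabled="true" />
          <add mimeType="application/xml" enabled="true" />
        </dynamicTypes>
        <staticTypes>
          <add mimeType="image/svg+xml" enabled="true" />
        </staticTypes>
      </httpCompression>
    </system.webServer>
  </location>
</configuration>
```

Keeping the section locked is the safer choice on a shared server: only an administrator editing applicationHost.config can change which content types are compressed, rather than any deployed web.config.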

Disable pool recycling on Azure Websites

I have a website deployed on Azure Websites and I want to disable pool recycling.
If you have a regular IIS installation, you can disable this in application pool advanced settings by setting "Recycling -> Disable overlapped recycle" to true.
Yet I can't seem to find this option in the Azure management console, nor do I find any information on this subject online.
Any pointers would be greatly appreciated!
Thanks a lot Puneet Gupta for pointing me in the right direction!
I couldn't use the exact solution, but it set me on the right path.
Here's how I solved this:
1) Get your hands on the applicationHost.config.
The easiest way is going through the SCM console via "files" and then following the links in the JSON.
In the end, you end up here: https://YOUR_WEBSITE_NAME.scm.azurewebsites.net/api/vfs/LocalSiteRoot/Config/applicationhost.config
2) Identify the current status of overlapped recycle.
In the applicationHost.config file, look for the "applicationPools" element.
It should look like this:
<applicationPools>
<add name="YOUR_SITE_NAME" managedRuntimeVersion="v4.0">
<processModel identityType="ApplicationPoolIdentity" />
</add>
<add name="~1YOUR_SITE_NAME" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated">
<processModel identityType="ApplicationPoolIdentity" />
</add>
</applicationPools>
If you see this, then overlapped recycle is ENABLED!
You can't write directly to this file, but fortunately Microsoft gives us the power to transform it!
3) Transform it!
You can transform the applicationHost.config file by placing an applicationHost.xdt file in the /site directory of your website (mind you that the website itself is deployed in the /site/wwwroot directory, so your applicationHost.xdt transform must reside in the parent folder of where your website is).
If you want to disable overlapped recycle, then this is what you put in the file:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.applicationHost>
    <applicationPools>
      <add name="YOUR_SITE_NAME" xdt:Locator="Match(name)">
        <recycling disallowOverlappingRotation="true" xdt:Transform="Insert" />
      </add>
      <add name="~1YOUR_SITE_NAME" xdt:Locator="Match(name)">
        <recycling disallowOverlappingRotation="true" xdt:Transform="Insert" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
4) Restart the site.
Finally, you need to restart your site to have your transformations applied.
After restart, go to step 1 again and you should now see this instead:
<applicationPools>
<add name="YOUR_SITE_NAME" managedRuntimeVersion="v4.0">
<processModel identityType="ApplicationPoolIdentity" />
<recycling disallowOverlappingRotation="true" />
</add>
<add name="~1YOUR_SITE_NAME" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated">
<processModel identityType="ApplicationPoolIdentity" />
<recycling disallowOverlappingRotation="true" />
</add>
</applicationPools>
Et voilà: overlapped recycle is now disabled on your Azure website.
You will have to use a XDT transform similar to the one mentioned in https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples#remove-all-your-recycling-options-from-your-net-4-application-pool-and-make-it-available-always.
More details on using transforms are in http://blogs.msdn.com/b/waws/archive/2014/06/17/transform-your-microsoft-azure-web-site.aspx

PUT + DELETE Http Verbs returning 401/405 from API on shared hosting webserver

I have created an MVC Web API for some university coursework that works as expected on my development machine (running VS11).
However, when I deploy the application to the web server at 123reg, HTTP verbs other than GET and POST appear not to reach my application at all. Initially a 401 Not Authorised response was returned; however, after turning off the "WebDAV" module as suggested here, these 401s became 405 Method Not Allowed. In this case I only disabled the handlers, as disabling both the handlers and the module meant that my application did not start at all (error 500 without a stack trace [custom errors are off]).
I am planning to utilise the forms membership provider to add authentication capabilities to my API; however, I removed any [Authorise] attributes from my code when 401s began appearing.
Applications on 123Reg's shared hosting are run under Medium trust.
I have been in contact with 123Reg support, and they have been semi-helpful, but have since decided that they cannot help me further (they suggested adding HttpHandlers as detailed below). (Apparently, I should consult a web designer...)
Things I have tried:
I have added [AllowAnonymous] attributes to my controllers and/or actions with no effect.
I have added the authorization web.config element allowing all verbs and paths to all users, both authenticated and not:
<authorization>
<allow users="*" />
<allow users="?" />
<allow verbs="*" users="*" />
<allow verbs="*" users="?" />
</authorization>
I have added (As suggested by 123Reg):
<system.webServer>
<handlers>
<remove name="WebDAV" />
<add name="PUTVerbHandler" path="*" verb="PUT" modules="ProtocolSupportModule" resourceType="Unspecified" />
<add name="DELETEVerbHandler" path="*" verb="DELETE" modules="ProtocolSupportModule" resourceType="Unspecified" />
</handlers>
</system.webServer>
This appeared to be a step forward, as we now receive 405 responses rather than 401 responses; however, I am now unable to make any further progress. Additionally, I have also added:
<httpHandlers>
<add verb="*" path="*" type="System.Web.Mvc.MvcHttpHandler"/>
</httpHandlers>
This also made no difference.
Any help you can give would be much appreciated (I don't really want to have to move host for this application!)
This post solved my problem. I did all the regular things: added all the necessary <handlers> entries, disabled WebDAV, but I still had 401.3 Unauthorized.
Enabling forms authentication solved the problem:
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms" />
</system.web>
I found this: http://forums.iis.net/t/1163441.aspx
From the looks of that forum post, you need to completely uninstall WebDAV for the PUT and DELETE Verbs to work. This is not going to help on a shared webhosting scenario unfortunately.
For me it was something different.
I had to go to the site folder, open the Security tab for the folder, press the Edit button to change group or user name permissions, find the site from my IIS 8 sites and give it full control permission.
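The answers above converge on WebDAV intercepting PUT and DELETE before the application sees them. As an added example, not from the question or any of the answers, this web.config removes both the WebDAV module and its handler and re-registers the ASP.NET 4.0 extensionless URL handler with PUT and DELETE in its verb list (the default Web API project template does the same). The WebDAV and extensionless handler entry names are the standard IIS/ASP.NET 4.0 ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original post): web.config for an ASP.NET Web API
     application that must accept PUT and DELETE on IIS 7 or later in integrated mode. -->
<configuration>
  <system.webServer>
    <modules>
      <!-- WebDAVModule answers PUT/DELETE itself when installed; remove it for this app -->
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <!-- the WebDAV handler mapping would otherwise claim the same verbs -->
      <remove name="WebDAV" />
      <!-- re-register the extensionless handler so routed requests accept every verb
           the API uses; the stock template lists GET,HEAD,POST,DEBUG only -->
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0"
           path="*."
           verb="GET,HEAD,POST,DEBUG,PUT,DELETE"
           type="System.Web.Handlers.TransferRequestHandler"
           preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>
</configuration>
```

On a shared host that locks the modules section, the <modules> removal itself fails with a configuration error (an HTTP 500 with no stack trace), which may be what the question saw when both the handler and the module were removed; in that case only the handler entries can be changed from web.config.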
