Remove duplicate files from IIS for same application - iis

I have X copies of the same application in IIS (same code/exe, but different config file).
Would it be possible to put the duplicate files in some folder?
For example I have applications:
Canada.weather.com
usa.weather.com
mexico.weather.com
They use the same .dll and .exe, but have different configs.

As Lex says, we don't suggest putting duplicate files in a shared folder. If one of the DLLs is missing, it will bring all the sites down.
If you still want to do this, you could apply the setting in applicationHost.config, wrapping it in a <location> tag.
The applicationHost.config file path:
%windir%\system32\inetsrv\config\applicationHost.config
Each site will have its own location; you could add the custom configuration inside each location tag.
As shown below, I enable Windows authentication for "BrandoTestSite":
<location path="BrandoTestSite">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
Notice: This approach has lower maintainability. We don't suggest you choose it to manage multiple applications.

Related

Applying different Content Security Policies to different directories with NWebSec

I've got an ASP.NET MVC website with a heavily customised Umbraco 6 backend as the site's CMS.
I've been upgrading the content security policy (CSP) headers all across the site, which I am doing by use of NWebSec, and the website now happily uses CSP 3 strict-dynamic and there are nonces on every script tag, and everything works fine.
Unfortunately, I haven't been able to apply the same changes to the Umbraco admin area, so most of that does not work at all.
So what I want to do is apply the strict CSP 3 policy to the public-accessible parts of the website, and apply a relaxed CSP policy to the locked-down admin area.
The Umbraco admin area sits under a subdirectory /umbraco/ so I thought the best way to implement this would be to use two different location elements in the site's Web.config file.
So my Web.config now looks something like:
<!-- Specific CSP for Umbraco -->
<location path="~/umbraco">
  <nwebsec>
    ...
    <content-Security-Policy enabled="true">
      ...
      <script-src self="true" unsafeInline="true" unsafeEval="true">
        <add source="data:" />
      </script-src>
      ...
    </content-Security-Policy>
  </nwebsec>
</location>
<!-- default CSP for everything else -->
<location path=".">
  <nwebsec>
    ...
    <content-Security-Policy enabled="true">
      ...
      <script-src self="true" unsafeInline="true" unsafeEval="false" strictDynamic="true">
      </script-src>
      ...
    </content-Security-Policy>
  </nwebsec>
</location>
But this applies the default config to the whole site.
I'm not sure whether I've got the config wrong, or maybe NWebSec doesn't support what I'm trying to do, or there's some specific issue with redirects or something else.
Fixed by creating a separate Web.config in the /umbraco subdirectory.
Main Web.config:
<location path="." allowOverride="true">
  <nwebsec>
    ...
    <content-Security-Policy enabled="true">
      ...
      <script-src self="false" unsafeInline="true" unsafeEval="false" strictDynamic="true">
        <add source="www.example.com" />
      </script-src>
      ...
    </content-Security-Policy>
  </nwebsec>
</location>
Web.config in the /umbraco subdirectory:
<location path="." allowOverride="true">
  <nwebsec>
    ...
    <content-Security-Policy enabled="true">
      ...
      <script-src self="true" unsafeInline="true" unsafeEval="true" strictDynamic="false">
        <clear/>
        <add source="www.other-example.com" />
      </script-src>
      ...
    </content-Security-Policy>
  </nwebsec>
</location>
The config in the subdirectory overrides the main Web.config - so strictDynamic="false" switches off use of those CSP3 nonces, and the clear element removes all pre-existing elements in the collection so a new set of domains can be used.

Enable Compression Mime-types for Web-Site Application

Our website uses both dynamic and static compression. I know that compression can be enabled/disabled on a web.config level, but that the mime-types for static and dynamic compression cannot be enabled at a web-config level.
Meaning, this section:
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files" staticCompressionIgnoreHitFrequency="true">
  <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
  <staticTypes>
    Stuff
  </staticTypes>
  <dynamicTypes>
    Stuff
  </dynamicTypes>
</httpCompression>
Must go in the applicationHost.config, and is generally edited using appcmd.exe.
I know there is a location element in the applicationHost.config that allows setting many things on a per website basis, but I can't seem to find anywhere if mimetypes for dynamic compression are one of them.
I have tried overriding these settings using a location element, but have not had any success and cannot find documentation stating it's possible for the httpCompression element.
To make matters worse, we install our product as a web application under the default site, so really we want to enable these dynamic compression mime-types only under our application, instead of site (or server) wide. Is this possible?
Generally, we are using IIS 7 and above. Right now our minimum is 7, so assume anything needs to work with that.
My question is:
Can httpCompression settings be set in the applicationHost.config per website and possibly per web application under a web site?
Is there a different way to enable dynamicCompression specifics on a website/web application level?
Just an important precision: There is one prerequisite to ensure that you can add MIME Types in the "web.config" file:
It is possible to add MIME Types in the <staticTypes> and <dynamicTypes> sections at the website level (in "web.config") only if this is explicitly allowed at the "applicationHost.config" level, as explained in this solution from Stack Overflow:
The important thing to note is that modifying your applicationHost.config (in %windir%\system32\inetsrv\config) from the following setting:
<section name="httpCompression" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
to:
<section name="httpCompression" overrideModeDefault="Allow" />
will enable configuration of the httpCompression tag under the system.webServer tag in your web.config.
Yes, you can very well add dynamic and static types in the web application's web.config file. ApplicationHost.config will define global compression settings, and if you want to override them in your application you can do so. Following is a sample from one of my applications.
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
    <remove name="UrlRoutingModule-4.0" />
    <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
  <handlers>
    <add name="Glimpse" path="glimpse.axd" verb="GET" type="Glimpse.AspNet.HttpHandler, Glimpse.AspNet" preCondition="integratedMode" />
  </handlers>
  <httpCompression>
    <dynamicTypes>
      <remove mimeType="text/*" />
      <add mimeType="application/json" enabled="true" />
    </dynamicTypes>
  </httpCompression>
</system.webServer>
Here the remove tag in dynamicTypes removes the global entry coming from applicationHost.config.
The add tag adds an additional mimeType on top of the global entries from applicationHost.config. This addition will be applicable only to the application whose web.config is being modified.
Similarly you can modify staticTypes as well.

web.config causes HTTP 500 issue with virtual directory in IIS

I'm fairly new to IIS so apologies if this is a basic question.
I have an IIS config serving an internal company website (php instead of asp.net). The prod version of the website is at the 'Default Web Site' level and I've got demo and test versions of the website mapped as virtual directories. The demo and test versions are essentially copies of the prod directory. I've noticed that with the web.config copied to these VDs, I get an error 500 on the root url for the VD only. I.e. the main website is https://mainwebsite.com and works fine, but https://mainwebsite.com/demo/ doesn't work while https://mainwebsite.com/demo/index.php works fine.
The web.config file is pretty basic:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
    </handlers>
    <defaultDocument>
      <files>
        <add value="index.php" />
      </files>
    </defaultDocument>
    <staticContent>
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:03:00" />
    </staticContent>
  </system.webServer>
</configuration>
Moving the web.config file out of the way in the VD resolves the issue. Even though the files are identical, I wouldn't think that the file should cause a conflict as my understanding is that IIS supports multiple web config files.
Although I have a workaround in place by renaming or deleting the file, I am wondering if there's a way to keep the file in place without it causing this error.
Thanks to Panama Jack in the comments, I was able to resolve my issue.
I got this response with detailed errors:
Error Summary
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
And further down:
Config Error
Cannot add duplicate collection entry of type 'add' with unique key attribute 'value' set to 'index.php'
To resolve, I simply commented out this line in the web.config XML:
<add value="index.php" />
I'm sure there's a better way to approach this but for now, this gets me my answer and also how to get more info from IIS when the logs are not useful.
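Why the copied file fails, as an added example that is not part of the original answers: a virtual directory inherits the collections of the site above it, so a second <add> with the same key is rejected, while a <remove> (or <clear/>) ahead of the <add> lets the same file stay in place. The Python below is a simplified model of that merge, not IIS code; the function names and sample strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

class DuplicateEntry(Exception):
    """Raised where IIS would answer 500.19 for a repeated collection key."""

def merge_collection(inherited, element, key):
    """Apply one level's <clear/>, <remove> and <add> items, in document
    order, to the keys inherited from the level above."""
    result = list(inherited)
    for item in element:
        if item.tag == "clear":
            result = []
        elif item.tag == "remove":
            result = [k for k in result if k != item.get(key)]
        elif item.tag == "add":
            if item.get(key) in result:
                raise DuplicateEntry(
                    "Cannot add duplicate collection entry of type 'add' "
                    f"with unique key attribute '{key}' set to '{item.get(key)}'")
            result.append(item.get(key))
    return result

def effective_default_documents(configs):
    """configs: web.config texts ordered from the site root down to the
    directory being requested."""
    docs = []
    for text in configs:
        files = ET.fromstring(text).find("system.webServer/defaultDocument/files")
        if files is not None:
            docs = merge_collection(docs, files, "value")
    return docs

# Constructed sample based on the web.config quoted in the question.
SITE = """<configuration><system.webServer><defaultDocument><files>
  <add value="index.php" />
</files></defaultDocument></system.webServer></configuration>"""

# Copy kept in the virtual directory, made safe to inherit: drop the
# inherited key first, then add it back.
VDIR_FIXED = """<configuration><system.webServer><defaultDocument><files>
  <remove value="index.php" />
  <add value="index.php" />
</files></defaultDocument></system.webServer></configuration>"""

def demo():
    try:
        effective_default_documents([SITE, SITE])  # identical copy in /demo
        copied = "ok"
    except DuplicateEntry as exc:
        copied = str(exc)
    return copied, effective_default_documents([SITE, VDIR_FIXED])
```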
If you create a virtual directory to another web root, web.config will cause this (personally I think the location of this file is totally insane: mixed with htm and images etc.).
Replicate the directory somewhere else without the web.config file (excluding it), then point the virtual directory there, and have a task set up to copy newer files over.

Turn off / Disable windows authentication for asp.net-mvc

I created a new asp.net-mvc project and during setup I chose to use Windows Authentication.
Now I'd like to turn it off (at least for a while).
I changed the web.config to this
<authentication mode="None" />
But that doesn't change anything. It will still prompt me. I am using IIS Express.
UPDATE: I mean it still prompts me when using Firefox. Internet Explorer will continue and not show my domain username
1.) Close VS
2.) Remove the .vs/config or the .vs folder next to your solution. The IIS Express regenerates the config/applicationhost.config file. Changing this file does NOT help - it is regenerated
3.) Edit the <project>.csproj.user file. There change the lines
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
to
<IISExpressAnonymousAuthentication>enabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>disabled</IISExpressWindowsAuthentication>
4.) Edit and change the web.config
Change
<authentication mode="Windows" />
to
<authentication mode="None" />
or comment the whole authentication XML element.
The web config should overwrite the IIS express config but in this case it seems it does not. What you can try to do is to turn it off on the IIS level as well.
You can go to this directory \IISExpress\config\applicationhost.config, open up this file and set the <windowsAuthentication enabled="false" />.
I found this was possible in the web config by using the following documentation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio
The relevant block of web.config is:
<security>
  <authentication>
    <windowsAuthentication enabled="false" />
  </authentication>
</security>
You should unload the project, edit the project .csproj file and change the lines:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
Then, you should delete the .csproj.user file for your project, and remove the .vs directory for your solution.

Disable IIS Request Filtering for certain paths

Is there any way I can have IIS 7.0+ (or 7.5+) configured such that for certain paths Request Filtering is completely disabled. That is,
http://host.local/foo/bar.cs
is forbidden (since serving *.cs files is explicitly forbidden in applicationHost.config), but
http://host.local/foo/allow-all/bar.cs
is allowed.
In your allow-all directory, you can create a web.config file with the following configuration:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".cs" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <staticContent>
      <mimeMap fileExtension=".cs" mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
This configuration removes the .cs extension from the request filtering. Additionally, for IIS to properly serve content, it needs a MIME type, so the .cs extension is added as text/plain.
These changes will also apply to all child directories of allow-all. This configuration works with an Integrated App Pool. Classic may require additional changes since there are HTTP handlers that explicitly disallow .cs as well.
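Because an override like this also covers every child directory, it is worth knowing where such overrides exist. The following audit is an added example, not part of the original answer: it walks a content root and lists each web.config that lifts an inherited fileExtensions rule. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

FILTER = "system.webServer/security/requestFiltering/fileExtensions"

def relaxations(root):
    """Yield (location path, item) for each <remove>/<clear/> that lifts an
    inherited fileExtensions rule, at file level or inside <location>."""
    scopes = [("", root)] + [(l.get("path", ""), l) for l in root.iter("location")]
    for location, scope in scopes:
        collection = scope.find(FILTER)
        for item in (collection if collection is not None else []):
            if item.tag == "remove":
                yield location, item.get("fileExtension")
            elif item.tag == "clear":
                yield location, "<clear/>"

def audit_tree(site_root):
    """Walk a content root and report every directory whose web.config
    re-allows extensions that a higher level denies."""
    report = []
    for folder, _dirs, files in os.walk(site_root):
        for name in files:
            if name.lower() != "web.config":
                continue
            rel = os.path.relpath(folder, site_root).replace(os.sep, "/")
            try:
                root = ET.parse(os.path.join(folder, name)).getroot()
                report += [(rel, loc, what) for loc, what in relaxations(root)]
            except ET.ParseError as exc:
                report.append((rel, "", f"unparseable: {exc}"))
    return sorted(report)

# Constructed sample: the allow-all web.config from the answer above.
ALLOW_ALL = b"""<configuration><system.webServer><security><requestFiltering>
<fileExtensions><remove fileExtension=".cs" /></fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

def demo():
    with tempfile.TemporaryDirectory() as site:
        target = os.path.join(site, "foo", "allow-all")
        os.makedirs(target)
        with open(os.path.join(target, "web.config"), "wb") as fh:
            fh.write(ALLOW_ALL)
        with open(os.path.join(site, "web.config"), "wb") as fh:
            fh.write(b"<configuration><system.webServer /></configuration>")
        return audit_tree(site)
```

Each tuple in the report is (directory relative to the content root, location path inside that file, extension or <clear/>), so the sample tree yields one finding for foo/allow-all.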
