I have inherited the occasional duties for updating my agency website. The website is a very basic, static HTML site that runs on Azure. Only gets updated with new PDF documents. A few weeks ago I got notified by some security people wanting the website to NOT display a yellow screen of death and instead only show a generic 500 status page. The yellow screen of death says that the web.config file can be modified to do this. OK, fine by me.
After looking it appears I don't have a web.config file so I created one but when I copy it via FTP to my Azure account it immediately kills the website. After looking in the error logs in Azure I see that there is a "500.19 error; configuration section 'customerrors' cannot be read be read...missing a section declaration".
Here is my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<customerrors mode="off" />
</system.web>
</configuration>
Any ideas on what is going on? Thanks!
To handle 500 errors, aka Yellow Screens of Death, the following is added to the web.config, again shown as a config transformation.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="500.aspx" redirectMode="ResponseRewrite" xdt:Transform="SetAttributes">
<error statusCode="500" redirect="500.aspx" xdt:Transform="Insert" />
</customErrors>
</system.web>
</configuration>
The 500.aspx page added to the site root contains the following markup at the top of the file:
<%
Response.StatusCode = 500;
Response.TrySkipIisCustomErrors = true;
%>
Note: This is not ideal for a multi-site environment where the 500 page should be site-specific. To account for this, add logic to the 500.aspx page to transfer requests appropriately given the hostName requested.
For more details, you could refer to this article.
Related
Running ColdFusion 11 (Update 7) and IIS 7.5
My site application/root level web.config:
<configuration>
<system.webServer>
<httpErrors errorMode="Custom" />
</system.webServer>
</configuration>
My nested web.config file, which sits inside /api/eb :
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
When I visit a page that sits within the /api/eb sub-directory (e.g. 401.cfm) and trigger a 401 status code the server will return the Custom error handler response. My interpretation from the docs is that the nested web.config file should override the root web.config file but it clearly is not.
I've checked within the IIS applicationhost file and httpErrors overrideModeDefault is set to true. I also tried using a location tag within my root web.config file to do the same thing but it is also ignored unless I set the path to the wildcard character.
I'm out of ideas. Your help will be greatly appreciated. Thank you in advance.
I found this article which seems to explain your question pretty well - How to Use HTTP Detailed Errors in IIS 7.0
Specifically this excerpt:
Security Considerations
A word of caution: For architectural reasons, IIS can only execute the URL if it is located in the same Application Pool. Use the redirect feature to execute a Custom Error in a different Application Pool.
IIS can also return a 302 Redirect to the browser when a particular error occurs. Redirect is good if you have a server farm. For instance, you can redirect all your errors to a central location that you closely monitor.
There is risk however: responseMode="File" (which is the default) allows you to specify every file on the disk. This will not work if you are very security conscious.
A workable scenario might include only allowing the delegation of the errorMode setting. This enables a developer to receive Detailed Errors for his application even if he is using a remote client. All that is necessary is to set errorMode="Detailed". Here is how to configure this scenario:
Allow the delegation of the httpErrors section:
<section name="httpErrors" overrideModeDefault="Allow" />
Second, go to the section in applicationHost.config and change it so that only errorMode is delegated:
<httpErrors lockAllAttributesExcept="errorMode" lockElements="error">
<error statusCode="404" prefixLanguageFilePath="E:\inetpub\custerr" path="404.htm" />
<error statusCode="401" prefixLanguageFilePath="E:\inetpub\custerr" path="401.htm" />
<error statusCode="403" prefixLanguageFilePath="E:\inetpub\custerr" path="403.htm" />
<error statusCode="405" prefixLanguageFilePath="E:\inetpub\custerr" path="405.htm" />
<error statusCode="406" prefixLanguageFilePath="E:\inetpub\custerr" path="406.htm" />
<error statusCode="412" prefixLanguageFilePath="E:\inetpub\custerr" path="412.htm" />
<error statusCode="500" prefixLanguageFilePath="E:\inetpub\custerr" path="500.htm" />
<error statusCode="501" prefixLanguageFilePath="E:\inetpub\custerr" path="501.htm" />
<error statusCode="502" prefixLanguageFilePath="E:\inetpub\custerr" path="502.htm" />
</httpErrors>
Notice that the correct value for the overrideModeDefault attribute is Allow, not true as you mentioned in your question.
This article further explains the overrideModeDefault attribute - Understanding IIS 7.0 Configuration Delegation
Excerpt:
The overrideModeDefault attribute is an optional attribute that defines the locked state of a section. Its available values are either Allow or Deny. The default value is "Allow". All IIS sections that are related to any performance, security or critical aspect of the server are locked with this attribute set to "Deny". If the overrideModeDefault attribute is set to "Deny", then any configuration files at a lower level (i.e. web.config files) that set a value for a property for the specific configuration section are not able to take effect and override the global values. This incurs in a lock violation and an error occurs.
I'm fairly new to IIS so apologies if this is a basic question.
I have an IIS config serving an internal company website (php instead of asp.net). The prod version of the website is at the 'Default Web Site' level and I've got demo and test versions of the website mapped as virtual directories. The demo and test version are essentially copies of the prod directory. I've noticed the with the web.config copied to these VDs, I get an error 500 on the root url for the VD only. I.E. main website is https://mainwebsite.com and works fine but https://mainwebsite.com/demo/ doesn't work while https://mainwebsite.com/demo/index.php works fine.
The web.config file is pretty basic:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
</handlers>
<defaultDocument>
<files>
<add value="index.php" />
</files>
</defaultDocument>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:03:00" />
</staticContent>
</system.webServer>
</configuration>
Moving the web.config file out of the way in the VD resolves the issue. Even though the files are identical, I wouldn't think that the file should cause a conflict as my understanding is that IIS supports multiple web config files.
Although I have a workaround in place by renaming or deleting the file, I am wondering if there's a way to keep the file in place without it causing this error.
Thanks to Panama Jack in the comments, I was able to resolve my issue.
I got this response with detailed errors:
Error Summary
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
And further down:
Config Error
Cannot add duplicate collection entry of type 'add' with unique key attribute 'value' set to 'index.php'
To resolve, I simply commented out this line in the web.config XML:
<add value="index.php" />
I'm sure there's a better way to approach this but for now, this gets me my answer and also how to get more info from IIS when the logs are not useful.
if you create a virtual directory to another web root
web.config will cause this (personally I think the location of this file is totally insane.. mixed with htm and images etc. )
Replicate the directory somewhere else without the web.config file/excluding it..then point the virtual directory there.. & have a task set up to copy newer files over..
I have the simplist of web.config files and it works fine locally but on Windows Azure webs it doesnt show detailed errors ? Do they have them disabled on their services.
You cant get much simpler than this
<?xml version="1.0"?>
<configuration>
<system.web>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<compilation debug="false" targetFramework="4.0"/>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows"/>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
-->
<customErrors mode="Off"/>
</system.web>
</configuration>
But yet I still get the yellow screen of death
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
This is most probably due to config file transformation that happens when you create and deploy package on Azure. Check you web.config file related to build configuration used for Azure deployment (mostly it is 'web.release.config') in your web project. There may be config transformation that are setting customErrors to value other than Off
I installed Umbraco 4.5 and it is running fine. one thing i cant get to work though, is the 404. When it hit a page that does not excist it shows the default IIS7 404 page, and not the built-in umbraco 404 page.
So i am asuming it is a setting in the iis i have to change - but which?
Copy from http://our.umbraco.org/forum/using/ui-questions/8244-IIS7--404:
Basically, you need to add
<location path="Site Description">
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</location>
to your applicationHost.config file where "Site Description" is the name of your site in IIS7.
The applicationHost.config file is located in: system32\inetsrv\config
Edit:
As stated in the comments if this answer, you should add this section in your web.config instead which is way better, you should always avoid altering config files outside your own application that may affect other applications.
in config/umbraco.settings you can set the umbraco page to load for custom 404
<errors>
<!-- the id of the page that should be shown if the page is not found -->
<!-- <errorPage culture="default">1</errorPage>-->
<!-- <errorPage culture="en-US">200</errorPage>-->
<error404>1296`</error404>`
</errors>
The page error page ID goes between the <error404> & </error404> tags.
Hi I've got a site where I get the classic:
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
The problem is that although I change CustomErrors to On I can't see the error, and the xml of the web.config is not malformed since I've tried inducing this error and IIS told me, so it must be something else, but what should I look for?
Edit
I Should mention, that I only get this error when I publish my site, web.config doesn't return an error locally, only when I upload to production. I can't even get an html page to display, it still returns the web config error to me
If your using a web.config then I am assuming that you have an ASP.Net application. The web.config stores configurational data for a .NET application. If you don't create an application within your virtual directory then you will see the error you are because there is no application for IIS to serve. This link should help.