IIS Removing nosniff header for images - iis

I have an API that returns images, like:
/api/products/images/233 -> This will return a 233.jpg image
But my IIS has a rule to add the X-Content-Type-Options header to the responses for security, and that breaks the images on Internet Explorer, so I need a way to remove this rule when the endpoint /products/images/ is called, or a way to add the header only if it's not that endpoint.
I tried to use this about Custom Headers
But it didn't work, I tried like this:
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Remove nosniff">
<match serverVariable="RESPONSE_X_Content_Type_Options" pattern="/products/images/" />
<action type="Rewrite" value="none"/>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
But it didn't change anything; the images still have the "nosniff" header.
Am I missing some configuration? Or is there another way to do that?

Your match condition is checking if the header RESPONSE_X_Content_Type_Options contains the value /products/images/ instead of nosniff. You can use a Location block to restrict this rule to /products/images/, then use pattern="nosniff" to find the value nosniff:
<configuration>
...
<system.webServer/>
...
<location path="products/images/">
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Remove nosniff">
<match serverVariable="RESPONSE_X_Content_Type_Options" pattern="nosniff" />
<action type="Rewrite" value="none"/>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</location>
</configuration>
See the docs for the <location> element: https://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
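A narrower variant of the rule above, as an added example that is not part of the original answer: it relaxes the header only when the response is an image and the client identifies as Internet Explorer, so every other response under that path keeps nosniff. The precondition name and the User-Agent pattern are assumptions; the path and action are taken from the answer.

```xml
<configuration>
  <!-- Path copied from the answer; adjust it to the site-relative path of the image endpoint. -->
  <location path="products/images/">
    <system.webServer>
      <rewrite>
        <outboundRules>
          <!-- Only runs when the precondition below holds. -->
          <rule name="Remove nosniff for IE image responses" preCondition="IsImageResponse">
            <match serverVariable="RESPONSE_X_Content_Type_Options" pattern="nosniff" />
            <conditions>
              <!-- Assumed pattern: legacy IE sends "MSIE ", IE 11 sends "Trident/". -->
              <add input="{HTTP_USER_AGENT}" pattern="MSIE |Trident/" />
            </conditions>
            <!-- Same action as in the answer. -->
            <action type="Rewrite" value="none" />
          </rule>
          <preConditions>
            <!-- Hypothetical name; matches only image/* responses. -->
            <preCondition name="IsImageResponse">
              <add input="{RESPONSE_CONTENT_TYPE}" pattern="^image/" />
            </preCondition>
          </preConditions>
        </outboundRules>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
```

After deploying, request one image and one non-image URL under the path and compare the response headers to confirm that only the image response lost nosniff.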

Related

URL Rewrite Rules for domain and subdirectory

We're trying to rewrite to a specific domain and subdirectory, when we rewrite to the domain it works fine but trying to get to the subdirectory either brings up the wrong page or doesn't work at all.
Here is what we have now that is working to rewrite the domain, but doesn't go to the proper subdirectory and page.
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Rewrite to site.firstdomain.com">
<match url="(.*)" ignoreCase="true" />
<action type="Rewrite" url="https://site.firstdomain.com/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
With the above set up entering https://site.seconddomain.com takes us to https://site.seconddomain.com/Account/Login?ReturnUrl=%2f
But we really want to go to
https://site.seconddomain.com/Account/Login?co=7xTixDp4F%2fzAp0WobaTTjw%3d%3d
But if I try
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Rewrite to site.firstdomain.com">
<match url="(.*)" ignoreCase="true" />
<action type="Rewrite" url="https://site.firstdomain.com/Account/Login?co=7xTixDp4F%2fzAp0WobaTTjw%3d%3d" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
We still don't get taken to the https://site.seconddomain.com/Account/Login?co=7xTixDp4F%2FzAp0WobaTTjw%3D%3D address and the page displays the wrong images and then eventually Chrome says there is a memory error.
Is this something to do with the special characters in co=7xTixDp4F%2FzAp0WobaTTjw%3D%3D ?
Or I'm beginning to think this isn't a URL rewrite issue and is something with the page/system, any ideas?

How to set IIS url rewrite for http header

This is an inbound rule in my iis web site.
<rewrite>
<rules>
<rule name="ToBackEnd">
<match url="^v1/api/(.*)" />
<action type="Rewrite" url="https://172.16.8.78/v1/api/{R:1}" />
</rule>
</rules>
</rewrite>
I want to add a header (Access-Control-Allow-Origin) to the response for only this request. There are some solutions tags in . But I do not want this? How can I set in rule?
URL rewrite outbound rule can help override the Access-Control-Allow-Origin from your application for a specific URL but it can't add a response header. So if you can get the expected header by rewriting your existing Access-Control-Allow-Origin, then an outbound rule can be involved.
<outboundRules>
<rule name="outbound rule" enabled="false">
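<!-- Response headers are addressed as RESPONSE_ plus the header name with dashes replaced by underscores. -->
<match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />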
<action type="Rewrite" value="*" />
</rule>
</outboundRules>
If you only need to add a header for a specific page, you can use the CORS module with a <location> tag:
https://www.iis.net/downloads/microsoft/iis-cors-module
If you need to add another header for a wildcard URL like v1/api/*, then a custom httpmodule in the integrated pipeline would be a choice.

IIS Rewrite Rule for Single Page App

My goal is to be able to access this URL from remote machine via IIS Rewrite:
http://host:5000/#!/room/5963bdd51eeaa415988ec6d9
using the following URL:
http://{host}/chat/
Here's my web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="chat" stopProcessing="true">
<match url="chat/*" />
<action type="Rewrite" url="http://127.0.0.1:5000" />
</rule>
</rules>
<outboundRules>
<rule name="chat" preCondition="">
<match filterByTags="A, Area, Base, Form, Head, IFrame, Img, Input, Link, Script" pattern="chat/*" negate="false" />
<action type="Rewrite" value="http://127.0.0.1:5000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
Anything I'm doing wrong? Thanks
Since this is an outbound rule, your client will receive the address as http://127.0.0.1:5000. Assuming the client machine has no application installed at port 5000, you will run into an error.
Try using an inbound rewrite rule (if you don't want the URL to change in the browser) or an inbound redirect rule (if you want the URL to change in the browser) with the same parameters and let the server do the talking.

Rewriting a URL in an Azure web app

I have a simple wildcard routing rule I want to apply for my Azure web app.
<rule name="MyRule">
<match url="*" />
<action type="Rewrite" url="/index.html" />
</rule>
Do I have any option here given I can't RDP into the machine and fiddle with IIS? This is not an ASP.Net website, it's a simple SPA application.
You need to create a web.config file in your wwwroot folder and put the relevant config entries there.
Here's an example of a web.config rule, to give you an idea of what it should look like.
The example below redirects the default *.azurewebsites.net domain to a custom domain (via http://zainrizvi.io/blog/block-default-azure-websites-domain/)
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect requests to default azure websites domain" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^yoursite\.azurewebsites\.net$" />
</conditions>
<action type="Redirect" url="http://www.yoursite.com/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
If you simply want all URLs that resolve to this server & site to redirect to index.html, you could use this rewrite section:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="SPA">
<match url=".*" />
<action type="Rewrite" url="index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
This is very similar to what you have except some minor syntax fixes e.g. the pattern should be ".*" and the rewrite URL target simply "index.html".
Note this means that ALL URLs to your site will be rewritten, even for other resources like CSS and JS files, images etc. So you'd better be fetching your resources from other domains.
If you want to do actual rewrites (not redirects), don't forget to enable ARR with an applicationHost.xdt file put in the site folder with the following content:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
<rewrite>
<allowedServerVariables>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="Insert" />
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="Insert" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
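The caveat above, that a bare ".*" rule also rewrites requests for CSS, JS and image files, can be handled with URL Rewrite's file and directory match types. This web.config is an added example, not from any of the answers; the rule name is an assumption.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="SPA fallback" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <!-- Skip requests that map to a real file on disk (CSS, JS, images). -->
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <!-- Skip requests that map to a real directory. -->
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <!-- Everything else is served by the SPA entry point. -->
          <action type="Rewrite" url="index.html" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```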

IIS redirect to full domain name

I need to redirect from
http://someserver/someapplication.page.aspx
to
http://someserver.domain.com/someapplication.page.aspx
Both the requests lead to the same server.
someserver/ works through our company's internal DNS
This is the same question as Redirecting to Full Domain
but I want an IIS solution for this, not code. My guess is it will have something to do with adding an httpRedirect add element in Configuration Editor using wildcards.
You can use URL Rewrite for that which is the recommended way to do it in IIS, simply add a web.config with a rule like:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to full domain" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^someserver$" />
</conditions>
<action type="Redirect" url="http://someserver.domain.com/{R:0}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
