What exactly do the module ProtocolSupportModule? - iis

In the doc (https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview) they say that ProtocolSupportModule Implements the supports which allow or turn off keep-alive support via configuration. I don't understand what it's mean exactly ?
I saw that for example without ProtocolSupportModule the custom headers will not work. So it's not only about TRACE and OPTIONS
I Think now that maybe ProtocolSupportModule is connected to this in the web.config
<httpProtocol allowKeepAlive="true">
<customHeaders>
<clear />
</customHeaders>
<redirectHeaders>
<clear />
</redirectHeaders>
</httpProtocol>
This seam to correspond to what the doc say (keepalive, redirect and custom header)

Related

IIS request filtering file extensions allow directory with dot

We are using the request filtering for file extensions in our web.config like so:
<fileExtensions allowUnlisted="false">
<add fileExtension="." allowed="true" />
<add fileExtension=".aspx" allowed="true" />
<add fileExtension=".ashx" allowed="true" />
<add fileExtension=".asmx" allowed="true" />
<add fileExtension=".axd" allowed="true" />
<add fileExtension=".html" allowed="true" />
<add fileExtension=".htm" allowed="true" />
However we have run into a problem. When we go to a url with a directory with a dot in it, for example "https://localhost/myamazing.folder" it will return a "HTTP Error 404.7 - Not Found" since it now thinks that its an extension that's not allowed.
When allowUnlisted is set to true, or without any filtering, iis will perform a courtesy redirect because its a folder. Is there anyway to keep this redirect behavior intact while still filtering extensions?
This is iis default security setting if you want to allow the unspecified extension you need to enable it by using
another way is set allow file name extension and then set allow URL by following below step:
In the "URL" tab allow the list of URLs->add the URL which you only want to allow.
that's how it will redirect URL /myamazing.folder to /myamazing.folder/
if you are using asp.net mvc site you can refer to below link:
Dots in URL causes 404 with ASP.NET mvc and IIS

IIS 7.5 = Nested web.config will not override custom error handling set in application level web.config

Running ColdFusion 11 (Update 7) and IIS 7.5
My site application/root level web.config:
<configuration>
<system.webServer>
<httpErrors errorMode="Custom" />
</system.webServer>
</configuration>
My nested web.config file, which sits inside /api/eb :
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
When I visit a page that sits within the /api/eb sub-directory (e.g. 401.cfm) and trigger a 401 status code the server will return the Custom error handler response. My interpretation from the docs is that the nested web.config file should override the root web.config file but it clearly is not.
I've checked within the IIS applicationhost file and httpErrors overrideModeDefault is set to true. I also tried using a location tag within my root web.config file to do the same thing but it is also ignored unless I set the path to the wildcard character.
I'm out of ideas. Your help will be greatly appreciated. Thank you in advance.
I found this article which seems to explain your question pretty well - How to Use HTTP Detailed Errors in IIS 7.0
Specifically this excerpt:
Security Considerations
A word of caution: For architectural reasons, IIS can only execute the URL if it is located in the same Application Pool. Use the redirect feature to execute a Custom Error in a different Application Pool.
IIS can also return a 302 Redirect to the browser when a particular error occurs. Redirect is good if you have a server farm. For instance, you can redirect all your errors to a central location that you closely monitor.
There is risk however: responseMode="File" (which is the default) allows you to specify every file on the disk. This will not work if you are very security conscious.
A workable scenario might include only allowing the delegation of the errorMode setting. This enables a developer to receive Detailed Errors for his application even if he is using a remote client. All that is necessary is to set errorMode="Detailed". Here is how to configure this scenario:
Allow the delegation of the httpErrors section:
<section name="httpErrors" overrideModeDefault="Allow" />
Second, go to the section in applicationHost.config and change it so that only errorMode is delegated:
<httpErrors lockAllAttributesExcept="errorMode" lockElements="error">
<error statusCode="404" prefixLanguageFilePath="E:\inetpub\custerr" path="404.htm" />
<error statusCode="401" prefixLanguageFilePath="E:\inetpub\custerr" path="401.htm" />
<error statusCode="403" prefixLanguageFilePath="E:\inetpub\custerr" path="403.htm" />
<error statusCode="405" prefixLanguageFilePath="E:\inetpub\custerr" path="405.htm" />
<error statusCode="406" prefixLanguageFilePath="E:\inetpub\custerr" path="406.htm" />
<error statusCode="412" prefixLanguageFilePath="E:\inetpub\custerr" path="412.htm" />
<error statusCode="500" prefixLanguageFilePath="E:\inetpub\custerr" path="500.htm" />
<error statusCode="501" prefixLanguageFilePath="E:\inetpub\custerr" path="501.htm" />
<error statusCode="502" prefixLanguageFilePath="E:\inetpub\custerr" path="502.htm" />
</httpErrors>
Notice that the correct value for the overrideModeDefault attribute is Allow, not true as you mentioned in your question.
This article further explains the overrideModeDefault attribute - Understanding IIS 7.0 Configuration Delegation
Excerpt:
The overrideModeDefault attribute is an optional attribute that defines the locked state of a section. Its available values are either Allow or Deny. The default value is "Allow". All IIS sections that are related to any performance, security or critical aspect of the server are locked with this attribute set to "Deny". If the overrideModeDefault attribute is set to "Deny", then any configuration files at a lower level (i.e. web.config files) that set a value for a property for the specific configuration section are not able to take effect and override the global values. This incurs in a lock violation and an error occurs.

Enable Compression Mime-types for Web-Site Application

Our website uses both dynamic and static compression. I know that compression can be enabled/disabled on a web.config level, but that the mime-types for static and dynamic compression cannot be enabled at a web-config level.
Meaning, this section:
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files" staticCompressionIgnoreHitFrequency="true">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
<staticTypes>
Stuff
</staticTypes>
<dynamicTypes>
Stuff
</dynamicTypes>
</httpCompression>
Must go in the applicationHost.config, and is generally edited using appcmd.exe.
I know there is a location element in the applicationHost.config that allows setting many things on a per website basis, but I can't seem to find anywhere if mimetypes for dynamic compression are one of them.
I have tried overriding these settings using a location element, but have not had any success and cannot find documentation stating it's possible for the httpCompression element.
To make matters worse, we install our product as a web application under the default site, so really we want to enable these dynamic compression mime-types only under our application, instead of site (or server) wide. Is this possible?
Generally, we are using IIS 7 and above. Right now our minimum is 7, so assume anything needs to work with that.
My question is:
Can httpCompression settings be set in the applicationHost.config per website and possible per web application under a web site?
Is there a different way to enable dynamicCompression specifics on a website/web application level?
Just an important precision: There is one prerequisite to ensure that you can add MIME Types in the "web.config" file:
It is possible to add MIME Types in the <staticTypes> and <dynamicTypes> sections at the website level (in "web.config") only if this is explicitely allowed at the "applicationHost.config" level, as explained in this solution from Stack Overflow:
The important thing to note is that modifying your
applicationHost.config (in %windir%\system32\inetsrv\config) from the following setting:
<section name="httpCompression" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
to:
<section name="httpCompression" overrideModeDefault="Allow" />
will enable configuration of the httpCompression tag under the
system.webServer tag in your web.config.
Yes you can very well add dynamic and static types in web application's web.config file. ApplicationHost.config will define global compression settings and if you want to override them in your application you can do so. Following is sample from one of my application.
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
<remove name="UrlRoutingModule-4.0" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" />
</modules>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add name="Glimpse" path="glimpse.axd" verb="GET" type="Glimpse.AspNet.HttpHandler, Glimpse.AspNet" preCondition="integratedMode" />
</handlers>
<httpCompression>
<dynamicTypes>
<remove mimeType="text/*" />
<add mimeType="application/json" enabled="true" />
</dynamicTypes>
</httpCompression>
Here remove tag in dynamicTypes removes global entry coming from ApplicationHost.config
add tag is adding additional mimeType on top of global entries from applicationHost.config. This addition will be applicable only for whose web.config is being modified.
Similarly you can modify staticTypes as well.

MVC WebAPI2 attribute routing using a path ending with a route parameter of type double

We are having an issue with WebApi2 attribute routing. We recently upgraded to MVC5 and Web Api 2. As part of the upgrade we shifted our Web Api to use Attribute routing.
One of our API calls allows for data to be requested using a latitude and longitude bounding box.
https://myapi.com/v1/things/area/{toplat}/{leftlon}/{botlat}/{rightlon}
This worked in the previous api, but not in the new one. We can't find a configuration that allows this to work. The final argument {rightlon} is a double and the xx.XXX is interpreted as a file extension.
Specifying the parameters as a double {toplat:double} had no impact. We can't easily force the legacy clients to update to include a trailing slash as some posts suggest. This config change also didn't work for us.
Why is my Web API method with double args not getting called?
Has anyone found a way to use attribute routing in WebApi2 to allow for a route that has a double/decimal/float as the last route parameter?
Solved.
The linked article did include the solution but also needed the correct format on the Attribute Routing.
[HttpGet] [Route("~/v1/things/area/{toplat:double}/{leftlon:double}/{botlat:double}/{rightlon:double}")]
in the web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
<modules>
<remove name="UrlRoutingModule-4.0" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />
</modules>
</system.webServer>

PUT + DELETE Http Verbs returning 401/405 from API on shared hosting webserver

I have created an MVC Web Api for some university coursework, that works as expected on my development machine (Running VS11).
However when I deploy the application to the webserver on 123reg HttpVerbs other than GET and POST appear to not reach my application at all, initially a 401 Not Authorised response was returned; however after turning off the "WebDAV" module as suggested here these 401s became 405 Method not allowed. In this case I only disabled the handlers as disabling both the handlers and the module meant that my application did not start at all (Error 500 without a stacktrace [custom errors are off]).
I am planning to utilise the forms membership provider to add authentication capabilities to my API, however I removed any [Authorise] attributes from my code when 401s began appearing.
Applications on 123Reg's shared hosting are run under Medium trust.
I have been in contact with 123Reg support, and they have been semi helpful, but have since decided that they cannot help me further (They suggested adding HttpHandlers as detailed below) (Apparently, I should consult a web designer...)
Things I have tried:
I have added [AllowAnonymous] Attributes to my controllers and/or actions with no effect.
I have added the authorization web.config attribute allowing all verbs and paths to all users both authenticated and not:
<authorization>
<allow users="*" />
<allow users="?" />
<allow verbs="*" users="*" />
<allow verbs="*" users="?" />
</authorization>
I have added (As suggested by 123Reg):
<system.webServer>
<handlers>
<remove name="WebDAV" />
<add name="PUTVerbHandler" path="*" verb="PUT" modules="ProtocolSupportModule" resourceType="Unspecified" />
<add name="DELETEVerbHandler" path="*" verb="DELETE" modules="ProtocolSupportModule" resourceType="Unspecified" />
</handlers>
</system.webServer>
This appeared to be a step forward, as we now receive 405 responses rather then 401 respones, however I am now unable to make any further progress. Additionally I have also added:
<httpHandlers>
<add verb="*" path="*" type="System.Web.Mvc.MvcHttpHandler"/>
</httpHandlers>
This also made no difference.
Any help you can give would be much appreciated (I dont really want to have to move host for this application!)
This post solved my problem. I did all the regular things: added all the necessary <handlers> entries, disabled WebDAV, but I still had 401.3 Unauthorized.
Enabling forms authentication solved the problem:
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms" />
</system.web>
I found this: http://forums.iis.net/t/1163441.aspx
From the looks of that forum post, you need to completely uninstall WebDAV for the PUT and DELETE Verbs to work. This is not going to help on a shared webhosting scenario unfortunately.
For me it was something different.
I had to go to the site folder, open the security tab for the folder, press Edit button to change group or user names permissions, find the site from my IIS 8 sites and give it a full control permission.

Resources