I have two applications:
X.Web - Asp.net core 1.1 web application
X.Api - ASP.NET WebApi2 application in .NET 4.6.1
Now they are both available as www.example.com/X.Web and www.example.com/X.Api respectively. My customer wants the web application to be available simply as www.example.com.
I tried a quick solution in my test environment - I just moved the content of X.Web folder to wwwroot and without any problems everything worked fine.
However, on my production server the web app works - htmls, scripts and styles are loaded correctly, but X.Api stops working - i get response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title> IIS 502.5 Error </title>
<style type="text/css"></style>
</head>
<body>
<div id = "content">
<div class = "content-container">
<h3> HTTP Error 502.5 - Process Failure </h3>
</div>
<div class = "content-container">
<fieldset>
<h4> Common causes of this issue: </h4>
<ul>
<li> The application process failed to start </li>
<li> The application process started but then stopped </li>
<li> The application process started but failed to listen on the configured port </li>
</ul>
</fieldset>
</div>
<div class = "content-container">
<fieldset>
<h4> Troubleshooting steps: </h4>
<ul>
<li> Check the system event log for error messages </li>
<li> Enable logging the application process’ stdout messages </li>
<li> Attach a debugger to the application process and inspect </li>
</ul>
</fieldset>
<fieldset>
<h4> For more information visit:
<a href="https://go.microsoft.com/fwlink/?linkid=808681">
<cite> https://go.microsoft.com/fwlink/?LinkID=808681 </cite>
</a>
</h4>
</fieldset>
</div>
</div>
</body>
</html>
for each and every request. In my Event log I can see:
Application 'MACHINE/WEBROOT/APPHOST/DEFAULT WEB SITE/X.API' with
physical root 'C:\inetpub\wwwroot\X.Api\' failed to start process
with commandline '"dotnet" .\X.Web.dll', ErrorCode =
'0x80004005 : 80008081.
The questions are:
1) what can be a problem
2) Why in the event log I can see ...failed to start process
with commandline '"dotnet" .**X.Web.dll**...
3) Is there any other way to achieve this simple requirement of my client
So, just to make sure I understand you properly, initially, you had: www.example.com/X.Web and www.example.com/X.Api, and X.Web was calling X.Api, right? Then you moved X.Web files from wwwroot/X.Web to wwwroot directly, and it worked on your env but not on the production env? Which version of IIS are you using?
1/ Maybe an idea: by moving X.Web maybe you have changed the user under which your X.Web application was running, making it unable to launch your ASP.NET Core application.
2/ My suggestion to 1 could explain, credentials issues.
3/ I would definitively avoid putting the file of X.Web directly under wwwroot and instead I would configure IIS to get a redirection from www.example.com to www.example.com/X.Wep. You could use URL Rewrite module (maybe an overkill in that case but it's a module that is very good to know in my opinion because it can help in various scenario) or simply configure IIS to redirect, this SO thread could be helping How to redirect a URL path in IIS?
Related
For me very basic navigation is not working with newly generated jHipster app.
I have 2 html pages in the root: index.html and network.html
Here is how I would like to redirect to network.html:
<a href="/network.html">
<button type="submit"
class="btn btn-info btn-sm">
<fa-icon icon="project-diagram"></fa-icon>
<span class="d-none d-md-inline">Network</span>
</button>
</a>
Unfortunately this doesn't work and I get 404 Not Found.
Can you please advise how to make external navigation working with JHipster? I have tried all examples from How to redirect to an external URL from angular2 route without using component? and nothing works
You have to modify src/main/java/{your-package}/config/WebConfigurer.java and add a resource handler for your static file. By default, all routes are redirected to index.html, which is how most SPA applications work.
The iis server in production is behaving differently from my pc for my restful api project. There are two below issues.
1) if the endpoint doesn’t exist under the website (eg https://xxx/website/invalidapi/), production iis is returning http status 404 instead of local pc is returning 500.
Below is error msg.
*<div class="content-container">
<h3>HTTP Error 404.0 - Not Found</h3>
<h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
</h4>
</div>
<div class="content-container">
<fieldset>
<h4>Most likely causes:</h4>
<ul>
<li>The directory or file specified does not exist on the Web server.</li>
<li>The URL contains a typographical error.</li>
<li>A custom filter or module, such as URLScan, restricts access to the file.</li>
</ul>
</fieldset>
</div>*
If the website/application doesn’t exist (eg, https://xxx/invalidwebsite/api/), production iis is returning http status 500 instead of local pc returning 404.
Below is 500 error msg
*<div id="header">
<h1>Server Error</h1>
</div>
<div id="content">
<div class="content-container">
<fieldset>
<h2>500 - Internal server error.</h2>
<h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
</fieldset>
</div>
</div>*
Is there some configuration in production iis to behave that way?
2) I am implementing iis rewrite rule to my website, the rule is to redirect the request with invalid (non-existing website) to default another website.
It is working well in my local pc. But in production iis, it is not redirecting and returning http status 403 for invalid website. If I tested to a test (existing site), it can rewrite correctly.
Is it due to the same reason as above? Kindly advise how I can fix ? Thanks.
I found some article about HTTPS iframe either on Google or StackExchange's site, but none of those questions match my question since most one is asking HTTPS frame in HTTP site.
So my question is let's support there is a domain secureframe.com with an SSL issue from Let's encrypt, and there is an app hosted on Heroku with domain secureapp.herokuapp.com, and we send sensitive data in that site, will there be security issue if we submit the data at secureframe.com where it makes an iframe that embed secureapp.herokuapp.com's webpage?
Or in another word, if we rewrite the secureframe.com to secureapp.herokuapp.com using .htaccess wildcard but NOT REDIRECT, will it also cause security issue?
Details:
First case:
secureframe.com:
<!DOCTYPE HTML>
<html>
<body>
<iframe src="https://secureapp.herokuapp.com" width="100%" height="100vh" />
</body>
</html>
secureapp.herokuapp.com:
<!DOCTYPE HTML>
<html>
<body>
<form action="/data" method="post">
<b>Security Number:</b>
<br />
<input type="password" name="security number">
</form>
</body>
</html>
No , there will be no security issue since from the context of your parent site , you tunnel over HTTPS to the content in the iframe . At no point of time is your data outside the tunnel.
A web page hosted on Node.js server in Azure cloud displays the page correctly (confirmed with browser console), but Azure webserver console stil creates/logs detailed error pages for various "missing" files (js, ico, css, ttf...).
Example error page in server console (from azure site log tail <site>):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS Detailed Error - 404.0 - Not Found</title>
...
<table border="0" cellpadding="0" cellspacing="0">
<tr class="alt"><th>Requested URL</th><td> http://servername:80/js/ripples.min.js</td></tr>
<tr><th>Physical Path</th><td> D:\home\site\wwwroot\js\ripples.min.js</td></tr>
<tr class="alt"><th>Logon Method</th><td> Anonymous</td></tr>
<tr><th>Logon User</th><td> Anonymous</td></tr>
</table>
...
How can I "fix" IIS not to raise/log these false positives?
I was able to solve this by disabling 'Detailed Error Messages' in the Azure website configuration:
My site has just been hacked and I suspect that it was a remote file inclusion attack. These are my server specs:
Windows Server 2008 R2 running ColdFusion 9 (9.0.1.274733) and IIS 7.5
This is the source code of the page that appeared after my site was hacked:
<!-- # sql_master : securiiity#gmail.com #-->
<html>
<head>
<title>0wned !</title>
<Meta http-equiv="content-type" content="text/html; charset=windows-1254">
<Meta http-equiv="content-type" content="text/html; charset=ISO-8859-9">
</head>
<body bgcolor="black">
<center>
<font color="#ffffff" size="3" face="Tahoma">0wned By <br>SQL_Master , Z0mbi3_Ma , xMjahd !</font>
<br><br>
<img src="http://fc08.deviantart.net/fs71/f/2010/255/e/7/never_look_back_by_arbebuk-d2yiadv.jpg" width="600" height="500"/>
<br><br> </div> </td>
<font color="#ffffff" size="3" face="Tahoma"><a class="__cf_email__" href="http://www.cloudflare.com/email-protection" data-cfemail="d389e3beb1bae08c9eb293bbbca7beb2babffdb0bcbe">
[email protected]</a>
<script type="text/javascript"> /* <![CDATA[ */ (function(){try{var s,a,i,j,r,c,l,b=document.getElementsByTagName("script");l=b[b.length-1].previousSibling;a=l.getAttribute('data-cfemail');if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})(); /* ]]> */ </script>
</font><br><br> <font color="#ffffff" size="3" face="Tahoma">FROM MOROCCO</font> </tr>
</table>
</body> </html>
My site and server are periodically scanned by Symantec and it only picked out the IP of the person who hacked my site.
After the site was hacked, I went and cleared the ColdFusion Verity search and in IIS, I made .cfm the default file type to give preference to and the site was back on line.
However, I did a whole site search but was unable to find the above code anywhere.
Can someone please explain to me how this types of attacks are made and how I can clean my site and server and prevent this from happening again in the future.
Thank you.