I want to restrict access using HTTP Basic Auth for a specific path, so that someone who visits /www/private will be prompted for authentication, but not someone who visits /www/public, /www/public/dashboard, ...
Note: "private", "public", "dashboard", etc. are not folders, but URL rewrites.
My current web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Imported Rule 1" stopProcessing="true">
<match url="\.(pdf|js|ico|gif|jpg|png|css|rar|zip|tar\.gz)$" ignoreCase="false" negate="true" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
<location path="mysite/www/private">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
<location path="mysite/www">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>
I also enabled basic auth and anonymous authorization in IIS Manager.
However, this does not work - it never prompts for authorization.
The IIS URL Rewrite module rewrites the request before the authentication kicks in, so with your current rewrite rule, this is not possible.
Excerpts from here
The URL Rewrite module is a native code module that plugs into the
request-processing pipeline at the Pre-begin Request or Begin Request
stages, and then evaluates the requested URL path by using a set of
rewrite rules. Each rewrite rule analyzes the URL path and, if all the
rule conditions are met, changes the original path to a new path.
After all the rules have been evaluated, the URL Rewrite module
produces a final URL path that is used for the request through the
remainder of the IIS pipeline processing. This means that the handler
selection in the IIS pipeline is made based on the rewritten URL that
is produced by the URL Rewrite module.
Your rewrite rule is written in such a way that it rewrites any path which is not to a static file to index.php. The rest of the IIS pipeline sees the path as index.php. You have to implement your authentication inside index.php. Or you can easily write a simple IIS module; this SO question talks about it. You have to add a little bit more logic to check the URL (if it contains www/private) and send 401, etc.
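The URL check the answer describes, with the path normalized before the prefix test so that case changes, percent-encoding or dot segments do not skip the authentication. This is an added example, not part of the original answer, written in Python rather than PHP or an IIS module so the logic can be run on its own. Assumptions: the application is handed the original, pre-rewrite URL and the Authorization header; PROTECTED_PREFIX, REALM, demo_check and its credentials are constructed for illustration.

```python
import base64
import hmac
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/www/private"  # the path from the question
REALM = "private"                  # assumed realm name


def normalize(raw_url):
    """Decode the original URL path once, drop dot segments, fold case."""
    path = unquote(raw_url.split("?", 1)[0]).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_protected(raw_url):
    path = normalize(raw_url)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def demo_check(user, password):
    # Constructed demo credentials; a real application verifies a password hash.
    ok_user = hmac.compare_digest(user.encode(), b"alice")
    ok_pass = hmac.compare_digest(password.encode(), b"correct horse")
    return ok_user and ok_pass


def authorize(raw_url, auth_header, check_credentials):
    """Return (status, headers) for the request as it looked before the rewrite."""
    if not is_protected(raw_url):
        return 200, {}
    creds = parse_basic(auth_header)
    if creds and check_credentials(*creds):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```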
Related
So my domain URL does not start with www, as I use abc, and whenever I follow any instructions on how to set up IIS for an HTTP to HTTPS redirect it does not seem to work for my domain structure, so I am curious if there is a separate approach for this. In particular I followed this approach:
https://www.namecheap.com/support/knowledgebase/article.aspx/9595/33/http-to-https-redirection-on-iis/
And it works for my server name called directly http://servername will redirect to https://servername but for my assigned domain name http://abc.mydomain.com will not redirect and I get a 403 forbidden error.
Any ideas?
*Edit
If I go into IIS Manager and uncheck "Require SSL" for my site, the redirect now works. Does requiring SSL not allow the redirect to happen since it's expecting only HTTPS requests, hence you shouldn't check this item if you plan to do a redirect?
My web config is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\website.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
<system.webServer>
<rewrite>
<rules>
<rule name="Http to Https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
This is a follow-up question to my previous one, focused on the fact that I'm getting a 404 error when I try to call a DELETE or a PUT verb for a Node.js application on IIS configured with iisnode and URL Rewrite as follows:
<handlers>
<add name="iisnode" verb="*" path="app.js" modules="iisnode" />
</handlers>
<rewrite>
<rules>
<rule name="my app rule" stopProcessing="true" patternSyntax="Wildcard">
<match url="*" />
<action type="Rewrite" url="app.js" />
</rule>
</rules>
</rewrite>
The script app.js is not even called, the url is not rewritten.
Is it a well known bug or what else am I supposed to do?
No issues for GET and PUT verbs instead (and of course I've already implemented a workaround using the latter).
That was due to the Request Filtering of IIS (tab HTTP Verbs)
Added there the missing verbs as shown in the screenshot below and problem solved.
As text, directly inside the system.webServer of the web.config:
<security>
<requestFiltering>
<verbs>
<add verb="PUT" allowed="true" />
<add verb="DELETE" allowed="true" />
</verbs>
</requestFiltering>
</security>
In Azure App Services you are able to redirect HTTP traffic to HTTPS either via the web.config file or through the custom domains blade in the Azure portal. Is it possible to disable HTTP completely without doing a redirect?
Here is a way to achieve this:
Go to Kudu console for the Web App
Go into the D:\home\site folder
Create a file called applicationhost.xdt in that folder, with the following content (you can drag/drop it from your local machine):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="%XDT_SITENAME%" xdt:Transform="InsertIfMissing" xdt:Locator="Match(path)">
<system.webServer xdt:Transform="InsertIfMissing">
<rewrite xdt:Transform="InsertIfMissing">
<rules xdt:Transform="InsertIfMissing">
<rule name="Disable HTTP" enabled="true" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
<add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="401" />
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>
This will make http requests fail with 401 (you can customize the response in the <action> tag).
I have a simple wildcard routing rule I want to apply for my Azure web app.
<rule name="MyRule">
<match url="*" />
<action type="Rewrite" url="/index.html" />
</rule>
Do I have any option here given I can't RDP into the machine and fiddle with IIS? This is not an ASP.Net website, it's a simple SPA application.
You need to create a web.config file in your wwwroot folder and put the relevant config entries there.
Here's an example of a web.config rule, to give you an idea of what it should look like.
The example below redirects the default *.azurewebsites.net domain to a custom domain (via http://zainrizvi.io/blog/block-default-azure-websites-domain/)
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect rquests to default azure websites domain" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_HOST}" pattern="^yoursite\.azurewebsites\.net$" />
</conditions>
<action type="Redirect" url="http://www.yoursite.com/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
If you simply want all URLs that resolve to this server and site to be rewritten to index.html, you could use this rewrite section:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="SPA">
<match url=".*" />
<action type="Rewrite" url="index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
This is very similar to what you have, except for some minor syntax fixes, e.g. the pattern should be ".*" and the rewrite URL target simply "index.html".
Note this means that ALL URLs to your site will be rewritten, even for other resources like CSS and JS files, images, etc. So you'd better be fetching your resources from other domains.
If you want to do actual rewrites (not redirects), don't forget to enable ARR with an applicationHost.xdt file put in the site folder with the following content:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<proxy xdt:Transform="InsertIfMissing" enabled="true" preserveHostHeader="false" reverseRewriteHostInResponseHeaders="false" />
<rewrite>
<allowedServerVariables>
<add name="HTTP_ACCEPT_ENCODING" xdt:Transform="Insert" />
<add name="HTTP_X_ORIGINAL_HOST" xdt:Transform="Insert" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
I have a URL rewrite in my web.config. The rewrite directives are intended to do two things:
If the URL refers to an actual file (such as a css file or image) don't rewrite
If the URL does not refer to an actual file, rewrite to index.php?request={R:1}
Case 2 works perfectly. However, if the requested file exists, I get a generic IIS response indicating an error: HTTP Error 500.50 - URL Rewrite Module Error. - and no other details. The error codes just indicate a generic rewrite module error.
What have I done wrong? This is IIS 10.0
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Do not rewrite existing files and folders" enabled="true" stopProcessing="true">
<match url="^(.*)$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{REQUEST_FILENAME}" matchType="IsFile" />
</conditions>
<action type="None" url="{R:0}" appendQueryString="true" logRewrittenUrl="true" />
</rule>
<rule name="Framework Parsing" stopProcessing="true">
<match url="^(.*)$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="index.php?request={R:1}" logRewrittenUrl="true" />
</rule>
</rules>
</rewrite>
<caching>
<profiles>
<remove extension=".php" />
</profiles>
</caching>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Xss-Protection" value="1; mode=block" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<add name="Referrer-Policy" value="origin" />
</customHeaders>
</httpProtocol>
<!-- staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="8.00:00:00" setEtag="true" />
</staticContent -->
</system.webServer>
</configuration>
This is the error page details:
Module RewriteModule
Notification BeginRequest
Handler StaticFile
Error Code 0x80070005
Requested URL XXXXXXXXX/css/foundation/foundation.min.css
Physical Path XXXXXXXXX\public\css\foundation\foundation.min.css
Logon Method Not yet determined
Logon User Not yet determined
I notice that its logon method and user are not determined.
Please try to enable anonymous authentication for your rewrite rule. And ensure IUSR has permission to access these files.