I'm trying to configure web.config for my Azure web app service. I want to restrict the ftp access to only specific URLs. But when i am adding the tag, it is giving me the error -
Parser Error Message: Unrecognized configuration section system.ftpServer.
Can you please guide me where i am doing the mistake.
Thanks in advance
My Web.config file -
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off" />
</system.web>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
<location path="<<FTP hostname>>">
<system.ftpServer>
<security>
<authorization>
<add accessType="Allow" roles="administrators" permissions="Read, Write" />
</authorization>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<add fileExtension=".exe" allowed="false" />
<add fileExtension=".bat" allowed="false" />
<add fileExtension=".cmd" allowed="false" />
</fileExtensions>
<requestLimits maxAllowedContentLength="1000000" maxUrl="1024" />
<hiddenSegments>
<add segment="_vti_bin" />
</hiddenSegments>
</requestFiltering>
<ipSecurity enableReverseDns="false" allowUnlisted="true">
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="false" />
</ipSecurity>
</security>
</system.ftpServer>
</location>
Some verisons of IIS donot support 'system.ftpServer' configuration or you need to download ftp module manually. You can reference the artice https://www.iis.net/configreference/system.ftpserver and check your IIS version.
Related
I'd like to make my website accessible only by a few IP addresses. I've added the <ipSecurity> tag but it seems to get ignored.
This is my current config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="PHP" />
<add name="PHP" path="*.php" verb="*" modules="CgiModule" scriptProcessor="C:\PHP\5.4.0\php-cgi.exe" resourceType="File" requireAccess="Script" />
</handlers>
<defaultDocument>
<files>
<remove value="index.htm" />
<remove value="index.html" />
<remove value="index.asp" />
<add value="index.html" />
<add value="index.php" />
<add value="index.asp" />
</files>
</defaultDocument>
<httpErrors errorMode="Detailed" />
</system.webServer>
<location path="Default Web Site">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<add ipAddress="79.1.2.3" />
</ipSecurity>
</security>
</system.webServer>
</location>
</configuration>
But the site is accessible by everywhere.
If I add the <security> block inside <system.webServer> then no IP can see the site, not even the one listed, by getting 403.
What's wrong?
Try to add below code in your site web.config file:
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<add ipAddress="ip" allowed="true" /> <!--allow-->
<add ipAddress="ip" allowed="false" /> <!--deny-->
</ipSecurity>
</security>
deny:
allow:
Regards,
Jalpa
I added X-frame-Options in my web.config.
This is my web.config
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
After restarting IIS I got 500 error!!!
Can someone help me to find out the problem?
Modify your customHeaders as below:
<customHeaders>
<clear />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
I suspect that your application is located within a virtual folder, if that's the case then two web.config files are processed. First is the global one, the the second time is yours. So you end up having two collection of customHeaders.
Blog post IIS 7: But why do I get a 500.19 explains in more details why it is happening and how to fix it.
Your location to add CustomHeaders is wrong. Correct location is :
....
</system.web>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false" />
</verbs>
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="ALLOW" />
<remove name="X-Powered-By" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
....
Other option is Useful for your application security.
I have a problem with form authentication from IIS. The problem is that i can't access the login.html file, even though a put the tag location in my web.config file. I use only form authentication.
Here is my config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.html" name="formsauth1" timeout="60" defaultUrl="index.html">
<credentials passwordFormat="Clear">
<user name="username" password="pass" />
</credentials>
</forms>
</authentication>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
<location path="login.html">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I'm trying to start my web site on iis server and I use php for that.
every thing is fine on server but defaultDocument.
how can I set that on web.config file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument enabled="true">
<files>
<remove value="default.aspx" />
<remove value="iisstart.htm" />
<remove value="index.html" />
<remove value="index.htm" />
<remove value="Default.asp" />
<remove value="Default.htm" />
<add value="index.php" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
this is the default xml and I try other thing like:
<clear />
or try to remove other pages...
any Idea how can I set this file?
after some more researches, the only suitable config was this...
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.php" />
<add value="index.html" />
<add value="index.htm" />
</files>
</defaultDocument>
</system.webServer>
<system.data>
<DbProviderFactories>
<remove invariant="System.Data.SqlServerCe.4.0" />
<add invariant="System.Data.SqlServerCe.4.0" name="Microsoft® SQL Server® Compact 4.0" description=".NET Framework Data Provider for Microsoft SQL Server Compact" type="System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe, Version=4.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" />
</DbProviderFactories>
</system.data>
</configuration>
For security reasons I want to disable those methods through application level
so I have this web.config file:
<configuration>
<location path="index.php">
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
<system.web>
<authorization>
<deny verbs="OPTIONS" users="*" />
<deny verbs="TRACE" users="*" />
<deny verbs="HEAD" users="*" />
<deny verbs="PROPFIND" users="*" />
<deny verbs="COPY" users="*" />
<deny verbs="LOCK" users="*" />
<deny verbs="UNLOCK" users="*" />
<deny verbs="PROPPATCH" users="*" />
<deny verbs="MKCOL" users="*" />
<deny verbs="MOVE" users="*" />
<deny verbs="DELETE" users="*" />
</authorization>
</system.web>
</location>
</configuration>
But this didn't work - any ideas?
Finaly I found another answer for this problem. and this is working for me. Just add below datas to the your webconfig file.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Form more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering
if you want to test your web site, is it working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/
This worked for me but only after forcing the specific verbs to be handled by the default handler.
<system.web>
...
<httpHandlers>
...
<add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx
An easy way to test is just to deny GET and see if your site loads.
This one disables all bogus verbs and only allows GET and POST
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<clear/>
<add verb="GET" allowed="true"/>
<add verb="POST" allowed="true"/>
</verbs>
</requestFiltering>
</security>
</system.webServer>
For anyone looking for a UI option using IIS Manager.
Open the Website in IIS Manager
Go To Request Filtering and open the Request Filtering Window.
Go to Verbs Tab and Add HTTP Verbs to "Allow Verb..." or "Deny Verb...".
This allow to add the HTTP Verbs in the
"Deny Verb.." Collection.
Request Filtering Window in IIS Manager
Add Verb... or Deny Verb...