I'm trying to download the bootsrap fonts from a container I have in a site hosted by OK Hosting. I can download the font manually but when using it in a CSS on a page hosted in another server, it fails because cross site access is disabled.
I know OK Hosting uses IIS but they give you a web based control panel.
How do I enable cross site access?
Ok, you just have to add a file called web.config at the root of your site with the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
You might also need the following just below the Access-Control-Allow-Origin.
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
Related
I'm trying to add/remove certain http headers from responses coming back from a 'pure' web api application (i.e. no MVC) published to Azure.
I added the following web.config to the project in VS2019:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
<remove name="X-Powered-By"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
This works fine in my dev environment with IISExpress. It also works fine when the app is published to Azure for app services that are not configured for multi-instance scaling. However, when the app service is configured for multi-instance scaling (three instances in my case) then responses from the app contain 'X-Powered-By' and no 'X-Content-Type-Options' or 'X-Frame-Options'.
Publishing creates the following web.config in Out folder on my dev machine:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath=".\<apname>.exe" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" hostingModel="inprocess" />
</system.webServer>
</configuration>
I also verified that the above web.config is present in the root of the app service in Azure.
Is there anything else that needs to be done in app service configuration in Azure for this to work with multi-instance scaling?
After testing, you do not need to make any changes. In the code or web.config, your solution is currently possible, provided that it is deployed in a windows-based webapp. If it is deployed under linux, then the web.config file is not effective. The web.config file is only applicable to iis. Under linux, the configuration file that needs to be used should be .htaccess.
Put web.config under the wwwroot path, which is the root directory of the project.
Based on windows azure webapp, the post-deployment effect should be consistent with the local iis effect. After testing, after I deploy, you can see the screenshots, and the effect in your web.config has been achieved.
Note:
Some headers cannot be deleted, but they can be overwritten. They need to be coded in the program. You are not involved in this question yet.
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<-- replace server vaule -->
<add name="Server" value="N/A" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
Test Steps:
Method 1 with web.config
Create a sample project like below.
Deploy to azure, please see my files on scm site.
Method 2 without web.config (workaround, also works in linux)
Add below code in Startup.cs, it also works for me .
app.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
context.Response.Headers.Remove("X-Powered-By");
await next.Invoke();
});
I have a website hosted in IIS using windows authentication. It works fine.
But if I host it as a web application unter a website, windows authentication doesn't work and the authentication window shows and then doesn't go away even if I put in the correct user name and password.
The SPN, delegation and IIS settings should be correct, otherwise the website won't work. Only if I deploy it as web application, windows authentication stoped working. Any idea?
Thanks for the reply, the sub status code is 401.1 and here the web.config file on the application level
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath=".\DataService.exe" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
</system.webServer>
</location>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>
I finally found the solution.After enabling ASP.Net Impersonation on the web application, it works.Seems like, the web application needs impersonation to get the kerberos ticket from the website.
I have a site/application I would like to load in IIS. The root of the folders contains a web.config and index.asp. The sub folders are asp, scripts, styles, images.
I add Add Web site in IIS, define the physical path to the location of the index.asp, assign the IP address for host name I tried local host, IP, and leaving it blank. When I click on Browse Website I receive a HTTP 500 Internal Server Error. IIS is running and the Web Site is started in the Manage Website menu.
If I write a short index.html hello world page and set it as default document it displays ok. When I change default document back to index.asp I get the 500 error again.
Could someone give me a tip on how to proceed?
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
This is going to be a guess at best, since a 500 can mean anything without a sub-status code. It probably is due to configuration inheritance. index.asp is already in the default list of default documents at the server level. By adding index.asp, it may be causing a unique hey violation when the configuration inheritance is flattened into the effective configuration.
Suggestion:
Add a <clear /> element right above the <add value="index.asp" /> and try again. Otherwise, we will need to go get the sub status code of that 500 to get more information. The IIS log usually contains the sub status in the sc-substatus.
Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
If this works, then the reason it originally works with index.html because index.html is not in the default files list.
Additional Note
The other thing I can think of is that impersonation being enabled. If you are running the application pool in Integrated Pipeline mode, you'll need to turn off integrated mode configuration validation. More information can be found here: Integrated Pipeline mode configuration validation.
New Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="False" />
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?
Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering
you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
I'm trying to configure the default webpage for an IIS 7.5 website.
Request filtering is turned on. However .aspx pages are allowed, I've set default.aspx to be the default page for the website.
If I browse to localhost/default.aspx I get a webpage as expected.
IF I browse to localhost/ I get
HTTP Error 404.7 - Not Found
The request filtering module is configured to deny the file extension.
Any ideas?
It looks like the request filtering is actually filtering for a blank file name. Therefore you have to add this to the request filtering block in the web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
It's obvious now, but really I think its a massive gotcha.
More info: IIS 7 Not Serving Files - 404.7 Error
You can resolve by adding:
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
to your Web.Config file
You can resolve this by adding the file extension into the request filtering module of IIS.
Be sure to remove any PostBackURL="MyPage.aspx" from the button on the page. My guess is that when the postbackurl is included, IIS thinks its getting the page as a file. It rejects the .aspx file type by default. You can see this in the page error.
Bad: Creates a 404.7 (notice the PostBackURL)
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" PostBackUrl="MyPage.ascx" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />
Good: No error
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />