I need to translate a .htaccess file to web.config for use on IIS 7.5:
IndexIgnore */*
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
This is intended to prevent public access to any file in the /core directory by locating the file at /core/.htaccess.
The application still requires access to php files and other assets from the /core directory.
I tried hiddenSegments:
<security>
<requestFiltering>
<hiddenSegments>
<add segment="core"/>
</hiddenSegments>
</requestFiltering>
</security>
and denyUrlSequences:
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="/core/" />
</denyUrlSequences>
</requestFiltering>
</security>
however these prevent the admin panel from functioning as requests like the following are blocked:
http://www.domain.com/admin/assets/core/admin.js
because the URL contains the blocked sequence core.
Can anyone suggest how public access to resources in the /core directory can be prevented while allowing the admin panel to function?
I've implemented a solution by placing the following web.config in the directory that URL access should be denied for:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<!-- prevent url access to this and sub directories -->
<denyUrlSequences>
<add sequence="/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Related
Just created a new Asp.Net Core MVC App and published it to Azure.
By adding the location/path element to a web.config and re-publishing the site.... my azure-app is immediately broken.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="authenticate" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</location>
</configuration>
Why is the below not working in Azure Web App?
Could you please try the below code, assuming you want to restrict user to access anything under authenticate folder:-
The following web.config example would apply any settings within the elements only to any resources located within the /authenticatedirectory of the site:
<location path="~/authenticate" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</location>
If it doesn't work, can you enable the under system.web and let me know what errors are you getting.
I have a site/application I would like to load in IIS. The root of the folders contains a web.config and index.asp. The sub folders are asp, scripts, styles, images.
I add Add Web site in IIS, define the physical path to the location of the index.asp, assign the IP address for host name I tried local host, IP, and leaving it blank. When I click on Browse Website I receive a HTTP 500 Internal Server Error. IIS is running and the Web Site is started in the Manage Website menu.
If I write a short index.html hello world page and set it as default document it displays ok. When I change default document back to index.asp I get the 500 error again.
Could someone give me a tip on how to proceed?
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
This is going to be a guess at best, since a 500 can mean anything without a sub-status code. It probably is due to configuration inheritance. index.asp is already in the default list of default documents at the server level. By adding index.asp, it may be causing a unique hey violation when the configuration inheritance is flattened into the effective configuration.
Suggestion:
Add a <clear /> element right above the <add value="index.asp" /> and try again. Otherwise, we will need to go get the sub status code of that 500 to get more information. The IIS log usually contains the sub status in the sc-substatus.
Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
If this works, then the reason it originally works with index.html because index.html is not in the default files list.
Additional Note
The other thing I can think of is that impersonation being enabled. If you are running the application pool in Integrated Pipeline mode, you'll need to turn off integrated mode configuration validation. More information can be found here: Integrated Pipeline mode configuration validation.
New Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="False" />
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?
Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering
you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
I'm trying to configure the default webpage for an IIS 7.5 website.
Request filtering is turned on. However .aspx pages are allowed, I've set default.aspx to be the default page for the website.
If I browse to localhost/default.aspx I get a webpage as expected.
IF I browse to localhost/ I get
HTTP Error 404.7 - Not Found
The request filtering module is configured to deny the file extension.
Any ideas?
It looks like the request filtering is actually filtering for a blank file name. Therefore you have to add this to the request filtering block in the web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
It's obvious now, but really I think its a massive gotcha.
More info: IIS 7 Not Serving Files - 404.7 Error
You can resolve by adding:
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
to your Web.Config file
You can resolve this by adding the file extension into the request filtering module of IIS.
Be sure to remove any PostBackURL="MyPage.aspx" from the button on the page. My guess is that when the postbackurl is included, IIS thinks its getting the page as a file. It rejects the .aspx file type by default. You can see this in the page error.
Bad: Creates a 404.7 (notice the PostBackURL)
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" PostBackUrl="MyPage.ascx" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />
Good: No error
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />
I managed to secure a folder structure with URL authorization in IIS7 with the following :
<location path="Reports">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</security>
</system.webServer>
</location>
<location path="Reports/Company1">
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="User1"/>
</authorization>
</security>
</system.webServer>
</location>
<location path="Reports/Company2">
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="User2" />
</authorization>
</security>
</system.webServer>
</location>
Now my problem is that when User1 from Company1 tries to access a file from the Company2 folder, it gets prompted for credentials. I would like that he receives an "access denied" message. I tried to add a in the second location tag but without success.
Not possible as far as I can see. You need to at least attempt to verify the user before you can display the access denied (by means of custom errors perhaps). However, before this verification has started, there is also no way to determine which user it is.