I'm trying to serve the extensions .ldf and .mdf and even though files of these types actually exist on the server, IIS keeps throwing 404 error whenever they are requested.
I've double checked IIS manager and both extensions are added MIME-types of application/octet_stream. Is there perhaps some other setting or place I've missed that needs something set?
Thanks for your help chaps.
Adding the following to web.config worked as suggested by Sergey Kornilov:
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".ldf" />
<remove fileExtension=".mdf" />
</fileExtensions>
</requestFiltering>
</security>
Related
VS will generate (and override) a web.config file as part of publishing to IIS. I have various items I need to include in the file (like extending the file upload max size limit, redirecting to HTTPS, etc.). I am currently having to copy and paste the contents into the file after every publish.
Is there a way to define the contents of the web.config file that Visual Studio generates when publishing a .NET Core 2 web app for IIS?
not sure if you solved this, but if anyone else runs across this problem, I had this issue and finally went looking for the source code for the transform task. it contains some logging, so I ran the dotnet publish with a /v:n parameter, which sets the logging verbosity to "normal":
dotnet publish src\MyProject -o ..\..\publish /v:n
when I ran this, I saw this in the output:
_TransformWebConfig:
No web.config found. Creating 'C:\Development\MyProject\publish\web.config'
even though there is a web.config in the project. I changed the properties of the web.config "Copy to Output Directory" to "Always", and now the web.config in my project gets merged with the auto-generated contents.
my csproj now has this in it:
<None Include="web.config">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</None>
and the publish output has:
_TransformWebConfig:
Updating web.config at 'C:\Development\MyProject\publish\web.config'
NOTE: if you are publishing to an existing directory that already has web.config in it, it will update that file. (i.e., an old publish). if you don't specify an output directory, it will publish to something like /bin/Debug/net471/publish/, which may have old files in it.
NOTE2: you still need the Sdk="Microsoft.NET.Sdk.Web" attribute on the Project node in your csproj file, or it won't even bother looking for Web.configs.
for reference, here is the task source code:
https://github.com/aspnet/websdk/blob/master/src/Publish/Microsoft.NET.Sdk.Publish.Tasks/Tasks/TransformWebConfig.cs
I finally got back to this and wound up using a transform:
Create a web.release.config file in the root of the project
Set that file's properties to Build Action = None so it doesn't get copied directly to the destination folder
Use the transformation syntax to define the sections that need to be inserted:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location>
<system.webServer>
<security xdt:Transform="Insert">
<requestFiltering>
<requestLimits maxAllowedContentLength="209715200" />
</requestFiltering>
</security>
<rewrite xdt:Transform="Insert">
<rules>
<rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{SERVER_PORT_SECURE}" pattern="^0$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
<modules xdt:Transform="Insert" runAllManagedModulesForAllRequests="false">
<remove name="WebDAVModule" />
</modules>
</system.webServer>
</location>
</configuration>
I'm building a basic website with Node.js, and I don't want anyone to be able to access my server-side source code (it contains login credentials for a database). My main application is in a file called 'app.js' in the root directory where the application is run. If I browse to mysite.com/app.js, the source code file is served. Is there a way to disallow access to certain files with Node.js or just in general? The site is hosted on Microsoft Azure, if that makes a difference (my research seems to indicate that Microsoft and Apache handle this differently).
Basically, Azure uses IIS to serve your Node.js app. So, you'll need to add the IIS configuration file called web.config to app's root folder to restrict access to the server-side source code.
web.config
<?xml version="1.0" encoding="utf-8"?>
<!--
This configuration file is required if iisnode is used to run node processes behind
IIS or IIS Express. For more information, visit:
https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config
-->
<configuration>
<system.webServer>
<!-- Visit http://blogs.msdn.com/b/windowsazure/archive/2013/11/14/introduction-to-websockets-on-windows-azure-web-sites.aspx for more information on WebSocket support -->
<webSocket enabled="false" />
<handlers>
<!-- Indicates that the app.js file is a node.js site to be handled by the iisnode module -->
<add name="iisnode" path="app.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<!-- Do not interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^app.js\/debug[\/]?" />
</rule>
<!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}"/>
</rule>
<!-- All other URLs are mapped to the node.js site entry point -->
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="app.js"/>
</rule>
</rules>
</rewrite>
<!-- bin directory has no special meaning in node.js and apps can be placed in it -->
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin"/>
</hiddenSegments>
</requestFiltering>
</security>
<!-- Make sure error responses are left untouched -->
<httpErrors existingResponse="PassThrough" />
<!--
You can control how Node is hosted within IIS using the following options:
* watchedFiles: semi-colon separated list of files that will be watched for changes to restart the server
* node_env: will be propagated to node as NODE_ENV environment variable
* debuggingEnabled - controls whether the built-in debugger is enabled
To debug your node.js application:
* set the debuggingEnabled option to "true"
* enable web sockets from the portal at https://manage.windowsazure.com/#Workspaces/WebsiteExtension/Website/aarontestnode/configure
* browse to https://aarontestnode.azurewebsites.net/app.js/debug/
See https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/web.config for a full list of options
-->
<iisnode watchedFiles="web.config;*.js" debuggingEnabled="false" />
</system.webServer>
</configuration>
In app service you can declare key value pairs including connection strings in the "Application Settings" blade. The same will be available as environment variables for Java, Node, PHP and Python applications. This way they will be secure. https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure
2 problems here:
Restricting Access To Static Files
Protecting Credential Information
Restricting Access To Static Files
Both with Apache and Nginx it is possible to specify how to serve static assets. requests for static assets should map to a specific assets folder. So that requests to yourdomainname.com/myfile.js will map to /path/to/static/assets/myfile.js. Research their docs to see how to to this.
Protecting Credential Information
You need to keep your credential information (API Key, Database password, etc...) outside of your code repo. To do this, you can use .env files with the dotenv package
I'm getting the following message when trying to save edits to rootweb.config:
Could not write to local resource 'D:\local\Config\rootweb.config' due
to error 'Access to the path 'D:\local\Config\rootweb.config' is
denied.'.
I'm trying to add the following to the file's default configuration after uploading my PHP project (my PHP project didn't include a web.config file):
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="<ip-address>" />
<!--add allowed="true" ipAddress="<ip-address>" /-->
</ipSecurity>
</security>
</system.webServer>
Is this file supposed to be editable, or do I need to include my own web.config?
Based on another Stack Overflow post I believe you just want to make a web.config and put it in the folder of your php app. You can not edit the configs in that folder you tried to access. You can modify the applicationHost.config via a site extension with a transform. I have experience doing that.
Windows Azure and web.config doesn't run with PHP web site
About Site extensions:
https://github.com/projectkudu/kudu/wiki/Azure-Site-Extensions
I am trying to publish a ClickOnce installer onto a website which is hosted on Windows Azure. The publishing process works as expected, nontheless the setup file is not available for download via HTTP. Obviously it is not possible to provide executables (.exe) and libraries (.dll) via HTTP. They are available via FTP, but HTTP requests yield a 'File not found' (404). After renaming the file to setup.txt, it can be downloaded, this doesn't really help, though. Can this be configured somehow?
Please try by adding the following in your web.config file:
<system.webServer>
<handlers>
<add name="Client exe" path="*.exe" verb="*" modules="StaticFileModule" resourceType="File" />
</handlers>
</system.webServer>
Source: http://mike-ward.net/blog/post/00631/how-to-configure-iis-7-to-allow-downloading-exe-files.
Add the allowed mime type to web config. Eg:
<system.webServer>
<staticContent>
<mimeMap fileExtension=".exe" mimeType="application/exe"/>
</staticContent>
</system.webServer>
I have an installation of Umbraco v4.9.0 within which I am trying to get a working install of BlogEngine.NET v2.6.0.5
This is in IIS8 on a Windows 8 machine.
I have so far been able to set up BlogEngine within a sub folder and the application works just fine until I try to open a page with the cshtml extension.
The error i am getting is
This type of page is not served.
Description: The type of page you have requested is not served because
it has been explicitly forbidden. The extension '.cshtml' may be
incorrect. Please review the URL below and make sure that it is
spelled correctly.
Requested URL: /blog/admin/default.cshtml
Both web.configs have entries designed to prevent this error from happening.
Umbraco
<buildProviders>
<add extension=".cshtml"
type="umbraco.MacroEngines.RazorBuildProvider, umbraco.MacroEngines" />
<add extension=".vbhtml"
type="umbraco.MacroEngines.RazorBuildProvider, umbraco.MacroEngines" />
<add extension=".razor"
type="umbraco.MacroEngines.RazorBuildProvider, umbraco.MacroEngines" />
</buildProviders>
BlogEngine
<buildProviders>
<remove extension=".cshtml" />
<add extension=".cshtml"
type="System.Web.WebPages.Razor.RazorBuildProvider, System.Web.WebPages.Razor"/>
</buildProviders>
I have the relevant MVC binaries in the respective bin folders and I've even tried adding request filtering instructions to both web.configs e.g
<requestFiltering>
<fileExtensions>
<add fileExtension=".cshtml" allowed="true" />
</fileExtensions>
</requestFiltering>
Have I missed something obvious?
Is your IIS site running in Classic or Integrated mode? Try switching to Integrated mode and see if that fixes your issue.