I have a web app hosted on IIS 7.
I need to block requests that do not match the following pattern:
/static/index.html[\?a-zA-Z0-9_]*
So that the following request will be blocked:
http://www.example.com/static/index.html?javascript:alert(0)
I've tried to add denyUrlSequences config in my web.config but it seems like regex patterns are not supported there.
Are there any other options?
Thanks in advance.
Yes, this is possible. You'll have to install the IIS URL Rewrite module. Details on how to do this can be found here:
http://www.iis.net/learn/extensions/url-rewrite-module/iis-request-filtering-and-url-rewriting
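A URL Rewrite rule for the allowlist in the question might look like the following. This is an added example, not part of the original answer or the linked article; the rule name is hypothetical, and it reads the question's pattern as "the query string may contain only letters, digits and underscores".

```xml
<!-- web.config fragment (added example). The rule name is hypothetical. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- URL Rewrite matches "url" against the path only, with no leading
             slash and no query string. The query string is tested separately
             through the {QUERY_STRING} server variable. -->
        <rule name="StaticIndexQueryAllowlist" stopProcessing="true">
          <match url="^static/index\.html$" />
          <conditions>
            <!-- negate="true": the rule fires when the query string is NOT
                 made up solely of allowed characters. An empty query passes. -->
            <add input="{QUERY_STRING}" pattern="^[a-zA-Z0-9_]*$" negate="true" />
          </conditions>
          <!-- Reject instead of rewriting, so the request never reaches the page. -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Query string contains characters outside the allowlist" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this rule, /static/index.html?javascript:alert(0) gets a 403 because the colon and parentheses are outside the allowlist. Percent-encoded input is rejected as well, since % is not an allowed character.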
Related
I have configured a webserver on localhost with https using Microsoft IIS Administration. I am able to browse the directory with files with browsers and Visual Studio using localhost prefixed with https, such as https://localhost/trial etc.
I wish to upload a file to the said directory, i.e., trial, using Libcurl to test some features. Unfortunately I'm unable to do so.
Using the same Libcurl example as given on Libcurl File Upload, modified for https, the console window tells me that the following has occurred upon running the code:
IIS 10.0 Detailed Error - 405.0 - Method Not Allowed
HTTP Error 405.0 - Method Not Allowed The page you are
looking for cannot be displayed because an invalid method (HTTP verb)
is being used.
I checked the IIS Administrator and saw that all authorizations are allowed. I suppose the fact that it is flagging a HTTP verb issue rather than HTTPS as I'd enabled and used as URL in code isn't a big thing?
Libcurl uses PUT for uploading files, so should be an allowed verb.
I am quite new to this, so I'm not certain I did something incorrect with the setting up of the webserver, or whether there are security issues or permission issues which are causing a problem here.
As far as I know, it is impossible to use HTTP PUT or POST to send a file to an IIS web application's folder without writing server-side code. Otherwise, configure an FTP site on your IIS installation. Then you could use the ftp command to upload the file.
If you really need to use HTTP PUT or POST to upload the file, you could consider using WebDAV.
For more details about what WebDAV is and how to use it, you could refer to the articles below.
https://learn.microsoft.com/en-us/iis/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-7/what39s-new-for-webdav-and-iis-7
Try hostname instead of localhost
Add a trailing slash (/) for the directory.
I want to use a reverse proxy to point one of my endpoints to a resource that's hosted elsewhere. My primary server (where everything else is hosted) is in an Azure Web App and is otherwise working perfectly.
I've been using this seemingly failproof article along with the other links mentioned at the bottom of it: https://blogs.msdn.microsoft.com/zhiliang_xus_blog/2016/01/19/build-a-google-reverse-proxy-site-on-azure-web-app-in-less-than-3-minutes/
As a baseline, I used a Web App with no additional code and confirmed that the reverse proxy works. This was done by manually creating/editing the web.config file and applicationHost.xdt file then restarting the server.
I've tried 3 separate approaches (all on clean, new web apps) all of which are failing for me:
Push my code, confirm it works, then follow the reverse proxy steps manually
Follow the steps manually, confirm reverse proxy works, then push my code
Put the reverse proxy files into my codebase and push everything at the same time
None of these 3 approaches are working. Is this a bug in Azure? How can I try to figure this out?
Post XML Transformation (XDT), have you restarted the site?
I would suggest you take a look at this blog from Ruslan:
http://ruslany.net/2014/05/using-azure-web-site-as-a-reverse-proxy/
It talks about using a Site extension. It implements the reverse proxy and it does the XDT transformation for you.
If the above is set up correctly, then there is something wrong with the URL Rewrite rules. I would recommend you enable Failed Request Tracing and debug this further.
The link/way you posted used URL Rewrite to implement a reverse proxy. I tested it and it worked fine with my empty web application. After publishing a web application to the Azure Web App (for example, an ASP.NET MVC web application), the URL Rewrite stopped working. The reason is that all the requests to your web application are routed by the ASP.NET route module.
To enable URL Rewrite for some URLs, we need to disable ASP.NET routing for these URLs. For example, if you want to rewrite all the requests with "product/xxx" format to another site, you could add the following code to the RouteConfig.cs file.
routes.Ignore("product/{action}");
The problem in this specific case was the location of my web.config file.
It needs to be in the root directory of the application which, in my case, was not site\wwwroot. My code was being generated and copied into site\wwwroot\dist. Putting the config file in that directory fixed the problem.
Additionally, there are logs that can be enabled to get some insight as to what's going on: https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log
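The two configuration files this thread keeps referring to, shown together as an added example that is not taken from any of the posts or the linked articles. The rule name and the upstream host backend.example.net are placeholders, and the product/ prefix is borrowed from the routes.Ignore answer above.

```xml
<!-- File 1: applicationHost.xdt. Turns on proxying for the site. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <proxy xdt:Transform="InsertIfMissing" enabled="true"
           preserveHostHeader="false"
           reverseRewriteHostInResponseHeaders="false" />
  </system.webServer>
</configuration>

<!-- File 2: web.config. It must sit in the application's root directory,
     which in the case described above was site\wwwroot\dist. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Only product/... is proxied, and the upstream host is fixed in
             the rule. The client supplies nothing but the captured path,
             so it cannot choose where the proxy sends the request. -->
        <rule name="ProxyProduct" stopProcessing="true">
          <match url="^product/(.*)" />
          <action type="Rewrite"
                  url="https://backend.example.net/product/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

In an ASP.NET MVC application the same prefix also needs the routes.Ignore entry shown earlier, otherwise ASP.NET routing handles the request before this rule can.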
I am facing an issue where server header information is showing up in IIS. I know that using the URL Rewrite module and creating an outbound rule will resolve the issue. The problem here is that when I check individual servers I see the server header information as Server:-Microsoft-IIS/7.5, and when I check the LB URL I see server:- IA Web server. I'm not sure where this text is coming from. I checked the web.config file but the entry for writing own server information is not present in an tag. One more piece of information: I have Akamai implemented after the web servers. Could someone help in this context?
This is added by IIS Server. Adding an outbound URL Rewrite rule is the best way to go, as adding a custom HTTPModule to remove headers or doing it through global.asax.cs as explained in this answer won't work for static files.
See detailed blog here - https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
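The outbound rule this answer recommends, written out as an added example rather than copied from the answer or the linked blog. The rule name is hypothetical.

```xml
<!-- web.config fragment (added example). The rule name is hypothetical. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Response headers are exposed to outbound rules as
             RESPONSE_<header name> server variables. -->
        <rule name="BlankServerHeader">
          <!-- Match any non-empty Server value, whatever the IIS version. -->
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <!-- Rewrite the value to an empty string. The rule runs in the
               IIS pipeline, so it also applies to static files. -->
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule blanks the header's value on the server where it is deployed. Check the response both from each server directly and through the load balancer URL, since the question reports different values at the two points.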
My web host told me that they are using Windows IIS (not sure about the version) and are unable to implement a URL rewrite for me. I am now looking at alternative ways to do this. Obviously, I don't have access to the IIS server. I read somewhere that using a custom 404 page, I am able to implement a URL rewrite from my end using classic ASP.
I want to do a URL rewrite for subdomain.mydomain.com to www.mydomain.com/subdomain.
I am a bit lost about the steps that must be taken to implement URL rewrite. Can someone take me through the steps?
Thanks
Request.ServerVariables("HTTP_HOST") will give you the subdomain.
if Request.ServerVariables("HTTP_HOST")="subdomain.domain.com" then
response.redirect("http://domain.com/subdomain")
end if
You can get URL Rewriting on IIS6 with IIRF - it's free. If your web host can install it for you, it's easy to get rewrites on IIS. If the web host has IIS7 or later, then they can use the URL Rewriting module that's included in IIS7.
I'm looking into having IIS do authentication for an application being executed on a J2EE server (JBoss). Is there any way to have IIS work as a reverse proxy and propagate the username and/or roles of the user to the proxied application (JBoss)? And also, what IIS version would I need, if it's possible?
I have license for IIS, so I'd like to do it in IIS, but otherwise I'd prefer open source.
Thanks!
Tomas
It's not open source, but ApplicationRequestRouting for IIS 7.0 can act as a reverse proxy.
More Info:
http://blogs.iis.net/wonyoo/archive/2008/07/09/application-request-routing-arr-as-a-reverse-proxy.aspx
Download:
http://www.iis.net/extensions/ApplicationRequestRouting
Microsoft ISA server does that - you may want to look at that first.
IIRF does reverse proxy and URL rewriting for IIS5/6/7.
It's open source, and uses a syntax very similar to mod_proxy / .htaccess for its rules.
You need v2.0 to get the reverse proxy capability.
You might like to look at http://www.managedfusion.com/products/url-rewriter/