I'm building a simple PHP web service using Azure Web Sites and I'm having trouble getting it to support PUT and DELETE http methods. Assuming it's something that'll have to go into the web.config file - I've tried a few options from around the interwebs but non of them seem to function properly. Any ideas?
Here's the web.config file as it currently stands:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
</handlers>
<security>
</security>
<directoryBrowse enabled="false" />
<caching>
<profiles>
<add extension=".php" policy="DontCache" kernelCachePolicy="DontCache" />
<add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="14:00:00" />
</profiles>
</caching>
<rewrite>
<rules>
<rule name="block favicon" stopProcessing="true">
<match url="favicon\.ico" />
<action type="CustomResponse" statusCode="404" subStatusCode="1"
statusReason="The requested file favicon.ico was not found"
statusDescription="The requested file favicon.ico was not found" />
</rule>
<rule name="Cols Rule" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
<add input="{URL}" pattern="^/favicon.ico$" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
</rule>
</rules>
</rewrite>
<defaultDocument>
<files>
<remove value="index.php" />
<add value="index.php" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
I do not see that you have handler added into your web.config. I haven't personally tested but someone suggested that PUT and DELETE should work with Windows Azure Website however you would need to configure them correctly on your Windows Azure Websites through web.config.
Following is the simple configuration you can use to set it up:
<configuration>
<system.webServer>
<handlers>
<remove name="PHP53_via_FastCGI" />
<add name="PHP53_via_FastCGI" path="*.php"
verb="GET, PUT, POST, HEAD, DELETE"
modules="FastCgiModule"
scriptProcessor="D:\Program Files (x86)\PHP\v5.3\php-cgi.exe"
resourceType="Either" requireAccess="Script" />
</handlers>
</system.webServer>
</configuration>
It didn't work with DELETE as the last option, and here's the code modified for PHP54 on Azure. But thanks to Avkash!
<handlers>
<remove name="PHP54_via_FastCGI" />
<add name="PHP54_via_FastCGI" path="*.php"
verb="GET, PUT, POST, DELETE, HEAD"
modules="FastCgiModule"
scriptProcessor="D:\Program Files (x86)\PHP\v5.4\php-cgi.exe"
resourceType="Either" requireAccess="Script" />
</handlers>
Related
They changed the url rewrite Module version (URL Rewrite Module 2.1) and now the redirection from http to https is not working.
Has anyone encountered the same problem?
Application : Angular
System : Windows Server IIS 10
This is the web.config file (it was working for the earliest version of URL rewrite : urlrewrite2.exe)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions applyToWebDAV="false">
<add fileExtension=".pdf" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
<directoryBrowse enabled="true" />
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Credentials" value="true" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
<rewrite>
<rules>
<rule name="redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Thanks.
For http://example.com:80 to https://example.com:443 your rule posted in the question is correct and working fine on my side.
If it is not working on your side, you could check the Failed Request Tracing logs might give you the information about the issue. The issue might be something else.
For http://example.com:81 to https://example.com:443, you could refer to the rule below.
<rule name="Redirect with port" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(.*):81$" />
</conditions>
<action type="Redirect" url="https://{C:1}:443/{R:0}" />
</rule>
Output:
Let me know if you have further questions.
I have a WebApp with an AspNetCore WebAPI + AngularApp on Azure with IIS rewrite rules in my Web.Config based on this article: https://weblog.west-wind.com/posts/2017/Apr/27/IIS-and-ASPNET-Core-Rewrite-Rules-for-AspNetCoreModule
I would like to avoid rewriting on Swagger, so I added this rule as the first rule:
<rule name="swagger" enabled="true" stopProcessing="true">
<match url="swagger/.*" />
<action type="None" />
</rule>
Based on this website: https://www.regextester.com/
The rules is supposed to exclude swagger/ and all the subfolders and files too. But It s not the case.
This is what I can see when I open http://[MYWEBSITE]/swagger/
The Angular app works correctly.
I already made some search about that:
How to exclude a directory with IIS URL rewriting?
How to Exclude Directories from Rules in Web.config (ASP.NET)
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
Thanks for your help.
EDIT 1:
Just to let you know, with the default web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\[MYWEBAPP].Api.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" />
</system.webServer>
</configuration>
I can correctly see Swagger working:
EDIT 2:
During my tests, I removed the rewrite rules to focus only on the Handlers and I noticed that theses rules make problem:
It s normal, Swagger is build in the .NetCore WebApi. I m looking for a way to exclude a specific folder from a handlers.
Based on this response: IIS Handlers exclude a Directory when processing htm requests
I created a web.config in 'D:\home\site\wwwroot\wwwroot\swagger' on Azure with the following configuration:
<system.webServer>
<handlers>
<remove name="StaticFileModuleHtml" />
<remove name="StaticFileModuleJs" />
<remove name="StaticFileModuleCss" />
<remove name="StaticFileModulePng" />
</handlers>
</system.webServer>
EDIT 3:
Clearly the problem comes from the Static handlers.
If I want to use Swagger, I need to disable them.
If I want to access to my angular App, I need to add them.
I saw here: https://github.com/domaindrivendev/Swashbuckle.AspNetCore#swashbuckleaspnetcorecli
That it seems possible to extract the content from the SwaggerUi directly in a folder on built, but currently, the Nugget Package is not available:
https://github.com/domaindrivendev/Swashbuckle.AspNetCore/issues/601
I will keep you update. If someone has an idea, it will be helpful. I m probalbly not the only to try to do that :).
But the problem is still there.
I finally found a solution!
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="wwwroot-static" stopProcessing="true">
<match url="([\S]+[.](html|htm|svg|js|css|png|gif|jpg|jpeg))" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_URI}" pattern="swagger/" negate="true" />
</conditions>
<action type="Rewrite" url="wwwroot/{R:1}" />
</rule>
<rule name="empty-root-index" stopProcessing="true">
<match url="^$" />
<action type="Rewrite" url="wwwroot/index.html" />
</rule>
<rule name="AngularJS-Html5-Routes" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_URI}" pattern="api/" negate="true" />
<add input="{REQUEST_URI}" pattern="swagger/" negate="true" />
</conditions>
<action type="Rewrite" url="wwwroot/index.html" />
</rule>
</rules>
</rewrite>
<handlers>
<add name="StaticFileModuleHtml" path="*.htm*" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModuleSvg" path="*.svg" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModuleJs" path="*.js" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModuleCss" path="*.css" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModuleJpeg" path="*.jpeg" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModuleJpg" path="*.jpg" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModulePng" path="*.png" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="StaticFileModuleGif" path="*.gif" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\[MYWEBAPP].dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" />
</system.webServer>
</configuration>
My mistake during the Edit 2 was to create a Swagger folder in wwwroot/wwwroot instead of wwwroot/ directly.
Here is the web.config to add in wwwroot/swagger:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<!--We need to add this web.config to avoid conflict on Azure between Angular App and Swagger -->
<remove name="StaticFileModuleHtml" />
<remove name="StaticFileModuleSvg" />
<remove name="StaticFileModuleJs" />
<remove name="StaticFileModuleCss" />
<remove name="StaticFileModuleJpeg" />
<remove name="StaticFileModuleJpg" />
<remove name="StaticFileModulePng" />
<remove name="StaticFileModuleGif" />
</handlers>
</system.webServer>
</configuration>
You can now access to:
http(s)://[MYWEBAPP]
http(s)://[MYWEBAPP]/[ANGULAR ROUTE]
http(s)://[MYWEBAPP]/Swagger
I hope it will help someone :). If you have any questions, please ask.
First of all, because Swagger does not make a real folder, so it is not a perfect idea to make a folder in wwwroot named swagger and make that web.config inside of it. I consider that the default address for your swagger UI is: localhost:[random-port-number]/swagger/index.html. It can be different based on your swagger version and you can also change it to something else like below:
app.UseSwagger(c =>
{
c.RouteTemplate = "SampleApi/swagger/{documentName}/swagger.json";
});
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/SampleApi/swagger/v1/swagger.json", "Sample API");
c.RoutePrefix = "SampleApi/swagger";
});
For more information see this article. The version of my Swashbuckle.AspNetCore is 4.0.1
I also added API to the routes in order to be able to use your Microsoft web APIs in your project from font-end by React or Angular or anything else,
you just need to add this to your main web.config in the project:
<rules>
<rule name="wwwroot-static" stopProcessing="true">
<match url="([\S]+[.](html|htm|svg|js|css|png|gif|jpg|jpeg|ico|axd))" />
<!--Handle static file requests and server them from the wwwroot-->
<conditions logicalGrouping="MatchAll">
<add input="{HTTP_METHOD}" pattern="GET|HEAD" />
<add input="{REQUEST_URI}" pattern="/swagger/.*" negate="true" />
</conditions>
<action type="Rewrite" url="wwwroot/{R:1}" />
</rule>
<rule name="html5-routes" stopProcessing="true">
<match url=".*" />
<!-- Handle all paths except /api/ and pass the route onto the wwwroot/index.html -->
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<!-- Add rule to negate file requests e.g. css/html/images-->
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<!-- Add rule to negate directories-->
<add input="{REQUEST_URI}" pattern="^/api/" negate="true" />
<add input="{REQUEST_URI}" pattern="/swagger/.*" negate="true" />
<!-- Add rule to negate paths and let them through the MVC-->
<add input="{HTTP_METHOD}" pattern="GET|HEAD" />
</conditions>
<action type="Rewrite" url="wwwroot/index.html" />
</rule>
</rules>
I am trying to remove .html extensnion during the browse in iis when i browse localhost that should show index or default html that is not showing and when i browse any file in folder with extension.html as o that says HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable. thought the file exist.
my web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.html" />
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="iisstart.htm" />
<add value="default.aspx" />
</files>
</defaultDocument>
<rewrite>
<rules>
<rule name="Hide .html ext">
<match url="^(.*)" ignoreCase="true" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_FILENAME}.html" matchType="IsFile" />
</conditions>
<action type="Rewrite" url="{R:0}.html" />
</rule>
<rule name="Redirecting .html ext" stopProcessing="true">
<match url="^(.*).html" />
<conditions logicalGrouping="MatchAny">
<add input="{URL}" pattern="(.*).html" />
</conditions>
<action type="Redirect" url="{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Please make sure you have URL Rewrite feature installed in your IIS.
see the image
If it's not available, then click on Get New Web Platform Components on right hand side, search for URL Rewrite and install it. Reopen the IIS Manager.
Click on your site and open the URL Rewrite feature. You can explore your rewrite rules which are there in web.config file. see example here
I have also asked this on the iisnode github project
I am using IISNode via a Windows Azure Website.
If my Node app returns a 2xx status code (200, 201, etc), then all is well and works as expected.
if my Node app returns a 4xx status code, for example:
response.send(404, "not found") (I am using Restify) then I get a 500 sent to the client and the body is simply "The page cannot be displayed because an internal server error has occurred."
If I do azure site log tail <sitename>, then when the 500 gets sent to the client, the log contains HTML of a 404.
...
<body>
<div id="content">
<div class="content-container">
<h3>HTTP Error 404.0 - Not Found</h3>
<h4>The resource you are looking for has been removed, had its name changed,
or is temporarily unavailable.</h4>
</div>
...
I really just want IISNode/IIS to take my 404 and send it on down to the client. This is also true of 401s, 409s, etc. They all cause a 500 to get sent instead.
I have tried <customErrors mode="off" /> and <httpErrors existingResponse="passThrough" /> in my web.config to no avail. Here is my web.config now:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<customErrors mode="off" />
</system.web>
<system.webServer>
<httpErrors existingResponse="PassThrough" />
<staticContent>
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
<mimeMap fileExtension=".ico" mimeType="image/x-icon" />
</staticContent>
<handlers>
<add name="iisnode" path="server.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="server.js"/>
<match url="/*" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
For what it's worth, I can't get IISnode to do anything but return 200s from my node app. Trying to get IIS to serve my static files, enable node-inspector, or really any of the more interesting IISNode features cause a 500 for me. No idea why, and would love to get past it!
Similar StackOverflow Questions
this question is pretty much exactly my problem. Except that <httpErrors existingResponse="PassThrough" /> does not work for me. I feel like I have something more fundamentally wrong with my IISNode setup, so if anyone has any ideas on things to try I'm all ears.
for some reason the following section in your config is causing this issue:
<staticContent>
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
<mimeMap fileExtension=".ico" mimeType="image/x-icon" />
</staticContent>
As a workaround, remove this section if possible and retry. I will investigate why this section is causing this issue.
As Ranjith pointed out, the staticContent section is the cause of the conflict. I just found you can limit those entries inside of location entries, so you can get all of IISNode as desired and still serve up static content. My web.config now looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<customErrors mode="off" />
</system.web>
<system.webServer>
<handlers>
<add name="iisnode" path="server.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<rule name="Redirect to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" appendQueryString="true" />
</rule>
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}"/>
</rule>
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="server.js"/>
</rule>
</rules>
</rewrite>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
<location path="public/fonts">
<system.webServer>
<staticContent>
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
</staticContent>
</system.webServer>
</location>
</configuration>
The added location entry at the end works around the 500 and static content conflicts.
I'm getting the exact same...500 error page returned from Azure/IIS. I used the web.config that Azure automatically generated as the basis, then added <customErrors mode="off" /> and <httpErrors existingResponse="PassThrough" />. I also removed the default staticContent node. Nothing is working.
Below is the web.config that I'm uploading to Azure. What in here is causing IIS/iisnode to return a 500 error page instead of the simple text error message I have node/express returning to the client?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<customErrors mode="off" />
</system.web>
<system.webServer>
<httpErrors existingResponse="PassThrough" />
<webSocket enabled="false" />
<handlers>
<add name="iisnode" path="server.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^server.js\/debug[\/]?" />
</rule>
<rule name="DynamicContent">
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
</conditions>
<action type="Rewrite" url="server.js"/>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
This works for me:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="iisnode" path="app.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<rule name="DynamicContent">
<match url="/*" />
<action type="Rewrite" url="app.js"/>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
I had the same issue (IIS Node on Win Server 2012R2). So I did not get the target content in the body.
At the beginning I had response:
code: 400
body: Bad Request
Then I added <httpErrors existingResponse="PassThrough" /> and I got response:
code: 500
body: The page cannot be displayed because an internal server error has occurred
Then I have changed IIS Feature Delegation for "Error Pages" to "Read/Write" and this resolved my issue. Finally I had proper response:
code: 400
body: { "error": {...} }
I hope this helps.
I'm deploying a web application as an Azure Cloud Service.
The Cloud Service config specifies endpoints for both HTTP & HTTPS.
All the relevant CSCFG & CSDEF Cert stuff is configured correctly and the cert deployed and this all works.
I'd now like to add a HTTP->HTTPS rewrite rule to force any calls to HTTP to get redirected to the secure site.
I have a web.production.config transform on my web.config which adds the following block.
(Taken from http://blog.smarx.com/posts/redirecting-to-https-in-windows-azure-two-methods )
<system.webServer>
<rewrite xdt:Transform="Insert">
<rules>
<rule name="RedirectToHTTPS">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{URL}" pattern="/$" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="SeeOther" />
</rule>
</rules>
</rewrite>
</system.webServer>
This results in the following <system.webServer> section in the deployed config file.
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
<add name="DotLess" preCondition="integratedMode" type="dotless.Core.LessCssHttpHandler,dotless.Core" path="*.LESS" verb="*" />
</handlers>
<rewrite>
<rules>
<rule name="RedirectToHTTPS">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true"/>
<add input="{URL}" pattern="/$" negate="true"/>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
</system.webServer>
When I launch the site and browse to any of the urls (http or https, cloudapp.net or customdomain), I get an 500.19 error.
From googling, this would seem to indicate that the URLRewrite module isn't turned on, but everything I've read says that it's on by default for Cloud Service Applications.
In addition, I've scoured the log files. I can see the 500 errors in the BLOB Storage, wad-iis-logfiles container. But can't find anything else in any of the event logs under table storage. The service is configured to be dumping the most verbose Application Event & Diagnostic logging information.
Is there anyway to figure out the exact error for the 500.19 page, or any pointers based on the above for what might be going wrong ?
I finally figured out the issue.
I was using an xdt:insert on the transform, and because of the build & deploy process, it was actually running the Transformation twice, resulting in 2 rewrite sections appearing in the deployed web.config.
The solution was to add an empty
<system.webServer>
<rewrite />
</system.webServer>
To the template config file, and perform an xdt:Replace instead.
I was able to debug it by enabling the RDP settings on the publish deployment and then examing the Event Log, IIS Config & Web.Config on the actual instance.