I'm using IIS8 on my Windows 8 development machine. I'm developing an ASP.NET MVC 4 WebAPI-based application, which interfaces with 3rd party servers.
One of these servers (Kaltura content management system) sends a notification which I just can't "catch" with my routing and/or controllers. I'm trying to log the full request's URL on IIS to investigate it's syntax.
I've installed IIS Advanced Logging and configured it to log the all available fields (other than performance counters), but the logs does not contain the URL or the request's contents (a form).
My question is, is it possible to log the full URL in IIS?
There is no default way to log all form fields. Logging everything would make log files go huge very quickly. If there was a way to log everything that would mean logging viewstate and all post fields (what if you’re uploading a 20MB file).
If you want to support something like this you would have to create a custom handler or do it in the website code itself (for example in master page so you don’t have to add logging code to every page).
Related
We have an .NET app. After deployment, we noticed that a number of users had to clear their cache in order for the page to work properly.
I was wondering if an IIS app recycling would do the same thing so the users do not need to clear their local cache.
The server provides caching hints to the client in the response to each resource--many websites have different responses depending on the resource type (static files like .js libraries, css and images, versus dynamic results from .asp pages or API calls). You can use Postman or Fiddler or the developer tools in your browser to view the response headers...and then you can control expiration either in the web.config, the global.asax or your individual code file.
For more information see:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/staticcontent/clientcache
https://thedeveloperblog.com/expiration#:~:text=Expiration%20is%20key%20to%20caching%20in%20ASP.NET.%20We,performance%2C%20resulting%20in%20pages%20being%20expired%20much%20sooner.
We are working in an environment where UI Requests flow to a WildFly Server (where the WAR is deployed) versioned 10.1.0 via an Apache Web Server versioned 2.4
We were running Security tests and when using a VirtualDirContext, it was possible to bypass the security constraints and view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request via Burp.
How we reproduce the vulnerability in Burp:
We capture a random Request via the UI and replicate it in Burp.
We turn the Request into a GET Request, mention the path of a JSP file and add %2520 to it.
This issue is reproducible even if the Requests go directly to the WildFly Server instead of via the Apache Web Server.
Is there a way to prevent this vulnerability? We believe validating each Request for the presence of %2520 in it in the Filter layer may not be a comprehensive fix.
In simple words, when we use a URL that contains the path of a JSP file present in the code, appended with %2520, the content of the JSP was disclosed. Is there a way to prevent this?
Say we have an internal URL https://my.internal.url (in our case a Liferay Portal) and from a web application firewall an external URL https://my.external.url pointing to this internal URL.
The internet user is using the external URL.
PrimeFaces extends attributes like for example
onclick="...;window.open('https://my.interal.url'..."
This leads to CORS problems.
The HTTP header Access-Control-Allow-Origin is not an option, since the internal URL is internal.
We'll talk with the WAF people about URL replacement, but I'd like to know wether or not we can tell PrimeFaces to use the external URL (or maybe relative URLs in case this would work).
The portal doesn't know about the external URL but of course we could implement this as a configuration option.
(watching the source code, there are more occurences of the internal URL outside of the jsf/PrimeFaces portlet, so I add the liferay tag too)
Update
The question is obsolete, WAF has to handle this correctly (an old SSL environment did it, a new WAF environment doesn't)
You say
The portal doesn't know about the external URL
however, any properly configured reverse proxy (or WAF) should forward the actual host name used to request the current page.
On Apache httpd's mod_proxy_http, this is done with the option ProxyPreserveHost On. When forwarding with AJP, the host is automatically forwarded. Other WAF/Proxy configurations - of course - differ. But the proper way to generate the URL is to let the generating server know what URLs it should generate.
If you need to worry about the proper host name, you'll need to do so by request: Liferay is well able to use Virtual Host names to distinguish between different sites - and if they're completely different, you might be signed in to one of them, but not to the other. This has a repercussion on the permissions.
Have the infrastructure handle it for you. Don't write code (or application configuration) for it.
I want to use a reverse proxy to point one of my endpoints to a resource that's hosted elsewhere. My primary server (where everything else is hosted) is in an Azure Web App and is otherwise working perfectly.
I've been using this seemingly failproof article along with the other links mentioned at the bottom of it: https://blogs.msdn.microsoft.com/zhiliang_xus_blog/2016/01/19/build-a-google-reverse-proxy-site-on-azure-web-app-in-less-than-3-minutes/
As a baseline, I used a Web App with no additional code and confirmed that the reverse proxy works. This was done by manually creating/editing the web.config file and applicationHost.xdt file then restarting the server.
I've tried 3 separate approaches (all on clean, new web apps) all of which are failing for me:
Push my code, confirm it works, then follow the reverse proxy steps manually
Follow the steps manually, confirm reverse proxy works, then push my code
Put the reverse proxy files into my codebase and push everything at the same time
None of these 3 approaches are working. Is this a bug in Azure? How can I try to figure this out?
Post XML Transformation (XDT), have you restarted the site?
I would suggest you to take a look at this blog from Ruslan:
http://ruslany.net/2014/05/using-azure-web-site-as-a-reverse-proxy/
It talks about using a Site extension. It implements the reverse proxy and it does the XDT transformation for you.
If the above is setup correctly, then there is something wrong with the URL Rewrite rules. I would recommend you to enable Failed Request Tracing and debug this further.
The link/way you posted used URL Rewrite to implement a reverse proxy. I tested it and it worked fine with my empty web application. After published a web application to the Azure Web App(For example, an ASP.NET MVC web application), the URL Rewrite stopped working. The reason is that all the requests to your web application are routed by ASP.NET route module.
To enable URL Rewrite for some URLs, we need to disable ASP.NET route for these URLs. For example, if you want to rewrite all the requests with "product/xxx" format to another site. You could add following code to RouteConfig.cs file.
routes.Ignore("product/{action}");
The problem in this specific case was the location of my web.config file.
It needs to be in the root directory of the application which, in my case, was not site\wwwroot. My code was being generated and copied into site\wwwroot\dist. Putting the config file in that directory fixed the problem.
Additionally, there are logs that can be enabled to get some insight as to what's going on: https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log
I have enabled 'Directory Browsing' for only "logs" folder of my Web Application hosted via IIS 7.5
Whenever I type www.domain.name//logs in my Browser, I could see the log files listed.
I would like to see the files sorted by 'Date Modified',i.e, the latest log must come at top and the oldest log must be present at the bottom.
How to go about this?
Is this possible in IIS 7.5 in first place?
As far as I know there is no out of box setting/configuration available with which you can sort directory/file list displayed in browser. Of course that doesn't stop you writing your own custom HTTP module. Here is broad idea.
Intercept directory requests to your application.
In Http module handle OnPreRequestHandlerExecute event.
In even handler get directory/file list.
Create nicely formatted page which will display list from step 3. Here you can format/sort way you like it.