Secure elmah directory gets 404? - iis

I've setup ELMAH on a asp.net mvc 3 site with the correct configuration detailed on another SO question here. Everything works great on my local virtual dev IIS server but when I deploy to an IIS server when I try to go to /Admin/Elmah.axd I get the standard IIS "404 - File or directory not found.". Is there an IIS setting I'm missing?
<location path="admin">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<deny users="?"/>
</authorization>
</system.web>

You have got to add the httphandler to the System.Webserver part of the web.config so that IIS routes it:
<system.webServer>
<handlers>
<add verb="POST,GET,HEAD" path="admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" name="Elmah"/>
</handlers>
</system.webServer>

I fixed the problem by installing the asp.net mvc elmah controller. You can find it here.

Related

web.config settings not respected in .net core 3.1 Azure multi-instance scaled app service?

I'm trying to add/remove certain http headers from responses coming back from a 'pure' web api application (i.e. no MVC) published to Azure.
I added the following web.config to the project in VS2019:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
<remove name="X-Powered-By"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
This works fine in my dev environment with IISExpress. It also works fine when the app is published to Azure for app services that are not configured for multi-instance scaling. However, when the app service is configured for multi-instance scaling (three instances in my case) then responses from the app contain 'X-Powered-By' and no 'X-Content-Type-Options' or 'X-Frame-Options'.
Publishing creates the following web.config in Out folder on my dev machine:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath=".\<apname>.exe" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" hostingModel="inprocess" />
</system.webServer>
</configuration>
I also verified that the above web.config is present in the root of the app service in Azure.
Is there anything else that needs to be done in app service configuration in Azure for this to work with multi-instance scaling?
After testing, you do not need to make any changes. In the code or web.config, your solution is currently possible, provided that it is deployed in a windows-based webapp. If it is deployed under linux, then the web.config file is not effective. The web.config file is only applicable to iis. Under linux, the configuration file that needs to be used should be .htaccess.
Put web.config under the wwwroot path, which is the root directory of the project.
Based on windows azure webapp, the post-deployment effect should be consistent with the local iis effect. After testing, after I deploy, you can see the screenshots, and the effect in your web.config has been achieved.
Note:
Some headers cannot be deleted, but they can be overwritten. They need to be coded in the program. You are not involved in this question yet.
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<-- replace server vaule -->
<add name="Server" value="N/A" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
Test Steps:
Method 1 with web.config
Create a sample project like below.
Deploy to azure, please see my files on scm site.
Method 2 without web.config (workaround, also works in linux)
Add below code in Startup.cs, it also works for me .
app.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
context.Response.Headers.Remove("X-Powered-By");
await next.Invoke();
});

IIS windows authentication works for website but not for web application under website

I have a website hosted in IIS using windows authentication. It works fine.
But if I host it as a web application unter a website, windows authentication doesn't work and the authentication window shows and then doesn't go away even if I put in the correct user name and password.
The SPN, delegation and IIS settings should be correct, otherwise the website won't work. Only if I deploy it as web application, windows authentication stoped working. Any idea?
Thanks for the reply, the sub status code is 401.1 and here the web.config file on the application level
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath=".\DataService.exe" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
</system.webServer>
</location>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>
I finally found the solution.After enabling ASP.Net Impersonation on the web application, it works.Seems like, the web application needs impersonation to get the kerberos ticket from the website.

Upload large file (>4MB) with asp.net 5.0 app hosted on windows azure

I want to upload a large file ( >4mb ) to my asp.net 5.0 app, everything works great on my computer using this config :
<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2147483648" maxQueryString="2000">
</requestLimits>
</requestFiltering>
</security>
<handlers>
<add name="httpPlatformHandler" path="*" verb="*" modules="httpPlatformHandler" resourceType="Unspecified" />
</handlers>
<httpPlatform processPath="%DNX_PATH%" arguments="%DNX_ARGS%" forwardWindowsAuthToken="false" startupTimeLimit="3600" />
</system.webServer>
<system.web>
<httpRuntime maxRequestLength="102400000" />
</system.web>
</configuration>
But on azure ( Web Role ) it only works for files under 4MB.
I think that IIS is fine, it's Kestrel or the webListner which doesn't want to process the request ( I get "The specified CGI application encountered an error and the server terminated the process." ), I don't know if it possible to configure it too.
Sounds like another limit being hit. The system.web section is ineffective on ASP.NET 5 applications
From this article (vNext maxRequestLength):
There are no predefined configurations in ASP.NET 5.0 :
All configuration is done in code
There is no System.Web in ASP.NET 5.0.
You can still use web.config for IIS settings only
Support for MaxRequestLength is coming

Sitecore Content Delivery security hardening admin folder

We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?
Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering
you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>

ServiceStack REST service custom path error

I am having trouble configuring my ServiceStack REST service to work on my production IIS 7.5 box. It works fine running localhost, and it also works fine if I deploy in the root of "Default Web Site" - /EmployeeSvc. I have a virtual directory structure under Default Web Site for organizational purposes (note custom path in web.config). I can browse successfully to the default.htm at this location, but when I try to execute the built-in /hello example I receive:
Server Error 404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Like I said, the built-in /hello example works perfectly from localhost and from a root iis folder under default web site, but not from within a directory structure. What am I doing wrong with the location-path?
Thanks in advance! Here is web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="Employees-NoAuth/WebServices/EmployeeSvc">
<system.web>
<httpHandlers>
<add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" />
</httpHandlers>
</system.web>
<!-- Required for IIS 7.0 -->
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" verb="*" />
</handlers>
</system.webServer>
</location>
<system.web>
<customErrors mode="RemoteOnly"/>
<compilation debug="true" targetFramework="4.0" />
</system.web>
</configuration>
I'd try the following:
1. Remove location node from web.config. Move SS configuration out of it.
2. Register base URL path in your class derived from AppHostBase:
public override void Configure(Container container)
{
this.SetConfig(new EndpointHostConfig { ServiceStackHandlerFactoryPath = "base/path" });
}

Resources