Is there any way I can have IIS 7.0+ (or 7.5+) configured such that for certain paths Request Filtering is completely disabled. That is,
http://host.local/foo/bar.cs
is forbidden (since serving *.cs files is explicitly forbidden in applicationHost.config), but
http://host.local/foo/allow-all/bar.cs
is allowed.
In your allow-all directory, you can create a web.config file with the following configuration:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".cs" />
</fileExtensions>
</requestFiltering>
</security>
<staticContent>
<mimeMap fileExtension=".cs" mimeType="text/plain" />
</staticContent>
</system.webServer>
</configuration>
This configuration removes the .cs extension from the request filtering. Additionally, for IIS to properly serve content, it needs a MIME type, so the .cs extension is added as text/plain.
These changes will also apply to all child directories of allow-all. This configuration works with an Integrated App Pool. Classic may require additional changes since there are HTTP handlers that explicitly disallow .cs as well.
Related
I have X the same applications in IIS(some code/exe, but different config file).
Would it be possible to put duplicate files to some folder?
For example I have applications:
Canada.weather.com
usa.weather.com
mexico.weather.com
Uses same .dll and .exe, but have different config.
As Lex says, we don't suggest you to put duplicate files to some folder. If one of the dll is missed or not, it will make all the sites down.
If you still want to do this , you could apply the setting in applicationHost.config and wrapping it in a tag.
The applicationhost.config file path :
%windir%\system32\inetsrv\config\applicationHost.config
Each sites will have its own location, you could add the custome configuration inside each location tag.
Like belowl, I enable the windows auth for "BrandoTestSite":
<location path="BrandoTestSite">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
Notice: This way is lower maintainability. We don't suggest you choose this way to manage mutiple application.
I'm having problems creating and accessing a well-known folder in an MVC 5 Web App. I need the folder to house some documents for iOS and Android mobile apps.
First, I add a well-known folder to my MVC 5 Web App. I could not add a .well-known folder. Since I could not add the "." in front of the folder, I added a virtual directory using the Azure Portal.
This seems to work, but When I try to access the files using https://portal.mydomain.com/.well-known/apple-app-site-association or this https://portal.mydomain.com/.well-known/assetlinks.json, I get the following message.
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
When I try to access just the directory using https://portal.mydomain.com/.well-known/ I get the following message.
"You do not have permission to view this directory or page."
Finally, I added this to my web.config in order to handle the lack of a file extension on the apple-app-site-association file.
<staticContent>
<mimeMap fileExtension="." mimeType="application/octet-stream" />
</staticContent>
Any help is much appreciated. Thanks!
I added a new web.config file to my well-known folder and configured it like so. I can now access both files. This is a new web.config and has nothing to do with the web.config in the root directory. Using this config, the apple-app-site-association downloads a file when I access it using a web browser. The assetlinks.json file displays in the web page, so they behave differently.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension="." mimeType="application/octet-stream" />
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
</configuration>
I commented out this entry in my root directory web.config because I did not need it.
<staticContent>
<mimeMap fileExtension="." mimeType="application/octet-stream" />
</staticContent>
Running ColdFusion 11 (Update 7) and IIS 7.5
My site application/root level web.config:
<configuration>
<system.webServer>
<httpErrors errorMode="Custom" />
</system.webServer>
</configuration>
My nested web.config file, which sits inside /api/eb :
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
When I visit a page that sits within the /api/eb sub-directory (e.g. 401.cfm) and trigger a 401 status code the server will return the Custom error handler response. My interpretation from the docs is that the nested web.config file should override the root web.config file but it clearly is not.
I've checked within the IIS applicationhost file and httpErrors overrideModeDefault is set to true. I also tried using a location tag within my root web.config file to do the same thing but it is also ignored unless I set the path to the wildcard character.
I'm out of ideas. Your help will be greatly appreciated. Thank you in advance.
I found this article which seems to explain your question pretty well - How to Use HTTP Detailed Errors in IIS 7.0
Specifically this excerpt:
Security Considerations
A word of caution: For architectural reasons, IIS can only execute the URL if it is located in the same Application Pool. Use the redirect feature to execute a Custom Error in a different Application Pool.
IIS can also return a 302 Redirect to the browser when a particular error occurs. Redirect is good if you have a server farm. For instance, you can redirect all your errors to a central location that you closely monitor.
There is risk however: responseMode="File" (which is the default) allows you to specify every file on the disk. This will not work if you are very security conscious.
A workable scenario might include only allowing the delegation of the errorMode setting. This enables a developer to receive Detailed Errors for his application even if he is using a remote client. All that is necessary is to set errorMode="Detailed". Here is how to configure this scenario:
Allow the delegation of the httpErrors section:
<section name="httpErrors" overrideModeDefault="Allow" />
Second, go to the section in applicationHost.config and change it so that only errorMode is delegated:
<httpErrors lockAllAttributesExcept="errorMode" lockElements="error">
<error statusCode="404" prefixLanguageFilePath="E:\inetpub\custerr" path="404.htm" />
<error statusCode="401" prefixLanguageFilePath="E:\inetpub\custerr" path="401.htm" />
<error statusCode="403" prefixLanguageFilePath="E:\inetpub\custerr" path="403.htm" />
<error statusCode="405" prefixLanguageFilePath="E:\inetpub\custerr" path="405.htm" />
<error statusCode="406" prefixLanguageFilePath="E:\inetpub\custerr" path="406.htm" />
<error statusCode="412" prefixLanguageFilePath="E:\inetpub\custerr" path="412.htm" />
<error statusCode="500" prefixLanguageFilePath="E:\inetpub\custerr" path="500.htm" />
<error statusCode="501" prefixLanguageFilePath="E:\inetpub\custerr" path="501.htm" />
<error statusCode="502" prefixLanguageFilePath="E:\inetpub\custerr" path="502.htm" />
</httpErrors>
Notice that the correct value for the overrideModeDefault attribute is Allow, not true as you mentioned in your question.
This article further explains the overrideModeDefault attribute - Understanding IIS 7.0 Configuration Delegation
Excerpt:
The overrideModeDefault attribute is an optional attribute that defines the locked state of a section. Its available values are either Allow or Deny. The default value is "Allow". All IIS sections that are related to any performance, security or critical aspect of the server are locked with this attribute set to "Deny". If the overrideModeDefault attribute is set to "Deny", then any configuration files at a lower level (i.e. web.config files) that set a value for a property for the specific configuration section are not able to take effect and override the global values. This incurs in a lock violation and an error occurs.
Adding to my web.config
<system.webServer>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
Allows my application to run on Azure, but will crash my remote IIS server because its already included. Removing the remote IIS mimeType is not practical in this particular case. I end up using a different web.config
Is there another mechanism by which I can configure Azure IIS mimeType so I don't have this problematic web.config?
I would like a single deployment package that will work on Azure and non Azure.
This should work:
<system.webServer>
<staticContent>
<remove fileExtension=".json" />
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
See also here: http://blogs.msdn.com/b/chaun/archive/2009/12/04/iis7-error-cannot-add-duplicate-collection-entry-of-type-mimemap-with-unique-key-attribute-fileextension.aspx
This doesn't make any difference to your overall IIS configuration, it just conditionally removes the mimeMap from the configuration of this particular site (as governed by this web.config) before adding it again.
You can create a startup task that adds the mime type on IIS level. This way you won't need to include it in your web.config:
"%windir%\System32\inetsrv\appcmd.exe" set config /section:staticContent /+"[fileExtension='.json',mimeType='application/json']"
exit /b 0
I had an application that was running on IIS 6. All requests went through aspnet_isapi.dll. This was achieved via a wildcard application mapping (which did not verify the file existed).
I have copied said application to a machine running IIS7, and would like to get it working again.
In the application, any request with an extension of .aspx (or .ashx) are handled in the normal way. Other requests with different extensions (such as .html and .xml) are handled by a custom http module. Some requests have no extension, and are dynamically redirect to a file with an extension (e.g. visiting …/item/1 might redirect to …/item/1.html or …/item/1.xml, depending on values in the accept header).
The new location probably does not exist, but a response is generated dynamically.
Currently, the application pool is in “classic” mode, and is using .NET v4.0 (it was previously using .NET 3.5, but that doesn’t seem to be related to the problem). The custom http module is set only in the web.config.
The redirect (from …/item/1 to …/item/1.html) seems to work, which suggests that extension less requests are indeed being processed by the application (that redirect is written in the application itself). I think that means that the custom module is working.
Requests with extensions (.html, .xml etc) are failing however. The error I get is:
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Module: IIS Web Core
Notification: MapRequestHandler
Handler: StaticFile
Error Code: 0x80070002
I have tried:
Adding a wildcard script mapping that mapped * to aspnet_isapi.dll
Tried adding a specific mapping for *.html to aspnet_isapi.dll
These still result in the same error message, and still seem to go to the handler "StaticFile".
I tried modifying "StaticFile" so that it uses the aspnet_isapi.dll executable, and this results in a new error:
HTTP Error 404.4 - Not Found
The resource you are looking for does not have a handler associated with it.
Handler: Not yet determined
Any help would be greatly appreciated.
Set application pool in integrated mode and set that all request run all managed modules
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
Use this config in service config it worked for me.
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="WcfService.Service1">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WcfService.IService1"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpsGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>