Develop Reference

web.config settings not respected in .net core 3.1 Azure multi-instance scaled app service?

I'm trying to add/remove certain http headers from responses coming back from a 'pure' web api application (i.e. no MVC) published to Azure.
I added the following web.config to the project in VS2019:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
<remove name="X-Powered-By"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
This works fine in my dev environment with IISExpress. It also works fine when the app is published to Azure for app services that are not configured for multi-instance scaling. However, when the app service is configured for multi-instance scaling (three instances in my case) then responses from the app contain 'X-Powered-By' and no 'X-Content-Type-Options' or 'X-Frame-Options'.
Publishing creates the following web.config in Out folder on my dev machine:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath=".\<apname>.exe" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" hostingModel="inprocess" />
</system.webServer>
</configuration>
I also verified that the above web.config is present in the root of the app service in Azure.
Is there anything else that needs to be done in app service configuration in Azure for this to work with multi-instance scaling?

After testing, you do not need to make any changes. In the code or web.config, your solution is currently possible, provided that it is deployed in a windows-based webapp. If it is deployed under linux, then the web.config file is not effective. The web.config file is only applicable to iis. Under linux, the configuration file that needs to be used should be .htaccess.
Put web.config under the wwwroot path, which is the root directory of the project.
Based on windows azure webapp, the post-deployment effect should be consistent with the local iis effect. After testing, after I deploy, you can see the screenshots, and the effect in your web.config has been achieved.
Note:
Some headers cannot be deleted, but they can be overwritten. They need to be coded in the program. You are not involved in this question yet.
<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<-- replace server vaule -->
<add name="Server" value="N/A" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
Test Steps:
Method 1 with web.config
Create a sample project like below.
Deploy to azure, please see my files on scm site.
Method 2 without web.config (workaround, also works in linux)
Add below code in Startup.cs, it also works for me .
app.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
context.Response.Headers.Remove("X-Powered-By");
await next.Invoke();
});

How to load index.asp in IIS 7.5

I have a site/application I would like to load in IIS. The root of the folders contains a web.config and index.asp. The sub folders are asp, scripts, styles, images.
I add Add Web site in IIS, define the physical path to the location of the index.asp, assign the IP address for host name I tried local host, IP, and leaving it blank. When I click on Browse Website I receive a HTTP 500 Internal Server Error. IIS is running and the Web Site is started in the Manage Website menu.
If I write a short index.html hello world page and set it as default document it displays ok. When I change default document back to index.asp I get the 500 error again.
Could someone give me a tip on how to proceed?
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

This is going to be a guess at best, since a 500 can mean anything without a sub-status code. It probably is due to configuration inheritance. index.asp is already in the default list of default documents at the server level. By adding index.asp, it may be causing a unique hey violation when the configuration inheritance is flattened into the effective configuration.
Suggestion:
Add a <clear /> element right above the <add value="index.asp" /> and try again. Otherwise, we will need to go get the sub status code of that 500 to get more information. The IIS log usually contains the sub status in the sc-substatus.
Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
If this works, then the reason it originally works with index.html because index.html is not in the default files list.
Additional Note
The other thing I can think of is that impersonation being enabled. If you are running the application pool in Integrated Pipeline mode, you'll need to turn off integrated mode configuration validation. More information can be found here: Integrated Pipeline mode configuration validation.
New Resulting Configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="False" />
<defaultDocument>
<files>
<clear />
<add value="index.asp" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

Enable cross site access in OK Hosting?

I'm trying to download the bootsrap fonts from a container I have in a site hosted by OK Hosting. I can download the font manually but when using it in a CSS on a page hosted in another server, it fails because cross site access is disabled.
I know OK Hosting uses IIS but they give you a web based control panel.
How do I enable cross site access?

Ok, you just have to add a file called web.config at the root of your site with the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>

You might also need the following just below the Access-Control-Allow-Origin.
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />

500 Error on AppHarbor but downloaded build works on my machine

I'm using Visual Studio 2013 on Windows 8. I have a web service built off ServiceStack. Everything works fine on my machine but when deploying it to AppHarbor I get a 500 error. I set customErrors mode="off" and I still get a 500 error with no stack trace.
According to AppHarbor's FAQ:
If enabling Custom Errors doesn't produce a stacktrace, then that's indicative of a configuration problem that prevents the ASP.NET runtime from initializing. You can debug such problems by deploying your app (either built locally or build output downloaded from AppHarbor) to a full IIS running on your local machine. You must configure the application pool to run in Integrated Pipeline mode to properly replicate AppHarbor's environment.
So I did this. I downloaded the build output from AppHarbor and ran it on my local IIS and it worked fine!
The AppHarbor Errors page says
No errors to display.
And a AppHarbor's log session feature displays no meaningful information:
2013-12-31T09:55:20.886+00:00 appharbor web.1 Created new worker (version 1388526921)
2013-12-31T09:55:24.864+00:00 appharbor web.1 Warming up (version 1388526921)
2013-12-31T09:55:32.134+00:00 appharbor web.1 Web worker root URL returned HTTP status code 500 (Internal Server Error) (version 1388526921)
Any suggestions?
--
for references, here's an outline of my web.config:
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<configSections>
<sectionGroup name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth">
<section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
<section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
<section name="messaging" type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
<section name="reporting" type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
</sectionGroup>
</configSections>
<appSettings>
....
</appSettings>
<connectionStrings>
....
</connectionStrings>
<system.web>
<customErrors mode="Off">
</customErrors>
<httpHandlers>
<add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" />
</httpHandlers>
<compilation debug="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
</handlers>
<directoryBrowse enabled="true" />
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="MongoDB.Driver" publicKeyToken="f686731cfb9cc103" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-1.8.2.34" newVersion="1.8.2.34" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="MongoDB.Bson" publicKeyToken="f686731cfb9cc103" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-1.8.2.34" newVersion="1.8.2.34" />
</dependentAssembly>
</assemblyBinding>
<!-- This prevents the Windows Event Log from frequently logging that HMAC1 is being used (when the other party needs it). -->
<legacyHMACWarning enabled="0" />
</runtime>
<uri>
<!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names),
which is necessary for OpenID urls with unicode characters in the domain/host name.
It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. -->
<idn enabled="All" />
<iriParsing enabled="true" />
</uri>
<system.net>
<defaultProxy enabled="true" />
<settings>
</settings>
</system.net>
<dotNetOpenAuth>
<!-- This is an optional configuration section where aspects of dotnetopenauth can be customized. -->
<!-- For a complete set of configuration options see http://www.dotnetopenauth.net/developers/code-snippets/configuration-options/ -->
<openid>
<relyingParty>
<security requireSsl="false">
</security>
<behaviors>
<!-- The following OPTIONAL behavior allows RPs to use SREG only, but be compatible
with OPs that use Attribute Exchange (in various formats). -->
<add type="DotNetOpenAuth.OpenId.RelyingParty.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth" />
</behaviors>
</relyingParty>
</openid>
<messaging>
<untrustedWebRequest>
<whitelistHosts>
</whitelistHosts>
</untrustedWebRequest>
</messaging>
<!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. -->
<reporting enabled="true" />
</dotNetOpenAuth>
</configuration>

Just a wild guess: (not much to go on) but I have had similar problems when, for example, I was using the IIS rewrite module on my local machine (and it worked fine), but when I uploaded to a host that did not have that add-on module installed, I would get a 500 error with very little to go on - sounds similar. It drove me crazy trying to find it.
So make sure whatever options/addons that you might have and be using locally in IIS are also installed on the host.
Similarly, make sure you understand everything that is being referenced/used in your web.config - that is likely the problem area.

Orchard CMS Theme Images Not Showing Up

I'm using the correct helper call to get the URL for an image in my theme:
#Url.Content(Html.ThemePath(WorkContext.CurrentTheme, "/Content/Images/my-image.png")
...and I know the image is there and is readable. Yet it's not showing up when I try to browse to it! Why is this happening?

From the docs (http://docs.orchardproject.net/Documentation/Anatomy-of-a-theme):
To enable files to be served, each of the folders that contains static files such as style sheets, images, or JavaScript code should contain a web.config file that contains the following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<httpHandlers>
<!-- iis6 - for any request in this location,
return via managed static file handler -->
<add path="*" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>
</system.web>
<system.webServer>
<handlers accessPolicy="Script,Read">
<!-- iis7 - for any request to a file exists on disk,
return it via native http module.
accessPolicy 'Script' is to allow for a managed 404 page. -->
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
preCondition="integratedMode" resourceType="File"
requireAccess="Read" />
</handlers>
</system.webServer>
</configuration>