I'm exploring HTTP verbs like LINK and UNLINK. There is a simple website on IIS 10 for this purpose but looks like it doesn't allow these methods by default. I added a couple of rules in Request Filtering for verbs and still getting 405 error.
UPD
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<trace enabled="true" writeToDiagnosticsTrace="true" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<verbs>
<add verb="LINK" allowed="true" />
<add verb="UNLINK" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Related
The MVC project has a Startup.cs file in its root. When i run the project it throws
HTTP Error 404.7 - `Not Found. The request filtering module is configured to deny the file extension
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="Startup.cs" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
I added the following lines of config inside system.webserver tag - but there is no change:
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
You do not need to add any defaultDocuments, and should not use cs files there.
If you are using the default route, it is sufficient to add a Home controller with a Index action, which will be called by default. You can adapt the default route to use another controller/action.
I am converting my app from .net framework to .net core 2.1. Now I am facing two issues
1) In .net framework we could use HttpClientCertificate cert = Request.ClientCertificate; So how can we use Request.ClientCertificate in .net core.
2) In .net framework we could set location config like
<location path="MyPath">
<system.webServer>
<security>
<access sslFlags="Ssl.SslRequireCert,SslNegotiateCert,Ssl128" />
</security>
</system.webServer>
</location>
I want to use <access sslFlags="Ssl.SslRequireCert,SslNegotiateCert,Ssl128" /> in net core. How can I do these 2 things. Any help?
To access client certificate you can either:
use HttpContext.Connection.ClientCertificate property
get certificate using header: Request.Headers["X-ARR-ClientCert"]
To use sslFlags you have to add it in the web.config file (exactly like for the standard .NET Framework). webconfig file is auto-generated once you publish your app. Once you open it you can add
access sslFlags to it:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\IdentityServer4Demo.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" />
</system.webServer>
</location>
<location path="account">
<system.webServer>
<security>
<access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
</security>
</system.webServer>
</location>
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</configuration>
I have an asp.net webforms application that has windows authentication enabled. I need to enable anonymous authentication on a folder “Test” in the website which contains images . I did that by adding
<location path="Test">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
Now any requests to images in Test folder is unauthenticated and everything works as expected until I introduced a generic handler for this folder which fetches files from the backend storage if the file is not found in the “Test” folder and boom it broke! Anonymous authentication doesn’t work anymore. Updated web.config file below -
<location path="Test">
<system.webServer>
<handlers>
<add verb="*" path="Test" requireAccess="None" name="Handler1" type="WebApplication1.Test.Handler1, Anonymous" />
</handlers>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
I inspected the request using fiddler and it returns HTTP/1.1 401 Unauthorized message if I have the handler section in config but if I remove the handler section from config everything just works fine and I can see the valid response in fiddler. Any insight into what could be wrong here?
Finally I was able to resolve it myself by modifying the location configuration as shown below by adding system.web to allow all users
<location path="Test">
<system.webServer>
<handlers>
<add verb="*" path="Test" requireAccess="None" name="Handler1" type="WebApplication1.Test.Handler1, Anonymous" />
</handlers>
<security>
<authentication>
<anonymousAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
I wanted to add some IIS requestFiltering rules to my web application. I followed folling guides:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls
http://www.iis.net/configreference/system.webserver/security/requestfiltering/denyurlsequences
For example, I want to deny Url test but enable testallowed
So I made following configuration in my web.config:
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="test" />
</denyUrlSequences>
<alwaysAllowedUrls>
<add url="testallowed" />
</alwaysAllowedUrls>
</requestFiltering>
</security>
</system.webServer>
Wenn calling mypage/test, I get the IIS HTTP Error 404.5 Page, which is correct. But I get the same page when calling mypage/testallowed. And in my web.config, the Tag alwaysAllowedUrls is underlined and it says:
The element 'requestFiltering' has invalid child element 'alwaysAllowedUrls'. List of possible elements expected: 'fileExtensions, requestLimits, verbs, hiddenSegments, denyUrlSequences'.
this is the syntax as per the IIS documentation :
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="bad" />
<add sequence="sequence" />
</denyUrlSequences>
<alwaysAllowedUrls>
<add url="/bad_sequence.txt" />
</alwaysAllowedUrls>
</requestFiltering>
</security>
</system.webServer>
https://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls?showTreeNavigation=true
I added the following to my web.config so users can not download my plugins:
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Plugins" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
Now I have the problem that not only domain.com/Plugins/MyPlugin.dll is blocked, but also domain.com/Scripts/ckeditor/plugins/ckplugin.js.
Is there a way to configure a hiddenSegment to only affect the root directory?
I solved this via a web.config inside my plugins folder, where I block *.dll files from being downloaded:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="Plugins*.dll_*" path="*.dll" verb="*" type="System.Web.HttpForbiddenHandler" />
<add name="Plugins*.pdb_*" path="*.pdb" verb="*" type="System.Web.HttpForbiddenHandler" />
</handlers>
</system.webServer>
</configuration>
I've made some additional modifications on top of Christoph's answer to suite my use case, but I will leave this here for future references.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<!-- Make sure this directory cannot be served. -->
<location path="Plugins"> <!-- Change this to your path -->
<system.webServer>
<handlers>
<add name="DisallowServe" path="*.*" verb="*" type="System.Web.HttpNotFoundHandler" /> <!-- Return 404 instead of 403 -->
</handlers>
</system.webServer>
</location>
</configuration>