I'm currently working on a ASP.NET WebSite Security Project in School.
My objective is to start up my website with the URL of HTTPS, securing it with SSL.
I have been researching high and low over the net for guidance on how to properly enable SSL.
I'm using VISUAL STUDIO 2015 , and i have seen that the project properties can automatically enable SSL and then create a self-signed certificate.
I have actually gotten my website to be running at a URL - https://localhost:443/Example.aspx
It worked.. Then i played around with it here and there and i realised it requires VS 2015 to be run as administrator for it to work..
But i'm not sure if i'm setting up the SSL properly..
My queries are actually..
How do i properly set up SSL for my project using self signed certificate, with makecert to create a localhost certificate and assigning port 443 via IIS (Default WebSite bindings) ?
How do i set the start up URL to be HTTPS?
Do i have to enabled SSL for my project?
For query 2, i have actually researched, and many stated that, right clicking on my project then Property Pages -> Start Options -> Configure from there.
But this is actually what i get..
I tried playing around with the Start URL but it doesn't work at all.. I think maybe IIS is preventing it from working.. And i know there must be of something that i'm doing wrongly.. And i compared the Property Pages window and it's different from what i see from others..
Query 3,
These are the codes i used for my Web.Config file.
<system.webServer>
<!--<modules runAllManagedModulesForAllRequests="true" >
<remove name="UrlRoutingModule"/>
</modules>-->
<modules>
<remove name="UrlRoutingModule-4.0" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />
</modules>
</system.webServer>
Inside my applicationhost.config file
<site name="FinancialHub" id="2">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\Users\Dom\Documents\Visual Studio 2015\WebSites\FinancialHub" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:6868:localhost" />
<binding protocol="https" bindingInformation="*:443:localhost" />
</bindings>
</site>
Might have more queries along the way.. All i can think of now is the foundation and fundamentals which i have done wrongly i presume..
Everything is messy.. I sincerely apologise.. I tried my best to search for what i can but to no avail..
Really appreciate any procedural help..
In Web.Config:
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to https" enabled="True">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="Off"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
</rule>
</rules>
</rewrite>
</system.webServer>
Related
We have an Asp.Net Core web application which is running on .Net framework (net452), and hosted in Azure as a Web App.
I'm trying to redirect all http requests to https.
My current understanding is:
I can't specify IIS rewrite rules in web.config as the application
is an Asp.Net Core application
I can't use the
Microsoft.AspNetCore.Rewrite middleware as of version 2.0.0.0 it
requires .Net Standard 2.0, and net452 only supports .Net Standard
1.5.
If the above are correct, what is the best way of doing this?
I'm currently considering writing a small piece of middleware, but feels like there must be an easier way...
i really doubt for point 1.
because it is an IIS setting.
anything under <system.webServer> is only related to IIS not the tech you are using, even with PHP/Java/pureHtml applications, you can still use that section to add rewrite rules. the rewrite will happen before your requests reach your application. BUT for azure apps, you mean need to enable ARR, it used to have some issue with rewrite rules, but now it should be fine because recently i just set some rules for a PHP application in a new Azure app
You could use an App Service custom extension.
For example, there's an extension that forces traffic to go via HTTPS, described in this post.
This redirects all http traffic to https. It also makes sure that the site warmup request gets through, which makes things work correctly in site swap and Always On scenarios.
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-
Transform">
<location path="%XDT_SITENAME%" xdt:Transform="InsertIfMissing"
xdt:Locator="Match(path)">
<system.webServer xdt:Transform="InsertIfMissing">
<applicationInitialization xdt:Transform="InsertIfMissing">
<add initializationPage="/" xdt:Transform="InsertIfMissing"/>
</applicationInitialization>
<rewrite xdt:Transform="InsertIfMissing">
<rules xdt:Transform="InsertIfMissing">
<rule name="Force HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
<add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
When I added the URL rewrite code in web.config and then publish it into azure. it will automatically redirects to https even I am trying to access website with http.
<rewrite>
<rules>
<rule name="Redirect to https">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="Off"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
</rule>
</rules>
</rewrite>
But when I run the same code in my local machine it gives the below error.
This site can’t provide a secure connection
How can I resolve the above error when I run the above code in my local machine?
What I do personally is put that rewrite configuration into Web.Release.config precisely because it is a bit fiddly to get it working locally.
The problem is that IIS Express will expose HTTP and HTTPS on different ports, so if you redirect from http://localhost:1234 to https://localhost:1234, it simply won't work, because IIS Express is exposing HTTPS on something like https://localhost:44300.
You can enable SSL/TLS on IIS Express (and you should), but I would leave the rewrite rule only for Release mode.
Here is an example Web.Release.config file:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
</system.web>
<system.webServer>
<rewrite xdt:Transform="Insert">
<rules>
<!-- Redirects users to HTTPS if they try to access with HTTP -->
<rule
name="Force HTTPS"
stopProcessing="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$" ignoreCase="true"/>
</conditions>
<action
type="Redirect"
url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent"/>
</rule>
</rules>
<outboundRules>
<!-- Enforces HTTPS for browsers with HSTS -->
<!-- As per official spec only sent when users access with HTTPS -->
<rule
xdt:Transform="Insert"
name="Add Strict-Transport-Security when HTTPS"
enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security"
pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
Note that I also add HSTS here. It inserts the <rewrite> element into Web.config in Release mode. The <system.webServer> element already exists in Web.config, otherwise I would be inserting that.
This always solves the issue for me.
In Solution Explorer, click your project.
Hit the F4 key (view properties).
Copy the URL (NOT the SSL URL).
Paste the URL into the Project Url on the Web Tab, Save.
In Solution Explorer, click your project.
Hit the F4 key (view properties).
Change SSL Enabled to false.
Change it back to true. There should be a new SSL URL. Copy it.
Paste the new SSL URL into Project URL on Web tab. Click Create Virtual Directory.
Click Override application root URL, and paste in SSL URL. Save.
You will have to configure Visual Studio Server to be used with HTTPS.
Please go through this link for details:
HTTPS with Visual Studio's built-in ASP.NET Development Server
I solved this problem with older version of Chrome web browser.
This is the list of older chrome versions where you can download and install it.
60.0.3112.90 - for Ubuntu is the version that works just fine for me.
Maybe it's little slower then newer versions but i found it's pretty good for production (:
On my end, I found out that there was a javascript code that redirects the site from http to https. So try to explore your environment if there are other code responsible for that issue. Hope this can help. Thanks
I just changed the URL in the Web tab of the project properties to use a PORT that starts with 443, e.g. 44301. Also be sure to change http to https. It works for me.
I have an Azure Web App with basic authentication configured for non-PROD environments inside web.config, like below:
<configSections>
<section name="basicAuth" type="Devbridge.BasicAuthentication.Configuration.BasicAuthenticationConfigurationSection" />
</configSections>
<basicAuth allowRedirects="true">
<credentials>
<add username="username" password="password"/>
</credentials>
</basicAuth>
<system.webServer>
<modules>
<add name="MyBasicAuthenticationModule" type="Devbridge.BasicAuthentication.BasicAuthenticationModule"/>
</modules>
<!-- the rest of the web.config follows -->
Everything works fine, but whenever we do a PROD deployment with changes to web.config, a manual change to the file is required to disable basic auth (as mentioned, we need it on non-prod only).
So I wonder - is there a way to enable basic authentication with applicationHost.xdt file? Since this is a file that is not changed very often, it would make our life easier.
I already checked the IIS Manager extension, but don't see anything that would allow me to make this work. Any hints are appreciated!
UPDATES - adding my web.config (that I'd like to update with applicationHost.xdt)
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent"/>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
According to your description, I assumed that you are using DevBridge Azure Power Tools which supports basic authentication for Windows Azure websites. I followed this project Devbridge.BasicAuthentication.Test to test XDT Transform on my side. I could make it work on my side, you could refer to it.
1.Create a Release-dev configuration
Click "Build > Configuration Manager", add a new configuration for the web project.
2.Add a web configuration file named Web.Release-dev.config and configuration the content as follows:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<!--make sure the configSections is the first child element under configuration-->
<configSections xdt:Transform="InsertBefore(/configuration/*[1])" />
<configSections xdt:Locator="XPath(/configuration/configSections[last()])">
<section name="basicAuth" type="Devbridge.BasicAuthentication.Configuration.BasicAuthenticationConfigurationSection" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</configSections>
<configSections xdt:Transform="RemoveAll" xdt:Locator="Condition(count(*)=0)" />
<basicAuth allowRedirects="true" xdt:Transform="InsertAfter(/configuration/configSections)">
<credentials xdt:Transform="InsertIfMissing">
<add username="test" password="test" xdt:Transform="InsertIfMissing"/>
</credentials>
</basicAuth>
<system.webServer xdt:Transform="InsertIfMissing">
<modules xdt:Transform="InsertIfMissing">
<add name="MyBasicAuthenticationModule" type="Devbridge.BasicAuthentication.BasicAuthenticationModule" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</modules>
</system.webServer>
</configuration>
Note: You could refer to Xdt transform samples. Also, you could follow this official document about the syntax of xdt:Transform and xdt:Locator attributes that you use in your Web.config transform files.
3.Publish the web project by using the release-dev configuration:
4.Check the deployed web.config file via KUDU:
Browser the site, you could see the following screenshot:
UPDATE
For a workaround, I assumed that you could exclude web.config file from your git repository. And add the web.config file under "D:\home\site\wwwroot" and Devbridge.BasicAuthentication.dll under "D:\home\site\wwwroot\bin" for your DEV and QA environment to enable basic auth as follows:
I want to enforce using https on my site. If found this article and I used the code that was there. Unfortunately, after adding this code to web.config, this error appears when I try to open my website on local IIS:
An error ocurred attempting to determine the process id of the DNX process hosting your application
My web.config looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
<handlers>
<add name="httpPlatformHandler" path="*" verb="*" modules="httpPlatformHandler" resourceType="Unspecified"/>
</handlers>
<httpPlatform processPath="%DNX_PATH%" arguments="%DNX_ARGS%" stdoutLogEnabled="false" startupTimeLimit="3600"/>
</system.webServer>
</configuration>
Solutions from other stackoverflow questions like "Enable Anonymous Authentication" or deleting project.lock.json doesn't work.
I'm using ASP.net Core RC1
I took me a few hours of going through possible solutions of the dreaded "An error occurred attmepting to determine the process id of the DNX process hosting your application" error, until I found Tratcher's answer - which is not marked as an answer.
If everything else fails, and your project uses or enforces SSL run it without debugging (CTRL+F5) first, it will ask you to generate a local SSL cert, and after that debugging will work and the error will be gone.
Thanks Tratcher!
In addition to the great answer by Radosław Chybicki, which had worked for me a couple of times before, if it still doesn't work and you don't get the "install the certificate" stuff, you might need to repair your IIS express installation from the control panel. Go to Control Panel > Program and Features > right click on IIS Express installation and select repair.
I had accidentally deleted my IIS express certificate from my local computer certificate store.
I have one website created in IIS and the root web-share has some sub-folders for stroring images, css, js files which the pages are using. However, user is able to access the images if they know the image name (http://hello.com/images/abc.jpg).
Is there any way to disable direct access of resources ? Please note that I have just started learning asp.net, so it will be great if the answers could be a bit descriptive.
I have come to know about the URL rewrite method but just how could not get it to work.
EDIT: I put this web.config in my images folder and now its doing the opposite, blocking images on pages and allowing them directly.
Any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<rewrite>
<rules>
<rule name="RequestBlockingRule1" patternSyntax="ECMAScript" stopProcessing="true">
<match url=".*\.(gif|jpg|png)$" />
<conditions>
<add input="{HTTP_REFERER}" pattern="^$" negate="true" />
<add input="{HTTP_REFERER}" pattern=" http://iolab023/.*" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
If you want to prevent direct access to context (from a client/browser), you can use the configuration section to block it. In your web.config at the root of your site, you can use this configuration to disable "images" subdir from being accessed. If you look at your applicationhost.config you'll see this section is already configured to prevent access to the "bin" folder directly by clients. You just need to add "images" to that list, either in applicationhost.config or in a web.config like below.
(if you don't see any configuration at all in applicationhost.config, that means you'll need to install requestFiltering feature in IIS using "add/remove programs" or Web Platform Installer).
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments applyToWebDAV="true">
<add segment="images" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>