Hidden redirect on IIS site? - asp.net

We have an ASP.NET webforms web application running on IIS 6. There is a permanent redirect in place, for one of its pages: https://www.deurengigant.nl/content/voorwaarden.htm to https://www.deurengigant.nl/content/voorwaarden.
This redirect isn't happening on our local testing version, nor is it happening on a live test version, using the exact same code (including web.config, which has the database connection string): http://test.deurengigant.nl/content/voorwaarden.htm. (Yes, we don't have https on the test version.)
I've already checked the URL rewrite section in IIS Manager for the web site, but there is nothing there. (Pretty sure it simply shows what's defined in web.config rewrite rules anyway.) The HTTP Redirect section shows nothing either.
I've gone through the code looking for redirects, but couldn't find the problem there; also, the test version and our local version use the same code folder.
I've also checked the URL in a Chrome incognito session, to make sure the permanent redirect isn't pulled from cache.
What could I have overlooked? Where else could the 301 Permanent Redirect be set up?

The redirect is in applicationHost.config, which is located in C:\Windows\System32\inetsrv\config.
I think it's unwise to put it there, since that file is usually not in source control, nor copied to developer machines for local debugging.
As for why the test version on the live server doesn't have the redirect… I still don't know! They both use applicationHost.config, so they should have them both! That said, check the "error pages" section of IIS Manager. For me, it gives an error for the test version, stating: "cannot add duplicate collection entry of type 'error'". This refers to the error nodes in the httpErrors section of web.config and applicationHost.config, so I think it might be related to that. Maybe a nice conundrum for a rainy day.

Related

IIS 10 web routing configuration

I am not sure how this done or what I need to do, I think all I need is a simple rewrite rule but I do not know.
I have a website that www.mysite.com loads the site, but when I browse to mysite.com it goes to a different page that basically says pageOk. I am not sure where that redirect is happening - as this was occurring with our old server (some one else managed that) - I installed IIS on a new server and so now the traffic at www.mysite.com is fine but I still have this issue of mysite.com showing a page that I do not have in my application.
What do I need to do to fix this or where might this issue be coming from ?
firest check the do any is URL rewrite rule and HTTP redirect is affecting this. check both server level and site level.
try to run failed request tracing in iis.
check browsers developer tool -> network tab which status code it is showing.
https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis

How do I find where a redirect is occurring on my website

We're moving an instance of a third party, .NET-based website to a Win2016 server, IIS 8, from an external hosting service. Under the site, there's a WCF web service in a subfolder. There are no virtual directories or apps.
mysite.../Order/v4/service.svc
When I browse to pull the wsdl (https://MySite.../Order/v4/Service.svc?wsdl ), it is redirecting to Login.aspx (https://MySite.../Order/v4/Login.aspx).
Browsing to https://MySite/Order/v4/Service.svc?wsdl redirects to https://MySite/Order/v4/Login.aspx .
IIS has no default document set / web.config's defaultDocument is commented out.
Vendor indicates
That would be a redirect that was setup either on IIS or another
appliance that is doing that.
Same behavior occurs running on the server itself (localhost) and sys eng confirms it shouldn't be leaving the network to hit any firewall.
There are no other .config files on the server with any reference to "Login.aspx".
This still feels like it is some piece of configuration but even doing things I shouldn't need to do like restarting the server just to make sure no caching of settings is hanging around isn't affecting it.
Any guesses on what might be attempting to redirect?
Following Rich-Lang's suggestion in comments provided the information to identify that the global.asax file was handling an error in the web.config. Since the code in this case was in codebehind in a dll, and the vendor indicated their code does not redirect, I had not seen that culprit before. Removing the global.asax and turning off customErrors allowed me to see the underlying issue.

How to turn off a 302 redirect in Azure Websites

I know this is strange.
I have an azure website. If you visit it, e.g. web1.azurewebsites.net you will be immediately redirected (302) to https://web1.azurewebsites.net
I do not have any code in the deployed application that does, this, nor anything in my web.config.
To test, I created another S1 (i.e. SSL capable) azure websites from scratch, deployed the EXACT same code (even used the same database), and I do not get the redirects.
Where is this 302 redirect setup in Azure?
to be clear.
1) Exact same code, webconfig etc.
2) only difference is the Azure publish location
3) I do have some recollection of ticking a box somewhere saying 'only allow ssl', but I really can't find it anywhere now.
All references online are a) to turn ssl ON, b) talk about web config and mvc code. Neither apply here due to test.
For you info, in Edge, F12 tools, I can see the redirect under Network tab.
and X-Powered-By: ASP.NET etc. etc.
I can't find a setting anywhere in Azure portal to turn this off. Any help appreciated.
Hard to investigate without demo or code.
If your project doesn't have any rewrite rules then it must be an app service that is doing this.
You might have an extension installed that does this: https://blog.nicholasrogoff.com/2017/01/12/azure-app-service-force-redirect-from-http-to-https-the-easy-way/
Or rewrites happen at a higher level. Do you have some kind of service that sits on the top of you app service e.g. cloudflare?
You can try clone your existing app (requires premium subscription) to see if the problem is reproduced
The real problem was the browser! not the code....
I had once, at some point put in the HSTS headers for testing. Once you do that in Chrome, it will always 'redirect' itself to the https version.
You can
Use incogneto mode
clear the 'you must always redirect to https' setting in chrome using the advanced chrome settings.

need to generate 404 for folders on IIS7.5 but not their contents

I would like to be able to hide the existence of folders in my DotNet 2.0 website which is being hosted via IIS 7.5 that contain files that must continue to be accessible. For example, I want a person's web browser to be able to retrieve the file domain.com/css/style.css (which is needed to render the page) but if the person tries to access the URLs domain.com/css/ or domain.com/css I want them to receive a 404 error. (not a 403 error)
By default IIS 7.5 will give a 403 error which would still allow an attacker to know about the existence of the folder. I realize that an attacker could easily discover the existence of the "css" folder by visiting the site in their browser and seeing that files are being pulled from the "css" folder. That said, this is a requirement of the project that I have to comply with.
In IIS6 I used to be able to set the hidden attribute for the folder which would give me the 404 behavior I wanted, but this is no longer the case in IIS7.5. (IIS 7.5 gives a 500 error if I try to do this) IIS 7.5 is another requirement of this project. Also, in IIS6 I want able to create a wildcard mapping that would cause all requests to route through DotNet which would then allow me to create a 404, but again, this does not appear to work on IIS7.5.
I have already tried creating handlers in the web.config ( node) which works on my staging system but not on my production system. Also, this method seems like overkill because I have to create a c# handler and have a handler entry in the web.config for each folder I want to hide. I'd like a simpler solution, but also, the solution just seems to not work on my production system.
Ideally, requests to the folder that do not include the trailing forward slash should NOT cause a 301 redirect but should also cause a 404.
You could always put a handler/ASPX page as the default page for directories, and have that handler return a 404 error code.

IIS - "The system cannot find the file specified."

I am building an asp.net web application which has been working on local and staging. however, when i deployed to live, there is a little weird issue occurred. below is the live environment details.
live environment:
Server 2003
IIS 6
when the request url is below, if page not found, it will redirect to page 404 configured in the IIS.
"http://www.xxxx.com/folder1/default.aspx"
however, when the request url is below (with a dot in the folder), it will show a IIS default 404 message which is "The system cannot find the file specified." which isn't what i configured in the IIS and it seems like it skips all the http handlers and modules. Therefore, my custom http handler stop working with this kind of url.
"http://www.xxxx.com/folder.1/default.aspx"
My guess it something to do with the IIS setting. i have have several research, there is no other issue like me.
appreciated if anyone can help. Thanks a lot.
Dion
One of the possible reason could be tool such as UrlScan - you need to explicitly configured it to allow dot(.)s in the url - this can be done by editing <Windows Folder>\system32\inetsrv\urlscan.ini and setting AllowDotInPath=1

Resources