ASP.NET disable debug error messages on localhost - asp.net

I have a project that is running a small node.js application as a reverse proxy. Some of the requests the reverse proxy receives are directed to IIS installed on the same machine, which naturally hit IIS over localhost / 127.0.0.1.
As a result, IIS automatically returns detailed error messages in the case of an error. Naturally, the proxy sends these to the user, which is not good because they contain more information than I want external users to see. I have tried to turn off the detailed error messages by explicitly setting compilation debug="false" in web.config, but since the requests come over the localhost, IIS seems determined to return detail debug error messages.
Is there a way to disable these debug error messages from being returned even when the request is coming over localhost?
I am running Windows 2012 RS, IIS 8, .NET 4.6.

OK, I found what I needed to do to make sure that IIS never returns detailed error messages, local or not.
More details can be found here.
The short answer is: Launch IIS Manager, click on the website, under IIS go to Error Pages, right click on the pre-defined error message and select "Edit Feature Settings", and select "Custom error pages". Then define the page that you want displayed.
Alternatively, you can define your preferences in web.config under system.webServer with values such as those listed below. The "errorMode" defaults to "DetailedLocalOnly", which causes the issue I am trying to avoid. Setting to "Custom" resolves the issue.
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1"/>
<error statusCode="401" prefixLanguageFilePath="" path="/errors/401.html" responseMode="ExecuteURL"/>
</httpErrors>

Related

ASP.NET/IIS HttpErrors and access denied response

I have a site where only authorizated users can access.
I also have a custom error page if a 401.2 is raised.
I configured web.config in the following way:
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" subStatusCode="-1"
path="ERRORS\unauthorized.html"
responseMode="File">
</error>
</httpErrors>
</system.webServer>
However when I try access to my site the following happen:
http://localhost --> the ERRORS\unauthorized.html is showed;
http://localhost/index.html --> the ERRORS\unauthorized.html is not showed and I can access the page!
I also noticed two things:
if I change the page to index.aspx the ERRORS\unauthorized.html is showed;
if I use a different statusCode, i.e., 404 the HTML page is showed.
so what am I not understanding? Where is my mistake?
P.S.
I'm using IIS 10 and .NET 4.7
What authentication are you using?
Assuming you are using Anonymous authentication at the IIS level and some kind of authentication in asp.net or system.web layer, the asp.net pipeline doesn't come into picture when you access the static files as they are handled by the static file handler. SO the authorization is not coming into picture. ALso try to configure the app pool to run in integrated mode and try, because integrated mode combines iis and asp.net pipeline, if youa are running in classic it won't
ALso to add another note on the line, 401.2 is a status responded back by the server that there is no user info being passed and client has to login, this doesn't necessarily have to deal with authorization and it is a way of authentication how servers work.

IIS 8.5: Detailed errors for remote calls

I have a ASP.Net 5.2.3 WebAPI application running on a Windows Server 2012R2 with IIS 8.5.
When I make a local request that causes exceptions in the ASP.Net code, I get a nice, complete error message with stack traces. When I send the same request from another host, I only get a HTTP500 with body { "Message": "An error has occurred." }. I think this is the default behavior.
Now I want to enable these detailed error messages for remote requests, too. I searched around for a few hours already, and found these measures:
Edit Web.config
<system.web>
<customErrors mode="Off" />
</system.web>
<system.webServer>
<httpErrors errorMode="Detailed" existingResponse="PassThrough" />
</system.webServer>
Enable 'Send errors to browser' in IIS Mangaer (IIS->ASP)
as described here: https://serverfault.com/questions/670853/iis-8-show-classic-asp-errors-in-browser
Enable "Detailed" IIS Error Page settings in IIS Manager (IIS->Error pages->500)
as described here: https://blogs.msdn.microsoft.com/rakkimk/2007/05/25/iis7-how-to-enable-the-detailed-error-messages-for-the-website-while-browsed-from-for-the-client-browsers
None of which seems to work, so I'm out of ideas by now.
Maybe it has to do with that my ASP.Net application is hosted in an existing IIS Site. I checked that the above modifications (step 2 & 3) are correctly applied on each level.
Give this a try...
To set the error policy in the application, modify the global Web API configuration:
GlobalConfiguration.Configuration.IncludeErrorDetailPolicy
= IncludeErrorDetailPolicy.Always;
https://lostechies.com/jimmybogard/2012/04/18/custom-errors-and-error-detail-policy-in-asp-net-web-api/

ASP.NET. Custom Page on 401

I have a webpage(home.aspx) that requires Windows Authentication. If the browser automatically sends in valid credentials, then home.aspx is displayed. Otherwise, login.aspx is displayed.
In IE, I have checked off the "Prompt for User name and Password" checkbox in Internet Options > Local Intranet > Custom level > User Authentication.
I have following the steps in http://www.codeproject.com/Articles/11202/Redirecting-to-custom-page-when-quot-Access-de , and it works fine on my local development server. However, on the production server, it is a different story.
In IIS, Home.aspx has anonymous authentication disabled, and windows authentication enabled. Login.aspx has anonymous authentication enabled and windows authentication disabled.
In the development server, on a computer that is logged in using correct credentials, home.aspx shows up. And, when the browser does not send in the credentials, Application_EndRequest is hit with a 401 status code, then the default Windows Authentication Prompt shows.
After cancelling this dialog, login.aspx is shown. This is the correct behavior.
However, in production server, on a computer that is logged in using correct credentials, home.aspx shows up. And, when the browser does not send in the credentials, Application_EndRequest is hit with a 401 status code, then the default Windows Authentication Prompt shows. After cancelling this dialog, the default 401 page shows.
Does anyone what is going on the production server, and why I am not able to intercept the 401 status code and redirect to a custom web page.
In IIS 7, they added an attribute in web.config that controls the behavior of custom errors. By default, custom and detailed errors are only shown on the local browser. To show your custom errors, you need to change this in the web.config <httpErrors> element, errorMode attribute.
<configuration>
<system.webServer>
<httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File" >
<remove statusCode="500" />
<error statusCode="500"
prefixLanguageFilePath="C:\Contoso\Content\errors"
path="500.htm" />
</httpErrors>
</system.webServer>
</configuration>
DetailedLocalOnly is the default; other possible values are Detailed and Custom.
For more reading, here is the Microsoft article that talks about this configuration.
Aside: The article you linked is more than 10 years old, and is therefore quite suspect for "modern" development. One of the comments on the article, posted about 5 years later, points to this same problem and solution.

how to remove version information from server error "the resource cannot be found"

While browsing a page, I am getting the error :
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its
dependencies) could have been removed, had its name changed, or is
temporarily unavailable. Please review the following URL and make
sure that it is spelled correctly.
Requested URL: /WebResource.axd
Version Information: Microsoft .NET Framework Version:4.0;
ASP.NET Version:4.0.33
The error is as expected and what i need is a way to hide/remove the version information.!? if there is any...
Create a custom page which you want your users to see and then in the web.config file have something like
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="404.aspx" redirectMode="ResponseRedirect">
<error statusCode="404" redirect="404.aspx" />
...
</customErrors>
</system.web>
There are 3 different mode On, Off, RemoteOnly
On - Specifies that custom errors are enabled. If no defaultRedirect attribute is specified, users see a generic error. The custom errors are shown to the remote clients and to the local host.
Off - Specifies that custom errors are disabled. The detailed ASP.NET errors are shown to the remote clients and to the local host.
RemoteOnly - Specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. This is the default value.
The default is RemoteOnly further reading here. Also you might want to look at this answer if you want to know the difference between customErrors and httpErrors

Classic ASP Sending errors to browser does not work on IIS7 for remote connections

I can’t get detailed error reporting for IIS7 for ASP pages on a remote browser connection.
However, when I run the page locally on the server I do see a detailed error message.
I have enabled Send Errors To Browser but IIS keeps sending an internal server error.
I have unchecked show friendly HTTP error messages on IE.
Does anyone know how to enable error messages to be sent to a remote browser?
If "Send Errors To Browser" is not working set also this:
Error Pages -> 500 -> Edit Feature Settings -> "Detailed Errors"
There is an ASP setting you need to change in IIS 7
Under the IIS heading, open the ASP properties, and under Compilation, expand the Debugging Properties, there you'll find:
Send Errors To Browser
Set it to True
As you've already done, you need to disable the show friendly HTTP error messages in IE.
IIS
- Error Pages
- Edit Feature Settings
- Check: Detailed errors
IIS
- ASP
- Compilation
- Debugging Properties
- Set: Enable Server-side Debugging = False
- Set: Send Errors To Browser = True
In my case Server-side Debugging was on and it was not displaying error details on remote side. It started showing error details as soon I set Enable Server-side Debugging = False.
By default IIS7 intercepts HTTP status codes such as 4xx and 5xx generated by applications further up the pipeline.
In web.config replace the line
<httpErrors errorMode="Detailed">
with
<httpErrors existingResponse="PassThrough" errorMode="Detailed">
under prompt
go to %windir%\system32\inetsrv
execute inetmgr
in the IIS MMC select "web sites" from the three on the left
open the menu action\properties.
in the home directory tab select "configuration..."
in the tab "debug" enable the send error to the client and flag both the checkboxes.
confirm all
restart IIS.
I had the same error and I solved following the above steps.
Simply Add following line under this
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
And You are done..

Resources