I have REST url which is like '/api/abc/xyz/pqr.Config'. This is invalid URL as ASP.NET considers this as possible security breach. I used 'alwaysAllowedUrls' tag in web.config but there can be 100's of such kind of URL. So is there a way I can specify RegEx which will allow URLs matching that RegEx. This is not available in 'alwaysAllowedUrls'.
Add this code to your <system.webServer> of web.config, this is dynamic path, every where which you have pqr.config file this can be shown to everyone.
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
<add fileExtension=".config" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
<staticContent>
<mimeMap fileExtension="/api/abc/xyz/*.*.config" mimeType="text/xml" />
</staticContent>
Related
In my ASP.NET MVC 5 app, I have used the clientCache web.config attribute to customize the caching behavior for static files.
<system.webServer>
<staticContent>
<clientCache cacheControlCustom="private,max-age-300" setEtag="true" />
</staticContent>
</system.webServer>
This is working fine for .css and image files, but I'm noticing in my browser's dev tools that .js files are not getting the custom cache-control and etag headers that the other file types are getting.
In addition, I've tried adding a custom handler, but it hasn't had any effect from what I can tell.
<handlers>
<add name="StaticHandler_js" verb="*" path="*.js" type="System.Web.StaticFileHandler" />
</handlers>
Any ideas on how I can get ASP.NET/IIS to treat .js files the same way as other static files?
I was able to get around this by adding path-specific configuration to clear out all handlers and add only the static file defaults to those paths. This is an imperfect solution because it's based on the file path, not the file type, but because all of my JavaScript files are in this singular folder, it does the job.
<location path="Scripts">
<system.webServer>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read"/>
</handlers>
</system.webServer>
</location>
If anyone has a better solution that doesn't rely on file path, I'll gladly accept that as the solution.
<system.webServer>
<staticContent>
<clear/>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:01:00" />
<mimeMap fileExtension=".jpg" mimeType="image/jpg"/>
<mimeMap fileExtension=".png" mimeType="image/jpg"/>
<mimeMap fileExtension=".css" mimeType="text/css"/>
<mimeMap fileExtension=".js" mimeType="text/javascript"/>
</staticContent>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
I need to use IIS only for directory browsing. The directory contains ASP.NET Core files and IIS automatically attempts to serve them normally.
Is there a way to force IIS to display all files as static files?
In order to let IIS serves everything as static content, you have to
Keep only Static Files handlers
enable directory browsing
Add mime type for every file. Without that IIS won't know how to serve unknown file type
Disable request filtering to download .config file, bin folder content, etc.
You will find below the corresponding web.config
WARNING : big security issue. Be sure to understand the risk before applying this configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<clear />
<add name="StaticFiles" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>
<directoryBrowse enabled="true" />
<staticContent>
<mimeMap fileExtension=".*" mimeType="application/octet-stream" />
</staticContent>
<security>
<requestFiltering>
<hiddenSegments>
<clear />
</hiddenSegments>
<fileExtensions>
<clear />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
I wanted to add some IIS requestFiltering rules to my web application. I followed folling guides:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls
http://www.iis.net/configreference/system.webserver/security/requestfiltering/denyurlsequences
For example, I want to deny Url test but enable testallowed
So I made following configuration in my web.config:
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="test" />
</denyUrlSequences>
<alwaysAllowedUrls>
<add url="testallowed" />
</alwaysAllowedUrls>
</requestFiltering>
</security>
</system.webServer>
Wenn calling mypage/test, I get the IIS HTTP Error 404.5 Page, which is correct. But I get the same page when calling mypage/testallowed. And in my web.config, the Tag alwaysAllowedUrls is underlined and it says:
The element 'requestFiltering' has invalid child element 'alwaysAllowedUrls'. List of possible elements expected: 'fileExtensions, requestLimits, verbs, hiddenSegments, denyUrlSequences'.
this is the syntax as per the IIS documentation :
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="bad" />
<add sequence="sequence" />
</denyUrlSequences>
<alwaysAllowedUrls>
<add url="/bad_sequence.txt" />
</alwaysAllowedUrls>
</requestFiltering>
</security>
</system.webServer>
https://www.iis.net/configreference/system.webserver/security/requestfiltering/alwaysallowedurls?showTreeNavigation=true
I want to serve x3d files by my azure asp.net website. I tried in web.config:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions applyToWebDAV="false">
<add fileExtension=".x3d" allowed="true" />
<add fileExtension=".bin" allowed="true" />
</fileExtensions>
<requestLimits maxAllowedContentLength="1048576000" />
</requestFiltering>
</security>
</system.webServer>
What is wrong?
You need to edit the web.config and add those file extensions as mime types.
Please see the following artcile: http://blogs.iis.net/richma/adding-mime-types-to-your-windows-azure-web-site
The following example is for .woff font files:
Add the following to the section of your web.Config.
<staticContent>
<mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
</staticContent>
Note : If the element already exists you just need to add the element to this section for the type you want to add
I want to upload images, it works fine on my machine but when I put my website on IIS7 server for public I can't upload anything.
Error
The request filtering module is configured to deny a request that
exceeds the request content length.
Most likely causes
Request filtering is configured on the Web server to deny the request
because the content length exceeds the configured value.
Things you can try
Verify the configuration/system.webServer/security/requestFiltering/requestLimits#maxAllowedContentLength
setting in the applicationhost.config or web.config file.
system.webServer in Web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1048576" />
</requestFiltering>
</security>
</system.webServer>
As you can see I set my maxAllowedContentLength to 1gb. Restarted my website and still getting this error. I made an /uploads/ folder on my file system where it suppose to be as well. Have no idea what causes this error and why I can't upload images.
<configuration>
<system.web>
<httpRuntime maxRequestLength="1048576" />
</system.web>
</configuration>
From here.
For IIS7 and above, you also need to add the lines below:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
The following example Web.config file will configure IIS to deny access for HTTP requests where the length of the "Content-type" header is greater than 100 bytes.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits>
<headerLimits>
<add header="Content-type" sizeLimit="100" />
</headerLimits>
</requestLimits>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Source: http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits
I had similar issue, I resolved by changing the requestlimits maxAllowedContentLength ="40000000" section of applicationhost.config file, located in "C:\Windows\System32\inetsrv\config" directory
Look for security Section and add the sectionGroup.
<sectionGroup name="requestfiltering">
<section name="requestlimits" maxAllowedContentLength ="40000000" />
</sectionGroup>
*NOTE delete;
<section name="requestfiltering" overrideModeDefault="Deny" />