IIS prohibit direct access to images - asp.net

I have one website created in IIS and the root web-share has some sub-folders for storing images, css, js files which the pages are using. However, a user is able to access the images if they know the image name (http://hello.com/images/abc.jpg).
Is there any way to disable direct access to resources? Please note that I have just started learning asp.net, so it will be great if the answers could be a bit descriptive.
I have come to know about the URL rewrite method but somehow could not get it to work.
EDIT: I put this web.config in my images folder and now it's doing the opposite, blocking images on pages and allowing them directly.
Any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<rewrite>
<rules>
<rule name="RequestBlockingRule1" patternSyntax="ECMAScript" stopProcessing="true">
<match url=".*\.(gif|jpg|png)$" />
<conditions>
<add input="{HTTP_REFERER}" pattern="^$" negate="true" />
<add input="{HTTP_REFERER}" pattern=" http://iolab023/.*" negate="true" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

If you want to prevent direct access to context (from a client/browser), you can use the configuration section to block it. In your web.config at the root of your site, you can use this configuration to disable "images" subdir from being accessed. If you look at your applicationhost.config you'll see this section is already configured to prevent access to the "bin" folder directly by clients. You just need to add "images" to that list, either in applicationhost.config or in a web.config like below.
(If you don't see any configuration at all in applicationhost.config, that means you'll need to install the requestFiltering feature in IIS using "add/remove programs" or Web Platform Installer.)
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments applyToWebDAV="true">
<add segment="images" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
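For the Referer-based rule in the question, the following web.config for the images folder is an added example (not from either post) showing a condition that returns 403 when the Referer is empty or is not a page on the site. It assumes the site is reached as http://iolab023/ or https://iolab023/, the host name used in the question; the rule name and status text are made up for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!--
          Why the rule in the question behaves the opposite way:
          it has two negated conditions under the default MatchAll grouping.
          The first (pattern "^$", negated) is true for any non-empty Referer.
          The second is effectively always true, because its pattern starts
          with a space that a Referer URL will not contain.
          Together they fire on in-page loads (Referer present) and let
          direct requests (Referer empty) through.
        -->
        <rule name="BlockImagesWithoutSiteReferer" patternSyntax="ECMAScript" stopProcessing="true">
          <match url=".*\.(gif|jpg|png)$" />
          <conditions logicalGrouping="MatchAll">
            <!--
              One negated condition is enough. It is true when the Referer
              is empty or does not start with this site's address, so both
              direct requests and other sites' pages receive the 403.
              Host name iolab023 is taken from the question (assumption).
            -->
            <add input="{HTTP_REFERER}" pattern="^https?://iolab023/" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Image requests must come from a page on this site." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The Referer header is supplied by the client, so this deters hotlinking and casual direct fetches but is not access control. Clients that strip the header will also get the 403 for images embedded in the site's own pages.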

Related

web.config not working with WordPress permalinks in sub folder

I have WP installed on an IIS server in the root folder. This works with pretty permalinks.
There is also another wordpress install at /development which uses the following web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="WordPress1" patternSyntax="Wildcard">
<match url="*"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true"/>
</conditions>
<action type="Rewrite" url="index.php"/>
</rule></rules>
</rewrite>
<staticContent>
<clientCache cacheControlCustom="public" cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00"/>
<remove fileExtension=".woff"/>
<remove fileExtension=".woff2"/>
<mimeMap fileExtension=".woff" mimeType="application/x-font-woff"/>
<mimeMap fileExtension=".woff2" mimeType="application/font-woff2"/>
</staticContent>
</system.webServer>
</configuration>
However, pretty permalinks are not working on this site in the subfolder.
The home page of this sub folder works, however, and so does the site when plain permalinks are selected.
Any ideas why?
The answer, as pee2pee says, is to place that line in the code.
<remove name="YourRuleName"/>
To do this you must first look at the web.config file of the root and look for this line.
<rule name = "YourRuleName" patternSyntax = "Wildcard">
and then copy the line in the web.config file of your directory or subfolder, changing "YourRuleName" to the name you found in the web.config file of the root just above the first tag.
Then, your web.config file of the sub folder should look like
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<remove name="YourRuleName"/>
<rule name="YourSubFolderRuleName" patternSyntax="Wildcard">
<match url="*"/>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true"/>
</conditions>
<action type="Rewrite" url="index.php"/>
</rule></rules>
</rewrite>
</system.webServer>
</configuration>
I hope it is helpful, for me it has been.
Ensure the root folder (serving the primary site) and the subfolder (where the secondary or /shop resides) each have a unique web.config file.
In your subfolder’s web.config file you need to remove the rule that was set in the root folder. In our case, the WordPress rewrite rule set in the root folder was called “PrimarySite”, so in the subfolder’s web.config we have:
<remove name="PrimarySite"/>
And that’s all it took to get things working. Simple, eh?
As of WP 5.9 (but I am sure way back years and versions) there is no need to add web.config manually.
In case the IIS rewrite module is installed (which is a prerequisite), when you modify Settings/Permalink, WP automatically emits web.config into the root of your site.
It even writes a warning message to the GUI, to revoke write access from web.config.
If the IIS rewrite module is not installed, all of this above is not possible, neither manually, so WP will include the /index.php/ fragment in the path. If you overwrite this setting with a custom permalink setting, then the links will adapt (so will not contain the /index.php/ fragment), but because of the lack of a rewrite facility IIS will give 404.

Azure Web App - adding basic auth through applicationHost.xdt?

I have an Azure Web App with basic authentication configured for non-PROD environments inside web.config, like below:
<configSections>
<section name="basicAuth" type="Devbridge.BasicAuthentication.Configuration.BasicAuthenticationConfigurationSection" />
</configSections>
<basicAuth allowRedirects="true">
<credentials>
<add username="username" password="password"/>
</credentials>
</basicAuth>
<system.webServer>
<modules>
<add name="MyBasicAuthenticationModule" type="Devbridge.BasicAuthentication.BasicAuthenticationModule"/>
</modules>
<!-- the rest of the web.config follows -->
Everything works fine, but whenever we do a PROD deployment with changes to web.config, a manual change to the file is required to disable basic auth (as mentioned, we need it on non-prod only).
So I wonder - is there a way to enable basic authentication with applicationHost.xdt file? Since this is a file that is not changed very often, it would make our life easier.
I already checked the IIS Manager extension, but don't see anything that would allow me to make this work. Any hints are appreciated!
UPDATES - adding my web.config (that I'd like to update with applicationHost.xdt)
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent"/>
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
According to your description, I assumed that you are using DevBridge Azure Power Tools which supports basic authentication for Windows Azure websites. I followed this project Devbridge.BasicAuthentication.Test to test XDT Transform on my side. I could make it work on my side, you could refer to it.
1. Create a Release-dev configuration
Click "Build > Configuration Manager", add a new configuration for the web project.
2. Add a web configuration file named Web.Release-dev.config and configure the content as follows:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<!--make sure the configSections is the first child element under configuration-->
<configSections xdt:Transform="InsertBefore(/configuration/*[1])" />
<configSections xdt:Locator="XPath(/configuration/configSections[last()])">
<section name="basicAuth" type="Devbridge.BasicAuthentication.Configuration.BasicAuthenticationConfigurationSection" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</configSections>
<configSections xdt:Transform="RemoveAll" xdt:Locator="Condition(count(*)=0)" />
<basicAuth allowRedirects="true" xdt:Transform="InsertAfter(/configuration/configSections)">
<credentials xdt:Transform="InsertIfMissing">
<add username="test" password="test" xdt:Transform="InsertIfMissing"/>
</credentials>
</basicAuth>
<system.webServer xdt:Transform="InsertIfMissing">
<modules xdt:Transform="InsertIfMissing">
<add name="MyBasicAuthenticationModule" type="Devbridge.BasicAuthentication.BasicAuthenticationModule" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)"/>
</modules>
</system.webServer>
</configuration>
Note: You could refer to Xdt transform samples. Also, you could follow this official document about the syntax of xdt:Transform and xdt:Locator attributes that you use in your Web.config transform files.
3. Publish the web project by using the release-dev configuration:
4. Check the deployed web.config file via KUDU:
Browse the site, you could see the following screenshot:
UPDATE
For a workaround, I assumed that you could exclude web.config file from your git repository. And add the web.config file under "D:\home\site\wwwroot" and Devbridge.BasicAuthentication.dll under "D:\home\site\wwwroot\bin" for your DEV and QA environment to enable basic auth as follows:

Porting a Web.Config to ASPNET5

I am upgrading my project to ASPNET5. I'm hitting a snag regarding upgrading my web.config file.
I tried using Microsoft.Framework.ConfigurationModel.Xml package to read a URL Rewrite configuration. The config looks like:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="MainRule" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{REQUEST_URI}" matchType="Pattern" pattern="api/(.*)" negate="true" />
<add input="{REQUEST_URI}" matchType="Pattern" pattern="signalr/(.*)" negate="true" />
</conditions>
<action type="Rewrite" url="default.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
but of course I'm getting duplicate key issues when it tries to convert it to the object that aspnet5 uses.
What's the best way to port your existing web.config to the new aspnet model? This is a small case I realize but in the real world these configs are really intense.
I've created an example project that I'm hoping to share with others when I get a few of these cases figured out.
The web.config file you posted only has url rewrite rules for IIS. Do you really need to access those from your app? IIS will read those directly from the web.config but you shouldn't need that stuff in your app so you don't need to try to parse that file with the new classes in Microsoft.Framework.Configuration at all.
If your app needs some other settings then you might as well use a json.config file as shown in many examples for your own application settings.
You can still drop that web.config file into the application root and assuming your app is hosted in IIS it should still do its job and tell IIS to do some url rewriting. You should not rename it to config.xml as it appears you have done, since IIS won't notice the file unless it is named web.config.
Why would you need to access those url rewrite rules from application code at all since it is IIS and not application code that does the url rewriting?
I think the new paradigm is to use json.config and/or environment variables in Azure for application configuration.
The only thing you might still use a web.config file for is IIS configuration but that is separate from application configuration and that is the only thing you would use web.config files for going forward and you should not need to access the web.config file from application code at all.

301 redirect from one website to another using asp.net web.config file

I have an HTML page in my old website which needs a 301 redirect to the aspx page of the new website; both websites have been built on the asp.net platform. Please suggest how I could configure my web.config file to achieve this task.
At the moment I am using Meta Refresh to do this, but that is possibly 200 not 301.
Any help would be highly appreciated. Thanks.
I have used the following piece of code in my old website's web.config file, but it isn't working either
<configuration>
<location path="http://example.htm">
<system.webServer>
<httpRedirect enabled="true" destination="http://newwebsite.com/test.aspx" httpResponseStatus="Permanent" />
</system.webServer>
</location>
</configuration>
Create rules in your web.config file. Put:
<system.webServer>
<rewrite>
<rules>
<rule name="URL1" stopProcessing="true">
<match url="^abc.html" ignoreCase="true" />
<action type="Redirect" url="Your current page path" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
<configuration>
<system.webServer>
<httpRedirect enabled="true" destination="http://uri" httpResponseStatus="Permanent" />
</system.webServer>
</configuration>
Sorry I don't have a web.config solution for single page. You'll want to place this in your markup page near the top:
<% Response.RedirectPermanent("http://url", true); %>
If it doesn't work for you post your markup here and I'll update it for you.

Set header from URL Rewrite on Azure Websites - AppCmd or applicationhost.config?

I'd like to set a request header (HTTP_HOST to be precise) from Web.config, using the IIS URL Rewrite module, on Azure Websites. Basically I'd like to have something like this in my site's Web.config:
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="My rule" enabled="true">
<match url=".*" />
<serverVariables>
<set name="HTTP_HOST" value="my value" />
</serverVariables>
<action type="None" />
</rule>
</rules>
</rewrite>
</system.webServer>
This results in an error that HTTP_HOST is not allowed to be set. This is normal and with standard IIS the next step would be to add HTTP_HOST to the <allowedServerVariables> element to applicationhost.config directly or through AppCmd. However I couldn't find any hints on being able to access this config somehow.
Is it possible to somehow modify the apphost config, or add allowed server variables somehow else?
It is possible to alter Azure's ApplicationHost.config by applying xdt transformations.
Upload the file to the /site and restart your site for the changes to take effect:
ApplicationHost.xdt
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="HTTP_HOST" xdt:Transform="Insert" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
See also:
https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
http://azure.microsoft.com/nl-nl/documentation/articles/web-sites-transform-extend/
Expanding on Joris' answer, you should use xdt:Transform="InsertIfMissing" and xdt:Locator="Match(name)" otherwise it won't work the way you expect it to (here's an example of it not working as expected, and another example).
So your applicationHost.xdt should look like this:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="HTTP_HOST" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</configuration>
