Here is my problem.
I have one server on the other side of the world with IP 1.2.3.4
If I put in web.config this
<compilation defaultLanguage="c#" debug="true" />
everyone sees a debug, I want to set something like
<compilation defaultLanguage="c#" debug="true" IP="4.3.2.1" />
So only IP 4.3.2.1 can see debug for that site all other IPs should see like
<compilation defaultLanguage="c#" debug="false" />
is set.
The setting says how the whole page is compiled. Then in this form it is served to all clients. If you want this, you can have two sites - one normal and one debug - and if there is one particular IP requesting your site you can redirect it to the debug version.
What do you intend to do? You are fiddling with the compilation element, that is, you try to modify the compilation of your code. Code is not compiled per-request or per-user.
If you want to reveal/hide stack traces you may want to use this instead:
<customErrors mode="RemoteOnly" />
However, this does not allow to filter by IP except the loop-back. IP addresses are generally not a very secure way to identify a person or to prevent an authorized person from retrieving the stacktrace.
If you have remote access to the web server, you can log in and use http://localhost to access your web site. If you have RemoteOnly active, you will find the stacktrace of your error then.
If you still want to go for an IP-based approach, you might find something at Rich Custom Error Handling with ASP.NET. The section "Rich Custom Error Pages" mentions "Logic to display detailed information only to certain IP addresses may be included here."
(I found the article by googling for "asp.net reveal stacktrace to certain ip only")
Related
Context
Umbraco CMS website runs on Azure as App Service
Scheduled Publishing
One of the Umbraco functionalities is to allow to publish content on a given time. The publish functionality makes a HTTP call to same web site (or a different server but same website in load balanced environment).
API call url:
http://sample-site-umbraco.azurewebsites.net/umbraco/RestServices/ScheduledPublish/Index
IP Security
Due to client requirements, access to the site is restricted to a given list of IP addresses. This task is being completed with IP Security restriction in web.config.
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="52428800" />
</requestFiltering>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<!-- "clear" removes all upstream restrictions -->
<clear />
<!-- permit the loopback address -->
<add ipAddress="127.0.0.1" allowed="true" />
...
...
...
<!-- domain Name for Scheduled Publishing -->
<add allowed="true" domainName="sample-site-umbraco.azurewebsites.net"/>
</ipSecurity>
</security>
Problem
When IP Security is turned on, the HTTP call to publish API is being blocked as not white listed one.
API call response Status Code and Content:
404 - NotFound
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
Problem Thread on our.umbraco.com
Fix attempts
Adding domainName to the list of allowed entries
<!-- domain Name for Scheduled Publishing -->
<add allowed="true" domainName="sample-site-umbraco.azurewebsites.net"/>
This solution doesn't work. Calls are still being blocked.
Question
How this can be fixed? Is there any functionality that can be override?
Ok, I've found the solution. I think it will work.
I've found this question on stackoverflow and it worked :)
Solution
Solution is to add ALL outbound IP addresses into System.WebServer > Security > ipSecurity > [List].
Outbound Ip Addresses are comma separated list of ips.
You need to add all of them to the WhiteList in web.config.
Drawback
I'm not sure if the list of Outbound Ips is static and will not change in the future...
I have three systems running on IIS7 with static IP address 192.168.66.5. I have configured the system to run on the same IP address with different ports and subdmain like;
192.168.66.5:81 hostname ams.tpf.go.tz
192.168.66.5:82 hostname gmis.tpf.go.tz
192.168.66.5:83 hostname records.tpf.go.tz
192.168.66.5:84 hostname cmis.tpf.go.tz
I configure all these on IIS7 and defined them in the router.
When the client opens ams.tpf.go.tz without specifying the port number, the error 404 is returned: the requested resource is not found.
This recently occurred to me also - make sure your IIS Website is started - mine had been stopped. This is the error I was receiving in Visual Studio:
Unable to start debugging on the web server. The web server could not find the requested resource.
Right Click on your Website (i.e. Default Website) in IIS Manager and click Manage Web Site --> Start.
Navigating to any applications in the IIS Website was showing this error:
HTTP Error 404. The requested resource is not found.
The easiest way to achieve this is to set the port 80 for the site you want to be the "default" one, since this is the default HTTP port.
Some times IIS Manager -> Manage Web Site -> Start, will not work if the below 2 services are not running
1. Windows Activation Technologies Service
2. World Wide Web Publishing Service
Start these services manually under windows services then start IIS again.
Another cause that happens to me with some frequency is to set the permissions correctly to the physical directory. It can be achieved going to IIS -> clicking on the website and then in the actions panel click over Edit Permissions. Be sure that the user you are going to assign the permissions, are the same as defined on Authentication -> Anonymous Authentication or ASP.NET Impersonation, if any of those authentication methods are enabled.
To know the user assigned on those authentication methods, go to the Authentication icon, select any of the authentication methods mentioned before, right click on it and select edit. After that, you have the option to select the user you want.
Hoping this helps.
My issue for anyone else that comes here from google. I am hosting a django website so in my webconfig file it is set to process requests using the python virtual environment. In the web.config file it is this portion:
<configuration>
<system.webServer>
<handlers>
<add name="Python FastCGI"
path="*"
verb="*"
modules="FastCgiModule"
scriptProcessor="C:\inetpub\wwwroot\receipts\venv\Scripts\python.exe|C:\inetpub\wwwroot\receipts\venv\Lib\site-packages\wfastcgi.py"
resourceType="Unspecified"
requireAccess="Script" />
</handlers>
...
</configuration>
When there was requests to the media folder IIS would say great I know what to do send it through the scriptProcessor (python processor). Requests to the media folder should not do that they only need to serve static files (no extra processing). I placed this web.config in the media directory and it solved my problem!
<configuration>
<system.webServer>
<handlers>
<!-- this configuration overrides the FastCGI handler to let IIS serve these static files -->
<clear />
<add name="StaticFile"
path="*"
verb="*"
modules="StaticFileModule"
resourceType="File"
requireAccess="Read" />
</handlers>
</system.webServer>
</configuration>
In my case IIS server and resolved with the below steps.
Check the security groups - whether we have opened the required ports from ALB SG to EC2 SG.
Login to server and check does IIS server's default site has 443 port opened if your health-check is on 443. (whatever port you are using for health checks).
Use the curl command to troubleshoot the issue.
If you would like to check on HTTPS use the below command to check the response. Use -k or --insecure to ignore the SSL issue.
curl https://[serverIP] -k
For HTTP test use the below command.
curl http://[serverIP]
During security review of our asp.net web application we got reported that some input fields doesn't restrict length of user input on server side. There is said in execution report that this vulnerability can be used to consume large amount of resources in the server or database which can cause Denial of Service attacks.
I would like to ask what options are here to fix this. Of course we can implement the validation on web server side for every field and e.g. throw some exception and reject if input is longer then some predefined value. But I am curious if there is some more other ways how to do it. Maybe some configuration in web.config or on IIS server level, some global handler etc.
Check out maxRequestLength setting in web.config.
Specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server.
The default is 4096 (4 MB).
<configuration>
<system.web>
<httpRuntime maxRequestLength="1024" />
</system.web>
</configuration>
This would be a better solution than restricting each individual field as it is protecting your application as a whole as it sounds like they haven't found any specific inputs that are vulnerable.
If you want this to only apply to certain sections of your application you could add an override using the <location> element:
<location path="Attachments/Upload">
<system.web>
<httpRuntime maxRequestLength="20480" />
</system.web>
</location>
I want to carry the machine name in ELMAH subject line. As in developing environment want to keep the track that from which machine error is coming. So I want implement subject line with proper machine name. What I should do?
<elmah>
<errorMail name="exceptionMail"
from="devsupport#abc.co.in"
to="devsupport#abc.co.in"
async="true"
subject="Error log from [should come machine name here]"
smtpPort="0"
useSsl="true"/>
<security allowRemoteAccess="yes" />
</elmah>
As far as I can see, there's no way to do this in config alone - you would have to write some code to handle this requirement.
On the other hand - it seems pretty simple and straightforward to write that code.
See this blog post Customizing ELMAH’s Error Emails by Scott Mitchell on how to do it.
I need one help here. We have our site is running on windows server 2008\IIS7.5. we did PCI scan for our site today and we getting below vulnerability message.
Vulnerability : - ASP.NET Detailed Error Messages Enabled
The web server running on this host is configured to display verbose
error messages for ASP.NET applications. This could give an attacker
information about the ASP.NET applications on the server, as well
as information about the host itself. However, if you view
the source of the page, hidden at the bottom of the document is quite a
bit of debugging information that includes the path of the web server.
Service: Microsoft-IIS/7.5
Remediate Action : - It is recommended that any sort of debugging information be disabled
for production systems. Displaying custom error messages prevents
the debugging information from being provided to users. In web.config,
set the customErrors mode to "On" or "RemoteOnly" (displays
debugging information to browsers accessing the site from the local
host).
I checked our web.config and we can see below settings there
<customErrors mode="On" defaultRedirect="/ProcessError.aspx" redirectMode="ResponseRewrite">
<error statusCode="404" redirect="/PageNotFound.aspx" />
<error statusCode="500" redirect="/ProcessError.aspx"/>
</customErrors>
According to the remediation action, we have set CustomErrors mode to "On" or "RemoteOnly" . As you can see from the above web.config file it is already set to on. Not sure what other changes has to be done.
Do you have any advice?