I have a MVC4 project that is deployed to Azure. The bundling and minification works absolutely fine.
All the script files are in a folder /js which are bundled to /scripts/js
When I publish to Azure using msdeploy, I would like only the bundled/minified script files to be deployed. I don't want anyone getting access to my un-minified scripts by guessing the url.
I understand MVC bundling happens at runtime hence it would require the unbundled files to create the bundles on the fly. This probably needs to be automated with something like grunt maybe?
Want to know what deploy strategy people use in such cases when you dont want to publish unbundled js.
using Web Deploy you can set the skip parameter:
http://technet.microsoft.com/en-us/library/dd569089%28WS.10%29.aspx
here's a sample:
http://blog.richardszalay.com/2012/12/18/demystifying-msdeploy-skip-rules/
They get your scripts on pageload, so I don't see why them seeing the unminified version should be a big concern, unless maybe you have crazy or offensive comments in your unminified version. Users could use a javascript formatter, like discussed in this SO post to get the minified files back into a readable format.
Though, for your concerns, you could simply drop a web.config file in the deployed /js folder to keep anything from being served up. In my testing, this did not impact minification. Although if you put it in your local folder, you'll have errors bundling in debug mode (since debug mode serves up the individual files and this web.config keeps anything from being served):
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Another concern is, depending on how paranoid you are at someone seeing an unminified script, you may have to write your own BundleBuilder class for reasons detailed in How to prevent User-Agent: Eureka/1 to return source code, which reveals how users can see unminified bundles with comments by changing their user-agent.
Related
Is there a way to tell IIS to read configurations from a different file than web.config?
Why would anyone do this?
Convenience. When working with static resources like an .aspx, or .js, or an MVC view file, it is often sufficient to hit Refresh in the browser to see the effect of that change.
Also, more specific to our scenario is that we re-use some of our code-base in different flavors of the web site, their differences being defined in their respective .config files, and each of these sites run locally on our development clients.
Getting the change to a different location than the one you are actually working in is somewhat time-consuming: A Publish operation will properly compile and copy the entire web application to the target location, copying the individually changed file manually is often... fiddly.
So what I would like for to be possible is this:
I work on my project in c:\workbench\FlavMaster3000. In this folder I create the various flavors of web.config files:
web.apple.config
web.banana.config
web.cherry.config
I create sites in IIS that represents each flavour and set their directory to the same as above.
https://local-apple/
https://local-banana/
https://local-cherry/
And I would like for IIS to read each site's configurations from the respective flavor of .config.
Is this at all possible, or am I a dreamer with a hopeless dream?
-S
You can put your specific configuration in external file(s) and link those files in your web.config file as shown below. However downside is way web.config is watched for any changes in it and gets applied immediately when you save web.config, these external files will not be monitored and you will require to manually restart app pool.
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings configSource="Myconfigs/myappSettings.config"/>
<connectionStrings configSource="Myconfigs/myconnections.config"/>
<system.web>
<pages configSource="Myconfigs/mypages.config"/>
<profile configSource="Myconfigs/myprofile.config"/>
<httpHandlers configSource="Myconfigs/myhttpHandlers.config"/>
<httpModules configSource="Myconfigs/myhttpModules.config"/>
</system.web>
</configuration>
NOTE: This is for a Visual Studio Web Site Project and NOT a Web Application
I am using web deploy to push changes from my development machine to my staging server. I would like to push any files that are different to the staging server except for one particular file (lets call it myFile.whatever)
So far I have tried editing the C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe.config file to look like so:
<configuration>
<startup>
<supportedRuntime version="v2.0.50727" />
<supportedRuntime version="v4.0" />
</startup>
<rules> <------------ ADDED THIS NODE
<rule name="skipConfig" type="Microsoft.Web.Deployment.DeploymentSkipRuleHandler"
objectName="filePath" skipAction="Delete"
absolutePath="C:\inetpub\wwwroot\MyProject\myFile.whatever"/>
</rules>
</configuration>
But it is still overwriting the file in question on my staging server. I started by editing the msdeploy.exe.config on my dev machine and when that didn't work I updated the msdeploy.exe.config on my staging server as well, but again, still not working.
Am I going about this wrong? Any suggestions on preventing this file from being overwritten?
Since transforms are painful with web site projects you might be able to use this method: http://blogs.msdn.com/b/webdev/archive/2010/04/22/web-deployment-excluding-files-and-folders-via-the-web-application-s-project-file.aspx
As stated in the comments, what you would normally do is to have a base Web.config file, then one specific for debug and one specific for release. The debug or release portion would add/override the base one with things that are particular to this scenario. This way you can just upload both and everything will work fine.
To understand more about web.config transformation, please refer to: http://msdn.microsoft.com/en-us/library/dd465326(v=vs.110).aspx
I am creating a very simple site that was originally just a bunch of HTML / CSS files. Then I needed to add a little bit of server-side logic so I thought I'd use ASP.NET Web Pages as they sound like a suitable solution.
So I changed index.html to index.cshtml, added the code I needed and I though that would be it (I also added this basic web.config file:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
</configuration>
However, launching this on local IIS Express yielded this error:
Could not determine which version of ASP.NET Web Pages to use.
In order to use this site, specify a version in the site’s web.config file. For more information, see the following article on the Microsoft support site: http://go.microsoft.com/fwlink/?LinkId=254126
So I added this to my web.config:
<appSettings >
<add key="webPages:Version" value="2.0" />
</appSettings >
Now the site starts but handles UTF-8 really weirdly - although all the HTTP headers, file encodings and meta tags are correctly set to UTF-8, my national characters display incorrectly. I found this question: Do I need web.config for non-ASCII characters? but it didn't really solve my problem.
I though, what can be wrong with my setup? When I create a new site in WebMatrix and copy my files over to it, it all works fine, even without specifying the Web Pages version in web.config. And the only difference I can see is the presence of bin folder in the WebMatrix-generated project.
So the question is, do I need to have the bin folder as part of my source files too? I don't really feel like checking 1.5MB worth of binary files into Git should be necessary just to add one dynamic line in my index.cshtml but maybe that's how it is?
Thanks for either confirming this or showing me some better way.
ASP.NET WebPages requires a BOM on UTF-8 pages or it won't read the page as UTF-8. And if it doesn't do that, it won't output a UTF-8 encoded page.
This isn't an ASP.NET issue, but rather a WebPages issue. WebPages processes the real page, and it doesn't interpret the html to know that it should be UTF-8. The only way it knows is by looking for a BOM.
I started a new solution with a website project and a logic project for all my class files.
I copied the web.config file I use for all my other projects and just changed the database name in the connection string. When I run this project to be debugged, it won't let me access any files until I login. This includes javascript files, html files, css files etc.
On all my other projects the only files which require a login by the user to access are .aspx files and .asmx files. The web.config security settings on all several of my projects are as follows:
<authentication mode="Forms">
<forms loginUrl="/Default.aspx" name="ADMINAUTH2" cookieless="UseCookies"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If I set test.htm as my start page, when I run the debugger the url heads straight to:
http://localhost:2154/Default.aspx?ReturnUrl=%2ftest.htm
In VS on my solution exporler under script documents that are being loaded, any javascript file is shown as: Default.aspx?ReturnUrl=/Functions.js etc, and css files are not applied.
I have tried creating a new web.config file and only adding my auth properties and connection string but to no avail.
I am utterly confused as this works on all my other projects, just not this latest one!
Have you tried deploying this project to IIS or are you just running it from Visual Studio?
Authentication rules specified in the web.config apply to all files which are processed by the ASP.NET ISAPI filter. By default in IIS this is only things like .aspx and .asmx, etc - as you expect. However, the Visual Studio web server processes everything through ASP.NET, so the authentication rules apply to all files.
On the flip-side, this information can be quite useful when you actually do want to secure static assets in production - do so simply by setting IIS to have ASP.NET process those file extensions.
On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file.
Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance?
e.g. the ASPNETDB.MDF file that ASP.NET Configuration put in the App_Data directory. I would assume this is protected by default but where can I change the settings for this folder as I could with a .htaccess file?
Inside of an ASP.Net web.config you can setup locations to add security to specific files and folders. In addition, you can remove all verbs from those directories:
<location path="Secret" allowOverride="false">
<system.web>
<authorization>
<deny users="*" />
</authorization>
<httpHandlers>
<remove path="*.*" verb="*"/>
</httpHandlers>
</system.web>
</location>
I have only used the authorization portion of that snippet and it works great. The handler should further lock it down and using a ISAPI filter would be able to put the finishing touches on it.
Well, if you can access IIS settings, UrlScan can help. For IIS 7, request filtering can help a lot.
http://learn.iis.net/page.aspx/473/using-urlscan
http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/
There are some things you can do with web.config like defining security settings etc...
Other times you have to use HttpModules or HttpHandlers, look here:
http://msdn.microsoft.com/en-us/library/aa719858(VS.71).aspx
If not, you can find different ISAPI, but in this case you need access to IIS.
For example, the ISAPI for emulating rewrite mod apache:
> http://www.codeplex.com/IIRF
The other question, yes ASPNETDB.MDF in APP_Data is protected normally (it depends on your administrator). To change the path, change the connectionstring.
There are two cases:
If the server is using IIS7 then there is equivalent functionality available using the web.config approach for all files.
If the server is using IIS6 or earlier (and for the time being this is by far the most likely case for shared hosting) then its more of a problem. If you can force all your requests to go via the ASP.NET handler (which normally requires access to the server to configure) then again the web.config approach will work but otherwise you're going to need other tools and a sympathetic hosting provider. For this reason alone one probably wants IIS7...
That said for asp.net there are files that are protected by default anyway - files in app_data as already mentioned plus specific file types (like .config). Additionally one would expect a decent host to provide a directory that is not accessible via the web - ours offer a private and a web folder, both accessible via FTP but only the contents of the latter via the web.
As per the [documentation on Application Folders][1], IIS won't serve requests to content stored in the /app_data folder although your application can read and interact with those files.
ASP.NET recognizes certain folder names that you can use for specific types of content. The following table lists the reserved folder names and the type of files that the folders typically contain.
Note
The content of application folders, except for the App_Themes folder, is not served in response to Web requests, but it can be accessed from application code.