I added the following to my web.config so users cannot download my plugins:
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Plugins" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
Now I have the problem that not only domain.com/Plugins/MyPlugin.dll is blocked, but also domain.com/Scripts/ckeditor/plugins/ckplugin.js.
Is there a way to configure a hiddenSegment to only affect the root directory?
I solved this via a web.config inside my plugins folder, where I block *.dll files from being downloaded:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="Plugins*.dll_*" path="*.dll" verb="*" type="System.Web.HttpForbiddenHandler" />
<add name="Plugins*.pdb_*" path="*.pdb" verb="*" type="System.Web.HttpForbiddenHandler" />
</handlers>
</system.webServer>
</configuration>
I've made some additional modifications on top of Christoph's answer to suit my use case, but I will leave this here for future reference.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<!-- Make sure this directory cannot be served. -->
<location path="Plugins"> <!-- Change this to your path -->
<system.webServer>
<handlers>
<add name="DisallowServe" path="*.*" verb="*" type="System.Web.HttpNotFoundHandler" /> <!-- Return 404 instead of 403 -->
</handlers>
</system.webServer>
</location>
</configuration>
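Why the first configuration also blocked the CKEditor script, as an added example that is not part of the original posts: a simplified Python model which assumes, as the question reports, that a hidden segment is compared case-insensitively against every segment of the URL path. The function names, the `https://` scheme and the `site.js` URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the requestFiltering rule from the question.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><security>
  <requestFiltering>
    <hiddenSegments>
      <add segment="Plugins" />
    </hiddenSegments>
  </requestFiltering>
</security></system.webServer></configuration>"""

# Constructed sample URLs: the two from the question plus an unrelated script.
SAMPLE_URLS = [
    "https://domain.com/Plugins/MyPlugin.dll",
    "https://domain.com/Scripts/ckeditor/plugins/ckplugin.js",
    "https://domain.com/Scripts/site.js",
]


def hidden_segments(web_config_xml):
    """Return the lower-cased hiddenSegments entries declared in a web.config."""
    root = ET.fromstring(web_config_xml)
    adds = root.findall(".//requestFiltering/hiddenSegments/add")
    return {a.get("segment", "").lower() for a in adds}


def path_segments(url):
    """Split the URL path into lower-cased, non-empty segments."""
    return [s.lower() for s in urlsplit(url).path.split("/") if s]


def blocked_anywhere(url, segments):
    """Assumed model of the observed behaviour: any path segment may match."""
    return any(s in segments for s in path_segments(url))


def blocked_at_root_only(url, segments):
    """What the asker wanted: only the first path segment is compared."""
    parts = path_segments(url)
    return bool(parts) and parts[0] in segments


def collateral_blocks(urls, web_config_xml):
    """URLs the rule blocks although their first segment is not hidden."""
    segs = hidden_segments(web_config_xml)
    return [u for u in urls
            if blocked_anywhere(u, segs) and not blocked_at_root_only(u, segs)]
```

Running `collateral_blocks` over a list of the site's real asset URLs before deploying a new hidden segment shows which legitimate files the rule would take down with it.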
I'm exploring HTTP verbs like LINK and UNLINK. There is a simple website on IIS 10 for this purpose, but it looks like it doesn't allow these methods by default. I added a couple of rules in Request Filtering for verbs and am still getting a 405 error.
UPD
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<trace enabled="true" writeToDiagnosticsTrace="true" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<verbs>
<add verb="LINK" allowed="true" />
<add verb="UNLINK" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
I need to deploy my work using nuget and to change the web.config in the process.
I used XDT to add the following code:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="MyModule" type="My.Module" />
</modules>
</system.webServer>
I wrote a simple XDT web.config.install.xdt which looks like this:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer xdt:Transform="InsertIfMissing">
<modules runAllManagedModulesForAllRequests="true">
</modules>
</system.webServer>
<system.webServer>
<modules>
<add name="MyModule" type="My.Module" xdt:Transform="InsertIfMissing" />
</modules>
</system.webServer>
</configuration>
And this works great. Until I met a system that puts their module under location instead of under configuration, like this:
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="MyModule" type="My.Module"/>
</modules>
....
So in this case, my XDT doesn't find the path and creates a new element towards the end of the file, which kills the site.
How do I search for whether system.webServer exists anywhere in the file and add my code there?
After searching for a LONG time, I finally found some code online that resolved this for me.
I am posting it here in case anyone will ever look for something similar.
First, Kevin.Wu's original code: http://git.crmclick.com:8888/kevin.wu/qa/blob/1c554bd0867de42ba360eb546d74e86ebf64af7b/packages/Microsoft.ApplicationInsights.Web.2.0.0/content/net45/web.config.install.xdt
The modified code that does what I need:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.webServer xdt:Transform="InsertIfMissing">
</system.webServer>
<system.webServer xdt:Locator="XPath(//system.webServer[(count(parent::location) = 0) or (count(parent::location[@path != '.' and count(@path) != 0]) = 0)])">
<validation validateIntegratedModeConfiguration="false" xdt:Transform="InsertIfMissing" />
</system.webServer>
<system.webServer xdt:Locator="XPath(//system.webServer[(count(parent::location) = 0) or (count(parent::location[@path != '.' and count(@path) != 0]) = 0)])">
<modules xdt:Transform="InsertIfMissing">
<add name="MyModule" type="My.Module" preCondition="managedHandler" xdt:Transform="InsertIfMissing" xdt:Locator="Match(type)"/>
</modules>
</system.webServer>
</configuration>
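Which `system.webServer` sections the XPath locator above selects, as an added example that is not part of the original post: the predicate is re-implemented in plain Python over a constructed web.config, because the standard-library XML parser does not support the `parent::` axis or `count()`. The function names and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a top-level section, one under <location path=".">,
# one under a <location> with no path, and one scoped to a sub-path.
SAMPLE = """<configuration>
  <system.webServer />
  <location path="." inheritInChildApplications="false">
    <system.webServer />
  </location>
  <location>
    <system.webServer />
  </location>
  <location path="account">
    <system.webServer />
  </location>
</configuration>"""


def describe(parent):
    """Readable label for the element that contains a selected section."""
    if parent is None:
        return "(document root)"
    if parent.tag != "location":
        return parent.tag
    path = parent.get("path")
    return "location" if path is None else f'location path="{path}"'


def locator_targets(web_config_xml):
    """Parents of the system.webServer elements the locator would select."""
    root = ET.fromstring(web_config_xml)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    selected = []
    for section in root.iter("system.webServer"):
        parent = parent_of.get(section)
        # count(parent::location) = 0
        outside_location = parent is None or parent.tag != "location"
        # count(parent::location[@path != '.' and count(@path) != 0]) = 0
        site_wide = not outside_location and parent.get("path") in (None, ".")
        if outside_location or site_wide:
            selected.append(describe(parent))
    return selected
```

The section under `<location path="account">` is left out, so the transform does not touch configuration that was deliberately scoped to a sub-path.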
I am converting my app from .NET Framework to .NET Core 2.1. Now I am facing two issues:
1) In .NET Framework we could use HttpClientCertificate cert = Request.ClientCertificate; so how can we use Request.ClientCertificate in .NET Core?
2) In .NET Framework we could set location config like
<location path="MyPath">
<system.webServer>
<security>
<access sslFlags="Ssl.SslRequireCert,SslNegotiateCert,Ssl128" />
</security>
</system.webServer>
</location>
I want to use <access sslFlags="Ssl.SslRequireCert,SslNegotiateCert,Ssl128" /> in .NET Core. How can I do these 2 things? Any help?
To access client certificate you can either:
use HttpContext.Connection.ClientCertificate property
get certificate using header: Request.Headers["X-ARR-ClientCert"]
To use sslFlags you have to add it in the web.config file (exactly like for the standard .NET Framework). The web.config file is auto-generated once you publish your app. Once you open it you can add access sslFlags to it:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\IdentityServer4Demo.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" />
</system.webServer>
</location>
<location path="account">
<system.webServer>
<security>
<access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
</security>
</system.webServer>
</location>
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert" />
</security>
</system.webServer>
</configuration>
We have a site built in EPiServer and is running on www.mysite.com
Now we have built a small .NET microsite that isn’t part of the EPiServer project that we would like to run as an IIS Virtual Directory www.mysite.com/microsite.
At the moment we are seeing 404 being returned for all of the assets on the microsite so www.mysite.com/microsite/assets/js/myjs.js or www.mysite.com/microsite/assets/img/myimg.jpg
The home page of the microsite is served, but with missing assets. Is there a way I can configure the main EPiServer project to ignore all of the requests to my microsite's folder structure?
After a while battling this issue we have now got a repeatable solution.
In the parent application (EPiServer solution) we need to add the following location element in the web.config
<location path="MY-IIS-APPLICATION-NAME">
<system.webServer>
<handlers>
<clear />
<add name="wildcard" path="*" verb="*" type="System.Web.StaticFileHandler" />
</handlers>
</system.webServer>
</location>
Then, in the same web.config we wrap the <system.web> and <system.webServer> sections with this element: <location path="." inheritInChildApplications="false">
Finally we need to alter the web.config in our IIS-Application to unload the EPiServer handlers and libraries.
So, in the <system.web> section we added these elements
<httpModules>
<clear />
</httpModules>
<httpHandlers>
<clear />
</httpHandlers>
Then, within the <system.webServer> section, we make these changes/removals:
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
</handlers>
<modules>
<remove name="InitializationModule" />
<remove name="FirstBeginRequestModule" />
<remove name="Initializer" />
<remove name="WorkflowRuntime" />
<remove name="UrlRewriteModule" />
<remove name="ShellRoutingModule" />
<remove name="ContainerDisposal" />
<remove name="PropertyInjection" />
<remove name="AttributedInjection" />
</modules>
There is every chance that this isn't the solution, but in the last few days we have rolled this out to 6 different projects and it has had the desired effect each time.
Hi, I'm trying to run dotless on my local .NET 4 web site.
My web config looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="dotless" type="dotless.Core.configuration.DotlessConfigurationSectionHandler, dotless.Core" />
</configSections>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<httpHandlers>
<add path="*.less" verb="GET" type="dotless.Core.LessCssHttpHandler, dotless.Core" />
</httpHandlers>
</system.web>
<dotless minifyCss="false" cache="true" web="false" />
<system.webServer>
<handlers>
<add name="dotless" path="*.less" verb="GET" type="dotless.Core.LessCssHttpHandler,dotless.Core" resourceType="File" preCondition="" />
</handlers>
</system.webServer>
</configuration>
Here is the error I get
HTTP Error 500.23 - Internal Server Error
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.
Most likely causes:
This application defines configuration in the system.web/httpHandlers section.
Can you please help?
Adding <validation validateIntegratedModeConfiguration="false"/> worked:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="dotless" type="dotless.Core.configuration.DotlessConfigurationSectionHandler, dotless.Core" />
</configSections>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<httpHandlers>
<add path="*.less" verb="GET" type="dotless.Core.LessCssHttpHandler, dotless.Core" />
</httpHandlers>
</system.web>
<dotless minifyCss="false" cache="true" web="false" />
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<handlers>
<add name="dotless" path="*.less" verb="GET" type="dotless.Core.LessCssHttpHandler,dotless.Core" resourceType="File" preCondition="" />
</handlers>
</system.webServer>
</configuration>
<validation validateIntegratedModeConfiguration="false"/> tells IIS to ignore configuration issues. One such issue seems to be the fact that dotless automatically adds a handler to system.web and system.webServer. The former section is used by the classic application pool mode, whereas the latter by the new integrated application pool mode. Since I am using the integrated mode, removing the handler in system.web helped just as well.
I had to add <validation validateIntegratedModeConfiguration="false"/> to my webserver section and I also had to move the configSections to be the first element in my Configuration.
<configuration>
<configSections>
<section name="dotless" type="dotless.Core.configuration.DotlessConfigurationSectionHandler, dotless.Core" />
We will add a small piece of code to the web.config file. Open web.config from your IIS root, or change the setting in the Visual Studio web.config and publish again.
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>