ASP.Net, CORS, and HTTPS - asp.net

I want to access some things in local and session storage located on the same domain, but using a different protocol. The data is cached on HTTP and needs to be retrieved under HTTPS.
How can I configure ASP.Net to allow this without hard-coding the web site name in my web.config? This is what I have now
<add name="Access-Control-Allow-Origin" value="https://my-web-site" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />

Do you also need Access-Control-All-Methods?
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE" />

I suggest you follow the methods suggest here:
http://brockallen.com/2012/06/28/cors-support-in-webapi-mvc-and-iis-with-thinktecture-identitymodel/

Related

Parsing request header for security using web.config

We have a web service which is denys access to all except a single IP address. This is configured like so
<location path="ASMX/Service.asmx">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear />
<add ipAddress="[Our IP address]" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
We recently installed a Web Application Firewall, so now all traffic now comes from a single source. The firewall however collects the origin IP and puts it into a request header called 'X-Origin-IP'.
Is it possible to use the web.config to read this new header and only allow where certain value exists, or is it better to drop into the code and perform the analysis there?

Sending JSON between localhost ports

I had an ASP.NET MVC app running on port 8799 that posted JSON data via an XMLHttpRequest to an MVC controller handler. This pipeline was working perfectly fine.
I recently spun up a second app, this time an Express app running on port 8080, that again posts JSON in the same way (same exact code, using again an XMLHttpRequest), to the same MVC controller running on port 8799. This time, however, it appears as though while the request is received by the controller, there is no data on it.
I'm wondering if this is because I am making a cross-origin request between these two ports. Going off of this hypothesis, I added the following custom headers to my web.config file:
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost" />
<add name="Access-Control-Allow-Headers" value="X-AspNet-Version,X-Powered-By,Date,Server,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Content-Length,Content-Type,Host,Origin,Pragma,Referer,User-Agent" />
<add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, OPTIONS" />
<add name="Access-Control-Max-Age" value="1000" />
</customHeaders>
This does not seem to solve the issue. How can I debug this problem, I don't seem to be throwing any particularly useful exceptions?
The issue did turn out to be CORS. For whatever reason the web.config file was not being used by my .NET application. Thus, I setup CORS setting in my Startup.cs file instead, using services.AddCors() in my Configure() call.

alternate ways of restricting asp.net website (other than by IP & password)

I am currently IP restricting several asp.net websites using rewrite rules in my web.config that match our office IP range.
<system.webServer>
<rewrite>
<rules>
<rule name="Block IP" stopProcessing="true">
<match url="^403.html$" negate="true"/>
<conditions>
<add input="{HTTP_X_CLUSTER_CLIENT_IP}"
pattern="{MY OFFICE IP RANGE}"
negate="true"/>
</conditions>
<action type="Redirect" url="403.html" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
The sites also require a username and password in order to view anything. But I'd like to have a second layer of protection like an ip block that prevents malicious activity. Since I often have people outside of our office that need to access the site, I can't always keep the IP block in place. What are some alternate ways of restricting access to asp.net websites that will work in a standard shared hosting environment? (something like VPN isn't an option since my webhost doesn't provide anything like that).
Edit: It has been brought to my attention that you can also configure the ip filtering using the native features of IIS rather than rewrite rules. Here is an example:
<security>
<ipSecurity allowUnlisted="true"> <!-- this line allows everybody, except those listed below -->
<clear/> <!-- removes all upstream restrictions -->
<add ipAddress="83.116.19.53"/> <!-- blocks the specific IP of 83.116.19.53 -->
<add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/> <!--blocks network 83.116.119.0 to 83.116.119.255-->
<add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/> <!--blocks network 83.116.0.0 to 83.116.255.255-->
<add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/> <!--blocks entire /8 network of 83.0.0.0 to 83.255.255.255-->
</ipSecurity>
</security>
Edit: To clarify what I'm asking for - I'm looking for OTHER ways to restrict access to a site. My ip filtering works fine. However it isn't ideal since my users sometimes access from ip addresses not on the list.
You can restrict/grant access to the IIS website or server in the IIS 7.5 MMC. In IIS-> Authorization Rules you can granullarly add/deny access to the server by user account or group(s).

Web.Config authentication

I'm trying to create a web.config file for security on an intranet.
I want it to have the following rules:
If someone browses to the site on a specific IP range, they get
straight in.
If someone doesn't fall into that IP range, they are presented with
a log in box that authenticates against an LDAP query.
I have gone down the route so far of the following method for IP access and it works fine.
<security>
<ipSecurity allowUnlisted="false">
<add ipAddress="x.x.x.0" subnetMask="255.255.255.0" allowed="true"/>
</ipSecurity>
</security>
<modules runAllManagedModulesForAllRequests="true"/>
How could I then combine this with LDAP authentication (if that's even possible)? Or should I take a different approach? My only concern so far is that the ipsecurity method is too specific and you are either allowed in or you're not with no room for another form of authentication.
Any tips would be much appreciated!
Thanks in advance,
Tom

Cache-Control Header & Browser Caching IIS7

I am using Google Page Speed on my website in IIS7 and I was wondering how to set
Leverage browser caching - The following resources are missing a cache expiration
Leverage proxy caching - Consider adding a "Cache-Control: public" header to the following resources.
I am using doDynamicCompression in my web.config and little confused how to set these ? Hoping for some help
Note: Reference being used http://www.iis.net/ConfigReference/system.webServer/httpCompression
Under system.webServer in web.config set for example
<caching>
<profiles>
<add extension=".png" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange" location="Any" />
<add extension=".jpg" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange" location="Any" />
<add extension=".gif" policy="CacheUntilChange" kernelCachePolicy="CacheUntilChange" location="Any" />
</profiles>
</caching>
This can also be configured from IIS Manager under Output Caching but what the GUI doesn't do is set the 'location' attribute. Setting it to 'Any' will set Cache-Control:public.
You can read more about it here.
I imagine you already figured this out, but read up on setting content expiration in IIS here.
Note that this only applies to static content served by IIS. If you are looking to set caching headers for dynamic content (ASPX, PHP, ISAPI, whatever), you need to generate your own Expires and Cache-Control headers in your application. IIS will (quite correctly) not attempt to apply cache-control headers to dynamic pages that may include Set-Cookie headers or private data. ASP and ASP.net automatically set "Cache-Control: private" by default for all pages, but you can override that behavior on a per-response basis.

Resources