I have a application developed in asp net mvc 4 (IIS 7 and windows server 2008) and it has a upload system.
The problem is that with large files I get an 413 http error.
I am trying to set uploadaheadsize but canĀ“t find it anywhere.
Tried Roles and features and also in application pool. Could someone guide me through this config setting?
Thanks.
I found the solution.
Just added:
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="524288000"/>
</requestFiltering>
</security>
in my web.config!
Edit 1:
In addition, I found this useful information on www.iis.net:
The requestLimits element specifies limits on HTTP requests that are
processed by the Web server. These limits include the maximum size of
a request, the maximum URL length, and the maximum length for a query
string. In addition, the element can contain a
collection of user-defined HTTP header limits in the
element, which allows you to define custom settings on HTTP headers.
reference: http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits
Related
I'm trying to appease a PCI scan failure we recently had done, in which it states:
Microsoft ASP.NET MS-DOS Device Name DoS
Synopsis :
A framework used by the remote web server has a denial of service vulnerability.
Impact:
The web server running on the remote host appears to be using Microsoft
ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL
containing an MS-DOS device name can cause the web server to become
temporarily unresponsive.
In a nutshell, we visit a URL on our app such as /AUX/.aspx we get a 500 error.
I'm using RequestFiltering to filter these requests out, and return 404's instead, without the server trying to process the request.
An excerpt of my web.config is below:
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="/AUX/.aspx" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
However, this isn't working, it's still returning a 500.
I would expect it to return a 404.
If I add the following catch-all url to the denyUrlSequences then the whole site produces the expected 404.
<add sequence="/" />
It's worth mentioning the application in question is an MVC app running on IIS 7.5 (Windows 2008 R2)
Just had to solve this problem.
My solution was to disable .Net Error Pages and enable IIS Error Pages.
When you move the custom error handling from the higher .Net level to the lower IIS level the HTTP response code changes from 500 to 404.
PCI Test Passed :-)
I struggled with this for quite some time myself. I think the 500 response code is correct for MS-DOS names in the URL, and you do not need to add anything to request filtering.
You'll notice that you will get a 500 error if you use any of the MS-DOS names (https://support.microsoft.com/en-us/kb/74496) without doing anything to your configuration. However, if you add a RequestFiltering denySequence for something else, like "foo", then you will see the 404.5 error when browsing to /foo.
If you add relaxedUrlToFileSystemMapping="true" to the httpRuntime element along with your request filtering denySequence entries, then you will get the 404.5 for MS-DOS names.
But disabling the default asp.net configuration just so you can get something other then a 500 response for a URL with MS-DOS name is a rediculous request from a PCI compliance check.
I have a web.config with the following lines:
<requestFiltering>
<requestLimits maxUrl="25000" maxQueryString="25000"></requestLimits>
</requestFiltering>
This lets me access urls up to 25k characters including query string. However, when I publish to an Azure website it completely disregards this specific part of my web.config, but I can't find any kind of limits published by Microsoft.
Anyone know what's going on?
You can find the detailed overview of Request Limits in this Azure doc
This can be happening either due to ASP.NET Runtime or IIS Requests Filtering module. By default, the maximum allowed length for a query string is 2048 ref: link and Internet Explorer You should set the appropriate values in your Web.config, under the requestLimits subnodes.
Even if you set a big value for maximum query string, there is a limit for each browser which is handling the url and the query string. This not available in IIS 6 or in IIS 7 app pools running in classic mode.
Couldn't find any documentation, but Azure App Services seems to have query string limitation set at 2048, which is the recommended default.
The reason your web.config configuration is not working is because it is applied at the worker level and this limit is probably being enforced (also) at the Front-End level, which is the reverse proxy component receiving requests and distributing them to the appropriate backend workers.
afaik there is no way to configure this setting at the front-end level. If you wish to send more data to your application consider using a POST request.
For older servers you had to set the value higher up in the config, it may be worth experimenting with also setting this.
<configuration>
<system.web>
<httpRuntime maxQueryStringLength="25000" />
</system.web>
</configuration>
We have to send a large packet to an ASP.Net web service through the URL. We cannot use POST for certain reasons, so we are URL encoding an XML package and we make a GET request to the service.
http://service.example.com/collect?content=AAAAAAAA...(+5000 characters)
The service responds with
Error 404 - File or directory not found.
I have read that there is no error code for max-content-length-exceeded so IIS sends back this 404 error. Knowing that, I have changed the configuration in the following way to allow large requests:
Changed query string length, max URL length, max request length and deactivated validation
<httpRuntime
requestValidationMode="2.0"
maxQueryStringLength="262144000"
maxUrlLength="262144000"
maxRequestLength="262144000" />
...
<pages validateRequest="false" />
...
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="262144000" />
</requestFiltering>
</security>
</system.webServer>
I still receive the same error. How do I make a request to my web service with an extremely large/long URL?
Update 1
I am not sending images. The content is something like:
<packet date="1243235246436">
<param type="1" id="45">
5
</param>
</packet>
without the new line characters and URL encoded.
Update 2
After setting the limits to a larger number in the IIS Request Filtering the 404 is now transformed to
HTTP Error 400. The size of the request headers is too long.
This is because the size of the headers is too large now. Tried to follow the instructions from this article by adding the MaxFieldLength and MaxRequestBytes registry entries, but I am still capped at 16k URL length.
What can I do to be able to send 1,000,000 long URLs? Is this even possible? What can I do to send at least 65k long URLs? This is the max length a header can have, but my settings are not taken into consideration.
The MSDN documentation of maxQueryStringLength also talks about IIS filtering in case of very long URLs. Have you checked this ?
The property names mentioned there are a bit different: maxQueryString, maxUrl.
A GET request is only limited by a browser's limit on the length of the URL string.
In IE it is 2,083 characters, minus the number of characters in the actual path. Other browsers do not have a clearly defined limit on the length of the URL string. These articles might be helpful to you.
http://www.boutell.com/newfaq/misc/urllength.html
http://support.microsoft.com/kb/q208427
RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1," does not specify any requirement for URL length, so browsers are free to stipulate what they deem fit.
I am using .net 4.5. I set maximum request length and maxAllowedContentLength in config file as 100 mb. When I try to upload larger than 100 mb file (like 200mb to 1000mb) I am getting an error
The request filtering module is configured to deny a request that exceeds the request content length
This is normal and expected error but when I try to larger than 1 gb, I am getting error "internet explorer cannot display page".
I think it is due to a timeout issue but I really can't figure out actual reason of this error.
Thank u.
This has been asked about on StackOverflow many times. I'll continue the tradition :) For large uploads you need to set two parameters:
maxAllowedContentLength is measured in bytes, so make sure you've actually set it correctly. To allow 1GB uploads, it should be 134217728.
You also need to configure maxRequestLength as well as maxAllowedContentLength. Note though that it is measured in kilobytes, so it will be different.
For example:
<configuration>
<system.web>
<httpRuntime maxRequestLength="1048576" />
</system.web>
</configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
It's a little unclear, but what I think you're running into is IIS's normal behavior reguarding exceptions: any issue with the request returns a 500 server error response.
In oder to view exceptions you can either disable this behavior in the configuration file (MSDN Link), or transfer the file while logged into the server (connections from localhost bypass this behavior by default).
What are the best practices that I can follow to increase the max length of the URL in IIS7/ASP.NET?
Please advise.
From this site: http://technet.microsoft.com/en-us/library/cc754791(v=ws.10).aspx
Use command line : appcmd set config /section:requestfiltering/requestlimits.maxurl: unit
Here is explained how to use appcmd:
http://www.windowsnetworking.com/articles_tutorials/Configuring-IIS-7-command-line-Appcmdexe-Part1.html
You need to know where the AppCmd.exe command is located as it is not
in the default PATH. In order to run AppCmd.exe, you will either need
to change directory into %windir%\system32\inetsrv\ or add that
directory to your PATH variable. On my Windows 2008 server with a
default installation, AppCmd.exe was located in
C:\Windows\System32\inetsrv.
But be careful. If your request url became realy realy large, use post message to pass parameters
Although the specification of the HTTP protocol does not specify any maximum length, the practical limit is 2,083 characters, with no more than 2,048 characters in the path portion of the URL. These are the restrictions currently enforced by Microsoft Interet Explorer, which is still used by a sizeable majority of all users. A reasonable upper limit on the length of URLs has always been imposed by major web browsers. When you wish to submit a form containing many fields, which would otherwise produce a very long URL, the standard solution is to use the POST method rather than the GET method:
<form action="myscript.php" method="POST">
...
</form>
The form fields are then transmitted as part of the HTTP transaction header, not as part of the URL.
You may be limited by the following setting in web.config:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits>
</requestLimits>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Refer to:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits#005