Trace.axd returns YSOD not custom error - asp.net

This is officially driving me crazy...... I have a website on IIS7 running ASP.Net 3.5. Tracing is off and I have custom errors configured, however when I access www.mysite.com/trace.axd I receive a standard ASP.Net YSOD instead of my custom error page. The status returned is 500; however, what is even weirder is that when using Cassini or the Dev Server the status is 403.
So my question is how do I return my custom error page on the live box instead of the standard ASP.Net YSOD?
Custom Errors Config:
<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite">
<error statusCode="404" path="~/404.aspx" redirect="~/404.aspx" responseMode="ExecuteURL" />
</customErrors>
Trace Settings:
<tracing>
<traceFailedRequests>
<add path="*.aspx">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module" verbosity="Verbose" />
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="500" />
</add>
</traceFailedRequests>
</tracing>
Any help here is much appreciated, let me know if you need anything else :)

Remove the tracing HTTP handler in the Web.config file:
<system.webServer>
<!-- remove TraceHandler-Integrated - Remove the tracing handlers so that navigating to /trace.axd gives us a
404 Not Found instead of 500 Internal Server Error. -->
<handlers>
<remove name="TraceHandler-Integrated" />
<remove name="TraceHandler-Integrated-4.0" />
</handlers>
</system.webServer>
Navigating to /trace.axd now gives us a 404 Not Found instead of 500 Internal Server Error.

Related

My ASP.NET website does not run on remote server (Website panel)

This is my web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="false" />
<defaultDocument>
<files>
<clear />
<add value="index.php" />
<add value="index.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="Default.asp" />
<add value="Default.htm" />
<add value="Home.htm" />
<add value="Home.html" />
<add value="Default.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
When I run the website www.blah.co.za I get the following error:
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>

Removing Unused HTTP Handlers for Better Performance & Security

Where can I get a list of what all of the default IIS HTTP handlers do? I need documentation!! I have read a few blogs which recommend removing dozens of unused HTTP handlers for performance and security reasons.
E.g. Removing the TraceHandler-Integrated and TraceHandler-Integrated-4.0 is recommended because otherwise navigating to /trace.axd causes a 500 Internal Server Error instead of a 404 Not Found and you should not have tracing on, in a production environment.
A GitHub project (now deleted) recommends manually removing a huge list of HTTP handlers, some of which are:
<system.webServer>
<handlers>
<remove name="TraceHandler-Integrated-4.0" />
<remove name="TraceHandler-Integrated" />
<remove name="AssemblyResourceLoader-Integrated-4.0" />
<remove name="AssemblyResourceLoader-Integrated" />
<remove name="WebAdminHandler-Integrated-4.0" />
<remove name="WebAdminHandler-Integrated" />
<remove name="HttpRemotingHandlerFactory-soap-ISAPI-2.0-64" />
<remove name="svc-ISAPI-4.0_32bit" />
<remove name="ScriptHandlerFactoryAppServices-Integrated-4.0" />
<remove name="ScriptResourceIntegrated-4.0" />
<remove name="svc-ISAPI-4.0_64bit" />
<remove name="svc-Integrated-4.0" />
<remove name="vbhtm-ISAPI-4.0_32bit" />
<remove name="vbhtm-ISAPI-4.0_64bit" />
<remove name="vbhtm-Integrated-4.0" />
<remove name="vbhtml-ISAPI-4.0_32bit" />
<remove name="vbhtml-ISAPI-4.0_64bit" />
<remove name="vbhtml-Integrated-4.0" />
<remove name="xamlx-ISAPI-4.0_32bit" />
<remove name="xamlx-ISAPI-4.0_64bit" />
<remove name="xamlx-Integrated-4.0" />
<remove name="xoml-ISAPI-4.0_32bit" />
<remove name="xoml-ISAPI-4.0_64bit" />
<remove name="xoml-Integrated-4.0" />
<remove name="HttpRemotingHandlerFactory-rem-Integrated-4.0" />
<remove name="HttpRemotingHandlerFactory-rem-ISAPI-2.0" />
<remove name="rules-ISAPI-4.0_32bit" />
<remove name="rules-Integrated-4.0" />
<remove name="HttpRemotingHandlerFactory-soap-Integrated" />
<remove name="HttpRemotingHandlerFactory-soap-ISAPI-2.0" />
<remove name="HttpRemotingHandlerFactory-soap-ISAPI-4.0_64bit" />
<remove name="HttpRemotingHandlerFactory-soap-Integrated-4.0" />
<remove name="HttpRemotingHandlerFactory-soap-ISAPI-4.0_32bit" />
<remove name="rules-ISAPI-4.0_64bit" />
<remove name="HttpRemotingHandlerFactory-rem-ISAPI-2.0-64" />
<remove name="HttpRemotingHandlerFactory-rem-Integrated" />
<remove name="HttpRemotingHandlerFactory-rem-ISAPI-4.0_32bit" />
<remove name="HttpRemotingHandlerFactory-rem-ISAPI-4.0_64bit" />
<remove name="AXD-ISAPI-2.0-64" />
<remove name="cshtml-ISAPI-4.0_64bit" />
<remove name="cshtml-Integrated-4.0" />
<remove name="cshtm-Integrated-4.0" />
<remove name="cshtml-ISAPI-4.0_32bit" />
<remove name="cshtm-ISAPI-4.0_64bit" />
<remove name="cshtm-ISAPI-4.0_32bit" />
<remove name="AXD-ISAPI-4.0_64bit" />
<remove name="AXD-ISAPI-2.0" />
<remove name="AXD-ISAPI-4.0_32bit" />
<remove name="PageHandlerFactory-ISAPI-2.0-64" />
<remove name="PageHandlerFactory-ISAPI-2.0" />
<remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
<remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
<remove name="aspq-ISAPI-4.0_64bit" />
<remove name="aspq-Integrated-4.0" />
<remove name="WebServiceHandlerFactory-ISAPI-2.0" />
<remove name="aspq-ISAPI-4.0_32bit" />
<remove name="WebServiceHandlerFactory-Integrated-4.0" />
<remove name="WebServiceHandlerFactory-Integrated" />
<remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
<remove name="SimpleHandlerFactory-Integrated-4.0" />
<remove name="SimpleHandlerFactory-Integrated" />
<remove name="SimpleHandlerFactory-ISAPI-2.0" />
<remove name="SimpleHandlerFactory-ISAPI-2.0-64" />
<remove name="WebServiceHandlerFactory-ISAPI-4.0_32bit" />
<remove name="WebServiceHandlerFactory-ISAPI-4.0_64bit" />
<remove name="WebServiceHandlerFactory-ISAPI-2.0-64" />
<remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
<remove name="ISAPI-dll" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
</handlers>
</system.webServer>
If you really want a minimal set of handler mappings, I suggest you start clean: in your web.config, remove all handlers and just use the StaticFile one:
<system.webServer>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>
</system.webServer>
Now add all the handlers you need back in, just for the bitness and mode you're running in.
For a basic MVC project it may be enough to add
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />
What do all the handlers do?
I couldn't find any documentation either, so here's my attempt:
The handler mappings are defined in %SystemRoot%\System32\inetsrv\config\applicationHost.config - system.webServer/handlers
In my case there were 87 mappings.
50 of them are modules="IsapiModule" scriptProcessor="...aspnet_isapi.dll" for ASP.NET. These cover all the various ASP.NET extensions and may exist for CLR versions 2.0 and 4.0 and for 32-bit and 64-bit. Most of them are for Classic Mode.
They usually handle the following extensions:
*. = ExtensionlessUrlHandler-ISAPI
*.ashx = SimpleHandlerFactory-ISAPI
*.asmx = WebServiceHandlerFactory-ISAPI
*.aspq = aspq-ISAPI
*.aspx = PageHandlerFactory
*.axd = AXD-ISAPI
*.cshtm = cshtm-ISAPI
*.cshtml = cshtml-ISAPI
*.rem = HttpRemotingHandlerFactory-rem-ISAPI
*.rules = rules-ISAPI
*.soap = HttpRemotingHandlerFactory-soap
*.svc = svc-ISAPI
*.vbhtm = vbhtm-ISAPI
*.vbhtml = vbhtml-ISAPI
*.xamlx = xamlx-ISAPI
*.xoml = xoml-ISAPI
If your project doesn't use certain extensions, you may remove these handlers.
Most handler mappings have a preCondition, such as applying only in 32-bit application pools or only in Classic Mode. If you only ever run 64-bit integrated mode, you can remove all classic mode and 32-bit handler mappings.
If we look at *.cshtml for a Razor view file, you will find three mappings, two for ClassicMode in 32/64 bit which point to the ASP.NET ISAPI modules, but the third applies only in integrated mode and maps to HttpForbiddenHandler, because the MVC routing works differently in Integrated Mode and you never want to allow access to view files directly.
There may be IsapiModules for classic ASP or CGI; like the ASP.NET mappings, they are there to handle the requests for files with certain extensions.
The second biggest group are the type="System. handlers, let's look at them:
System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory
Handles *.rem and *.soap files in integrated mode. Can be removed if you are not using remoting.
System.ServiceModel.Activation.HttpHandler, System.ServiceModel.Activation
Handles certain WCF requests with *.rules,*.xoml,*.svc extensions.
System.Web.Handlers.AssemblyResourceLoader
Handles WebResource.axd requests, these may be used in WebForms, but usually not in MVC projects.
System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions
For handling ScriptResource.axd which provides JavaScript and CSS resources in WebForms.
System.Web.Handlers.TraceHandler
Handler for trace.axd to display ASP.NET trace information. On a production site, you want to remove this handler.
System.Web.Handlers.TransferRequestHandler
Used to handle extensionless requests in integrated mode. This forwards the request to the routing engine to decide how to handle these requests.
System.Web.Handlers.WebAdminHandler
Handles WebAdmin.axd to display the ASP.NET Website Administration Toolkit, you can remove this if you don't use that builtin feature.
System.Web.HttpForbiddenHandler
Allows us to prevent access to any files with certain extensions. However it returns a 500 HTTP status and actually throws a System.Web.HttpException exception on the server.
In my opinion there are better ways to block certain extensions, such as IIS Request Filtering.
System.Web.HttpMethodNotAllowedHandler
I think this one is no longer used in modern IIS. It returns a 405 HTTP status and also throws an HttpException.
System.Web.HttpNotFoundHandler
Also no longer in my current configuration. It throws a 404 HTTP exception.
System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions
Handles *.asmx and *_AppService.axd to support Web service calls via Ajax.
System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services
Also handles *.asmx web service requests in integrated mode for DOT.NET 2
System.Web.StaticFileHandler
Returns a static file, no longer used?
System.Web.UI.PageHandlerFactory
Handles ASP.NET WebForm pages .aspx in integrated mode.
System.Web.UI.SimpleHandlerFactory
Handles ASP.NET custom handlers .ashx in integrated mode.
System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting
Handles Windows Workflow Foundation services .xamlx in integrated mode.
more handlers:
modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
This is usually the very last mapping, which handles any request that has not been handled by any of the previous handlers (path="*" verb="*"). It actually uses three different modules. The StaticFileModule looks for a physical file matching the requested URL; if none is found, the DefaultDocumentModule looks for a default document in the same folder as the requested URL; and if that is also not found, the DirectoryListingModule may display the content of the directory, if enabled.
modules="ProtocolSupportModule"
This handles all requests for the HTTP verbs TRACE and OPTIONS. If you remove this mapping, all TRACE and OPTIONS requests will return a "405 Method not allowed".
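The pruning rule from this answer, as an added example that is not part of the original answer: it sorts handler mappings into those whose preCondition can never match a given application pool, live ones worth removing (trace.axd and extensions the site does not use), and the rest. The handler entries are a constructed sample, and `applies`, `review` and `as_web_config` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like <system.webServer>/<handlers> in
# applicationHost.config; not taken from a real server.
SAMPLE = """<handlers>
 <add name="AXD-ISAPI-4.0_32bit" path="*.axd" modules="IsapiModule" preCondition="classicMode,runtimeVersionv4.0,bitness32" />
 <add name="AXD-ISAPI-4.0_64bit" path="*.axd" modules="IsapiModule" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
 <add name="TraceHandler-Integrated" path="trace.axd" type="System.Web.Handlers.TraceHandler" preCondition="integratedMode,runtimeVersionv2.0" />
 <add name="TraceHandler-Integrated-4.0" path="trace.axd" type="System.Web.Handlers.TraceHandler" preCondition="integratedMode,runtimeVersionv4.0" />
 <add name="HttpRemotingHandlerFactory-rem-Integrated-4.0" path="*.rem" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
 <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
 <add name="StaticFile" path="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" />
</handlers>"""

# preCondition tokens this sketch understands; any other token is ignored
# (an assumption of this example).
POOL_TOKENS = {"classicMode", "integratedMode", "bitness32", "bitness64",
               "runtimeVersionv2.0", "runtimeVersionv4.0"}

def applies(precondition, pool):
    """A mapping is live only if every known token it names holds for the pool."""
    tokens = {t.strip() for t in precondition.split(",")}
    return all(t in pool for t in tokens & POOL_TOKENS)

def review(handlers_xml, pool, unused_paths=()):
    """Split mappings into dead (never match this pool), live ones worth
    removing (trace.axd, extensions the site does not use), and the rest."""
    dead, remove, keep = [], [], []
    for h in ET.fromstring(handlers_xml).iter("add"):
        name = h.get("name")
        if not applies(h.get("preCondition", ""), pool):
            dead.append(name)
        elif h.get("type", "").startswith("System.Web.Handlers.TraceHandler"):
            remove.append(name)
        elif h.get("path") in unused_paths:
            remove.append(name)
        else:
            keep.append(name)
    return dead, remove, keep

def as_web_config(names):
    """Render <remove> elements for the <handlers> section of web.config."""
    return "\n".join(f'<remove name="{n}" />' for n in names)

if __name__ == "__main__":
    pool = {"integratedMode", "bitness64", "runtimeVersionv4.0"}
    dead, remove, keep = review(SAMPLE, pool, unused_paths={"*.rem"})
    print("never match this pool:", dead)
    print("still serving requests:", keep)
    print(as_web_config(remove))
```

Mappings in the first list never serve a request in this pool, so the `<remove>` lines that change behaviour are the ones rendered at the end.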
Answer to this:
Where can I get a list of what all of the default IIS HTTP handlers do?
Open IIS (CMD-->inetmgr), then click Handler Mappings.
Click that, it will show you all default enabled HTTP handlers for that web server.
Note: When you select a virtual directory and then do this process, i.e. click Handler Mappings and remove one of the mappings, it will add that line to web.config.
E.g. I have removed aspq-ISAPI-4.0_64bit, so it has changed web.config for that virtual directory, i.e. it has added the following line to web.config.
<remove name="aspq-ISAPI-4.0_64bit" /> under system.webServer\handlers.
Update: These handlers are invoked only when a request for a particular file type comes in; until then they sit idle. So there won't be any performance issue from these handlers.
For example, you say that removing the handler for *.axd will improve security. My answer to this is that some DLLs might need those files for rendering JS and CSS, and if you remove the handler, they will not work. E.g. - HTTP Handler cannot find axd file in nested web application folder: Telerik RadScriptManager cannot find WebResource.axd in ~/admin/ folder
I ran into the same question last week, and after a lot of research I think that I found something similar on GitHub:
List of "insecure handlers": https://gist.github.com/marcbarry/47644b4a43fbfb63ef54

IIS Failed Request Tracing to Trace Rewrite Rules: Rewrite and RequestRouting values in the Areas attribute (web.config)

I am trying to trace a Rewrite rule in IIS. Failed Request Tracing is enabled and the errors are logged, but I cannot get the information I would like (I have only the original URL and not the final URL when it is rewritten).
I think I should add something like this in my web.config :
<add provider="WWW Server" areas="Rewrite,RequestRouting" verbosity="Verbose" />
but Rewrite and RequestRouting are not recognized.
What IIS proposes I add are these kinds of values:
<add provider="WWW Server" areas="Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket" verbosity="Verbose" />
Here is a sample of my web.config
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="WWW Server" areas="Rewrite,RequestRouting" verbosity="Verbose" />
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="404" />
</add>
</traceFailedRequests>
</tracing>
To add these items, you must download https://www.iis.net/downloads/microsoft/url-rewrite and reinstall the rewrite_en-US.msi module.
But so far this installation has managed to add only Rewrite.

a href error direct default aspx

I have a URL like 120.xxx.xxx.xxx/myfile.pdf, but the file doesn't exist
and the request is not redirected to my error.aspx.
Can someone tell me what's happening?
Here is my web.config code:
<customErrors mode="On" defaultRedirect="~/error.aspx">
<error statusCode="404" redirect="~/error404.aspx"/>
</customErrors>
It is happening because this is a static file and by default will bypass ASP.Net and just get served up by IIS. Try adding this to your <system.webServer> section of the web.config:
<handlers>
<add name="PDFHandler-Integrated" path="*.pdf" verb="GET"
type="System.Web.StaticFileHandler" modules="ManagedPipelineHandler"
requireAccess="Script" preCondition="integratedMode" />
</handlers>
Doing this will make it go through the ASP.Net pipeline so you can apply other functionality like Authentication/Role restrictions.

Can't add sessionState to web.config without Error 500.19

I'm in the process of creating a new web application using classic ASP. I've done this before and have 2 similar websites that have been running for over 2 years. My problem is that the ISP I'm using has me hosted on a system running Server 2008, IIS7, and I cannot rely on session state remaining constant. I use a session variable to pass validated usernames from page to page. I know I can re-write the application to use db storage as an alternative, but I hate to have to modify a working application.
In talking with the ISP they suggested adding a sessionState variable to my web.config file and use stateserver to pass the data to a file on their system (they provided the connection string, etc.). This seems fine, but whenever I add the sessionState line to the web.config the website gets a error 500.19 with an error code of 0x8007000d.
I've tried to add a line on my local PC to simply change the session timeout as a testing methodology, but I get the same error. I'm sure it's something obvious, but I've researched the general topic and it looks like it should work? The simple web.config code is below and any suggestions would be gratefully appreciated (I'm developing a flat spot on my forehead from hitting the desk).
Thanks,
Contents of web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<sessionState timeout="40" />
<defaultDocument enabled="true">
<files>
<clear />
<add value="index.aspx" />
<add value="index.asp" />
<add value="default.htm" />
<add value="default.html" />
</files>
</defaultDocument>
<security>
<authentication>
<basicAuthentication enabled="true" />
</authentication>
</security>
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/OaOInternal/DefaultWebs/sedoCurrent/Error404.aspx" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
</configuration>
Classic ASP sites don't use web.config files.
