Allow only one web app to call a web service - asp.net

How to configure that a web service only be called by one specific web application? Both ones are in the same IIS server.
Framework: 2.0
I think that setting web.config of web service would be enough.
On this example, I'm setting web.config of web service. Web service will be called only by one IP address (127.0.0.1 is IP of IIS Server):
<location path="resources">
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<clear/>
<add ipAddress="127.0.0.1"/>
</ipSecurity>
</security>
</system.webServer>
</location>
Would it be ok?

If it's only being called by one specific application on the same server, a Web Service may not be the right choice. It would make more sense for the code to be within a class in the same app. Web services are best suited for situations where multiple apps need to access the same functions.
That said, with IPV6 coming, the option you thought of won't work. If you're really just trying to limit requests to apps that come from the same sever, in you can put the following in code to check to see if it's coming from the local server:
if(Request.IsLocal)
{
//code here
}
For simplicity's sake, you can put the following in Application_BeginRequest in the global.asax file for the web services:
if(!Request.IsLocal)
{
throw new Exception("Only local requests are allowed");
}
This will effectively fend off anything not coming from localhost.

Related

Working AngularJS & Web api 2 port different problom

I have developed AngularJS application along with ASP.NET WebAPI 2, application structure should be website layer, data access layer (entity FW) , WebApi layer
every think works fine.
The problem is my website is running on http://localhost:8080 and WebAPI runs on http://localhost:1696/api/album. Therefore I cannot access the data through angular service. I am looking for a permanent solution.
If I go for CORS is it a good solution ?
Normally you should do this with configuring CORS indeed by adding the configuration to either your WebAPI configuration or web.config.
For the WebAPI configuration you should specify the following:
config.EnableCors(new EnableCorsAttribute("*", "*", "*"));
In the web.config it should look like this:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*"/>
</customHeaders>
</httpProtocol>
<system.webServer>
Of course, this allows all origins, so you have to change it to localhost:8080 in your situation. Keep in mind, different ports are different origins, so specifying only localhost isn't sufficient, the port should be added also!
When moving to production, you should configure the correct CORS locations via the build server of course, but that's a completely different topic.

IIS Dynamic IP restrictions in web.config location

I'm trying to use IIS Dynamic IP Restrictions to throttle requests from the same IP. I have the module running and the requests are nicely throttled if I edit the dynamic restrictions settings from the IIS UI. This is nice however I need to have different rates on different URLs. Login should be for example more strict than static resources. I'm trying to use locations in web.config to achieve this.
<configuration>
<location path="foo">
<system.webServer>
<security>
<dynamicIpSecurity enableLoggingOnlyMode="true">
<denyByRequestRate enabled="true" maxRequests="1"
requestIntervalInMilliseconds="5000" />
</dynamicIpSecurity>
</security>
</system.webServer>
</location>
</configuration>
Unfortunately, this doesn't apply. I'm quite sure it has nothing to do with my app because it doesn't work also on a static web with one HTML file. I'm also quite sure that the location path is correct, because the requests are blocked if I add ...<deny users="*" />.
This is not possible. From the module description:
This module can be configured such that the analysis and blocking
could be done at the Web Server or the Web Site level.
Internally this is implemented as HttpModule (native HttpModule that is). HttpModule runs for every single request - location doesn't affect them. For reference check out
Exclude certain pages from using a HTTPModule
So your only other option (if you need to support this exact module) is to organize your site to several mini-applications instead.
Like
/ -> root web application
/Content -> web application with static content
/Login -> web application with login functionality
And in every single mini-application create web.config with appropriate rules.

Aurelia does not load on azure, due to HttpPlatformHandler?

I'm using ASP.NET Core RC1 as server to host my Aurelia app. My app was working just fine but the last couple of weeks something changed so that the app does no longer load when hosted on Azure. I'm not sure if it is something I changed or if it's a change on the Azure side but I'm leaning towards the latter.
I've narrowed down the problem quite a bit. The app runs fine locally, with ASP.NET Core Kestrel server and also other servers (e.g. webpack-dev-server). I have continuous deployment setup from Visual Studio Team Services to an Azure Website. The app is published and a web.config is automatically created in my wwwroot:
<configuration>
<system.webServer>
<handlers>
<add name="httpplatformhandler" path="*" verb="*" modules="httpPlatformHandler" resourceType="Unspecified" />
</handlers>
<httpPlatform processPath="%home%\site\approot\web.cmd" arguments="" stdoutLogEnabled="true" stdoutLogFile="\\?\%home%\LogFiles\stdout.log"></httpPlatform>
</system.webServer>
</configuration>
Nothing happens when I navigate to my site, e.g. http://demo.azurewebsites.net/. When looking at the console I get a 404. Once I actually got this error but I can't seem to bring it back: 502 - Web server received an invalid response while acting as a gateway or proxy server
I have index.html set as default document but it is not loading. If I enter it explicitly, the app works: http://demo.azurewebsites.net/index.html
If I remove the httpplatformhandler from the web.config, then it works as expected (index.html is loaded automatically). The same happens when I remove the web.config entirely. In these cases the MVC 6 WebAPI behind the scenes does not work at all. I assume that's just logical since I remove the platform handler.
So, why is this httpplatformhandler added? Is it necessary? Why is it created? Is there some setting in the Azure portal that I can adjust to prevent this handler to be configured like this?
I also found this link that seems to suggest that things are changing and that this httpplatformhandler is about to be replaced: Closer Look: Hosting ASP.NET Core on Azure App Service
I'm out on deep water here and any and all help is appreciated.
To get default document support with the static file server middleware you need to use app.UseFileServer() instead of app.UseStaticFiles()

HTTP Handler doesn't hitted, while it run over cloud, when request needs to be redirected to another Server from IIS?

My Asp.net application is hosted over Azure Cloud,
In that application I do have a Java Chat control, which has its server on Linux,
now I have created a HTTPHandler to redirect that chat request to the Linux server, but some how it doesn't work over the Cloud environment (though it works very well on web environment)
it shows the below error
Microsoft Visual Studio
Windows Azure Tools for Microsoft Visual Studio
There was an error attaching the debugger to the IIS worker process for URL 'http://127.255.0.0:82/' for role instance 'deployment16(315).Cloud.AnotherHttpHandler_IN_0'. Unable to start debugging on the web server. See help for common configuration errors. Running the web page outside of the debugger may provide further information.
Make sure the server is operating correctly. Verify there are no syntax errors in web.config by doing a Debug.Start Without Debugging. You may also want to refer to the ASP.NET and ATL Server debugging topic in the online documentation.
I have even put the Handler under System.webServer as well in the web.config file, see below code
<system.web>
<httpHandlers>
<add verb="*" path="http-bind/*"
type="HelloWorldHandler"/>
</httpHandlers>
</system.web>
<system.webServer>
<handlers>
<add verb="*" path="http-bind/*" name="HelloWorldHandler" type="HelloWorldHandler"/>
</handlers>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
I don't know what restricts it over the cloud environment.
Please take a look at this question to see how to configure httpHandlers for running in Azure.
Most importantly - remove the httpHandlers section under the system.web and leave only handlers under system.webServer. Then add also the resourceType="Unspecified" attribute to the handler declaration. This should solve your issue.
I too had same problem.
I fixed it in following way .
The Problem was my machine is 32 bit and the azure server is 64 bit.
In Order to solve the problem i only changed Enable 32 bit option in
the advance setting of application pool. And the Original code worked
out fine.
i got this help from this Link

Setting variables in web config for web service consumption

I did a couple google searches about this and am not finding anything, so I thought I'd ask here.
I'm working on our internal CMS and I noticed that we're getting live data back when doing debugging because of our web services instead of the dev data that I wanted. It doesn't do this on our dev CMS website, but we're trying to do all our development on localhost. Is there any way to set up an environment variable in our web config for the URL so that the CMS points to the dev database instead of live database that is referenced in the wsdl files?
You can use the appSettings portion of the web config to for configuration information.
In the configuration section of the Web.config you will find the appSettings section:
<appSettings>
<add key="Key" value="Some Value"/>
</appSettings>
In code you can read in the value like this:
var someValue = ConfigurationManager.AppSettings["Key"];
+1 for Dan's method of storing the URL. To use this URL at runtime just update the URL property of your web service proxy object with the value from your web.config.
MyClientClass o = new MyClientClass();
o.Url = varFromWebConfig;
o.MyWebMethod();
Actually, one of my coworkers suggested an alternate way of solving this issue which seems even better to me: fixing it server-side, rather than client side like I've been trying and has been suggested here. His suggestion was to create a subdomain in IIS on all of our servers that points to the web service folder and then put host files for the appropriate web server on my local machine. This seems like the ideal solution to me since it wouldn't require changing all the current web service proxy objects like the client side solution would, just the web service consumption within App_WebReferences.
YES!!! USE Web.config transforms
Web.config contains the configuration that will run in your IDE while debugging:
<configuration>
<appSettings>
<add key="Service.Name" value="http://debugserverURI/Service.asmx"/>
</appSettings>
</configuration>
On publish in "Release" mode, transforms in Web.Release.config will be applied:
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<appSettings>
<!--point to production server -->
<add key="Service.Name" value="http://PRODUCTIONserverURI/Service.asmx"
xdt:Transform="SetAttributes" xdt:Locator="Match(key)"/>
</appSettings>
</configuration>
You can do the same for Web.[whatever_build_you_want].config, if you support both test and prod servers.

Resources