My hosting is messing up my urls - asp.net

Usually when I get the url of a request i use Request.RawUrl.
This gives /default.aspx for example.
However recently my host changed something and now the name of the application directory is displayed as well so i get /appdirname/default.aspx.
Now why does it give me the directory of the application? It looks as if my website is a subapplication of another website. So when you go to mydomain.com the rawurl will be:
/appdirname/default.aspx
I believe each domain has it's own website defined in iis or am i mistaken.
I am not asking for a workaround, which should be pretty straightforward, I am asking why this is happening and how, what kind of IIS setup causes this to happen?
PS.
And the worst part is i had this issue with godaddy and i was happy my host didnt have it but now both hosts have the same problem.

The Request.RawUrl method returns everything after the domain declaration, so if your full url is:
http://www.yourdomain.com:8080/directory/Page.aspx
then the method will return
/directory/Page.aspx
That's all it does. That's all it claims to do. As you say, your hosting provider must have changed something, which is very naughty, and the workaround should be easy. There is a good chance that they have introduced some kind of url redirection, but the best way to find out is to get in touch with their helpdesk and ask them what is happening. I find that most successful hosting companies tend to respond in good time to this kind of question. Otherwise they tend to become formerly-successful hosting companies.
Ric Strahl has this to say about it: http://www.west-wind.com/weblog/posts/132081.aspx

Related

How to redirect page from HTTP to HTTPS(IIS and Code methods)?

I was searching on web for this solutions and found so many solutions. Some of you might merge this with other question as duplicate(i dont mind), but there are some general questions i have as newbee which help me to understand this process and also other can use this. So my website works on both http(80) and https(443). I want my login and edit profile page to always redirect to HTTPS. I dont care about other pages.i binded the SSL and works fine with http and HTTPS.My application is in ASP.net and server is Windows server 2008 with IIS7
So there are two ways i found through which you can do this. 1) Through IIS and 2) Through Code (Other methods are welcome)
My first question is which option is more feasible or optimal? I saw some of the comments with IIS and MS URL redirect module says they have problem redirection in some IE. And for code based solutions i am wondering is this the best method you can use.
I saw some commets which says if you have dynamic URL then IIS method might give you error for some URL with data.
Second is pros and cons of these two methods? So other can use one of those method according their needs
here are some of the answer i got from web
http://raoulpop.com/2007/08/07/automatic-redirect-from-http-to-https/
This is IIS method
http://www.sslshopper.com/iis7-redirect-http-to-https.html
and i can go on with these solutions. But what i am asking is which is better way, ISS or code? You are welcome to post your ideas and your solutions which help me and other to understand this problem better.
Thanks in advance.
Arpan.

How to restrict external access to a specific sub-URL IIS7

I've currently got a reasonably large site up that i've been asked to make changes to.
Currently To login to this site you need to go to:
www.example.com/folder/loginpage.html
This site is only accessible internally at this time and it is unlikely to ever be accessible externally.
We would like to, however, be able to direct external users to a sub-directory on the site (a 'survey' form) which is located in
www.example.com/folder/subfolder/survey.html
This survey writes its results back to the main application and i believe they are integrated tightly.
We initially tried the idea of using an additional IIS7 box as a reverse proxy however it is quite confusing to me, i'm not very familiar with IIS/ARR and the other features required (i'm mostly familiar with networking). I did try and follow a number of tutorials but didn't get very far. I'd like to avoid it if possible.
How can I, using IIS7 (this site is in ASP.NET) restrict external users from accessing anything other than the survey pages (there are a few included files necessary as well)?
Is it possible to make www.example.com/folder/subfolder/survey.html a 'website' in-itself so that i can publish a URL like survey.example.com externally?
I've come across other examples where access is restricted from specific pages but the root of the site is still accessible
ie
www.eg.com/ is allowed but www.eg.com/admin.aspx is denied. I'd like to the the reverse in effect, and if possible, hide the 'true' url.
Hope someone can help! If using a reverse proxy is possible i'm happy to do it but i'd need detailed instructions.
Thanks for reading,
Much appreciated!
Edit: Sorry all, I'm new to stackoverflow, indeed I've just realised that there are several other sub-communities. Is it more appropriate to ask this in a different community? If so, which one?
Thanks!

How can I detect if an ISAPI rewrite has occurred

I've inherited an old system after starting a new job, none of the previous developers work here any more and none of them documented all that much. Fun times.
The system uses an old, defunct CMS and I've just finished a large ordeal whereby I could not for the life of me figure out how routing worked (the client wanted a URL changing). It later turned out that the previous developers had been using a completely separate program called "Helicon ISAPI rewrite" and had been doing all of the site's URL management from there.
My question is: How could I have figured this out more quickly (e.g. are there external tools I could have used or logs I don't know about that would have revealed how this routing was working)?
I spent a whole afternoon picking through 10 years worth of code when the answer wasn't even in there! Right now I'm feeling that I had no chance of figuring that out quickly but I'm wondering if I'm missing something.
I think I understand what you're asking, to discover the rewriting in the first place. Tony's answer is right if you knew about ISAPI_Rewrite up front, but hindsight is 20-20. I'm a big fan of ISAPI_Rewrite and Helicon Ape, so I might have suspected it. However, if the rewriting was being done by IIS7's .NET web.config, I wouldn't have looked there (although I guess web.config should be a place to start for anything IIS-screwy). With a legacy CMS or something like WordPress, I wouldn't know where to start, so I would probably start with the code like you did.
I suppose the real starting point is the top of IIS, before the request even gets to the web code.
Looking around in IIS7, I see Handler Mappings, with a whole bunch of stuff in there, intercepting various requests. These could all "do things" to the request before it hits the website. e.g., I see Microsoft's ExtensionlessUrlHandler... which gave us troubles as a breaking changing when upgrading to .NET 4.0. We had to dig around for this, wondering what was putting eurl.axd into our urls.
IIS6 has an ISAPI Filters tab on the website properties. Mine has ISAPI_Rewrite and ASP.NET_2.0.... in it. There's also an HTTP Headers tabl with MIME types, that can be a culprit for diverting requests.
Knowing this now, perhaps a list of all rewriting software would be handy. Just search the system for any of them installed - might be the fastest way to a get the first clue.
And actually, if you spent an afternoon in 10 years of code, that's not too bad! So you may not have had a chance of figuring this out quickly - any legacy system is going to have buried secrets.
If it's ISAPI_Rewrite v3, you can enable logging in httpd.conf in ISAPI_Rewrite installation folder by putting the following lines:
RewriteLogLevel 9
LogLevel debug
Then after you make some test request, the rewrite.log and error.log file will appear in ISAPI_Rewrite installation folder. error.log shows general issues, while rewrite.log shows how and if the rules are applied and what the resulting URL is.

app_offline alternative

I usually place an app_offline.htm in my root directory when I am releasing a website to a production environment. However sometimes if there has been a few big changes to the site, I would like to click around first to make sure it's stable without allowing access to anyone other than me.
As far as I am aware this isn't possible, but I'm hoping someone has a neat solution...
The solution has to include if someone has a deeplink into the site, so using a default.htm/asp page in the root won't do the trick unfortunately.
I agree with the staging environment answer above, but otherwise here's one possible approach: Temporarily block all IP addresses besides your own. This can be achieved through IIS Directory Security configuration, or programmatically in any number of ways
You can redirect all the non-authorized users to an Under Construction page of some sort. Meanwhile, you can happily browse the site from your IP. When the site is vetted, you remove that IP restriction and the site becomes available to the world at large.
It's a difficult thing to achieve. That's why you should have a staging environment where everything should be validated before shipping into production. Then during the deployment process (if it takes long, but it shouldn't) you could use an App_Offline file. This staging environment should be as close as possible to your production environment (in terms of software, patches and configurations installed, not in terms of hardware power of course).
Another quick suggestion that would allow you to control things from the web.config might include a custom module that redirected all requests to a static page except those defined by a filter (i.e. hostname, url sniffing) that could be configured via the web.config.

How to prevent Iframe hack

my site is hosted in lunarpage and it geting hacked in from few month.
i have done all things some of site saying (changing password like).
finally 2 weeks ago i have blocked all ranges of Chinese ips.
but today it again hacked.
is there is any way to prevent Iframe hack?
If you're changing your passwords and the site still gets hacked, you might have a virus on your machine. I am not joking, I saw this once.
Just to make sure, request the FTP logs from the hosting (you may see some other machines connecting to your account)
Given your comment
Iframe hack is famos sql injection
attack. mainly from .cn domains
Identify SQL injection vulnerabilities in your system
Close them (switching to parametrised queries is a good idea if you haven't already)
You could also use mod_security or similar to try to stop attacks before they get to your web application. I've experienced false positives though (as a user, and only with ASP.NET systems (note this is a tiny sample size)).
The question isn't so much about the iframe as how it got there and how to get rid of it. I believe what has happened is that you have stored your passwords in your FTP client. You have a trojan on your computer and it mines the passwords from the FTP client and then uploads the iframe to your index file. Also check your 404 file, if you have one. It will likely be there, too.
Here's what you need to do. First, get rid of the trojan on your computer. I suggest looking for this, "PWS:Win32/Daurso.gen!A" and delete it. Then go to your site(s) and remove the iframe from all pages. Next, change all of your passwords. Lastly, do not store the new passwords in your FTP client or anywhere else on your computer.
By the way, don't visit the URL listed in the iframe. It loads a ton of spyware. To get rid of spyware, I suggest using Malwarebytes (free). Use the full scan when you have time. It takes a long time (hours), if you have a lot of files.
Good luck.

Resources