Publishing .cs extensions and others in IIS 7.0 - html

I'm developing a Web application and running it using IIS. My application is a file server. I need to visualize files in the web browser and I have some troubles viewing some files or directories.
For example, I'm not able to view files with .cs extension or the content of directories called bin. The Web server returns a 404 for those URLs:
Server Error
HTTP Error 404 - File or directory not found.
Description: The resource you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
Server Version Information: Internet Information Services 7.0.
I guess that this is a kind of protection that IIS has. My questions are:
Do you know why IIS is filtering those files?
Do you know how to configure IIS to allow retrieving those URLS?
And the most important question for me:
I need to deploy my Web application for many costumers, so I would like to configure it programatically. Do you know if it can be configured in the Web application, instead the IIS properly? In other case, how could I configure it with a script or similar?

Well,
Finally I had to change the IIS settings, allowing to override the requestFiltering:
In file %systemroot%\System32\inetsrv\config\applicationHost.config change:
<section name="requestFiltering" overrideModeDefault="Allow" />
And then I used the following configuration in my Web.config:
Note that now all the files in the Web server are unprotected. You need to setup your rules in order to protect your bin directory, and also your code files, or whatever you want.
<system.webServer>
<security>
<!-- Very important, the IIS configuration must have the
overrideModeDefault to allow in the file
%systemroot%\System32\inetsrv\config\applicationHost.config -->
<!-- section name="requestFiltering" overrideModeDefault="Allow" /> -->
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension=".asa" />
<remove fileExtension=".asax" />
<remove fileExtension=".ascx" />
<remove fileExtension=".master" />
<remove fileExtension=".skin" />
<remove fileExtension=".browser" />
<remove fileExtension=".sitemap" />
<remove fileExtension=".config" />
<remove fileExtension=".cs" />
<remove fileExtension=".csproj" />
<remove fileExtension=".vb" />
<remove fileExtension=".vbproj" />
<remove fileExtension=".webinfo" />
<remove fileExtension=".licx" />
<remove fileExtension=".resx" />
<remove fileExtension=".resources" />
<remove fileExtension=".mdb" />
<remove fileExtension=".vjsproj" />
<remove fileExtension=".java" />
<remove fileExtension=".jsl" />
<remove fileExtension=".ldb" />
<remove fileExtension=".dsdgm" />
<remove fileExtension=".ssdgm" />
<remove fileExtension=".lsad" />
<remove fileExtension=".ssmap" />
<remove fileExtension=".cd" />
<remove fileExtension=".dsprototype" />
<remove fileExtension=".lsaprototype" />
<remove fileExtension=".sdm" />
<remove fileExtension=".sdmDocument" />
<remove fileExtension=".mdf" />
<remove fileExtension=".ldf" />
<remove fileExtension=".ad" />
<remove fileExtension=".dd" />
<remove fileExtension=".ldd" />
<remove fileExtension=".sd" />
<remove fileExtension=".adprototype" />
<remove fileExtension=".lddprototype" />
<remove fileExtension=".exclude" />
<remove fileExtension=".refresh" />
<remove fileExtension=".compiled" />
<remove fileExtension=".msgx" />
<remove fileExtension=".vsdisco" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
<remove segment="bin" />
<remove segment="App_code" />
<remove segment="App_GlobalResources" />
<remove segment="App_LocalResources" />
<remove segment="App_WebReferences" />
<remove segment="App_Data" />
<remove segment="App_Browsers" />
</hiddenSegments>
</requestFiltering>
</security>
...
</system.webServer>

When you install the .NET Framework and register ASP.NET will will by default tell IIS to not serve these files. If you REALLY want around this you will need to modify the Request Filtering section in IIS.
The bellow example shows how you would enable .cs extensions:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".cs" />
<add fileExtension=".cs" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>

This is a security measure due to asp.net being installed on the system.
From Microsoft
All requests with /bin in the URL are
rejected and return a 404 error (IIS
6.0)
This occurs when IIS 6.0 and ASP.NET are both installed. In order
to take a more proactive stance
against malicious users and attackers,
the ASP.NET ISAPI filter,
aspnet_filter.dll, blocks incoming
request containing /bin in the URL.
This behavior occurs server-wide,
regardless whether the request is for
static or dynamic content.
The
preferred solution to this issue is to
modify the path to content on the
server so that /bin is not necessary
in any request.
If the content URL
cannot be modified, an alternative
solution is to set a registry key that
stops the ASP .NET ISAPI filter from
filtering requests containing /bin in
the URL. This is a server-wide
setting.
Better to avoid all /bin folders than enable that on your server
To enable serving .cs files try this Serverfault article
https://serverfault.com/questions/175499/serving-cs-csproj-files-on-iis7-5
As their suggestion is a webconfig fix, you can apply it on a per site basis as you wanted.

I would suggest that you're doing things wrong. You don't want IIS to serve your files directly from disk for a variety of reasons (for example, any .html or .xml file will get renedered then, rather than downloading its contents).
What you want to do is have your code send the files to the user, rather than letting IIS do it. This will bypass IIS's restrictions (beacuse it's you sending the code, not it) and it will still keep IIS's restrictions in place for your applications folder structure.

Those files are filtered for security, for example if I know your website has a page at http://example.com/default.aspx I might be able to just download the code for that page by entering http://example.com/default.aspx.cs in my browser. Same goes for the bin folder.
How are you trying to display these files is it through your own UI or enabling directory browsing?

Related

Error 404 on Angular 2 app when deployed to Azure

I have an angular 2 app with a simple server.js as a node.js BE.
I have deployed my application to Azure and I'm at the point that the application loads and shows me the welcoming page.
When I reach a component that tries to read a local JSON via an HTTP request I'm getting a 404 error (that I don't receive in my local environment).
The code to read the json is the following:
private ReadFromJson(path: string): Observable<string[]> {
return this._http.get(path)
.map((response: Response) => <string[]>response.json())
.do(data => console.log('All: ' + JSON.stringify(data)))
.catch(this.handleError);
}
where the actual path passed is the one showed in the console.
I have done two things: First I made sure that the file is actually there using the Azure CLI, and it is there as expected.
Secondly, after viewing many posts the only other solution I found was to add the MIME type as suggested here, but that didn't work for me as well.
I would really like some help in understanding and be troubleshooting the problem, any suggestion is welcomed!
Update:
If your app is just front-end (Angular) app, then you no longer need to serve these static files via Node.js. Because by default Azure App Service have installed IIS on it and IIS can serve any file type by doing some configuration. So, in this case, you can just keep web.config looking like below and put it to "site/wwwroot/dist".
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.webServer>
<staticContent>
<remove fileExtension=".json" />
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
</configuration>
As you deployed a Node.js on Azure App Service, which would host your app using iisnode, and you probably have a web.config file that looks like the content in this link.
By default, this configuration file assumes the static file in the /public folder.
<!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
<rule name="StaticContent">
<action type="Rewrite" url="public{REQUEST_URI}" />
</rule>
So, after you add this to web.config,
<staticContent>
<remove fileExtension=".json" />
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
please make sure the static files were put into /public file.
I ran into the same problem last week and thought maybe i should share my findings since i got it to work as desired.
I deployed the app developed using angular cli and built using the same. I copied over all files in the /dist folder over to azure and added a web.config (this was a lot of hit and trial) but i learned that a rewrite rule for angular was required which can process the webpack bundled assets and not return a 404.
Here is the web,config and i believe it should work for you as-is:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<httpRuntime maxQueryStringLength="32768" maxUrlLength="65536" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxQueryString="32768" />
</requestFiltering>
</security>
<rewrite>
<rules>
<rule name="AngularJS" stopProcessing="true">
<match url="^(?!.*(.bundle.js|.bundle.map|.bundle.js.gz|.bundle.css|.bundle.css.gz|.png|.jpg|.ico|.svg|.eot|.woff|\​.woff2)).*$" />
<conditions logicalGrouping="MatchAll"></conditions>
<action type="Rewrite" url="/" appendQueryString="true" />
</rule>
</rules>
</rewrite>
<staticContent>
<remove fileExtension=".svg" />
<remove fileExtension=".eot" />
<remove fileExtension=".woff" />
<remove fileExtension=".woff2" />
<mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
<mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
<mimeMap fileExtension=".woff2" mimeType="application/font-woff" />
</staticContent>
</system.webServer>
</configuration>
<!--
This is required for the app to work in Azure or an ASP.NET hosting environment because the woff files
are not treated as static content on Azure as well as the routing breaks without the rewrite rule below
and app or rather the server returns a 404.
-->
Below suggestion worked wonders.
If your app is just front-end (Angular) app, then you no longer need to serve these static files via Node.js. Because by default Azure App Service have installed IIS on it and IIS can serve any file type by doing some configuration. So, in this case, you can just keep web.config looking like below and put it to "site/wwwroot/dist".
Adding web.config worked
Thanks for excellent solution.

How to get ELMAH to log to MySQL?

I've been looking around with this question and there are barely any answers.
Previously, we have been using ELMAH to log to a table in Microsoft SQL Server, however we are changing the backend to use MySQL instead(MariaDB specifically).
So all was fine, the errors had been logging to SQL Server. I have installed the ELMAH MySql package and changed the connection strings to use the new MySQL table. However, when an error is thrown, no error gets logged. I'm confused to why this is happening.
It really doesn't help that there are virtually any documentation on this. For example, are you supposed to just install ELMAH.MySQL on its own? Or does it need to go with my previous ELMAH configurations?
ELMAH webconfig:
<connectionStrings>
<!-- TODO: Replace the ****'s with the correct entries -->
<add name="elmah-mysql" connectionString="server=web01;UserId=root;Password=Tr#nsf0rmers;database=elmah; CharSet=utf8;Persist Security Info=True" />
</connectionStrings>
<elmah>
<security allowRemoteAccess="0" />
<errorLog type="Elmah.MySqlErrorLog, Elmah.MySql" connectionStringName="elmah-mysql" />
</elmah>
<appSettings>
<add key="elmah.mvc.disableHandler" value="false" />
<add key="elmah.mvc.disableHandleErrorFilter" value="true" />
<add key="elmah.mvc.requiresAuthentication" value="false" />
<add key="elmah.mvc.IgnoreDefaultRoute" value="false" />
<add key="elmah.mvc.allowedRoles" value="*" />
<add key="elmah.mvc.allowedUsers" value="*" />
<add key="elmah.mvc.route" value="elmah" />
<add key="elmah.mvc.UserAuthCaseSensitive" value="true" />
</appSettings>
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
</httpModules>
<modules>
<remove name="FormsAuthentication" />
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
<add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
</modules>
Exception handler:
public class ElmahHandledErrorLoggerFilter : IExceptionFilter {
public void OnException(ExceptionContext context) {
// Log only handled exceptions, because all other will be caught by ELMAH anyway.
if (context.ExceptionHandled)
ErrorSignal.FromCurrentContext().Raise(context.Exception);
}
}
It hits this code.
Seriously, what gives?
Right well I managed to get it to work by doing the following. I uninstalled all of my ELMAH references. Reinstalled them, installed the MySQL ELMAH package and then changed the connection strings and it worked. Just like that.
Follow this guide: https://dillieodigital.wordpress.com/2011/03/30/elmah-a-quick-start-tutorial-and-guide/
And convert to MySQL where he uses SQLite instead.

ASP.NET Razor Site: "This type of page is not served"

I've created an empty ASP.NET website (i.e. razor web pages) but I'm unable to reach the index.cshtml page.
This is true whether I have 'index.cshtml' in the URL or not.
The error pages says:
Server Error in '/' Application.
This type of page is not served.
Description: The type of page you have requested is not served because
it has been explicitly forbidden. The extension '.cshtml' may be
incorrect. Please review the URL below and make sure that it is
spelled correctly.
Requested URL: /index.cshtml
Here is the entire contents of the web.config
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="webpages:Enabled" value="true"/>
<add key="webpages:Version" value="3.0.0.0"/>
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5"/>
<httpRuntime targetFramework="4.5" enableVersionHeader="false" requestValidationMode="2.0"/>
<pages validateRequest="false"/>
</system.web>
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true">
<fileExtensions>
<remove fileExtension=".cshtml"/>
<add fileExtension=".cshtml" allowed="true"/>
</fileExtensions>
</requestFiltering>
</security>
<defaultDocument>
<files>
<remove value="index.cshtml"/>
<add value="index.cshtml"/>
</files>
</defaultDocument>
</system.webServer>
</configuration>
Can anyone tell me what I'm missing (or what I've added and which shouldn't be there)?

Azure deployment with .json file extension

We are deploying an azure package where we have a static .json file. We have this working through the azure emulator and locally. but our application just spins when we run it in azure. We are getting a 404 on the app.json file. We have added the mime type to our local iis with the appropriate handler, below is what we have in our web.config. We have set the mime type of application/x-javascript but that didnt work either.
<system.webServer>
<staticContent>
<mimeMap fileExtension=".json"
mimeType="text/html" />
</staticContent>
<handlers>
<add name="JSON"
path="*.json"
verb="*"
modules="IsapiModule"
scriptProcessor="%path%\asp.dll"
resourceType="Unspecified"
preCondition="bitness64" />
</handlers>
</system.webServer>
Adding
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".json" mimeType="text/html" />
</staticContent>
</system.webServer>
</configuration>
to my web.config in an Azure instance worked just fine. Most likely, your deployed web.config isn't configured properly. To check it out, enable RDP, connect to your Azure instance and browse to your web.config. Then you can fiddle with your web.config until you get things working.
Because you're serving up a static .json file, you don't need to add a .json HTTP handler. Also, the offical mime type for .json is application/json.

Allow MDB Downloads in IIS7

Currently if I am hosting an Access .MDB file to allow users to download, IIS7 is throwing a 404 error. I know the file is there and the permissions are fine. It appears to be a Handler issue, but I cannot figure out how to change the handler to allow downloading of MDB file. I assume I need to add something to the Handlers section of the web.config, but I am unsure of the syntax.
Thanks.
Or, if you don't want to modify a system-wide configuration file, you could add the following lines to that section in your web.config:
<remove fileExtension=".mdb" />
<add fileExtension=".mdb" allowed="true"/>
For example your Web.config should be similar to this:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true" >
<remove fileExtension=".mdb" />
<add fileExtension=".mdb" allowed="true"/>
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Also see http://www.adamwlewis.com/articles/iis-7-not-serving-files-4047-error.
OK, found it.
Just need to remove the following line:
<add fileExtension=".mdb" allowed="false" />
in the "requestFiltering" section from the \Windows\System32\inetserv\config\applicationHost.config file.