When doing an http to https redirection in Application Gateway v1 by using redirection in a rule to another listener, the redirect response to the browser travels with the Server header set.
Is there a way to prevent this from happening? I'm not returning that header from the application and this is exposing that.
Please check if below workaround:
Also to remove all unnecessary headers from the ASP.NET response ,try to modify web.config .
<system.web>
<!-- Removes version headers from response -->
<httpRuntime enableVersionHeader="false" />
</system.web>
<system.webServer>
<httpProtocol>
<customHeaders>
<!--Removes following header from response -->
<remove name="X-AspNet-Version" />
<remove name="X-AspNetMvc-Version" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<security>
<!--Removes Server header from response-->
<requestFiltering removeServerHeader ="true" />
</security>
</system.webServer>
or
Try to use the application gateway to remove these headers: delete-unwanted-header (used in v2 )
References:
Removing standard server headers on Windows Azure Web Sites | Azure Blog and Updates | Microsoft Azure
security - Remove Server Response Header IIS7 - Stack Overflow
Rewrite HTTP headers with Azure Application Gateway | Azure Blog and Updates | Microsoft Azure
Related
[Error] Origin http://localhost:8100 is not allowed by Access-Control-Allow-Origin.
this error can be get on ionic applications when your trying to call web services (Http requests)
to sort out this issue easily place below codes to your api web.config file
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
you have to give access from server side then only app can use post or get apis
Background:
My team is moving to asp.net mvc 5 but we still have many applications we need to support written in ColdFusion. We have implemented an Asp.net MVC 5 application that will serve as the main point of entry to access all our ColdFusion applications and we have dropped each ColdFusion application inside a folder inside our MVC application like this
MVCApp
-- InternalApps
-----ColdfusionApp1
-----ColdfusionApp2
We are trying to control access to the Coldfusion applications by means of roles. In other words, if you have ColfusionApp1 role then you can access files inside MVCApp/InternalApps/ColdfusionApp1, all other users will be denied access to the ColdfusionApp1 directory and its containing files.
We implemented access control to the coldfusion directories and files inside directories by specifying rules in our MVC’s web.config like in this post ( Url Authorization with MVC and ASP.NET Identity ), and we made a slight modification to the previous solution because we want to control access by roles as in https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
In IIS the MVCApp is a Website and under the MVCApp Website the directory MVCApp/InternalApps/ColdfusionApp1 contains the Coldfusion code which becomes accessible once you run the Adobe ColdFusion Webserver Configuration Application that configures IIS to server ColdFusion files.
Problem:
The solution seems to work just fine if instead of Coldfusion files we put a static html file inside the ColdFusion directories, but the moment we drop the ColdFusion files and configure these files to be served by IIS using the wsconfig.exe (Adobe ColdFusion Webserver Configuration Application) then even if you specify authorization rules for ColdFusion files .cfm these files are still served to unauthorized users. Below is the navigation url patterns that work as expected and the one that fail to work as expected.
https://localhost/InternalApps/ColdfusionApp1 (block access to unauthorized users and redirects to login page)
https://localhost/InternalApps/ColdfusionApp1/index.cfm (lets any unauthorized user access this file)
We think that the problem we are having has to do with the order in which modules and handlers are configured. It seems that for .cfm files there is a handler or module that processes this request before the authorization rules can be applied.
Conclusion:
Role based authorization rules using the location tag in web.config work fine to prevent users from accessing a directory, but it does not work to prevent access to the ColdFusion files inside that directory.
Environment:
MS Server 2012 R2 with IIS 8.5
Visual Studio 2015 (Asp.net MVC 5, Asp.net Identity 2)
Oracle 12c Database
ColdFusion 2016
Snippet from web.config:
<system.web>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="InternalApps/ColdfusionApp1">
<system.web>
<authorization>
<allow roles="ColdfusionApp1"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
<handlers>
<add name="HtmlScriptHandler" path="*.html" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
<add name="CfmScriptHandler" path="*.cfm" verb="*" preCondition="integratedMode" type="System.Web.StaticFileHandler" />
</handlers>
</system.webServer>
My Web application is using a few backend APIs. I want to use proxy configured in web.config for 2 APIs but for 3rd API I want to bypass this proxy. The best solution for me is via web.config.
How to do it?
Best solution is via web.config.
I already found solution:
<system.net>
<defaultProxy enabled="true" >
<proxy proxyaddress="http://proxy.ccc.com:911" bypassonlocal="true" />
<bypasslist >
<add address="aaa.bbb.com" /> <!-- url not using proxy -->
</bypasslist>
</defaultProxy>
</system.net>
I have a Web API that has been deployed to a test and staging server. It is the only application running on that server. The API works fine when I access directly from the server it is deployed to but it doesn't work from any remote machine. I'm not getting a lot of information from Chrome or IE dev tools. Below is all I see in IE.
http://myapi.com/api/get/related (Aborted)
In Fiddler I am seeing a 502 - in Chrome I see this
[Fiddler] The socket connection to myapi.com failed.
ErrorCode: 10061.
No connection could be made because the target machine actively refused it [ip address]
The things I can tell you about the setup.
1) The App pool is v4.0 Integrated
2) Web.config contains
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
3) We are using web.config transforms for each environment. (This may be a potential cause of the issue if something is missing?)
i am working on asp.net mvc application. Recently i have integrated wordpress in my website in seprate directory
www.mysite.com/blog
blog is working fine but i am getting 500 - Internal server error. when i am trying to login.
www.mysite.com/blog/wp-login.php
If i removed web.config file and try to login then its working.I think there is missing some thing in my web.config file or any other issue.
Any suggestion to figure out this issue ?
I am going to update my question.
when i put on show iis error option.now this error is showing
HTTP Error 500.0 - Internal Server Error
C:\Php5\php-cgi.exe - The FastCGI process exceeded configured request timeout
I have no idea why this error is generating?
I have to changed my web.config setting.Now it is working fine
Previous setting is this
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
After Changing setting
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="false" />
</system.webServer>