I have already referred to this post. But my query is a little different since I want to know if I can achieve this from IIS?
Here is how the Remote Address looks like when I inspect element.
Now, the problem is the IP that is seen is of the server where all my files for the website are deployed and there are concerns from the security team as follows
The application discloses internal IP addresses which can aid
attackers in mapping out the internal infrastructure of the network.
This information can be used to craft other types of attacks.
Here is what I have tried so far..
So in the web.config I was able to remove some other details that were showing in the Response Headers like the asp.net version etc.
<httpProtocol>
<customHeaders>
<add name="X-UA-Compatible" value="IE=edge" />
<add name="X-Frame-Options" value="ALLOW-FROM https://dev.org.com"/>
<add name="Content-Security-Policy" value="frame-ancestors 'self' https://dev.org.com"/>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
<remove name="ETag"/>
<remove name="X-AspNet-Version" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
My question..
I understand one solution here is to mask a Proxy IP, but if there is some sort of setting that I can apply from IIS or web.config to achieve this, then I'd prefer that.
I'm afraid IIS can't help in this case.
Because there is no server variable indicate the IP address of remote server. IIS can only help you rewrite server variable and it is obviously that Server's IP is not included in either request or response context.
I think chrome might get the value from either TCP connction or DNS response.
If you want to hide it, you may have to create a reverse proxy.
https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Related
I inherited an older .NET 4.7 MVC application that is hosted in Azure and sat behind a reverse proxy (Application Gateway). Rewrite rules were setup to get it working using the right domain when requests are forwarded from the reverse proxy, this was the rewrite rule in place:
Web.Config
<rule name="Set HOST header based on X-Original-Host header">
<match url="(.*)"></match>
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_X_ORIGINAL_HOST}" pattern="^$" negate="true" />
</conditions>
<serverVariables>
<set name="HTTP_HOST" value="{HTTP_X_ORIGINAL_HOST}"></set>
</serverVariables>
</rule>
I understand that Application Gateway (v1) used non-standard headers like X-Original-Host (instead of X-Forwarded-Host) which is why the rule above applied to set the IIS server variable.
Now, we have migrated to Front Door which sends the standard X-Forwarded headers. That now means the rule above doesn't work by default and I have resorted to workarounds by sending the "X-Original-Host" header manually for each request (using routing rules).
I want to do away with all that and use the standard X-Forwarded-Host header to set the HTTP_HOST server variable.
Questions:
Do I just easily replace HTTP_X_ORIGINAL_HOST with
HTTP_X_FORWARDED_HOST?
I've tried to find documentation related to
the values above but can't, can someone please point me to the right
direction?
Some people are saying to use <proxy enabled="true" preserveHostHeader="true" /> under system.webServer but I can't find official Microsoft documentation regarding this
Basically, I want to know how to set the HTTP_HOST variable with the X-Forwarded-Host header.
I have an asp.net Web API server running under IIS, that until now has used windows authentication as it has only had other services running on the same domain conencting to it.
So, in my web.config I have the following settings...
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
....
With this I can use a browser (or the services) on the same domain and reach my services.
Now we want to allow Mobile applications to also connect. We will be using a a token based scheme based on this, and so far to use this I need to turn off the Windows authentication in my web.config to use this. If I leave in the windows configuration as above, I don't even get any of the Owin middle where methods (or custom filters) called when I, for example, se Postman to call a route with no windows authentication set.
So my question is
How can I allow either authentication, so that even a Browser (on the same domain) can still call the routes and be authenticated (via the Negotiate), but also allow other clients to use the token based scheme? Also (very important) how do I configure this in web.config to allow both?
Thanks in advance for any help!
I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.
I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)
Require SSL communication for all requests
Map multiple client certificates to a single user
Require the user to be authenticated
Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.
So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<authentication>
<anonymousAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
<manyToOneMappings>
<add name="Authentication Certificate"
enabled="true"
permissionMode="Allow"
userName="foo"
password="bar">
<rules>
<add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
</rules>
</add>
</manyToOneMappings>
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
Going in order:
Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.
Map multiple client certificates to a single user - I dunno. I will pass on this one.
Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:
<authorization>
<deny users="?"/>
</authorization>
We're using Elmah as our error logging system for an app that will be going into production soon. It's extremely useful, but if it goes into production like this anyone in the world access the error log because all they have to do is visit ourdomain.com/elmah.axd.
This is obviously not ideal. I originally intended to restrict access to that page only to IP addresses within our company, but now our SysAdmins are saying that's not possible. So I'm asking here how can I prevent access to this resource?
We running an ASP.NET MVC app on IIS 6.
The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn't use any authentication at all this might not be applicable.
Here's what I would recommend you:
Disable completely the elmah.axd handler on your main site
Configure elmah to write the logs to some shared data source (like a shared file, SQLite database or even SQL Server)
Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.
If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.
I found this is most acceptable for MVC applications:
http://www.beletsky.net/2011/03/integrating-elmah-to-aspnet-mvc-in.html
You can point the elmah http handler to another url (for example "Secure/elmah.axd") in web.config. You can secure the url as any other asp.net page in the web config.
<httpHandlers>
...
<add verb="POST,GET,HEAD" path="/Secure/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<location path="Secure" > <!-- secure the host.com/Secure path -->
<system.web>
<authorization>
<deny users="?" />
<!-- Or anything else... -->
</authorization>
</system.web>
</location>
We are successfully using this approach on IIS7 using active directory membership providers, and it works great. I am not sure if it works on IIS6 though.
If you're using ASP.NET Membership, it's pretty easy to restrict access to the elmah.axd HttpHandler for anonymous users and only allow logged in users in an "Administrators" group. I've done it like this:
<configuration>
...
<location path="elmah.axd">
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Anybody who's logged in AND member of the "Administrators" role can access the page now.
Here are some useful links:
Securely Implement ELMAH For Plug And Play Error Logging
Securing Error Log Pages
If your intention is to disable remote users from accessing it, simply change the value of <security allowRemoteAccess="yes" /> to <security allowRemoteAccess="no" />
I used IP Restrictions from the IIS 7 configuration. By default, you can't simply apply it in <location path="elmah.axd"> because it's locked on the parent configuration level. As such, I created an empty folder "logs" and applied restrictions in IIS to this folder, then modified the location path for the elmah.axd file. That's it! You have remote access to yourdomain.com/logs/elmah.axd, but only from specific IPs.
I have plugged in the HttpCompress module to enable compression for my MVC web application.
If I run my site through the development web server (Cassini) I have no troubles with the execution of compression.
However when I deploy the site to IIS6 the compression is not executing. I have checked the source code of the compression library and the CompressContent handler returns without acting becuase a null value exists for
app.Request.Headers["Accept-Encoding"]
My best guess is that this has something to do with the handling of extensionless urls in IIS6. What do I need to do to fix this problem in production?
[ below is the config for the module, if that is of any assistance ]
<blowery.web>
<httpCompress preferredAlgorithm="deflate" compressionLevel="high">
<excludedMimeTypes>
<add type="image/jpeg" />
<add type="image/png" />
<add type="image/gif" />
<add type="application/pdf" />
</excludedMimeTypes>
<excludedPaths></excludedPaths>
</httpCompress>
</blowery.web>
Some further investigation discovered that I was accessing the server via a proxy, and it appears that the proxy was not forwarding the compression headers to IIS.
It seems the easiest way to identify a proxy meddling with the request is to check the response headers for a via entry.
See the complete list of http headers as a homework task.