Secure cookie not being set on AWS ASP.NET MVC website - asp.net-mvc

We had a security review that revealed that the cookies in our ASP.NET MVC application were not being set as secure, despite having the following setting in web.config:
<httpCookies requireSSL="true" httpOnlyCookies="true" />
The website is not using forms authentication so no need for <forms requireSSL="true"> setting.
The website is hosted on an AWS app server and is accessed via an ELB. Internally on the app server the website is HTTP but externally it is HTTPS.
I've tried to implement a solution found here:
http://www.jamescrowley.co.uk/2014/03/07/ssl-termination-and-secure-cookiesrequiressl-with-asp-net-forms-authentication/
I added the following rewrite rule to web.config:
<rewrite>
  <rules>
    <rule name="HTTPS_AlwaysOn" patternSyntax="Wildcard">
      <match url="*" />
      <serverVariables>
        <set name="HTTPS" value="on" />
      </serverVariables>
      <action type="None" />
      <conditions>
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" />
      </conditions>
    </rule>
  </rules>
</rewrite>
And added the HTTPS variable to applicationHost.config so that it contains:
<rewrite>
  <allowedServerVariables>
    <add name="HTTPS" />
  </allowedServerVariables>
</rewrite>
Unfortunately this causes the ELB to fail. When speaking to our internal AWS support team, they say this is because the ELB health check is failing. There is a health.html page in the root of the website. Is there a way of applying a condition to the above so that it ignores the health.html page which the ELB uses? I'm new to rewrite rules, so I'm not fully versed in the syntax and the way they work.

I can't test this yet, but in theory I think you would just need to change your conditions:
<conditions logicalGrouping="MatchAll">
  <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" />
  <add input="{REQUEST_URI}" negate="true" pattern="^/health.html$" ignoreCase="true" />
</conditions>
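As an added check (not part of the question or the answer), a small Python audit of the kind a reviewer would run on Set-Cookie headers captured through the ELB, reporting cookies that lack the Secure or HttpOnly attribute; the sample header values and cookie names are constructed.

```python
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return cookie names grouped by the protection they are missing."""
    findings: Dict[str, List[str]] = {"missing_secure": [], "missing_httponly": []}
    for header in headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            findings["missing_secure"].append(cookie["name"])
        if "httponly" not in cookie["attrs"]:
            findings["missing_httponly"].append(cookie["name"])
    return findings


# Constructed samples. BEFORE: behind the TLS-terminating ELB the application sees
# plain HTTP and the cookies come back without Secure (what the review found).
# AFTER: the rewrite rule has set HTTPS=on from X-Forwarded-Proto.
BEFORE_FIX = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "__RequestVerificationToken=tok; path=/; HttpOnly",
]
AFTER_FIX = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    "__RequestVerificationToken=tok; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_set_cookies(hdrs))
```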

Related

IIS - HTTPS and WWW Redirect

So I'm using IIS 8 and trying to redirect all versions of my site to one.
Say for example:
http://www.osrshub.com
www.osrshub.com
osrshub.com
http://osrshub.com
https://osrshub.com
https://www.osrshub.com
When a user hits any of these links I need it to redirect to one main link:
https://www.osrshub.com
I'm using Windows Server 2012.

This rule will redirect everything to https://www.osrshub.com:
<rule name="All in one rule" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAny">
    <add input="{HTTPS}" pattern="off" />
    <add input="{HTTP_HOST}" pattern="^www\.osrshub\.com$" negate="true" />
  </conditions>
  <action type="Redirect" url="https://www.osrshub.com/{R:0}" />
</rule>
You need to add this rule in your web.config file.

Enable Strict transport security mvc

I want to enable strict transport security.
My website is HTTPS enabled.
Below is my code to enable HSTS.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
      .....
    </customHeaders>
  </httpProtocol>
</system.webServer>
Is the above setting enough to enable strict transport security, or do I also need to add the setting below, i.e.
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
              redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security"
             pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>
  </outboundRules>
</rewrite>
If both settings are mandatory, then what is the need for the rewrite? Can we enable HSTS with only the header, or with only the rewrite? Why is the rewrite required?
This site says to add the rewrite along with
<add name="Strict-Transport-Security" value="max-age=31536000"/>
This header forces the browser to use HTTPS. If the application has an HTTP link somewhere, or if the user tries to enter a URL with HTTP, the browser will redirect him to HTTPS. To use HSTS, the site needs a valid SSL certificate. The rewrite is not mandatory, but it's good to have. Because, if the user first enters the site with HTTPS, then whenever he comes to the site, the user will be automatically redirected until expiry, and the max age updates on each visit. But if the user enters once in HTTP mode, STS may not work until he uses the site in HTTPS once. It's better to use the rewrite.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=xxxxxx"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
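The answer's point that the header only takes effect once the browser has received it over HTTPS, shown as an added Python model of a browser's HSTS cache (not code from the post; the host name is constructed):

```python
from typing import Dict, Optional, Tuple

def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse Strict-Transport-Security -> (max_age, includeSubDomains); None if invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None          # RFC 6797: a non-numeric max-age makes the header invalid
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Toy model of a browser's HSTS cache: host -> absolute expiry (seconds)."""

    def __init__(self) -> None:
        self.policies: Dict[str, float] = {}

    def observe(self, scheme: str, host: str, header: Optional[str], now: float) -> None:
        """Record the policy carried by a response, if the UA is allowed to trust it."""
        # The header is ignored on plain-HTTP responses, so a site first reached over
        # http:// gains nothing from it until the user lands on an https:// page.
        if scheme != "https" or header is None:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, _ = parsed
        if max_age == 0:
            self.policies.pop(host, None)            # max-age=0 withdraws the policy
        else:
            self.policies[host] = now + max_age      # each HTTPS visit refreshes the expiry

    def should_upgrade(self, host: str, now: float) -> bool:
        """True when the UA must rewrite http://host/... to https:// before connecting."""
        expiry = self.policies.get(host)
        return expiry is not None and now < expiry

HSTS_HEADER = "max-age=31536000"   # the value used in the post

def first_visit(scheme: str) -> bool:
    # Does a later http:// navigation get upgraded after one visit over `scheme`?
    store = HstsStore()
    store.observe(scheme, "www.example.test", HSTS_HEADER, now=0)   # constructed host
    return store.should_upgrade("www.example.test", now=3600)
```

`first_visit("http")` is False and `first_visit("https")` is True, which is why the redirect rule is worth having: it turns the first HTTP visit into an HTTPS one, where the header is honoured.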

Can I prevent remote access to Umbraco back office?

We are running Umbraco 7.4. Due to a corporate security requirement, we need to prevent people from reaching oursite.com/umbraco from anywhere except the server itself, as localhost/umbraco. I have tried an IIS rewrite for /umbraco#/ to no avail. I tried an IIS deny rule for /umbraco, but that actually broke some other stuff around our site. Is there some other awesome way to prevent remote access to the Umbraco back office?

I have done a similar thing with IIS rewrite rules where you can only access the back office from a specific set of domains (hence the wildcard matching). You could use this to only allow access from localhost. NOTE: place the rule in the umbraco folder, not in the main site web.config. The full web.config contents to place in the umbraco folder are:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Umbraco only from localhost" enabled="true" patternSyntax="Wildcard"
              stopProcessing="false">
          <match url="*" negate="false" />
          <action type="Rewrite" url="/UmbrSubDir404" appendQueryString="false"
                  logRewrittenUrl="false" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
            <add input="{URL}" pattern="*RestServices/ScheduledPublish*"
                 negate="true" />
            <add input="{URL}" pattern="*umbraco/Api/*" negate="true" />
          </conditions>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Can't load Rails application on IIS

I have spent the past few hours trying to deploy my Ruby on Rails app to my Windows Server 2008 R2 VPS running IIS 7.5.
I thought it was going well up until the point I got this error when trying to access the site via my browser:
Error Helicon Zoo module has caught up an error.
Please see the details below.
Windows error The system cannot find the path specified. (ERROR CODE: 3)
Internal module error message:
Can't CreateDirectory '' file type: ZooException file: Common\WinApi.cpp
line: 253 version: 3.1.98.538
The log file itself is even less helpful:
[13.02.2016 02:47:48.751921] [v 3.1.98.538] [tid 0x000100d4] [sev 2] # 26373856 Application has been started
[13.02.2016 02:47:48.831925] [v 3.1.98.538] [tid 0x000100d4] [sev 2] # 26373856 Application has been terminated
The path of the CreateDirectory bit seems strange to me, but I can't figure out where it's coming from.
The site runs fine on my local machine, but my local machine is on Fedora so doesn't use web.config files. Unfortunately I'm stuck with my Windows server for the time being, so Linux hosting isn't an option at the moment.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <heliconZoo>
      <clear />
      <application name="ruby.project">
        <environmentVariables>
          <add name="RAILS_RELATIVE_URL_ROOT" value="%APPL_VIRTUAL_PATH%" />
          <add name="DEPLOY_FILE" value="deploy.rb" />
          <add name="RACK_ENV" value="development" />
          <add name="CONSOLE_URL" value="console" />
        </environmentVariables>
      </application>
    </heliconZoo>
    <handlers>
      <remove name="ruby.project#x86" />
      <remove name="ruby.project#x64" />
      <add name="ruby.project#x64" path="*" verb="*" modules="HeliconZoo_x64" scriptProcessor="ruby.2.0.rack" resourceType="Unspecified" requireAccess="Script" preCondition="bitness64" />
      <add name="ruby.project#x86" path="*" verb="*" modules="HeliconZoo_x86" scriptProcessor="ruby.2.0.rack" resourceType="Unspecified" requireAccess="Script" preCondition="bitness32" />
    </handlers>
    <!-- URL Rewrite rules to pass static files, limit console access, etc. -->
    <rewrite>
      <rules>
        <!-- This rule rewrites '/' requests to /public/index.html -->
        <rule name="index" stopProcessing="true">
          <match url="^$" ignoreCase="false" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
            <add input="{APPL_PHYSICAL_PATH}" pattern="(.*)" ignoreCase="false" />
            <add input="{C:1}public\index.html" matchType="IsFile" />
          </conditions>
          <action type="Rewrite" url="public/index.html" />
        </rule>
        <rule name="Static Files" stopProcessing="true">
          <match url="^(?!public)(.*)$" ignoreCase="false" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
            <add input="{APPL_PHYSICAL_PATH}" pattern="(.*)" ignoreCase="false" />
            <add input="{C:1}public\{R:1}" matchType="IsFile" />
          </conditions>
          <action type="Rewrite" url="public/{R:1}" />
        </rule>
        <rule name="Rails 3.1 assets" stopProcessing="true">
          <match url="^assets/(.*)$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
            <add input="{APPL_PHYSICAL_PATH}" pattern="(.*)" ignoreCase="false" />
            <add input="{C:1}app\assets\{R:1}" matchType="IsFile" />
          </conditions>
          <action type="Rewrite" url="app/assets/{R:1}" />
        </rule>
        <!-- This rule shows the welcome page when no Rack application exists. -->
        <rule name="Rewrite to Zoo index if that's an empty application" stopProcessing="true">
          <match url="^/?$" ignoreCase="false" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
            <add input="{APPL_PHYSICAL_PATH}" pattern="(.*)" ignoreCase="false" />
            <add input="{C:1}config.ru" matchType="IsFile" negate="true" />
          </conditions>
          <action type="Rewrite" url="public/zoo-index.html" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
Up to this point I have:
Reset the website (multiple times)
Run deploy.rb (multiple times)
Played with folder permissions, even at one point allowing special access to everyone (don't worry, I've retracted that now)
Refreshed the app pool
I've searched through Google but can't seem to find anything. Does anyone here have any suggestions?
The error can actually be seen here at the moment: https://bonniechef.com/
Hopefully not for much longer...
Sorry Doug, I can no longer provide support for this Web Platform Installer-based version of Zoo as I am working on a new standalone version and these versions have completely different configuration and processing logic. This new version is almost finished and I am finalizing installations and deployment of the whole system, however, I work on this project alone now and support for older products and other issues eats up most of my time. Still considering making it open source, but arranging a good open source project will require even more time and commitment. I expect to make a release within a month. This new version will be supported and actually will be much easier to maintain and more transparent as we will control most aspects of the product.
Sorry for the inconvenience.

"Rewrite to HTTP" rule in web.config broke a Visual Studio local development site

When I added the following HTTPS redirect rule to my web.config in my local VS test environment, and then built the app for debug, it gave a 403 on the start page. (The rule itself worked fine in a brief standalone test web.config up on Azure.)
After I commented the rule out of the local web.config, I still got the 403. I restored the previous web.config and still got the 403. I then changed the start page, and was able to enter the app and navigate to the original start page. Then I tried to put the rule back in and test it all over again, and I started getting config string errors. Finally I restored the entire site from backup, ran it around the whole cycle, and it seems to work.
What might have happened? Did the rule apply to local IIS and confuse it? And so, should I not add the rule until I deploy the site?
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Force HTTPS" enabled="true">
        <match url="(.*)" ignoreCase="false" />
        <conditions>
          <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
  <directoryBrowse enabled="false" />
</system.webServer>