Slow HTTP POST vulnerability on azure - asp.net-mvc

I have asp.Net MVC web application deployed on azure. And have some problems with Slow HTTP POST vulnerability. So I want to configure <\limits> to turn on connectionTimeout.
I can`t do this in Web.config (or mb just don`t know right place to write it).
In guides this thing configure on iis, but how to do this in azure?

The setting that you are talking about connectionTimeout needs to be set in the applicationhost.config file. This file is not found as part of your project, but is part of your azure website. If you want to view the configuration settings in this file you can go to the kudo service for your site which can be accessed by following the directions here:
https://github.com/projectkudu/kudu/wiki/Accessing-the-kudu-service
To get to the location of the file go to the cmd console, click on the globe icon and it should be in the the Configure folder. That is how you view the current settings. To actually change the settings you need to create an xdt transform file and drop it into your site root and restart the site. This can be done using ftp (the ftp host url can be found in the azure portal for you site).
You are also going to want to configure your <\webLimits> as well to help prevent a slow post attack.

Related

Windows Server 2019: IIS 10: HTTP Error 403.14 - Forbidden: The Web server is configured to not list the contents of this directory

All,
I am migrating a working .Net Framework Website from IIS 8.5 on a Microsoft Windows Server 2012 to IIS 10 on a Microsoft Windows Server 2019.
The new web site is showing the error
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
As far as I can see the website on the new server is configured the same as on the existing.
Neither have directory Browsing enabled nor a default file set as is recommended by most of the posts which exist discussing this error.
I have run the following which is also recommended.
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -ir
The problem still exists.
I came across a post saying there might be an issue if paths referenced in the web.config are not correct but they look fine.
Has anyone got any insight into what else might cause this issue?
Are there any differences between IIS 8.5 and IIS 10 or between windows servers 2012 and 2019 which might cause this issue?
Thanks
This problem occurs because the website doesn't have the Directory Browsing feature enabled. Also, the default document isn't configured. To resolve this problem, use one of the following methods:
Method 1: Enable the Directory Browsing feature in IIS
To resolve this problem, follow these steps:
Start IIS Manager. To do it, select Start, select Run, type inetmgr.exe, and then select OK.
In IIS Manager, expand server name, expand Web sites, and then select the website that you want to change.
In the Features view, double-click Directory Browsing.
In the Actions pane, select Enable.
Method 2: Add a default document
To resolve this problem, follow these steps:
Start IIS Manager. To do it, select Start, select Run, type inetmgr.exe, and then select OK.
In IIS Manager, expand server name, expand Web sites, and then select the website that you want to change.
In the Features view, double-click Default Document.
In the Actions pane, select Enable.
In the File Name box, type the name of the default document, and then select OK.
More information you can refer to this link: HTTP Error 403.14 - Forbidden when you open an IIS webpage.
All those clowns glibly posting that "HTTP Error 403.14 - Forbidden: The Web server is configured to not list the contents of this directory" can be fixed by configuring the web site by either enabling the Directory Browsing feature or adding a default document are really not understanding what they are talking about. Anyone can copy a solution from one post and paste to another.
I'm not going to pretend I know what I am talking about but I have fixed my issue and will share what I did here to see in the hope it helps others.
I created a project (of the same type as the application I was trying to deploy) using my IDE (MSVS) in the same .Net version of the application I was trying to deploy. In this case it was creation of an MVC project in .Net Framework 4.5.
I did nothing to it. All I wanted was a skeleton.
I replaced all the files in the home directory of the web site I had an issue with, with the files of this skeleton project.
I attempted to browse to the web site and it worked successfully. Note the directory browsing was not enabled nor was a default directory set.
This proved to me that those settings were irrelevant.
Having googled around, some sites point to paths in config files causing an issue if they do not exist, eg a logging path to d:\logs where that directory was missing. It didn't fix my issue but there's no harm checking.
I stumbled across a post which talked about the roles and features enabled on the server. In Web Server (IIS)/Web Server/Application Development they had selected "Application Initialisation" and "ASP".
The Windows Sever 2012 server I was moving the application from, where it work without a hitch, did not have those selected so had not selected them on the Windows Server 2019 I was moving them to when I set that server up.
It made no sense that this would be the solution but having tried everything else I activated those two options.
Stone me if the issue was resolved.
As a check I removed those two options and the problem came back and when I reselected them it went away again.
This struck me as pretty conclusive only having thought I'd found the cause of the problem I built the website from scratch and the problem came back again.
It took a number of iterations but eventually I got there, more by luck than judgement and whatever the cause was it was due to an issue in the application which wasn't being logged in event viewer so focus on permissions to files being written to: not only that the app pool account is set up on the directories it needs access to but also that it has modify or even full control.
All those muppets robotically posting advice on configuring the web site by either enabling the Directory Browsing feature or adding a default document will no doubt copy this and paste it into their posts to claim the credit but c'est la vie.
I hope this post is of use to someone, apart from those muppets.

How can I publish/upload ASP.NET MVC 5 Website

I have never published an ASP.NET MVC website to a hosted server. I have read and followed instructions and failed with publishing from Visual Studio directly to the hosted server. I used FTP publish method, provided required credentials, then published the website successfully. When I do this, I get the error when I try to access the website:
500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.
I thus followed another instruction to publish to a local folder, using File System method, then uploaded the contents of that local folder using ftp to the hosted server. This gives me this error when I try to access the website:
Server Error
403 Forbidden
You do not have permission to access this document.
I would have loved the second method to work, but looking at the folder content, I can see some folders like App_Start missing, which I know is where start up pages are managed from, so I am not sure whether this is a proper procedure.
I would love some advice on how to publish this website. It would also be great to find a way that will allow updating changes, instead of publishing the entire website whenever changes are made.
I am using VS2019, and a .net hosting provider, not Azure.
Thank you!
In most case you can't see App_Start but all can working fine, you should find httpdocs it's the destination folder that you need to use to copy your files.
You can also try web deploy in your visual studio.
To make it work correctly you need to get the setup file from your hosting provider, with this you don't need to update always all files by ftp, and if you are lucky (if you have Database rights) you can also auto-update your database.
Don't forget also to check your web.config if you use a database connection.
Please try this two methods then if you need more help I will edit.

How to publish ASP.NET MVC on IIS server

I am struggling with trying to publish a site.
I have made a basic web site with ASP.NET MVC and I now want to host it on a pc.
I have opened ISI manager and added a new site. I set the default directly to the directly where the files for the site are stored but when i navigate to the pc I don't get my site. I get an IIS server error in application error.
What steps do i need to do to get the a basic site to run on the server.
First, you need to have installed iis, this is done you have to register the asp.net framework, for this you need to run a command line.
Go to cmd and type:
aspnet_regiis -i
Done so please enter
http:// localhost/AplicationName
If you get an error, then you should really post that error with your question. However, since the most common problem in the scenario you describe is permissions, I'm going to assume that that is your problem.
Unless you're going to put your code in a directory owned by IIS (such as "inetpub"), then you need to give the IIS user or group rights to the directory your code is in. You can do this by right-clicking the directory in Windows Explorer, and choosing "Properties". Then click the "Security" tab. Use the "Edit..." button to add the IIS user or group. It should be named something along the lines of "IIS_*". You'll need to grant full control, so just like any other publicly available directory (including "inetpub"), you should ensure that there's nothing secure or compromising in that directory.

What is the proper way to deploy Orchard CMS to shared hosting?

I've created a basic website using the Orchard CMS, and attempted to deploy it to my shared host, Softsys, using Web Matrix (via FTP). Currently, the site technically "works", however it looks like all styling has been removed (even from the dashboard).
Is there a step or files that I missed while deploying the site? I know "Web Deploy" is probably the preferred method of deploying, but I'm pretty new to this, and was not sure what the login specifics were, or how to obtain them for web deploy.
Here is a screenshot of what the site currently looks like deployed:
Edit: it turns out that the problem was on my host's side, for some reason the virtual directory was not being created properly - I still am curious what the proper/best practice method to deploying is however.
It looks like you have no theme applied. Check whether you have your theme existing in ~/Themes folder and properly enabled in the admin Dashboard. Maybe the /Themes folder content hasn't been copied?
UPDATE
If your hosting provider allows the option to deploy sites via WebDeploy - that would be the best one.
The easiest and most straightforward way to deploy Orchard site is to:
Have the ASP.NET application properly configured in IIS and accessible. If you use hosting - provider does that for you. If you'd have a dedicated server - you have to set up an application yourself.
Grab the deployment package from Codeplex, or build one from the sources.
Copy the whole package to your site's root (via FTP or WebDeploy).
Run it and proceed with the setup.
Basically - these are the same steps as for every "ordinary" ASP.NET application.
You probably need to set IIS user to have write access to some of the folders: Themes, Media and App_Data.

Best practices for deploying an MVC application on IIS7

I'm not a web admin, and I'm new to IIS. So, I'm looking for advice.
My MVC application (e.g. fooapp) is the default application for my site (e.g. foo.bar). I used IIS Manager to add the site to IIS7. When I import the application, IIS Manager wants to put it in it's own directory (/foo), and tells me I shouldn't put it in the base (site) directory. This means that to get to my default MVC view, I have to enter the URL http://foo.bar/fooapp/. Needless to say, I want to get there via http://foo.bar/
I see 2 possible solutions:
Add a default page to the site directory that redirects to the MVC app.
Ignore the IIS admonition and load the app into the site directory.
My IIS7 knowledge is limited. I have played around with some options (such as HTTP Redirect). Since nothing changed, I obviously don't understand what I'm doing.
Anyway, if there are some considered "best practices" and/or other suggestions, please let me know.
Tbh, I'm not sure why the IIS manager is trying to convince you to add it as a sub app.. Maybe you just didn't do it right >_>
I've got a couple servers running with IIS7/7.5 and they have apps running in the root of the website.. No problem there :)
You might want to create a new website in IIS (right click on websites, choose "Add Web Site"), point the "Physical Path" directly to the folder your website's stored in, and set the Host name to whatever host you use (foo.bar ? :) )
This should work just fine )
In terms of deployment, if you use VS2010 I'd really recomment looking at Web Deploy.. It's a new addon written for IIS7, and allows one-click publish to IIS directly from VS2010. I'm using it on my site and it works flawlessly :)
Check out Scott Hansellman's talk about it, or check it out in the IIS website

Resources