Using the [RequireHttps] port in an ASP.NET MVC application causes a redirect to HTTPS on port 443 if the user attempts to access the application over HTTP.
However, in IIS Express, the application will probably not running on port 443. It will, instead, be running on something like port 44301.
I've found various tips for replacing RequireHttpsAttribute with an implementation that takes the alternative port number as a parameter, or reads it from Web.config.
This is clunky, because it requires configuration in more than one place.
Is there any way to do this -- programmatically -- in a generic fashion?
Without trying to pre-empt the answers, some options occur to me:
Is there any way to discover the bindings being used by the instance of IIS or IIS Express that's hosting my app?
Is there any way to read applicationHost.config for the current IIS / IIS Express host?
You can check currently used bindings (of IIS/IIS Express) by running following command
"netsh http show servicestate view=requestq"
You can find applicationhost.config file of IIS Express in %userprofile%\documents\iisexpress\config folder.
Related
Is there a way to deploy a containerized say .net core web app to IIS on a web server and use things like docker swarm and a virtual load balancer.
Am I looking at this all wrong? Would IIS even factor here?
If you want to go down this path, IIS does run in a (Windows) container, however most web apps I’ve seen uses Kestrel as the application web server (I.e. the default netcore images) and some kind of reverse proxy in front (Nginx, HAproxy) to handle things like load balancing, SSL termination and serving of static content.
I think the use case for IIS (though I haven’t used it so I may be wrong here) is to serve legacy ASP.net applications in a containerized environment.
See:
https://hub.docker.com/r/microsoft/iis/
I'm trying to enable https protcol for my application that I'm building on a localhost which has a port number like this:
https://localhost:19590/
I have went to the IIS xx express version and enabled https binding and have been able to access localhost (without any port number) via https like this:
https://localhost/
But now I need to enable HTTPS for the project solution I'm working on currently on port 19590, and when I try to access it, it says that the:
This site can’t provide a secure connection
What am I doing wrong here, how can I enable HTTPS for the localhost project on this port number exactly?
In your project properties, in the web section under Servers can you try choosing Local IIS instead of IIS Express and create virtual directory on https://localhost/
Let's say we have 2 separate applications, a Web Api application and a MVC application both written in .NET 4.5. If you were to host the MVC application in IIS under the host header "https://www.mymvcapp.com/" would it be possible to host the Web Api application separately in IIS under the host header "https://www.mymvcapp.com/api/"?
The processes running the 2 applications in IIS need to be separate. I know of the separate methods of hosting, self hosting and hosting using IIS. I would like to use IIS if at all possible.
Also, how would I host two applications (an API and a web application) if each were on a separate server so that I could serve the api from http://www.mymvcapp.com/api?
There are at least 4 ways of doing what you want to do. The first two methods are for if you have 1 web server, and both applications are served from that one web server running IIS. This method also works if you have multiple web servers running behind a load-balancer, so long as the API and the Web site are running on the same server.
The second two methods are using what's called a "Reverse Proxy", essentially a way to route traffic from one server (the proxy server) to multiple internal servers depending on what type of traffic you're receiving. This is for when you run your web servers on a set of servers and run your API on a different set of servers. You can use any reverse proxy software you want, I mention nginx and HAProxy because I've used both in the past.
Single Web Server running IIS
There are two ways to do it in IIS:
If your physical folder structure is as follows:
c:\sites\mymvcapp
c:\sites\mymvcapp\api
You can do the following:
Create a Child Application
Creating a child application will allow your "API" site to be reachable from www.mymvcapp.com/api, without any routing changes needed.
To do that:
Open IIS Manager
Click on the appropriate site in the "Sites" folder tree on the left side
Right Click on the API folder
click "Convert to Application"
The downside is that all Child Applications inherit the web config of their parent, and if you have conflicting settings in there, you'll see some runtime weirdness (if it works at all).
Create a directory Junction
The second way is a way to do it so that the applications maintain their separateness; and again you don't have to do any routing.
Assuming two folder structures:
c:\sites\api
c:\sites\mvcapp
You can set up Junctions in Windows. From the command line*:
cd c:\sites
mklink /D /J mymvcapp c:\sites\mvcapp
cd mymvcapp
mklink /D /J api c:\sites\api
Then go into IIS Manager, and convert both to applications. This way, the API will be available in \api\, but not actually share its web.config settings with the parent.
Multiple Servers
If you use nginx or haproxy as a reverse proxy, you can set it up to route calls to each app depending.
nginx Reverse Proxy settings
In your nginx.conf (best practice is to create a sites-enabled conf that's a symlink to sites-available, and you can destroy that symlink whenever deploying) do the following:
location / {
proxy_pass http://mymvcapp.com:80
}
location /api {
proxy_pass http://mymvcapp.com:81
}
and then you'd set the correct IIS settings to have each site listen on ports 80 (mymvcapp) and ports 81 (api).
HAProxy
acl acl_WEB hdr_beg(host) -i mymvcapp.com
acl acl_API path_beg -i /api
use_backend API if acl_API
use_backend WEB if acl_WEB
backend API
server web mymvcapp.com:81
backend WEB
server web mymvcapp.com:80
*I'm issuing the Junction command from memory; I did this a few months ago, but not recently, so let me know if there are issues with the command
NB: the config files are not meant to be complete config files -- only to show the settings necessary for reverse proxying. Depending on your environment there may be other settings you need to set.
I'm trying to host a Web API self host application along with IIS.
My Web API project is running on subdomain1.domain.com. My IIS have a site configurered at subdomain2.domain.com.
As soon as my Web API application is started it takes over everything on port 80 and responds to it - no matter what the hostname is. Is it possible run these to sites side-by-side?
Thanks!
You can set the port in the HttpSelfHostConfiguration constructor. See the code here for an example: http://www.matlus.com/self-host-asp-net-web-api/
*Edit to specify further answer from comment: selfHostconfiguration.HostNameComparisonMode = HostNameComparisonMode.Exact; will allow running the sites on the same port.
We have just finished developing a new website for my company using the .NET MVC framework. The sql server supporting our application holds some critical data such as the profiles of other web users and we would like to make sure this data is never leaked due to a reputational risk to the company.
We have a number of ideas on things to do to secure our website but I would like to get the stackoverflow take on them. We will be using SSL for login screens and we prevent against basic attach methods such as sql injection, cross site scripting attacks.
However we are worried about the physical machine being taken over using some exploit. We will be running the webserver (Windows Server 2008 SP2 with IIS7) in a DMZ with only port 80 and 443 open to the internet. Currently the sql server sits on the webserver machine but we are considering if this is a security risk. Would hosting the sql server in a machine in a second DMZ help in security?
We also considered using an Ubuntu box running Apache with mod_proxy in one DMZ that will be "redirecting" the 80 or 443 requests to separate windows machine in a second DMZ that will do the web serving and sql server hosting.
Some other suggestions we are getting is to use a product such as WatchGuard that can apparently filter the http packets for standards compliance thus blocking dodgy packets from reaching the webserver.
What other things should we be looking to secure?
Thanks
Allowing only 80 and 443 is a very good idea. DMZ stands for Demilitarized Zone, this is to define a machine on a NAT that is accessible by all traffic and this should be avoided. Allowing SQL Server and port 445 will get you hacked, after all you are running windows and its only a matter of time before yet another RPC vulnerability comes out.
The most important thing you must do is TEST YOUR SECURITY. Its not enough to say that you are preventing xss and sql injection. All secuirty systems must be proven that they can stop attacks.
How do you test your system? I like Acunetix but it is over priced, however there is a free xss tester. For SQL Injection and other vulnerabilities i recommend using Wapiti which is free. I recommend using OpenVAS which is the new open source version of Nessus which is now a commercial product. OpenVAS will tell you if your server is misconfigured or if you are running old software. You should do a full port scan of the system to test your firewall, this command will work nmap -sT -p 1-65535 domain.com, this can also be done form OpenVas.
After testing your system. Then install a Web Application Firewall, mod_secuirty is a good choice for Apache, you can use a reverse proxy to get mod_security to work with IIS. Aqtronix is an open source WAF built for IIS, but i haven't used it.
1- Critical data must be encrypted in your tables.
2- Take care from all types of SQL Injections.
3- encrypt the connection string in web.config file