As title suggested, how can I achieve that in my webform project? Currently, if a url points towards a file, the server will send the response with that file without ever entering Application_BeginRequest. Even the MapPageRoute method does not change this behavior. Is there a simple solution?
You may wish to set this in your web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
So that even static files are processed by ASP.NET.
Related
We have an application that acts as an API Gateway, taking calls and routing them through to other APIs and then relaying the responses.
In our set up, we make sure that developers making API calls don't try and flood us by uploading massive files or sending in excessive JSON payloads. We're now trying to figure out how we make sure that we don't flood them in return if they make an API call that returns too much data.
Is there a way to set up either IIS or an ASP.Net app to refuses API responses over a certain size in the same way that we would refuse an API Request over a certain size?
Just to add an example in clear terms:
If a developer makes an API request to get all of their customers, the API Gateway passes that request to our internal Customers API. If the Customers API responds with a 600MB response, we want to block the response at the API Gateway and then we'll send a response to the developer asking them to change their request to reduce the resultset.
The response has not limit the size. We can limit the response size by add more parameter Content-Length into the response header.
to set Request limit you could set in web.config file:
<system.web>
<httpRuntime maxRequestLength="2147483647" />
or
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2147483648" />
</requestFiltering>
</security>
</system.webServer>
Or
You could also set below code in web.config:
<configuration>
<system.web.extensions>
<scripting>
<webServices>
<jsonSerialization maxJsonLength="50000000"/>
</webServices>
</scripting>
</system.web.extensions>
</configuration>
maxJsonLength Configures the maximum length of the JSON string.
For more detail, you could refer:
jsonSerialization Element (ASP.NET Settings Schema)
Regards,
jalpa
Thanks for looking.
Background
I have inherited a very old (12 years) .NET website project what uses web form architecture.
This is a very large codebase and, when running on the web server, depends on a very large local resource folder of images. I am working remotely and have been told that the image folder will not be added to the source control; however, I can access it via a network folder (if connected to VPN).
If I hard-code any of the images to use the network path they work fine, but this is obviously not a good solution since there are thousands of images.
Question
Is it possible to intercept any incoming request for an image file and, if the local image folder is not found (i.e. in development on my machine), use the network path URI instead to get the image? If so, what is the correct way to do this?
What I have Tried
I tried intercepting the requests in the Application_BeginRequest method of the global.asax (which I was surprised to find in such an old project) but this does not intercept image requests apparently. My thinking was that I could re-structure the URL there and then comment that code out in production, but this also seems like it wouldn't be a great solution.
Thanks in advance.
If it's WebForms then you can most certainly use a HTTP Handler to achieve this.
public class ImageHandler : IHttpHandler
{
public bool IsReusable
{
get
{
return false;
}
}
public void ProcessRequest(HttpContext context)
{
// Handle your request here, using
// context.Request and System.IO
// to serve the image from network
}
}
Then, you'll need to register & configure the Handler in Web.Config like so, for IIS6:
<system.web>
<httpHandlers>
<add verb="*" path="*.jpg,*.png" type="Namespace.ImageHandler, AssemblyName" validate="false" />
</httpHandlers>
</system.web>
Or IIS7:
<system.webServer>
<handlers>
<add name="JpgImage" verb="*" path="*.jpg" type="Namespace.ImageHandler, AssemblyName" resourceType="File" />
<add name="PngImage" verb="*" path="*.png" type="Namespace.ImageHandler, AssemblyName" resourceType="File" />
</handlers>
</system.webServer>
I'm trying to set up a stripped down web server that passes all URL requests through to a single IHttpHandler, instead of trying to match the URL to the file structure of the server.
I've got the IHttpHandler in there, along with some custom modules, and they're responding as expected when I go directly to my domain, but if I access the site via something like:
http://mysite/some/random/url
I get a 404 file not found error.
I'd assumed removing one of these modules would probably cover it:
<remove name="UrlRoutingModule-4.0" />
<remove name="UrlMappingsModule" />
<remove name="FileAuthorization" />
<remove name="UrlAuthorization" />
But IIS is still trying to match the URLs to the server file structure. I've since removed every module I'm not using and it's still returning 404's.
I have actually done this before, but I can't seem to quite remember or find online quite how I got it working.
I'm now basically out of ideas - anyone?
I added the runAllManagedModulesForAllRequests as per the suggestion from #Alexei Levenkov. While I remember definitely needing to do that, it didn't immediately solve it. After much fiddling about I found that IIS had set:
resourceType="Either"
on the handler. I tested changing it to File, and the problem was fixed for file type URLs, but of course not folder "style" ones. Changing it to:
resourceType="Unspecified"
Fixed the problem for all URLs.
I having a issue when i click to edit a user with this url in a ASP.NET MVC 3 project:
http://domain.com:8089/User/EditUser/username.surname?IDUser=e11a621p-df11-4687-9903-8bfc33c922cf
If i get another user without the '.' character, it works fine.
The error:
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
I tried some tips that i find here, like:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
and:
<system.web>
<httpRuntime relaxedUrlToFileSystemMapping="true" />
and this attribute on the edituser action:
[ValidateInput(false)]
But nothing seems to work. This site is hosted on a IIS server, when it was on Windows Azure WebSite, it was working as expected.
Thanks.
If you know for a fact that the edit page is the only page where you use the firstname.lastname url part, you can use the method described in this SO answer:
Prevent static file handler from intercepting filename-like URL
Specifically, in your case, adding the following web.config section should route the request to MVC:
<system.webServer>
...
<handlers>
...
<add
name="userEditPage"
path="User/EditUser/*"
verb="GET"
type="System.Web.Handlers.TransferRequestHandler"
preCondition="integratedMode,runtimeVersionv4.0" />
This will not be sufficient if you use the firstname.lastname in urls outside of the User/EditUser/... path, and is not a general solution. That would be much more complicated because you would need to tell IIS something like the following:
1) if the file exists, serve it (so that your .js files still serve properly)
2) Before any of the other handlers execute for the file extension, run the MVC handler and see if there is a route matching the url. Because what if you have a user of last name html?
3) If the MVC handler does not match any routes for the url, let the other handlers. Because what if you also had an .aspx page in your project?
Lastly, for the general case, you may want to consider the edge case of someone malicious creating a user with first name ../../web and lastname config? Just a thought, but it seems like the best you can hope for is restricting the use of the . in the url to specific paths.
After some headache, i publish it to Azure WebSites again and it works normally, with same web.config file that i was using in local enviroment. So the solution must be on the IIS, then after no more tries, i change the Application Pool to Default App Pool and guess what, it worked.
Is it possible to add some kind of restriction to the web.config to limit URL parameter length? I want to prevent people at the earliest possible point from submitting too large URL parameters so the server doesn't get taxed more than necessary in the event that somebody tries to "attack" it with large invalid URL parameters.
See the following link:
http://learn.iis.net/page.aspx/143/use-request-filtering/
Here is an example of the IIS 7 config:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits
maxAllowedContentLength="30000000"
maxUrl="260"
maxQueryString="25"/>
</requestFiltering>
</security>
</system.webServer>
http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
just set maxQueryString.
urlscan can probably help for iis6 scenerios