I have a folder called "Template" in my project and want to make it inaccessible via HTTP. I added a web.config file. It makes the folder inaccessible but users can access any content in the folder.
They cannot access "Template" folder, but they can access "Template\index.html"
Here is my web.config.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
How can I make the contents inaccessible?
This can be achieved by IIS Request filters. The same way the bin content is inaccessible for browsing.
Under the system.webserver section add the following. There I have enabled directory browsing just to check that even though the directory browsing is enabled users can't browse files in "Template" folder.
Set <directoryBrowse enabled="false" /> if directory browsing is not required.
<?xml version="1.0"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Template" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
For more information, refer to this post.
Related
I am trying to upload files using my .NET application. I cannot upload large files and it responds with 413 - Request Entity Too Large.
I tried solutions that suggested changing maxRequestLength and maxAllowedContentLength in web.config. Also changed the uploadReadAhead setting in IIS. I still am unable to upload the files.
The project has two web configs. Parent directory web config has the following settings:
<system.web>
...other lines
<compilation targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" maxRequestLength="2147483647" executionTimeout="999999" />
<customErrors mode="Off" />
</system.web>
The web config in the inner Portal directory has:
<system.web>
...other lines
<httpRuntime targetFramework="4.6.1" requestValidationMode="2.0" executionTimeout="999999" useFullyQualifiedRedirectUrl="true" maxRequestLength="2147483647" />
</system.web>
<system.webServer>
...other lines
<httpRuntime targetFramework="4.6.1" requestValidationMode="2.0" executionTimeout="999999" useFullyQualifiedRedirectUrl="true" maxRequestLength="2147483647" />
</system.webServer>
How do I fix this ?
Thanks.
Hum, that should be fine. On the other hand, seems to me that adopting some kind of nice up-loading library that up-loads in chunks would be better. This tends to "less freeze up" the user interface and also tends to not freeze up the web server either.
I mean, for a user to up-load a big file, then they are going to be stuck watching the screen - nothing occurring. With a nice up-loader library, then only small chunks are sent up, you get a progress bar, and you have un-limited up-load file sizes.
However, you could try in the main web.config,
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="2048000000"/>
</requestFiltering>
</security>
</system.webServer>
So, you could try adding above under system.webServer
I am trying to upload a file to an application I have built using the AsyncFileUpload part of the AjaxToolKit. The file is a 50mb ZIP file; when uploading I receive the following popup:
When I click OK I get the following box
If I then go into Developer tools I get the following error message in the console tab of Chrome
The value for Content Security Policy directive 'object-src' contains an invalid character
Any help would be appreciated
It looks like you need to modify your Web.config like in this answer:
<configuration>
<system.web>
<httpRuntime maxRequestLength="1048576" />
</system.web>
</configuration>
or for IIS 7 or later:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
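The two upload threads above set two different limits with different units: `maxRequestLength` is in kilobytes and `maxAllowedContentLength` is in bytes, and a request has to fit under both. The following check is an added example, not code from any of the posts; the function name and the sample documents are constructed, and it assumes the documented defaults (4096 KB and 30000000 bytes) wherever the single file it reads is silent, ignoring anything inherited from a parent web.config or applicationHost.config.

```python
import xml.etree.ElementTree as ET

DEFAULT_MAX_REQUEST_LENGTH_KB = 4096            # ASP.NET default, kilobytes
DEFAULT_MAX_ALLOWED_CONTENT_LENGTH = 30000000   # IIS default, bytes

def upload_limits(web_config_xml):
    """Return (effective_limit_bytes, findings) for a single web.config."""
    root = ET.fromstring(web_config_xml)
    findings = []

    # ASP.NET reads httpRuntime under system.web; maxRequestLength is in KB.
    runtime = root.find("./system.web/httpRuntime")
    kb = DEFAULT_MAX_REQUEST_LENGTH_KB
    if runtime is not None and runtime.get("maxRequestLength"):
        kb = int(runtime.get("maxRequestLength"))
    aspnet_bytes = kb * 1024

    # IIS request filtering reads requestLimits; the value is in bytes.
    limits = root.find(
        "./system.webServer/security/requestFiltering/requestLimits")
    iis_bytes = DEFAULT_MAX_ALLOWED_CONTENT_LENGTH
    if limits is not None and limits.get("maxAllowedContentLength"):
        iis_bytes = int(limits.get("maxAllowedContentLength"))
    else:
        findings.append("maxAllowedContentLength not set in this file")

    # httpRuntime is a system.web element, not a system.webServer one.
    if root.find("./system.webServer/httpRuntime") is not None:
        findings.append("httpRuntime placed under system.webServer")
    return min(aspnet_bytes, iis_bytes), findings

# Constructed samples modelled on the fragments quoted in the posts above.
PORTAL = """<configuration>
  <system.web><httpRuntime maxRequestLength="2147483647" /></system.web>
  <system.webServer><httpRuntime maxRequestLength="2147483647" /></system.webServer>
</configuration>"""
PORTAL_WITH_LIMITS = """<configuration>
  <system.web><httpRuntime maxRequestLength="2147483647" /></system.web>
  <system.webServer><security><requestFiltering>
    <requestLimits maxAllowedContentLength="2048000000" />
  </requestFiltering></security></system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, doc in (("portal", PORTAL), ("with limits", PORTAL_WITH_LIMITS)):
        print(name, upload_limits(doc))
```

Very large values on both settings also remove the request-size ceiling that protects the server from oversized bodies, so the number reported here is worth reviewing against the largest upload the application actually needs.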
I am trying to restrict users (except admin) from accessing my images folder. For example the path is:
~/content/images/coverBeg.jpg
If the user navigates to domain/content/images/coverBeg.jpg, he can see the file.
I've tried different sorts of things but none of them worked for me. In the web config file I've added:
<location path="~/content/images">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</location>
With no success. After that I've added a web config file to the images folder and added those lines of code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</configuration>
This did not work for me either. Everyone can still access the coverBeg.jpg file.
It's because static content, like images, are served directly by IIS, not involving MVC pipeline.
To change that, you can do the following:
add
<modules runAllManagedModulesForAllRequests="true" />
to <system.webServer> section of site's web.config. It will run MVC pipeline for every request, including static files - like css, js and images.
Then your config from above will work (I mean your 2nd approach).
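The Template question at the top of the page and the images question above describe the same failure: `system.web` authorization rules alone do not stop static files from being served. As an added example (not code from any of the posts; the function name and sample documents are constructed), this check reads one web.config and reports which of the mechanisms mentioned on this page are present and whether the file relies on `system.web` rules only.

```python
import xml.etree.ElementTree as ET

WS = "system.webServer"

def static_file_coverage(web_config_xml):
    """Summarise which rules in one web.config can restrict static files."""
    root = ET.fromstring(web_config_xml)
    # Segments rejected by IIS request filtering, before any handler runs.
    hidden = [a.get("segment") for a in root.findall(
        f".//{WS}/security/requestFiltering/hiddenSegments/add")]
    # When true, managed modules (including URL authorization) see every request.
    modules = root.find(f".//{WS}/modules")
    run_all = (modules is not None and modules.get(
        "runAllManagedModulesForAllRequests", "false").lower() == "true")
    managed = root.find(".//system.web/authorization") is not None
    native = root.find(f".//{WS}/security/authorization") is not None
    return {
        "hidden_segments": hidden,
        "native_authorization": native,        # system.webServer rules
        "managed_authorization": managed,      # system.web rules
        "managed_rules_reach_static": managed and run_all,
        # True when nothing but system.web rules is guarding the folder.
        "relies_on_managed_rules_only":
            managed and not (run_all or native or hidden),
    }

# Constructed samples modelled on the configs quoted on this page.
TEMPLATE_ASKER = """<configuration><system.web><authorization>
  <deny users="*"/></authorization></system.web></configuration>"""
TEMPLATE_HIDDEN = """<configuration><system.webServer><security>
  <requestFiltering><hiddenSegments><add segment="Template" />
  </hiddenSegments></requestFiltering></security></system.webServer>
</configuration>"""
IMAGES_ALL_REQUESTS = """<configuration>
  <system.web><authorization><allow roles="Admin"/><deny users="*"/>
  </authorization></system.web>
  <system.webServer><modules runAllManagedModulesForAllRequests="true" />
  </system.webServer></configuration>"""

if __name__ == "__main__":
    for doc in (TEMPLATE_ASKER, TEMPLATE_HIDDEN, IMAGES_ALL_REQUESTS):
        print(static_file_coverage(doc))
```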
I have an IIS8 site which runs ASP.NET 4.0 using Windows Authentication.
In my IIS Authentication Settings, all are disabled except Windows Authentication. Users are able to authenticate properly and use the site as intended.
However, I now have an Uploads folder which contains images which I want to expose to non-authenticated users from other applications.
In my web.config files I have the following lines that relate to Authentication/Authorization:
<system.web>
<authentication mode="Windows"/>
</system.web>
<location path="Uploads">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
How do I allow anonymous access to the uploads folder, while keeping Windows Authentication for everything else? Currently they have to login to the other application, and then when accessing images from the site in question, they have to authenticate in order to gain access to them.
Also, the location path is relative to the web.config file correct?
Edit: Not sure if this matters, but our site is both internally and externally available. If accessed from computers on our domain, it logs in automatically; if it's a computer that is not on the domain, they are redirected to a login page.
I found the answer on another question: Allow anonymous authentication for a single folder in web.config?
First, I had to go into C:\Windows\System32\inetsrv\config\applicationHost.config
Search for this line , and change to "Allow" instead of "Deny"
Then put the code below into web.config file
Code:
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
What you need to do is remove the "Deny" rule for anonymous; since it gets inherited, it will still block users. Something like:
<system.webServer>
<security>
<authorization>
<remove users="?" roles="" verbs="" />
<allow users="*" />
</authorization>
</security>
</system.webServer>
Indeed the location path is relative to the folder where the web.config is located.
I also just noticed that you are using system.web instead of system.webServer which is the one you should be using.
I am doing a web service in .NET containing a server file (.asmx) and a client interface (.aspx). The visitors should be able to visit only the client aspx site ( urlXXX:portYY/Client.aspx)
However, when I remove the "/Client.aspx" part from the URL, I get into the project directory and this should not be possible. (So far, I am running the project just on localhost.)
Is there any way to restrict getting into other parts of the solution? The only possibility I could think of is creating a separate project for the client aspx site; however, even then the visitor is able to get into the directory containing that site.
You should be able to control explicit access using your web.config. Have a look at this example (disclaimer: I've copied this straight from this MS page):
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
EDIT: Take a look at this question for more info on denying access to explicit folders as well.
So, basically I have managed to find a workaround, by adding the following code into the Web.config:
<system.webServer>
<defaultDocument>
<files>
<add value="Client.aspx" />
</files>
</defaultDocument>
</system.webServer>
...which makes the Client a default web page, thus preventing the directory from being seen. However, I will leave this topic open in case someone comes with a more elaborate and sophisticated solution.