How to disable direct access to web resources for ASP.NET MVC projects
Question
I have a web site that runs on ASP.NET MVC. I have of course disabled the directory browsing. I have also added conditions to my RouteConfig.cs file to accept only pages that I want to.
For example:
example.com/
example.com/account/login
example.com/account/register
I also tested that my configs are not accessible directly:
example.com/web.config
---> error 404
However, I can still directly access files under the content folder, and they are not even minified or anything:
example.com/Content/css/style.css
-----> 200:Ok
example.com/Content/scripts/myscript.js
----> 200:ok
Now I see in some articles they recommend adding the following to the web.config file:
<authorization>
<deny users="?" />
</authorization>
But then it blocks the whole site.
I am sure there should be an easy way to handle this. I use Visual Studio to publish it to a machine running IIS.
Does anyone have any ideas how this can be fixed? Thank you.
Answer 1
Score: 1
You can also try using URL Rewrite to block the access:
Answer 2
Score: 0
As per @samwu's response above, I constructed the below rules to block folders such as Content, Scripts and logs from direct access but still let the site be functional:
<system.webServer>
  .......
  <rewrite>
    <rules>
      <!--Rules to block direct access to folders and their files. (e.g: https://mysite/Content/CSS/Common.css)-->
      <rule name="Block Content Folder" stopProcessing="true">
        <match url="^Content/(.*)$"/>
        <conditions>
          <add input="{HTTP_REFERER}" pattern="^$"/>
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
      </rule>
      <rule name="Block Scripts Folder" stopProcessing="true">
        <match url="^Scripts/(.*)$"/>
        <conditions>
          <add input="{HTTP_REFERER}" pattern="^$"/>
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
      </rule>
      <rule name="Block App_Data Folder" stopProcessing="true">
        <match url="^App_Data/(.*)$"/>
        <conditions>
          <add input="{HTTP_REFERER}" pattern="^$"/>
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
      </rule>
      <rule name="Block Logs Folder" stopProcessing="true">
        <match url="^logs/(.*)$"/>
        <conditions>
          <add input="{HTTP_REFERER}" pattern="^$"/>
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to this resource is forbidden."/>
      </rule>
    </rules>
  </rewrite>
  .......
</system.webServer>
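A small model of how IIS URL Rewrite evaluates the rules in the answer above, added here as an example (it is not code from the original post, and it is not the real rewrite module). It parses the `<rewrite>` section with ElementTree and applies each rule's `match` pattern and `{HTTP_REFERER}` condition to constructed sample requests, using the module's defaults (case-insensitive matching, `logicalGrouping="MatchAll"`, pattern applied to the path without its leading slash). The embedded config is a constructed two-rule subset (Content and logs) of the one above. Running it makes the security-relevant property of these rules visible: the only thing they test is whether the client sent a Referer header, a value the client chooses, so a request carrying any Referer at all is served, while a browser that sends none (a typed address, or a page with `Referrer-Policy: no-referrer`) gets 403 even for the site's own CSS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed two-rule subset of the web.config from the answer above (Content and logs),
# embedded so the script runs offline.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block Content Folder" stopProcessing="true">
          <match url="^Content/(.*)$"/>
          <conditions>
            <add input="{HTTP_REFERER}" pattern="^$"/>
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Access to this resource is forbidden."/>
        </rule>
        <rule name="Block Logs Folder" stopProcessing="true">
          <match url="^logs/(.*)$"/>
          <conditions>
            <add input="{HTTP_REFERER}" pattern="^$"/>
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Access to this resource is forbidden."/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

SERVER_VARIABLE = re.compile(r"\{([A-Z_]+)\}")


def load_rules(config_xml):
    """Parse <rewrite><rules> into plain dicts (simplified model, not the IIS module)."""
    rules = []
    for rule in ET.fromstring(config_xml).iter("rule"):
        match = rule.find("match")
        conditions = rule.find("conditions")
        conds = [] if conditions is None else [
            {
                "input": c.get("input"),
                "pattern": c.get("pattern"),
                "negate": c.get("negate", "false").lower() == "true",
            }
            for c in conditions.findall("add")
        ]
        rules.append({
            "name": rule.get("name"),
            "url": match.get("url"),
            # URL Rewrite defaults: ignoreCase="true", stopProcessing="false"
            "ignore_case": match.get("ignoreCase", "true").lower() == "true",
            "stop": rule.get("stopProcessing", "false").lower() == "true",
            "conditions": conds,
            "action": dict(rule.find("action").attrib),
        })
    return rules


def expand(template, server_vars):
    """Substitute {HTTP_REFERER}-style server variables; an absent header expands to ""."""
    return SERVER_VARIABLE.sub(lambda m: server_vars.get(m.group(1), ""), template)


def evaluate(rules, path, headers=None):
    """Return (status_code, rule_name) when a CustomResponse rule fires, else (None, None).

    Models the module's defaults: the pattern is applied to the URL path without its
    leading slash, matching is case-insensitive, and conditions use MatchAll.
    """
    headers = headers or {}
    # IIS exposes request headers as HTTP_* server variables (Referer -> HTTP_REFERER)
    server_vars = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    url = path.lstrip("/")
    for rule in rules:
        flags = re.IGNORECASE if rule["ignore_case"] else 0
        if not re.search(rule["url"], url, flags):
            continue
        conditions_hold = all(
            (re.search(c["pattern"], expand(c["input"], server_vars), re.IGNORECASE) is not None)
            != c["negate"]
            for c in rule["conditions"]
        )
        if not conditions_hold:
            continue
        if rule["action"].get("type") == "CustomResponse":
            return int(rule["action"]["statusCode"]), rule["name"]
        if rule["stop"]:
            break
    return None, None


RULES = load_rules(WEB_CONFIG)

# Constructed sample requests: (description, path, request headers)
SAMPLE_REQUESTS = [
    ("no Referer (typed address, or Referrer-Policy: no-referrer)", "/Content/css/style.css", {}),
    ("fetched by one of the site's own pages", "/Content/css/style.css",
     {"Referer": "https://mysite/account/login"}),
    ("fetched by a page on some other site", "/Content/css/style.css",
     {"Referer": "https://other.example/"}),
    ("MVC route, no rule matches", "/account/login", {}),
    ("log file, mixed-case path (ignoreCase default)", "/Logs/app.log", {}),
]

if __name__ == "__main__":
    for description, path, headers in SAMPLE_REQUESTS:
        status, name = evaluate(RULES, path, headers)
        outcome = f"{status} by rule '{name}'" if status else "passed through to the handler"
        print(f"{description:60} {path:26} -> {outcome}")
```

Read the output as a functional check rather than as access control: the CSS and script folders have to be served to browsers for the site to work at all, and the Referer test only filters the way they are reached. For a folder that must never be served (logs), IIS request filtering's `hiddenSegments` list, which already contains `App_Data` by default, rejects the request before any rewrite rule runs and regardless of headers; keeping such folders outside the web root avoids the question entirely.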