如何禁用 ASP.NET MVC 项目的直接访问 Web 资源。

huangapple
go评论53阅读模式
英文:

How to disable direct access to web resources for ASP.NET MVC projectcs

问题

我有一个运行在ASP.NET MVC上的网站。当然,我已经禁用了目录浏览。我还在我的 RouteConfig.cs 文件中添加了条件,只接受我想要的页面。

例如:

  • example.com/
  • example.com/account/login
  • example.com/account/register

我也测试过我的配置不能直接访问:

  • example.com/web.config ---> 错误404

然而,我仍然可以直接访问内容文件夹下的文件,它们甚至没有被缩小或其他处理:

  • example.com/Content/css/style.css -----> 200:Ok
  • example.com/Content/scripts/myscript.js ----> 200:ok

现在我在一些文章中看到他们建议在 web.config 文件中添加以下内容:

<authorization>
    <deny users="?" />
</authorization>

但这样会阻止整个网站。

我确信应该有一种简单的方法来解决这个问题。我使用Visual Studio将其发布到运行IIS的机器上。

是否有人有任何想法如何解决这个问题?谢谢。

英文:

I have a web site that runs on ASP.NET MVC. I have of course disabled the directory browsing. I have also added conditions to my RouteConfig.cs file to accept only pages that I want to.

For example:

  • example.com/
  • example.com/account/login
  • example.com/account/register

I also tested that my configs are not accessible directly:

  • example.com/web.config ---> error 404

However, I still can directly access files under content folder and they are not even minified or anything:

  • example.com/Content/css/style.css -----> 200:Ok
  • example.com/Content/scripts/myscript.js ----> 200:ok

Now I see in some articles they recommend adding the following to the web.config file:

&lt;authorization&gt;
    &lt;deny users=&quot;?&quot; /&gt;
&lt;/authorization&gt;

But then it blocks the whole site.

I am sure there should be an easy way to handle this. I use Visual Studio to publish it to a machine running IIS.

Does anyone have any ideas how this can be fixed? Thank you.

答案1

得分: 1

你还可以尝试使用URL重写来阻止访问:

如何禁用 ASP.NET MVC 项目的直接访问 Web 资源。

英文:

You can also try to use url rewrite to block access:

如何禁用 ASP.NET MVC 项目的直接访问 Web 资源。

答案2

得分: 0

根据@samwu的上述回复,我构建了以下规则,以阻止直接访问文件夹,如Content、Scripts和logs,但仍然允许站点正常运行:

<system.webServer>
    .......
    <rewrite>
        <rules>
            <!-- 阻止直接访问文件夹及其文件的规则(例如:https://mysite/Content/CSS/Common.css) -->
            <rule name="阻止访问Content文件夹" stopProcessing="true">
                <match url="^Content/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="禁止访问此资源。"/>
            </rule>

            <rule name="阻止访问Scripts文件夹" stopProcessing="true">
                <match url="^Scripts/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="禁止访问此资源。"/>
            </rule>

            <rule name="阻止访问App_Data文件夹" stopProcessing="true">
                <match url="^App_Data/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="禁止访问此资源。"/>
            </rule>

            <rule name="阻止访问Logs文件夹" stopProcessing="true">
                <match url="^logs/(.*)$"/>
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$"/>
                </conditions>
                <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="禁止访问此资源。"/>
            </rule>
        </rules>
    </rewrite>
    .......
</system.webServer>

请注意,这些规则将阻止直接访问这些文件夹及其文件,并返回"禁止访问此资源"的错误状态码(403 Forbidden)以及相应的描述。

英文:

As per @samwu's response above, I constructed the below rules to block folders such as Content, Scripts and logs from direct access but still let the site be functional:

	&lt;system.webServer&gt;
.......
&lt;rewrite&gt;
&lt;rules&gt;
&lt;!--Rules to block direct access to folders and their files. (e.g: https://mysite/Content/CSS/Common.css)--&gt;
&lt;rule name=&quot;Block Content Folder&quot; stopProcessing=&quot;true&quot;&gt;
&lt;match url=&quot;^Content/(.*)$&quot;/&gt;
&lt;conditions&gt;
&lt;add input=&quot;{HTTP_REFERER}&quot; pattern=&quot;^$&quot;/&gt;
&lt;/conditions&gt;
&lt;action type=&quot;CustomResponse&quot; statusCode=&quot;403&quot; statusReason=&quot;Forbidden&quot; statusDescription=&quot;Access to this resource is forbidden.&quot;/&gt;
&lt;/rule&gt;
&lt;rule name=&quot;Block Scripts Folder&quot; stopProcessing=&quot;true&quot;&gt;
&lt;match url=&quot;^Scripts/(.*)$&quot;/&gt;
&lt;conditions&gt;
&lt;add input=&quot;{HTTP_REFERER}&quot; pattern=&quot;^$&quot;/&gt;
&lt;/conditions&gt;
&lt;action type=&quot;CustomResponse&quot; statusCode=&quot;403&quot; statusReason=&quot;Forbidden&quot; statusDescription=&quot;Access to this resource is forbidden.&quot;/&gt;
&lt;/rule&gt;
&lt;rule name=&quot;Block App_Data Folder&quot; stopProcessing=&quot;true&quot;&gt;
&lt;match url=&quot;^App_Data/(.*)$&quot;/&gt;
&lt;conditions&gt;
&lt;add input=&quot;{HTTP_REFERER}&quot; pattern=&quot;^$&quot;/&gt;
&lt;/conditions&gt;
&lt;action type=&quot;CustomResponse&quot; statusCode=&quot;403&quot; statusReason=&quot;Forbidden&quot; statusDescription=&quot;Access to this resource is forbidden.&quot;/&gt;
&lt;/rule&gt;
&lt;rule name=&quot;Block Logs Folder&quot; stopProcessing=&quot;true&quot;&gt;
&lt;match url=&quot;^logs/(.*)$&quot;/&gt;
&lt;conditions&gt;
&lt;add input=&quot;{HTTP_REFERER}&quot; pattern=&quot;^$&quot;/&gt;
&lt;/conditions&gt;
&lt;action type=&quot;CustomResponse&quot; statusCode=&quot;403&quot; statusReason=&quot;Forbidden&quot; statusDescription=&quot;Access to this resource is forbidden.&quot;/&gt;
&lt;/rule&gt;
&lt;/rules&gt;
&lt;/rewrite&gt;
.......
&lt;/system.webServer&gt;

huangapple
  • 本文由 发表于 2023年7月13日 12:53:18
  • 转载请务必保留本文链接:https://go.coder-hub.com/76676039.html
  • asp.net-mvc
  • iis-7
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定