Can't change IIS response code with URL Rewrite outbound rule

I'm trying to set up an IIS URL Rewrite rule to match 403 responses as a result of someone attempting to browse to a directory when directory browsing is disabled. I want to then redirect them to the usual ASP.NET custom errors page I have defined for 404s.

Here's what I have at present:

    <outboundRules>
      <!-- By default, browsing a directory with no default resource will return 403 -->
      <rule name="Directory browsing location">
        <match serverVariable="RESPONSE_LOCATION" pattern="(.*)" />
        <conditions>
          <add input="{RESPONSE_STATUS}" pattern="^403" />
        </conditions>
        <action type="Rewrite" value="/Error/PageNotFound?aspxerrorpath={PATH_INFO}"/>
      </rule>
      <rule name="Directory browsing status code" patternSyntax="ExactMatch">
        <match serverVariable="RESPONSE_STATUS" pattern="403" />
        <action type="Rewrite" value="302" />
      </rule>
    </outboundRules>

My assumption is that it needs to be an outbound rule and that I need to rewrite both the status code and add the location response header, although the latter wouldn't exist anyway with the original 403 response.

Behaviour at the moment is... nothing. I'm still seeing 403s no matter how much tweaking I do. Any ideas out there?

Incidentally, no, there aren't any legit 403s on the site that would be swallowed as a result of this. I could also create inbound rules for each path that might result in the condition being met, but that's not very scalable.

Troy Hunt asked Aug 30 '14 04:08


3 Answers

URL Rewrite has a handle on almost everything, but not the HTTP Status code since it's outside of the response header. So unfortunately URL Rewrite can't do anything with this, or at least not that I've ever been able to find. I've wanted to do similar things many times. Note, you can check the status with a condition using {RESPONSE_STATUS}, but you can't update it.

The response from @RyanCEI is what I would recommend. To add to that, you can use subStatusCode to scope the error to just 403.14, and for testing only, make sure to either test off-box or to set the errorMode to Custom since, by default, IIS won't show the custom error pages when testing on the local box.

Here's an example config that does both of those.

    <httpErrors errorMode="Custom">
        <error statusCode="403" subStatusCode="14" path="/errorpage.htm" responseMode="ExecuteURL" />
    </httpErrors>

After testing you can turn off the errorMode="Custom".

Scott Forsyth - MVP answered Oct 22 '22 06:10


Not sure if this helps, as it is not a rewrite rule, but this will force 403 to your error page using the httpErrors section of web.config:

    <configuration>
      <system.web>
        <compilation debug="false" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5" />
        <customErrors defaultRedirect="~/errorpage.html" mode="On">
        </customErrors>
      </system.web>
      <system.webServer>
        <httpErrors>
          <remove statusCode="404" subStatusCode="-1" />
          <error statusCode="404" prefixLanguageFilePath="" path="/errorpage.html" responseMode="ExecuteURL" />
          <remove statusCode="403" subStatusCode="-1" />
          <error statusCode="403" prefixLanguageFilePath="" path="/errorpage.html" responseMode="ExecuteURL" />
        </httpErrors>
        <defaultDocument>
          <files>
            <remove value="default.aspx" />
            <remove value="iisstart.htm" />
            <remove value="index.htm" />
            <remove value="Default.asp" />
            <remove value="Default.htm" />
          </files>
        </defaultDocument>
      </system.webServer>
    </configuration>

RyanCEI answered Oct 22 '22 05:10
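
Added example, not part of either answer above: a small Python check that reads a web.config and reports how 403 responses are mapped in `httpErrors`, distinguishing the blanket 403 mapping from the 403.14-scoped one and noting when `errorMode` is still at the testing value. The function name `audit_http_errors` and the sample config are constructed for illustration; the attribute defaults used are the IIS schema defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a blanket 403 mapping with errorMode left at the
# value suggested for on-box testing.
SAMPLE = """<configuration>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <remove statusCode="403" subStatusCode="-1" />
      <error statusCode="403" path="/errorpage.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>"""


def audit_http_errors(web_config_xml):
    """Return a list of findings about how 403 responses are mapped."""
    root = ET.fromstring(web_config_xml)
    section = root.find("system.webServer/httpErrors")
    if section is None:
        return ["no <httpErrors> section: IIS default error handling applies"]
    findings = []
    mode = section.get("errorMode", "DetailedLocalOnly")  # IIS default
    if mode == "Custom":
        findings.append("errorMode=Custom: custom pages are served to local requests too (test setting)")
    elif mode == "Detailed":
        findings.append("errorMode=Detailed: detailed errors are sent to remote clients")
    rules_403 = [e for e in section.findall("error") if e.get("statusCode") == "403"]
    if not rules_403:
        findings.append("no <error> rule for 403: a denied directory listing keeps the stock page")
    for rule in rules_403:
        path = rule.get("path", "")
        sub = rule.get("subStatusCode", "-1")  # -1 matches every substatus
        if sub == "-1":
            findings.append("403 rule covers every substatus, so all 403s get %s" % path)
        elif sub == "14":
            findings.append("403.14 only (directory listing denied) -> %s" % path)
        # A URL-style path needs ExecuteURL; the default mode, File, expects a file path.
        if rule.get("responseMode", "File") != "ExecuteURL" and path.startswith("/"):
            findings.append("path %s looks like a URL but responseMode is not ExecuteURL" % path)
    return findings


if __name__ == "__main__":
    for finding in audit_http_errors(SAMPLE):
        print(finding)
```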


I remember with SharePoint when we had this issue we went into the domain registrar for our domain names and put DNS records to forward things (I think they were CNAME records). It was a mess keeping it all in sync but it was the only way we could get it to work. HTTP and URL Rewrites in IIS didn't work in some cases with SharePoint at least.

Matthew J Bailey answered Oct 22 '22 06:10