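【Posted】: 2021-12-21 10:08:09
【Question】:
I am using URL Rewrite 2.0 on IIS 10.0 to create rules such as HSTS, XSS protection...
Everything works fine on IIS 10.0, but when I send the web.config to IIS 8.5 (with URL Rewrite 2.0 installed) it returns 403 invalid credentials.
The old IIS 8.5 web.config is: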
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <remove value="index.html" />
        <remove value="Default.asp" />
        <remove value="Default.htm" />
        <remove value="index.htm" />
        <remove value="iisstart.htm" />
        <add value="Attendance.htm" />
      </files>
    </defaultDocument>
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <verbs>
        </verbs>
      </requestFiltering>
    </security>
    <handlers>
      <remove name="CGI-exe" />
      <add name="CGI-exe" path="*.exe" verb="*" modules="CgiModule" resourceType="Either" requireAccess="Execute" allowPathInfo="true" />
    </handlers>
  </system.webServer>
</configuration>
“requireAccess=Execute”
The web.config from IIS 10.0 that does not work on IIS 8.5 is:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Execute, Script" />
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <verbs>
        </verbs>
      </requestFiltering>
    </security>
    <rewrite>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
        <rule name="Remove Server Header">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="-" replace="true" />
        </rule>
        <rule name="Remove X-POWERED-BY Header">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
          <action type="Rewrite" value="-" replace="true"/>
        </rule>
        <rule name="RESPONSE_X-ASPNET-VERSION">
          <match serverVariable="RESPONSE_X-ASPNET-VERSION" pattern=".+" />
          <action type="Rewrite" value="-" replace="true" />
        </rule>
        <rule name="RESPONSE_X-ASPNETMVC-VERSION">
          <match serverVariable="RESPONSE_X-ASPNETMVC-VERSION" pattern=".+" />
          <action type="Rewrite" value="-" replace="true" />
        </rule>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <rule name="SameSiteCookie">
          <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$" />
          <action type="Rewrite" value="{R:0};SameSite=Strict" />
        </rule>
        <preConditions>
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Expect-CT" value="max-age=0" />
        <add name="X-Frame-Options" value="sameorigin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
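“accessPolicy = Read, Execute, Script”
I am thinking this has to do with the HSTS policy, or that there is a difference between the two access policies (one is Execute, the other is Read, Execute, Script). Or maybe URL Rewrite needs Require SSL to be disabled. Does anyone know?
【Discussion】:
- Let FRT tell you more about the 403 error, docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/…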
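As an added example that is not part of the original thread: a Failed Request Tracing rule for the site's web.config that captures every request ending in status 403, including the CGI handler and URL Rewrite events, so the trace shows which module produced the 403 and its sub-status. It assumes the IIS Tracing feature is installed and that the `Rewrite` trace area is registered, which the URL Rewrite installer does.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <!-- Trace every URL under this site/application -->
        <add path="*">
          <traceAreas>
            <!-- Security/Authentication: access checks that end in 403.x
                 CGI: the CgiModule handler mapped to *.exe
                 Rewrite: URL Rewrite rule evaluation (inbound and outbound)
                 Module/RequestNotifications: which module set the status -->
            <add provider="WWW Server"
                 areas="Authentication,Security,CGI,RequestNotifications,Module,Rewrite"
                 verbosity="Verbose" />
          </traceAreas>
          <!-- Only keep traces for requests that finish with HTTP 403 -->
          <failureDefinitions statusCodes="403" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```

Failed Request Tracing must also be enabled on the site itself before this rule produces any log files. Remove the rule once the 403 has been diagnosed, since verbose traces record request details on disk.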