We Keep Coding

Remove response Server header on Azure Web App from the first redirect request to HTTPS

I’m trying to remove the response Server header from an Azure Web App ( with an ASP Net core application )
After many tries of changing the web.config and removing the header in app code using a middleware, Microsoft doesn’t give up and set the response header to Server: Microsoft-IIS/10.0 :)
The problem appears only when I’m trying to access the server on http (not https). Response code from the server is 301, and this is the only response that has the Server header.
Checking the logs I was not able to find any request to http://, and perhaps this is why I’m not able to remove header, because the request is not process in my application code.
A solution that I’m thinking is to disable the azure HTTPS only and do the redirect to https in my code (I tested and is working - server header is removed)
Is there another workaround without disabling the HTTPS only option?
Here is what I tried
Startup.cs
public void Configure(IApplicationBuilder app)
{
app.Use(async (context, next) =>
{
context.Response.Headers.Add("server", string.Empty)
}
app.UseHttpsRedirection();
}
web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<httpRuntime enableVersionHeader="false" />
<!-- Removes ASP.NET version header. -->
</system.web>
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="Server" />
<remove name="X-Powered-By" />
</customHeaders>
<redirectHeaders>
<clear />
</redirectHeaders>
</httpProtocol>
<security>
<requestFiltering removeServerHeader="true" />
<!-- Removes Server header in IIS10 or later and also in Azure Web Apps -->
</security>
<rewrite>
<outboundRules>
<rule name="Change Server Header"> <!-- if you're not removing it completely -->
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="Unknown" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>

UPDATE
When the URL of http:// is requested, IIS will process it, this time without code. So we can't control it by the code, we can only set it on the server, such as some scripts or tools. But on Azure, we have no way to directly operate as a physical server, so after exploration, I suggest that Front Door can be used to deal with this problem. Hiding server information through proxy should be a better way.
After my test, the server information is hidden, you can refer to this document . We can see from the picture that there is no 301 redirect request, and no server information in other requests.
PREVIOUS
You need to modify Global.asax.cs and Web.config file in your program.
In Global.asax.cs.
public class MvcApplication : System.Web.HttpApplication
{
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
MvcHandler.DisableMvcResponseHeader = true;
PreSendRequestHeaders += Application_PreSendRequestHeaders;
}
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
//HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Set("Server","N/A");
}
}
And In Web.config.
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" >
</modules>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
Then u can deploy your app. After the above code modification, access to the interface or static resources can see that the server information is modified, of course, it can also be deleted by Remove.
You also can handle special event by http status code.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
//HttpContext.Current.Response.Headers.Remove("Server");
int StatusCode= HttpContext.Current.Response.StatusCode;
// handle like http status code 301
HttpContext.Current.Response.Headers.Set("Server","N/A");
}

ASP.NET Core url rewrite only domain

I am trying to change my old domain to new one and I have huge data on my website. I need to change only my domain by url rewriting.
When I request:
www.myolddomain.net/article/seo-friendly-url-for-this-article
I need to have a permanent (301) redirect to:
www.mynewdomain.com/article/seo-friendly-url-for-this-article
How ca I do this in asp.net core?

Have you considered URL Rewriting Middleware?
It's pretty simple.
Drop a IISUrlRewrite.xml file in the root of your application folder. Mark it as "Content" and "Copy to output directory" set to true, looks like this in your csproj
<ItemGroup>
<Content Include="IISUrlRewrite.xml">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
</Content>
</ItemGroup>
Add following content in the file
<rewrite>
<rules>
<rule name="Host replace - Old to new" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="www\.myolddomain\.net" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://www.mynewdomain.com{REQUEST_URI}" redirectType="Permanent" appendQueryString="true" />
</rule>
</rules>
</rewrite>
Register the URL rewrite module in the Configure method of your Startup.cs file
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
// Irrelevant code omitted
using (var iisUrlRewriteStreamReader = File.OpenText(Path.Combine(env.ContentRootPath, "IISUrlRewrite.xml")))
{
var options = new RewriteOptions().AddIISUrlRewrite(iisUrlRewriteStreamReader);
app.UseRewriter(options);
}
// Irrelevant code omitted
}

Asp.net core identity external providers only

I want my Asp.net core application to be configured to use external providers only, let's say Facebook only. In other words I don't want my users to have the ability to create an account with a password etc.
How can I modify the default Asp.net core with individual accounts template that is generated by Visual Studio to safely remove such capability of creating local user accounts?
Thanks.

I'm using the .UseRewriter() middleware to allow me to redirect to /Error for the Identity pages that don't apply to my application (I only allow Github authentication and no local registration)
public static class IisRewriterConfigurationExtensions
{
public static IApplicationBuilder UseIisRewriter(this IApplicationBuilder applicationBuilder)
{
using (var iisUrlRewriteStreamReader = File.OpenText("iis-application-route-rewrites.xml"))
{
var options = new RewriteOptions()
.AddIISUrlRewrite(iisUrlRewriteStreamReader);
applicationBuilder.UseRewriter(options);
}
return applicationBuilder;
}
}
Then I call app.UseIisRewriter(); in Startup.Configure().
My iis-application-route-rewrites.xml looks like this
<?xml version="1.0" encoding="utf-8" ?>
<rewrite>
<rules>
<rule name="Redirect from Identity Forgot Password">
<match url="^Identity/Account/ForgotPassword" />
<action type="Redirect" url="Error?id=404" redirectType="Permanent" />
</rule>
<rule name="Redirect from Identity Reset Password">
<match url="^Identity/Account/ResetPasswordConfirmation" />
<action type="Redirect" url="Error?id=404" redirectType="Permanent" />
</rule>
<!-- More rules -->
</rules>
</rewrites>
In my Login.cshtml.cs I removed all the request handlers that I no longer wanted users to have access to.

How to manage url routing in mvc4?

I’m working on url routing
I want to redirect page without change url.
When type url www.example.com/Default.aspx that time url show as same but return page Home/Index (Controller/Action)
I want to redirect page with actual url.
And second require is when type www.example.com/Default.aspx that time show url in address bar Home/Index and return this page
How to possible please describe in details.
Thank you in advance.

I think that the cleanest way of doing this is to use the URL Rewrite module in IIS. However, as you asked about doing it in MVC I'll cover that first:
To achieve 1 (when /default.aspx is requested return /home/index.
Add the following to your route table:
routes.MapRoute("HomepageDefault", "default.aspx", new { controller = "Home", action = "Index" });
To achieve 2, you need to redirect the request - easiest way to do this will be to set a route up to an actionresult, and then redirect it:
routes.MapRoute("RedirectRoute", "default.aspx", new { controller = "Home", action = "Redirect" });
And then in the ActionResult:
public ActionResult Redirect()
{
return RedirectToAction("Index", "Home");
}
The alternative is to do this with the URL Rewrite Module in IIS.
To achieve 1:
<rewrite>
<rules>
<rule name="Rewrite rule">
<match url="^default.aspx$" />
<action type="Rewrite" url="/home/index" />
</rule>
</rules>
</rewrite>
To achieve 2:
<rewrite>
<rules>
<rule name="redirect">
<match url="^default.aspx$" />
<action type="Redirect" url="/home/index" />
</rule>
</rules>
</rewrite>

NullReferenceException on Bootstraptoken (ACS authentication)

I've been following the steps to make a Windows 8 Store app get an ACS token as described here:
Does the WebAuthenticationBroker work in Windows 8 Metro App post Release Candidate
Authentication method of Windows 8 client
private async void Authenticate()
{
WebAuthenticationResult webAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync(
WebAuthenticationOptions.None,
new Uri("https://myACSnamespace.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http://localhost:12714/"),
new Uri("http://mypublicIPaddress:80/WebAppMVCAPI/api/federation/end"));
My controller on the web application is programmed as follows:
public class FederationController : ApiController
{
protected virtual string ExtractBootstrapToken()
{
return HttpContext.Current.User.BootstrapToken();
}
[HttpGet]
public string Get()
{
return "Hello Get World";
}
[HttpPost]
public HttpResponseMessage Post()
{
var response = this.Request.CreateResponse(HttpStatusCode.Redirect);
response.Headers.Add("Location", "/WebAppMVCAPI/api/federation/end?acsToken=" + ExtractBootstrapToken());
return response;
}
}
}
The idea is to have the Windows 8 store app get a token from ACS with a Facebook login. When I launch the win8 client, the application shows a Facebook login page. However, the instruction return HttpContext.Current.User.Bootstraptoken() fails with the following exception:
NullReferenceException. Object reference not set to an instance of an object.
My web.config looks like this:
<microsoft.identityModel>
<service saveBootstrapTokens="true">
<audienceUris>
<add value="http://localhost:80" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://bondsapp.accesscontrol.windows.net/v2/wsfederation" realm="http://localhost:80/" reply="http://localhost:80/" requireHttps="false" />
<cookieHandler requireSsl="false" path="/" />
</federatedAuthentication>
<issuerNameRegistry type="Microsoft.IdentityModel.Swt.SwtIssuerNameRegistry, Wif.Swt">
<trustedIssuers>
<add name="https://bondsapp.accesscontrol.windows.net/" thumbprint="xxxxx" />
</trustedIssuers>
</issuerNameRegistry>
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Swt.SwtSecurityTokenHandler, Wif.Swt" />
</securityTokenHandlers>
<issuerTokenResolver type="Microsoft.IdentityModel.Swt.SwtIssuerTokenResolver, Wif.Swt" />
</service>
Can somebody shed some light on how to use the Bootstraptoken method to get an ACS token?
Thanks
Luis

I don't believe that federated authentication sets HttpContext.User by default. Try
(Thread.CurrentPrincipal as IClaimsPrincipal).Identities[0].BootstrapToken
Assuming that you've gone through the token handler pipeline (WS-FAM) at your site, this should be populated. This will be a SecurityToken object, which you can then serialize using the proper SecurityTokenHandler class.

Did you try this :
BootstrapContext bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
SecurityToken st = bootstrapContext.SecurityToken;
Take a look on Vittorio's post:
http://blogs.msdn.com/b/vbertocci/archive/2012/11/30/using-the-bootstrapcontext-property-in-net-4-5.aspx