9

I have a subdirectory in my ASP.NET project that contains utility files. They're needed by the code at run time, but I don't want them to be visible over the web.

What is the syntax in a Web.config file to block access to all users to a single subdirectory and all its contents?

Joel Spolsky

4 Answers

16

IIS 7 has a new "request filtering" feature. You probably want to use the hidden segments configuration:

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="BIN"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

This causes http://yoursite/bin to not be servable (but http://yoursite/binary still works).

Check out: http://learn.iis.net/page.aspx/143/how-to-use-request-filtering

MattB
  • 2
    But this will also block http://yoursite/bla/bin/test .... :-( – Carsten Schütte Jul 07 '13 at 12:19
  • Not an answer to the question but also useful for the topic at hand. You can use HttpHandlers to block specific file extensions you want as well. This is good practice to do as well, e.g. block any source/database files etc. – rollsch Mar 12 '17 at 05:41
1

Your problem is that if IIS simply returns the files, ASP.NET will never get a chance to interfere. I believe it can be done by enabling forms-based authentication and considerable messing around, but I would simply move the files outside the wwwroot folder.

JR

John Rennie
0

MattB's solution will work, but if you have the same folder name in other subdirectories, those subdirectories will not work.
You could try the following.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Make sure this directory cannot be served. -->
  <location path="Plugins"> <!-- Change this to your path -->
    <system.webServer>
      <handlers>
        <add name="DisallowServe" path="*.*" verb="*" type="System.Web.HttpNotFoundHandler" /> <!-- Return 404 instead of 403 -->
      </handlers>
    </system.webServer>
  </location>
</configuration>
Ryan Teh
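
The scoping difference between MattB's hiddenSegments rule and the location-scoped handler above, as an added example that is not part of any answer: a simplified Python model (not IIS's own matching logic) that reads a constructed Web.config and reports which rule would refuse each URL. The helper names, the sample config and the `yoursite` URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed Web.config: both answers' rules applied to one folder, "Plugins".
WEB_CONFIG = """<configuration>
  <system.webServer><security><requestFiltering><hiddenSegments>
    <add segment="Plugins"/>
  </hiddenSegments></requestFiltering></security></system.webServer>
  <location path="Plugins">
    <system.webServer><handlers>
      <add name="DisallowServe" path="*.*" verb="*"
           type="System.Web.HttpNotFoundHandler"/>
    </handlers></system.webServer>
  </location>
</configuration>"""


def load_rules(config_xml):
    """Return (hidden segments, location paths mapped to the 404 handler)."""
    root = ET.fromstring(config_xml)
    hidden = {add.get("segment", "").lower()
              for hs in root.iter("hiddenSegments") for add in hs.findall("add")}
    locations = [loc.get("path", "").strip("/").lower().split("/")
                 for loc in root.iter("location")
                 if any(a.get("type") == "System.Web.HttpNotFoundHandler"
                        for a in loc.iter("add"))]
    return hidden, locations


def blocked_by(url, hidden, locations):
    """Simplified model: name the rules that would refuse this URL."""
    segs = [s.lower() for s in urlsplit(url).path.split("/") if s]
    rules = []
    # hiddenSegments compares whole segments at any depth, so "binary"-style
    # names pass but a same-named folder elsewhere in the tree is refused.
    if any(s in hidden for s in segs):
        rules.append("hiddenSegments")
    # <location path> is taken relative to the folder holding Web.config,
    # assumed here to be the site root; the handler's path="*.*" is not modelled.
    if any(segs[:len(loc)] == loc for loc in locations):
        rules.append("location")
    return rules


def report(urls, config_xml=WEB_CONFIG):
    """Map each URL to the list of rules that block it ([] means served)."""
    hidden, locations = load_rules(config_xml)
    return {u: blocked_by(u, hidden, locations) for u in urls}
```

Passing `report()` a URL such as `http://yoursite/bla/Plugins/test.txt` returns only `hiddenSegments`, which is the over-blocking case raised in the comment on MattB's answer.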
0

This should work:

<configuration>
  <location path="FolderName">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
John Rasch
  • 2
    That doesn't work because the files are .txt files... I think John Rennie is right that ASP.NET doesn't get a chance to interfere with .txt files. – Joel Spolsky Jul 08 '09 at 17:08
  • That's good to know, I've always exclusively kept files served through ASP.NET's handlers in my directories accessible via the web so I never ran into this problem. – John Rasch Jul 08 '09 at 19:31