4

Is there a way to ignore HTTP 1.0 requests in IIS (7.0)? I don't see any reason to accept requests that are not HTTP 1.1.

Mark Richman
  • 286
  • 1
  • 5
  • 15
  • 1
    I see even less reason to *reject* HTTP/1.0. It hasn't been marked "obsolete" yet, it's still in use by simpler (non-browser) HTTP clients, and is probably even handled by the same code as HTTP/1.1 (which was explicitly designed to remain compatible with 1.0). It would be just additional work with absolutely no gain. – user1686 May 11 '12 at 16:46
  • 3
    Additionally, see [Is HTTP/1.0 still in use?](http://stackoverflow.com/questions/2073392/is-http-1-0-still-in-use) from stackoverflow – Sašo May 22 '12 at 09:27
  • @mikemaccana: No, that's a reason to reject clients which don't send the `Host` header. That's _not_ a reason to reject HTTP 1.0 clients, most of which _do_ send `Host`. – user1686 Jan 14 '15 at 10:53
  • @grawity: You're right, I misread the RFC. It says to reject **clients that identify as HTTP 1.1** but that don't send `Host`. – mikemaccana Jan 14 '15 at 11:15

1 Answers1

3

Step 1: download and install URL Rewrite.
Step 2: add the following to your web.config file, to the <system.webServer> section:

<rewrite>
    <rules>
        <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
            <match url="*" />
            <conditions>
                <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
            </conditions>
            <action type="AbortRequest" />
        </rule>
    </rules>
</rewrite>

This will refuse all HTTP 1.0 requests with a HTTP 504 error code.

Edit: after installing URL Rewrite, you can also configure rewrite rules in IIS Manager:

enter image description here

Indrek
  • 180
  • 7
  • This works perfectly! I tested using `curl -v -0 http://localhost` and it does indeed respond with an abort. – Mark Richman May 11 '12 at 21:03
  • 3
    I have tried the above re-write rule but it did not give us the desired result. HTTP 1.0 request is still getting processed and internal IP address of the server is disclosed. – HadidAli May 07 '18 at 09:02
  • The internal IP address is disclosed lower down in the stack, before it gets to URL Rewrite and Customer Error page. – JD Brennan Oct 20 '20 at 19:48
  • URL Rewrite module is very late in the HTTP request processing due to IIS architecture, so if a response is generated (usually by Windows HTTP API/http.sys) before reaching URL Rewrite module this rule won't be able to block the leak. You don't have much control on HTTP API, so the common workaround is to block HTTP 1.0 requests long before they reach Windows/IIS, such as setting up a reverse proxy of nginx in front, https://serverfault.com/questions/389132/block-http-1-0-with-nginx – Lex Li Jun 19 '22 at 04:28