So I have this configuration block, and I'm particularly looking to block URLs.

<security>
  <requestFiltering allowDoubleEscaping="true">
    <filteringRules>
      <filteringRule name="testrule" scanUrl="false" scanQueryString="false">
        <scanHeaders>
          <clear />
          <add requestHeader="User-agent" />
        </scanHeaders>
        <denyStrings>
          <clear />
          <!-- MY QUESTION IS ABOUT THIS BLOCK -->
        </denyStrings>
        <appliesTo>
          <clear />
        </appliesTo>
      </filteringRule>
    </filteringRules>
  </requestFiltering>
</security>

When I add this line to the <denyStrings> section, where I escape the . character:

<add string="yacy\.net" />

User-Agent: yacy.net still works.

With this line:

<add string="yacy.net" />

User-Agent: yacy.net is blocked, but so are yacy.net1 and 2yacy.net1.

My question: How can I block exact match strings only? Instead of partial matches, like it is doing now. I can't find anything on this in the Microsoft docs and apparently I'm not the only one.

Related to this: When looking at blocking through a .htaccess file I normally have to escape spaces, . and underscores, but apparently escaping is not needed under IIS?

Adam
  • Instead of that, create a URL Rewrite rule and abort the connection if hit. – Lex Li Apr 11 '19 at 18:47
  • Had a discussion here about that: https://stackoverflow.com/questions/55609110/iis-htaccess-rule-converter-only-importing-1-rule/55613470?noredirect=1#comment97962106_55613470. I rather want to block the request earlier than a rewrite rule would do. Can you help me with the requestfiltering question? – Adam Apr 11 '19 at 18:51
  • I rather comment it this way. All IIS features come with limitations, and you just wanted request filtering to do something it cannot. However, URL Rewrite rules have access to all parts of your incoming requests, so that they can work better with your requirements. – Lex Li Apr 11 '19 at 18:53
  • Ah I see, thanks! I went for the other option, but running into an issue, can you help? https://stackoverflow.com/questions/55639910/iis-url-rewrite-the-expression-contains-an-escape-sequence-that-is-not-valid – Adam Apr 11 '19 at 19:32
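
The URL Rewrite approach suggested in the comments, as an added example that is not part of the original thread: a rule that aborts the request only when the whole User-Agent value is yacy.net. It assumes the URL Rewrite module is installed; the rule name is hypothetical.

```xml
<system.webServer>
  <rewrite>
    <rules>
      <!-- Hypothetical rule name. Requires the IIS URL Rewrite module. -->
      <rule name="BlockExactUserAgent" stopProcessing="true">
        <!-- Apply to every URL; the decision is made on the header below. -->
        <match url=".*" />
        <conditions>
          <!--
            The pattern is a regular expression here, so the dot is escaped
            and ^ ... $ anchor the match to the entire header value.
            "yacy.net" matches; "yacy.net1" and "2yacy.net1" do not.
            This differs from <denyStrings>, where the question shows the
            string being matched literally as a substring.
          -->
          <add input="{HTTP_USER_AGENT}" pattern="^yacy\.net$" ignoreCase="true" />
        </conditions>
        <!-- Drop the connection without sending a response. -->
        <action type="AbortRequest" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```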

0 Answers