Setup an Application Pool so that it is always running and preloaded with Application Initialization

This works in IIS version 7/7.5 and is a native install (through features) for IIS 8+. Once setup your Application Pool will automatically restart after recycling and compile your .NET website so the first visitor does not have to sit through compilation.

Configure the IIS Application Initialization module

NOTE: Configuration Editor is found by clicking on the Server node in IIS under the Management in the Features View.

Configuration Editor Location

Read More

Auto redirect to HTTPS and add the Strict-Transport-Security header

A simple piece of code that can be added to your web.config that in IIS 7+ with URL Rewrite installed will redirect any HTTP request to HTTPS and when HTTPS add the Strict-Transport-Security header to keep future requests HTTPS.

<system.webServer>
       <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
</system.webServer>

Read More

Enable “PUT” and “DELETE” verbs in IIS 7+

Is your newly created RESTful Service returning a 405 on your PUT and DELETE actions when running in IIS 7? If so you may need to disable WebDAV.

A quick way to check is to pop the following lines into a Web.config in the root of your application and try again.

<system.webServer>
 <modules>
  <remove name="WebDAVModule" />
 </modules>
 <handlers>
  <remove name="WebDAV" />
 </handlers>
</system.webServer>

UPDATE 2016-04-22: For those .NET users, if your server is still not responding to DELETE or PUT check to ensure that the ExtensionlessUrl-Integrated-4.0 handler is setup to handle the verbs by dropping these additional settings in your web.config

<system.webServer>
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <remove name="ExtensionlessUrl-Integrated-4.0" />
      <remove name="WebDAV" />
      <add name="ExtensionlessUrl-Integrated-4.0" path="*." 
      		verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" 
      		type="System.Web.Handlers.TransferRequestHandler" 
      		resourceType="Unspecified" requireAccess="Script" 
      		preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>

Read More

Fixing ASP.NET web.config inheritance issues for child applications

Recently while adding a WordPress powered blog as a child application to a ASP.NET 4.5 application in IIS 7.5 I ran into this error:

Unrecognized attribute ‘targetFramework’. Note that attribute names are case-sensitive

Since /blog is setup as a PHP application and I didn’t want to turn on ASP.NET support just so I could stop inheritance through a web.config file I looked for another solution. A quick Google search pulled up this result (Changing ASP.NET web.config inheritance when mixing versions of child applications). According to the article modifying the parent applications web.config taking it from this

<system.web>
 ...your system.web stuff goes here
</system.web>

to this

<location path="." inheritInChildApplications="false">
   <system.web>
    ...your system.web stuff goes here
   </system.web>
</location>

fixes my problem. Great stuff!

Read More

Force PDFs to download in IIS 7+

Recently I received a request from a client where they wished to have all PDFs download directly as attachments instead of opening up on an installed viewer on the visitors machine. I instantly started racking my brain as to a quick and simple way to accomplish this.

I remembered reading there was a way to specify how a file downloads directly in an anchor tag in HTML5 (here) but being HTML5 isn’t 100% yet I decided that wasn’t the best way. Being the site was built on the ASP.NET MVC Framework I instantly started going through the quick exercise of creating a controller action that would receive a file name and serve it out through a file result. Knowing this method is wrought with security concerns I locked down the directory where files were pulled from so no matter what was requested the code would only ever look in a single folder on the server.

This method wasn’t ideal but it was quick and it was done. I then start the task of updating all links to point to my newly created action instead of the direct linking to a PDF. After the second change I was already in pain and knew that there must be a better way.

Then I remembered we had the URL Rewriting Module installed for IIS which I had previously used for redirecting all HTTP requests to HTTPS, maybe I could use that for outbound requests as well. A quick Google search later returned this beauty:

<rewrite>
<outboundRules>
<rule name="Forcing Download for PDFs" preCondition="IsPDF">
<match serverVariable="RESPONSE_Content-Disposition" pattern=".*" />
<conditions>
<add input="{REQUEST_FILENAME}" pattern="(.*)\([^/]+).pdf$" />
</conditions>
<action type="Rewrite" value="attachment; filename={C:2}.pdf" />
</rule>
<preConditions>
<preCondition name="IsPDF">
<add input="{REQUEST_FILENAME}" pattern=".pdf$" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>

When added to the sites web.config file in between the <system.webServer> tags, IIS 7 (requires URL Rewriter Module) will modify all outbound requests that have: a Content-Disposition header and match a requested file of (.*)\([^/]+).pdf$ and append the appropriate header tag attachment; filename={C:2}.pdf to get the file to download instead of opening up directly in an installed viewer.

Read More