fwest98 / hsts-iis-module Goto Github PK

Hi Floris,

1: Thank you for taking over this project - we've found it extremely useful

2: I'm running into an issue using the msi installer to get things installed and working. The msi runs perfectly. But when I go to IIS and attempt to configure things, the IIS Magager crashes.

My machine has IIS 8.5.9600.16384 on it.

Windows event log has the following (let me know if I can be more helpful):

IISMANAGER_CRASH

IIS Manager terminated unexpectedly.

Exception:System.InvalidCastException: Specified cast is not valid.
at HSTS_IIS_Module.Manager.ConfigSection.get_MaxAge()
at HSTS_IIS_Module.Manager.ConfigScreen.Initialise(String siteName)
at HSTS_IIS_Module.Manager.ConfigModulePage.OnActivated(Boolean initialActivation)
at Microsoft.Web.Management.Client.Win32.ModulePage.Microsoft.Web.Management.Client.IModulePage.OnActivated(Boolean initialActivation)
at Microsoft.Web.Management.Host.UserInterface.ManagementFrame.SetActivePage(ModulePage modulePage, Boolean showInHierarchyMode)
at Microsoft.Web.Management.Client.NavigationEventHandler.Invoke(Object sender, NavigationEventArgs e)
at Microsoft.Web.Management.Host.NavigationService.OnNavigationPerformed(NavigationEventArgs e)
at Microsoft.Web.Management.Host.NavigationService.NavigateToIndex(Int32 index, Boolean isNew)
at Microsoft.Web.Management.Host.NavigationService.NavigateToItem(NavigationItem newItem, Boolean isNew)
at Microsoft.Web.Management.Host.NavigationService.Microsoft.Web.Management.Client.INavigationService.Navigate(Connection connection, ManagementConfigurationPath configurationPath, Type pageType, Object navigationData)
at Microsoft.Web.Management.Client.Win32.ModulePage.Navigate(Type pageType, Object navigationData)
at Microsoft.Web.Management.Client.Win32.ModulePage.Navigate(Type pageType)
at Microsoft.Web.Management.Host.UserInterface.Homepage.OnListViewItemActivate(Object sender, EventArgs e)
at System.Windows.Forms.ListView.OnItemActivate(EventArgs e)
at System.Windows.Forms.ListView.WmReflectNotify(Message& m)
at System.Windows.Forms.ListView.WndProc(Message& m)
at Microsoft.Web.Management.Client.Win32.ListPageListView.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Process:InetMgr

I installed this module into a fresh install of IIS 10 (Server 2016), but the HSTS header is never being sent. How can I troubleshoot this?

https://github.com/FWest98/hsts-iis-module/blob/develop/module/HSTSIisModule.cpp#L164 This is not a proper use of SysAllocStringLen. The length passed in should not be longer than the string passed in.

If strIn is not NULL, then the memory allocated to strIn must be at least ui characters long.
Source: https://docs.microsoft.com/en-us/windows/desktop/api/oleauto/nf-oleauto-sysallocstringlen

More Info: https://docs.microsoft.com/en-us/previous-versions/5c28xhds(v=vs.80)

I've tried to install HSTS IIS Module with latest release MSI, but i does'nt install because of the error shown in the attached picture. System is Windows 2012 R2.
Thanks for help/hints.

The installer tries to locate in the global <module> section but IIS defines it's modules in
<location path="" overrideMode="Allow"> <system.webServer>

I added a dummy <module> tag in the global section, ran the installer and moved the <add ... stuff to the <Location ...> <system.webServer> section.

I use IIS7.5 installed HSTS_IIS_Module_2.3.0.msi, restart the IIS website will be reported 503 "HTTP Error 503. The service is unavailable.", Uninstalled after the return to normal. After installing "HSTS_IIS_Module_2.3.0.msi" again, check the "HstsIisModule.dll" file in the% windir% \ System32 \ inetsrv \ directory does not exist, which step is my operation missed? Thank you!

When managing a remote machine via Remote Management in IIS Manager, opening the HSTS panel causes IIS to crash. Most likely because of the way of retrieving the settings from the config file, it tries to open a config file on the local machine, which is not the right way of doing it.

As described on CodePlex, the module does not work with 32 bit application pools.

The end-users see an error:

HTTP Error 503. The service is unavailable.

Plus there are several event log entries:

• The Module DLL C:\Windows\System32\inetsrv\HstsIisModule.dll failed to load. The data is the error.
• Application pool 'wiki.blabla.com' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
• A listener channel for protocol 'http' in worker process '7084' serving application pool 'wiki.blabla.com' reported a listener channel failure. The data field contains the error number.

Even explicitely removing the HstsIisModule from the 32 bit web application did not improve anything.

This is a show-stopper for me. I had to deinstall.

Please fix this issue.

A workaround might be to add "preCondition="bitness64"", although I have not tried this yet.

Update 1

I made it working with the above pre-condition fix:

This worked by adding "preCondition="bitness64"" to both module entries in applicationHost.config:

• <add name="HstsIisModule" preCondition="bitness64" /> in the <modules> section
• <add name="HstsIisModule" image="%windir%\System32\inetsrv\HstsIisModule.dll" preCondition="bitness64"/> in the <globalModues> section.

Please note that this will only work if your SSL websites are 64 bit websites since my workaround turns off this module for 32 bit websites.

Hi Shane -

I don't know if you're interested in this or not, so I'll submit an issue and get your feedback. Is there a reason why you've chosen to leave the documentation for this repository over at CodePlex? I would love to make a contribution by migrating it over to GitHub if you'd be interested in that. But I don't want to spend the time if you've chosen to leave it over there for a reason, if that makes sense.

Following the manual instructions for installing the module and the manager, I found a few typo mistakes that I would be willing to help correct during the migration.

Please let me know if this is something you're interested in receiving a PR on. Thanks!

Andrew

I am getting a crash using the latest version (2.2.0) on both a 2012R2 server as well as a 2016 server.
It seems identical to #3 however it is crashing 64bit application pools for me. Swapping the pools to 32 bit does nothing to alleviate the issue.

Anything I can offer to help troubleshoot this issue?

Hi I have installed hsts-iis-module using the MSI but it's not appearing in IIS is there some prerequisite that I'm missing?
thanks

Please include the preload option so that I can request submission into the following Chrome & IE HSTS list:

https://hstspreload.appspot.com/

Windows Core servers have no GUI. Remote administration seems to be broken per #9, but would never be the preferred way to administer an IIS on Windows Core.

How can we enable the module / change settings with Powershell (or cmd.exe)?

Well, I've used this extension for less than one day.

After 4 hours running my web server runs out of memory ;)

You allocated memory and never freed it later.

In two places here:
https://github.com/AllTheDucks/hsts-iis-module/blob/d18839e99474478bf63666109e6255099092b959/module/src/module/cpp/HstsIisModule.cpp#L120
https://github.com/AllTheDucks/hsts-iis-module/blob/d18839e99474478bf63666109e6255099092b959/module/src/module/cpp/HstsIisModule.cpp#L125

TBH, I'm not sure why you alloc and free this strings on every request since they are constants.
Can't you just move it to some kind of initialization and alloc and free it once?

Besides that, I think you may have another leak here:
https://github.com/AllTheDucks/hsts-iis-module/blob/d18839e99474478bf63666109e6255099092b959/module/src/module/cpp/HstsIisModule.cpp#L277

You may need to add a call to cleanup before return.

Something like this:

pHttpResponse->Redirect(url, true, false);
cleanup();
return RQ_NOTIFICATION_FINISH_REQUEST;

I did not analyze all the source, I just gave a quick peek.

This module needs a major overhaul to the configuration loading procedure. The module loads from the configuration system every time a request comes in which is a very expensive operation. Module should be updated to take advantage of ModuleContexts to act as a cache for configuration settings. See the following blogpost for discussion of this: http://www.ksingla.net/2008/12/using-imetadatainfogetmodulecontextcontainer-to-store-configuration-data/

To give an idea of the performance impact the attached file shows two very simple load tests which runs against the File->New Sample of an ASP.NET MVC application. The load test has 50 users hitting the pages for 2 minutes. The module isn't even enabled, so its purely the check for the enabled flag which is consuming the time. In the image, the 1st circle represents with the module, the 2nd circle represents removing the module from the section of the site.