fwest98 / hsts-iis-module
IIS module for configuring and injecting the HSTS into IIS sites.
Hi Floris,
1: Thank you for taking over this project - we've found it extremely useful
2: I'm running into an issue using the msi installer to get things installed and working. The msi runs perfectly. But when I go to IIS and attempt to configure things, the IIS Manager crashes.
My machine has IIS 8.5.9600.16384 on it.
Windows event log has the following (let me know if I can be more helpful):
IISMANAGER_CRASH
IIS Manager terminated unexpectedly.
Exception:System.InvalidCastException: Specified cast is not valid.
at HSTS_IIS_Module.Manager.ConfigSection.get_MaxAge()
at HSTS_IIS_Module.Manager.ConfigScreen.Initialise(String siteName)
at HSTS_IIS_Module.Manager.ConfigModulePage.OnActivated(Boolean initialActivation)
at Microsoft.Web.Management.Client.Win32.ModulePage.Microsoft.Web.Management.Client.IModulePage.OnActivated(Boolean initialActivation)
at Microsoft.Web.Management.Host.UserInterface.ManagementFrame.SetActivePage(ModulePage modulePage, Boolean showInHierarchyMode)
at Microsoft.Web.Management.Client.NavigationEventHandler.Invoke(Object sender, NavigationEventArgs e)
at Microsoft.Web.Management.Host.NavigationService.OnNavigationPerformed(NavigationEventArgs e)
at Microsoft.Web.Management.Host.NavigationService.NavigateToIndex(Int32 index, Boolean isNew)
at Microsoft.Web.Management.Host.NavigationService.NavigateToItem(NavigationItem newItem, Boolean isNew)
at Microsoft.Web.Management.Host.NavigationService.Microsoft.Web.Management.Client.INavigationService.Navigate(Connection connection, ManagementConfigurationPath configurationPath, Type pageType, Object navigationData)
at Microsoft.Web.Management.Client.Win32.ModulePage.Navigate(Type pageType, Object navigationData)
at Microsoft.Web.Management.Client.Win32.ModulePage.Navigate(Type pageType)
at Microsoft.Web.Management.Host.UserInterface.Homepage.OnListViewItemActivate(Object sender, EventArgs e)
at System.Windows.Forms.ListView.OnItemActivate(EventArgs e)
at System.Windows.Forms.ListView.WmReflectNotify(Message& m)
at System.Windows.Forms.ListView.WndProc(Message& m)
at Microsoft.Web.Management.Client.Win32.ListPageListView.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
Process:InetMgr
I installed this module into a fresh install of IIS 10 (Server 2016), but the HSTS header is never being sent. How can I troubleshoot this?
https://github.com/FWest98/hsts-iis-module/blob/develop/module/HSTSIisModule.cpp#L164 This is not a proper use of SysAllocStringLen. The length passed in should not be longer than the string passed in.
If strIn is not NULL, then the memory allocated to strIn must be at least ui characters long.
Source: https://docs.microsoft.com/en-us/windows/desktop/api/oleauto/nf-oleauto-sysallocstringlen
More Info: https://docs.microsoft.com/en-us/previous-versions/5c28xhds(v=vs.80)
The installer tries to locate in the global <module> section but IIS defines its modules in <location path="" overrideMode="Allow"> <system.webServer>
I added a dummy <module> tag in the global section, ran the installer and moved the <add ... stuff to the <Location ...> <system.webServer> section.
I use IIS 7.5 and installed HSTS_IIS_Module_2.3.0.msi. After restarting IIS, the website reports 503 "HTTP Error 503. The service is unavailable." After uninstalling, it returned to normal. After installing "HSTS_IIS_Module_2.3.0.msi" again, I checked and the "HstsIisModule.dll" file does not exist in the %windir%\System32\inetsrv\ directory. Which step did I miss? Thank you!
When managing a remote machine via Remote Management in IIS Manager, opening the HSTS panel causes IIS to crash. Most likely because of the way of retrieving the settings from the config file, it tries to open a config file on the local machine, which is not the right way of doing it.
As described on CodePlex, the module does not work with 32 bit application pools.
The end-users see an error:
HTTP Error 503. The service is unavailable.
Plus there are several event log entries:
Even explicitly removing the HstsIisModule from the 32 bit web application did not improve anything.
This is a show-stopper for me. I had to deinstall.
Please fix this issue.
A workaround might be to add preCondition="bitness64", although I have not tried this yet.
Update 1
I got it working with the above pre-condition fix:
This worked by adding preCondition="bitness64" to both module entries in applicationHost.config:
<add name="HstsIisModule" preCondition="bitness64" /> in the <modules> section
<add name="HstsIisModule" image="%windir%\System32\inetsrv\HstsIisModule.dll" preCondition="bitness64"/> in the <globalModules> section.
Please note that this will only work if your SSL websites are 64 bit websites since my workaround turns off this module for 32 bit websites.
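An added example, not part of the original issue or the project's code: an offline audit of a copy of applicationHost.config that lists application pools running 32-bit and flags HstsIisModule entries lacking the bitness64 precondition described above. It searches the whole tree because, as an earlier report notes, `<modules>` may sit under `<location path="">`. The sample configuration is constructed, and `audit` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not a real server's applicationHost.config.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyPool" enable32BitAppOnWin64="true" />
    </applicationPools>
  </system.applicationHost>
  <system.webServer>
    <globalModules>
      <add name="HstsIisModule" image="%windir%\System32\inetsrv\HstsIisModule.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HstsIisModule" preCondition="bitness64" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""


def audit(config_xml, module="HstsIisModule"):
    """Return (names of 32-bit app pools, findings about the module's entries)."""
    root = ET.fromstring(config_xml)
    # Pools without their own enable32BitAppOnWin64 inherit applicationPoolDefaults.
    defaults = root.find(".//applicationPools/applicationPoolDefaults")
    inherited = defaults.get("enable32BitAppOnWin64", "false") if defaults is not None else "false"
    pools32 = [p.get("name") for p in root.findall(".//applicationPools/add")
               if p.get("enable32BitAppOnWin64", inherited).lower() == "true"]
    findings = []
    # <modules> may sit under <location path="">, so search the whole tree.
    for section in ("globalModules", "modules"):
        entries = [e for e in root.findall(f".//{section}/add") if e.get("name") == module]
        if not entries:
            findings.append(f"{section}: no {module} entry")
        for e in entries:
            conditions = [c.strip() for c in e.get("preCondition", "").split(",")]
            if "bitness64" not in conditions:
                findings.append(f"{section}: {module} lacks preCondition bitness64")
    return pools32, findings


if __name__ == "__main__":
    pools32, findings = audit(SAMPLE_CONFIG)
    print("32-bit pools:", pools32)
    for finding in findings:
        print("finding:", finding)
```

A non-empty list of 32-bit pools together with any "lacks preCondition" finding is the combination the report above associates with the 503 errors.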
Hi Shane -
I don't know if you're interested in this or not, so I'll submit an issue and get your feedback. Is there a reason why you've chosen to leave the documentation for this repository over at CodePlex? I would love to make a contribution by migrating it over to GitHub if you'd be interested in that. But I don't want to spend the time if you've chosen to leave it over there for a reason, if that makes sense.
Following the manual instructions for installing the module and the manager, I found a few typo mistakes that I would be willing to help correct during the migration.
Please let me know if this is something you're interested in receiving a PR on. Thanks!
Andrew
I am getting a crash using the latest version (2.2.0) on both a 2012R2 server as well as a 2016 server.
It seems identical to #3 however it is crashing 64bit application pools for me. Swapping the pools to 32 bit does nothing to alleviate the issue.
Anything I can offer to help troubleshoot this issue?
Hi, I have installed hsts-iis-module using the MSI but it's not appearing in IIS. Is there some prerequisite that I'm missing?
thanks
Please include the preload option so that I can request submission into the following Chrome & IE HSTS list:
Windows Core servers have no GUI. Remote administration seems to be broken per #9, but would never be the preferred way to administer an IIS on Windows Core.
How can we enable the module / change settings with PowerShell (or cmd.exe)?
Well, I've used this extension for less than one day.
After 4 hours running my web server runs out of memory ;)
You allocated memory and never freed it later.
In two places here:
https://github.com/AllTheDucks/hsts-iis-module/blob/d18839e99474478bf63666109e6255099092b959/module/src/module/cpp/HstsIisModule.cpp#L120
https://github.com/AllTheDucks/hsts-iis-module/blob/d18839e99474478bf63666109e6255099092b959/module/src/module/cpp/HstsIisModule.cpp#L125
TBH, I'm not sure why you alloc and free these strings on every request since they are constants.
Can't you just move it to some kind of initialization and alloc and free it once?
Besides that, I think you may have another leak here:
https://github.com/AllTheDucks/hsts-iis-module/blob/d18839e99474478bf63666109e6255099092b959/module/src/module/cpp/HstsIisModule.cpp#L277
You may need to add a call to cleanup before return.
Something like this:
pHttpResponse->Redirect(url, true, false);
cleanup();
return RQ_NOTIFICATION_FINISH_REQUEST;
I did not analyze all the source, I just gave a quick peek.
This module needs a major overhaul to the configuration loading procedure. The module loads from the configuration system every time a request comes in which is a very expensive operation. Module should be updated to take advantage of ModuleContexts to act as a cache for configuration settings. See the following blogpost for discussion of this: http://www.ksingla.net/2008/12/using-imetadatainfogetmodulecontextcontainer-to-store-configuration-data/
To give an idea of the performance impact the attached file shows two very simple load tests which run against the File->New Sample of an ASP.NET MVC application. The load test has 50 users hitting the pages for 2 minutes. The module isn't even enabled, so it's purely the check for the enabled flag which is consuming the time. In the image, the 1st circle represents with the module, the 2nd circle represents removing the module from the section of the site.