发表新帖
发表新帖

Removing Unused HTTP Handlers for Better Performance & Security

前端 未结
关注
2 1036
走了就别回头了
走了就别回头了 2021-02-03 11:08

Where can I get a list of what all of the default IIS HTTP handlers do? I need documentation!! I have read a few blogs which recommend removing dozens of unused HTTP handlers fo

相关标签:
2条回答
  • 遇见更好的自我
    2021-02-03 11:35

    If you really want a minimal set of handler mappings, I suggest you start clean, in your web.config remove all handlers and just use the StaticFile one:

    <system.webServer>
    <handlers>
        <clear />
         <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
</system.webServer>

    Now add all the handlers you need back in, just for the bitness and mode you're running in.

    For a basic MVC project it may be enough to add

      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />

    What do all the handlers do?

    I couldn't find any documentation either, so here's my attempt:

    The handler mappings are defined in %SystemRoot%\System32\inetsrv\config\applicationHost.config - system.webServer/handlers

    In my case there were 87 mappings.

    50 of them are modules="IsapiModule" scriptProcessor="...aspnet_isapi.dll" for ASP.NET. These cover all the various asp.net extentions and may exist for CLR versions 2.0 and 4.0 and for 32bit and 64bit. Most of them are for Classic Mode.

    They usually handle the following extensions: 

     *.       = ExtensionlessUrlHandler-ISAPI
 *.ashx   = SimpleHandlerFactory-ISAPI
 *.asmx   = WebServiceHandlerFactory-ISAPI
 *.aspq   = aspq-ISAPI
 *.aspx   = PageHandlerFactory
 *.axd    = AXD-ISAPI
 *.cshtm  = cshtm-ISAPI
 *.cshtml = cshtml-ISAPI
 *.rem    = HttpRemotingHandlerFactory-rem-ISAPI
 *.rules  = rules-ISAPI
 *.soap   = HttpRemotingHandlerFactory-soap
 *.svc    = svc-ISAPI
 *.vbhtm  = vbhtm-ISAPI
 *.vbhtml = vbhtml-ISAPI
 *.xamlx  = xamlx-ISAPI
 *.xoml   = xoml-ISAPI

    If your project doesn't use certain extensions, you may remove these handlers.

    Most handler mappings have a preCondition like apply in 32bit ApplicationPools, or when in Classic Mode. If you only ever run 64Big integrated mode, you can remove all classic mode and 32bit handler mappings.

    If we look at *.cshtml for a Razor view file, you will find three mappings, two for ClassicMode in 32/64 bit which point to the ASP.NET ISAPI modules, but the third applies only in integrated mode and maps to HttpForbiddenHandler, because the MVC routing works differently in Integrated Mode and you never want to allow access to view files directly.

    There may be IsapiModules for classic asp or CGI, like the ASP.NET mapping there are there to handle the requests for files with certain extensions.

    The second biggest group are the type="System. handlers, lets look at them:

    System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory

    Handles *.rem and *.soap files in integrated mode. Can be removed if you are not using remoting.

    System.ServiceModel.Activation.HttpHandler, System.ServiceModel.Activation

    Handles certain WCF requests with *.rules,*.xoml,*.svc extensions.

    System.Web.Handlers.AssemblyResourceLoader

    Handles WebResource.axd requests, these may be used in WebForms, but usually not in MVC projects.

    System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions

    For handling ScriptResource.axd which provides JavaScript and CSS resources in WebForms.

    System.Web.Handlers.TraceHandler

    Handler for trace.axd to display ASP.NET trace information. On a production site, you want to remove this handler.

    System.Web.Handlers.TransferRequestHandler

    Used to handle extensionless requests in integrated mode. This forwards the request to the routing engine to decide how to handle these requests. More Info

    System.Web.Handlers.WebAdminHandler

    Handles WebAdmin.axd to display the ASP.NET Website Administration Toolkit, you can remove this if you don't use that builtin feature.

    System.Web.HttpForbiddenHandler

    Allows us to prevent access to any files with certain extensions. However it returns a 500 HTTP status and actually throws a System.Web.HttpException exception on the server. In my opinion there are better ways to blog certain extensions such as IIS Request Filtering.

    System.Web.HttpMethodNotAllowedHandler

    I think this one is no longer used in modern IIS, it returns a 405 HTTP status and also throws and HttpException

    System.Web.HttpNotFoundHandler

    Also, not longer in my current configuration. It throws a 404 HTTP exception.

    System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions

    Handles *.asmx and *_AppService.axd to support Web service calls via Ajax.

    System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services

    Also handles *.asmx web service requests in integrated mode for DOT.NET 2

    System.Web.StaticFileHandler

    Returns a static file, no longer used?

    System.Web.UI.PageHandlerFactory

    Handles ASP.NET WebForm pages .aspx in integrated mode.

    System.Web.UI.SimpleHandlerFactory

    Handles ASP.NET custom handlers .ashx in integrated mode.

    System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting

    Handles Windows Workflow Foundation services .xamlx in integrated mode.

    more handlers:

    modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"

    This is usually the very last mapping to handle any requests that has not been handled by any of the previous handles path="*" verb="*". It actually uses three different modules. The StaticFileMode one looks for a physical file matching the requested URL, if not found, the DefaultDocumentModule looks for a default document in the same folder as the requested URL and if that is also not found, the DirectoryListingModule may display the content of the directory if enabled.

    modules="ProtocolSupportModule"

    This handles all requests for the HTTP verbs TRACE and OPTIONS, if you remove this mapping, all trace and options request will return a "405 Method not allowed"

    0 讨论(0)
  • 自闭症患者
    2021-02-03 11:39

    Answer to this:

    Where can I get a list of that all of the default IIS HTTP handlers do?

    Open IIS, CMD-->inetmgr, then click handler mappings, see below screenshot.

    enter image description here

    Click that, it will show you all default enabled HTTP handlers for that web server.

    enter image description here

    Note: When you select a virtual directory and then do this process, i.e. click handler mappings, and remove one of mapping, it will add that line in web.config.

    E.g. I have removed aspq-ISAPI-4.0_64bit, so it has changed web.config for that virtual directory, i.e. it has added following line to web.config.

    <remove name="aspq-ISAPI-4.0_64bit" /> under system.webServer\handlers.

    Update : This handlers are invoked when particular file type request come, until then it sits idle. So there won't be any performance issue for these handlers.

    Example, that you have removing handler for *.axd will improve security, my answer to this, some DLL might need those files for rendering js and css, and if you remove that, it will not work. E.g. - HTTP Handler cannot find axd file in nested web application folder: Telerik RadScriptManager cannot find WebResource.axd in ~/admin/ folder

    0 讨论(0)
 看不清?
提交回复
热议问题