Skip to main content

Install and verify IIS HttpModules with custom config sections

A week ago I started to learn about HttpModules and HttpHandlers watching a pluralsight course by Robert Boedigheimer. First of all I want to really recommend this course, I learned a lot of stuff which I could not find in any other course, book or blog post.

As I already did in the past with another course, I want to add some comments and extend the HttpModule part. I refer to the course example with the serverMaskModuleGAC.

I walked into some trap doors and thereby I found another approach to simplify the installation process of the module to GAC a little bit. With this approach I am able to verify my custom config sections and module registration is correct.

Here is my approach:

1. When you have finished your implementation for serverMaskModule, install it in the GAC as usual by using the gacutil tool. By the way, there are some traps when you need to install it on Windows Server 2012. Here I am using Windows 8.1 64 Bit. I created my HttpModule with .NET 2.0 because it seems to be more compatible with different IIS and Windows versions. On Windows Server 2012 I was not able to install it with .NET version 4.5.

2. Copy your custom config section schema into the folder C:\Windows\System32\inetsrv\config\schema

3. Add the custom config section in applicationHost.config

4. Register your module by using IIS Manager. Click on the server node, and choose Modules:

5. Click "Add Managed Module"

6. Click again on the server node and choose Configuration Editor

7. Choose the serverMaskedModule section

8. For testing purposes choose another value for header filter (In my implementation I have changed the parameter name from "name="serverMaskModuleGACHeaders" to "headerFilter"):

As long as the value is shown in normal print, it is the default value coming from the custom config section. When you change the value it will be bold printed, IIS Manager will add the config section in the applicationHost.config file.

9. If you did not get any error messages so far you can start sending your first test requests to verify the module is working and filtering the headers you have chosen in the in the serverMaskModule section.

The advantage of this approach is you can test and verify, that module registration and your custom config is validated. E.g. when you have a spelling mistake in your config section you will get an error messages like this:


Popular posts from this blog

How to delete Azure Active-Directories

When I was trying to delete an Azure Active-irectory by using the management portal I have received the error message “Directory contains one or more applications that were added by a user or administrator” and I was really confused.

Then I found out this is a common issue. The solution was even more confusing, some PowerShell cmdlets are needed. Unfortunately I was not able to proceed, it was not possible to login with my Microsoft-ID to execute the needed commands.

Here I found out I have to install the correct version of the tools. These are located here.

Did you ever think about two-step verification to increase your password security?

My feeling is that two-step verification is still not very common, although a lot of services are listing this feature. Here you will find them:
Facebook Google Microsoft Twitter Evernote Dropbox Apple (currently just available in U.S., UK, Australia, Ireland, and New Zealand) Helpful apps are e.g. Google Authenticator or Authy.
Updated my list on 27.02.2014 with some more services Buffer Yahoo! Apple added, Canada, France, Germany, Italy, Japan, Spain Updated my list on 10.03.2014 with one more Hootsuite Updated my list on 26.03.2014 tumblr Updated my list on 02.04.2014 APP.NET LinkedIn

Have you ever reconsidered your personal iPhone security policy?

Why should I reconsider my iPhone security policy? I have my iPhone four digit pass code and Find my iPhone feature feature is activated. So how should abuse be possible? What could a thief be doing with my stolen iPhone? Well, possibly quite a lot. At least the bold print bullets in this article should be mandatory for everyone. Of course this is no guarantee for invulnerability but it will improve your security. After watching this video you should consider the following actions:
Change your Apple ID rescue mail address and do not add this mail account to your iPhone.Consider to use a proper and usable password policy for your Apple ID like this or this (German article).Consider a complex pass code for your iPhone. As you can see in the video four digit pass codes can be hacked in no time on iPhone 4. For newer iPhone a leak is not yet known but it is properly there. Definitely do not use these pass codes.Alternative to point three: activate delete iPhone after 10 wrong attempts (Go …