Apache Server Administration – Response Headers

For security reasons, the amount of system information disclosed to the outside world should be kept to a minimum. By default, however, an Apache server and the sites on it include server-related details in the response headers of every page, for example the Server and X-AspNet-Version fields, so some configuration is needed to change or remove these values and reduce the risk.

mod_headers
This is one of Apache's bundled modules and can be used to set response headers. It is not enabled by default, and no default configuration file is provided for it.

First, create a configuration file in /etc/apache2/mods-available/

cd /etc/apache2/mods-available/
sudo nano headers.conf

Add the following content and save the file

<IfModule mod_headers.c>
Header unset X-AspNet-Version
Header unset X-AspNetMvc-Version
Header unset X-Powered-By
</IfModule>

Enable the module and restart Apache

sudo a2enmod headers
sudo service apache2 restart

The Server field has to be handled by a different module; read on!

mod_security

This module can do a great many things; see modsecurity.org for details. Here we use the module's default settings and add one directive to control the Server field in the Apache server's response headers.

Install libapache2-mod-security2

sudo apt-get install libapache2-mod-security2

Copy the recommended configuration

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Edit the configuration file modsecurity.conf

sudo nano /etc/modsecurity/modsecurity.conf

At the end of the file, add

SecServerSignature "My Server"

Enable the module and restart the Apache server

sudo a2enmod security2
sudo service apache2 reload
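After the restart it is worth verifying that the headers really are gone, since a typo in the module configuration fails silently. The following script is an added example, not part of the original post: it inspects a raw HTTP response header block (for a live server, the output of curl -sI against an assumed local test URL) and reports any of the information-disclosure headers this article removes, plus a Server value that still carries a version number. The two header blocks inside it are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): check an HTTP response header block
# for the server-identifying headers this article removes. Feed it the output of
# `curl -sI http://localhost/` (assumed local test URL) or any captured header block.

# Headers the article's mod_headers settings are meant to remove.
LEAKY_HEADERS='x-aspnet-version|x-aspnetmvc-version|x-powered-by'

# Print the (lower-cased) names of leaky headers found on stdin, one per line.
# Prints nothing when none are present; always returns 0.
find_leaky_headers() {
    tr -d '\r' | grep -i -E "^(${LEAKY_HEADERS}):" | cut -d: -f1 | tr 'A-Z' 'a-z' | sort -u
}

# Print the Server header value if it still exposes a version string such as
# "Apache/2.4.18 (Ubuntu)"; prints nothing when the value carries no version.
server_version_leak() {
    tr -d '\r' | grep -i '^server:' | cut -d: -f2- | sed 's/^ *//' | grep -E '/[0-9]' || true
}

# Constructed sample: a response from an unhardened Apache + mod_mono site.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
X-AspNet-Version: 4.0.30319
X-Powered-By: Mono
Content-Type: text/html; charset=utf-8
'

# Constructed sample: the same response after applying the configuration above.
SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: My Server
Content-Type: text/html; charset=utf-8
'

# Give a "pass"/"fail" verdict for a header block passed as $1, for use in scripts.
check_headers() {
    block="$1"
    leaks=$(printf '%s' "$block" | find_leaky_headers)
    ver=$(printf '%s' "$block" | server_version_leak)
    if [ -n "$leaks" ] || [ -n "$ver" ]; then
        echo fail
    else
        echo pass
    fi
}

# Stand-alone demonstration: prints "fail" for the first sample and "pass" for the second.
check_headers "$SAMPLE_BEFORE"
check_headers "$SAMPLE_AFTER"
```

If the Server value is still reported after the restart, check the ServerTokens directive: the mod_security reference manual states that SecServerSignature only takes effect when Apache's ServerTokens is set to Full, because the module overwrites the full signature string.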


References:
Apache module – mod_headers
modsecurity.org
mod_security reference manual

Real-world cases:
roger543

Some MONO and ASP.NET questions.

  • Question 1: You get an error message like this:

    System.InvalidOperationException Assembly 'System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' does not contain a Web resource with name 'jquery'.

    Answer:
    You are trying to load a script from System.Web.Extensions. Some auto-generated code such as:

    <asp:ScriptReference Name="jquery" />

    will cause this error. Removing this kind of code will solve this kind of problem.

  • Question 2: You get error messages like these:

    System.TypeLoadException
    Could not load type 'System.Web.UI.IScriptResourceDefinition' from assembly 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'.
    or
    System.InvalidProgramException
    Invalid IL code in System.Web.Handlers.ScriptModule:.ctor (): method body is empty.

    Answer:
    You are using the wrong version of some assemblies. As far as is currently known, mono has its own version of the following assemblies:
    System.Web.Extensions.dll
    System.Web.Entity.dll
    Remove them from your bin folder.
    ※ mono doesn't support Entity Framework.

  • Question 3:
    You get error messages like this while hosting an MVC web site on Apache with mono:

    System.Web.HttpException
    The resource cannot be found.
    Description: HTTP 404.The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
    Details: Requested URL: someurl

    Answer:
    It looks like a routing error, but the files and folders are all there, so why "NOT FOUND"???
    You may find suggested solutions such as removing the targetFramework from Web.config, or making sure certain libraries are in the bin folder.
    But none of that worked for me.
    Finally, I found that this is a problem related to how you publish and deploy your site.
    I use the publish function in VS 2015, and I had checked "Precompile during publishing".
    Uncheck it, publish again, and everything works!!!
    System.Web.Routing.dll does not need to be deployed in the bin folder.

  • Question 4:
    You get an error message like this:

    System.UnauthorizedAccessException
    Access to the path "/etc/mono/registry" is denied.

    Answer:
    Ensure that "/etc/mono/registry" exists. If not, create it.

    sudo mkdir /etc/mono/registry

    Change its permissions, and restart your Apache.

    sudo chmod uog+rw /etc/mono/registry

  • Question 5:
    You get an error message like this:

    Application Exception
    System.NullReferenceException
    Object reference not set to an instance of an object
    Description: HTTP 500.Error processing request.
    Details: Non-web exception. Exception origin (name of application or object): SID.
    Exception stack trace:
    at SID.Controllers.HomeController.Index () <IL 0x00046, 0x00127> at (wrapper dynamic-method) object.lambda_method (System.Runtime.CompilerServices.Closure,System.Web.Mvc.ControllerBase,object[]) <IL 0x00006, 0x0004c> at System.Web.Mvc.ActionMethodDispatcher.Execute

    And there are Apache error logs like this:

    Stacktrace:

    at <unknown> <0xffffffff>
    at SID.Business.SIDRepository/<>c__DisplayClass4.<GetContentOfDay>b__3 () <IL 0x0000d, 0x00017>
    at myQuiz.Caching.CacheRepository.Update<T> (string,System.Func`1<T>,System.DateTime,System.TimeSpan) <IL 0x00003, 0x00044>
    at myQuiz.Caching.CacheRepository.Get<T> (string,System.Func`1<T>,System.DateTime,System.TimeSpan) <IL 0x00026, 0x000c3>
    at myQuiz.Caching.CacheRepository.Get<T> (string,System.Func`1<T>,System.TimeSpan) <IL 0x0000a, 0x00053>
    at SID.Business.SIDRepository.GetContentOfDay (int,int) <IL 0x00044, 0x00187>
    at SID.Controllers.HomeController.Index () <IL 0x0002f, 0x000db>
    at (wrapper dynamic-method) object.lambda_method (System.Runtime.CompilerServices.Closure,System.Web.Mvc.ControllerBase,object[]) <IL 0x00006, 0x0004c>

    And if you use a logging tool such as log4net, you may get this:

    System.BadImageFormatException: Could not resolve field token 0x04000005
    File name: 'SID.DataAccess'
    at SID.Business.SIDRepository+<>c__DisplayClass4.<GetContentOfDay>b__3 () [0x00000] in <filename unknown>:0
    at myQuiz.Caching.CacheRepository.Update[String] (System.String key, System.Func`1 act, DateTime absoluteExpiration, TimeSpan slidingExpiration) [0x00000] in <filename unknown>:0

    Answer:
    I wrote an ASP.NET MVC web application that uses the MySQL connector to communicate with a MySQL database. According to what MSDN says about BadImageFormatException, this happens because the DLL is not valid. But what MSDN doesn't say is WHY it is NOT VALID!!!
    Finally, I found that this is a dependency problem. My SID.DataAccess.dll requires MySql.Data.dll to run properly, but the default compile & publish doesn't output MySql.Data.dll into the target bin folder.
    So simply changing the "Copy Local" property of MySql.Data.dll to "True" will solve this problem.
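Questions 2 and 5 are both about the contents of the published bin folder: assemblies that mono ships its own copy of must be absent, and dependencies that "Copy Local" should have produced must be present. The script below is an added example and not part of roger543's post; it audits a bin folder for both conditions before deployment. The assembly names are the ones named in the two answers above; the default bin path is an assumption.

```sh
#!/bin/sh
# Added example (not part of roger543's post): audit a published ASP.NET MVC bin
# folder before deploying it to mono, covering the two assembly problems above.

# Assemblies that conflict with mono's own copies (Question 2).
FORBIDDEN_DLLS='System.Web.Extensions.dll System.Web.Entity.dll'

# Dependencies the site needs at run time (Question 5 names MySql.Data.dll).
REQUIRED_DLLS='MySql.Data.dll'

# Print one line per problem found in the bin folder $1; print nothing if it is clean.
# Always returns 0 so it can be used inside pipelines and under `set -e`.
audit_bin() {
    bin="$1"
    for dll in $FORBIDDEN_DLLS; do
        if [ -e "$bin/$dll" ]; then
            echo "remove: $dll (mono provides its own version)"
        fi
    done
    for dll in $REQUIRED_DLLS; do
        if [ ! -e "$bin/$dll" ]; then
            echo "missing: $dll (set Copy Local = True on the reference)"
        fi
    done
    return 0
}

# Number of problems found, so a deploy script can refuse to continue when it is not 0.
audit_bin_problems() {
    audit_bin "$1" | grep -c . || true
}

# Stand-alone usage: audit the folder given as the first argument, or an assumed
# default site path when none is given.
audit_bin "${1:-/var/www/mysite/bin}"
```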