Altering Outbound Traffic from IIS with Rewrite Rules

Georg Dangl by Georg Dangl in Web Development Wednesday, July 04, 2018

Wednesday, July 04, 2018

Posted in IIS Security

Sometimes, you're hosting apps in IIS where you can't or won't access the source code. For example, I'm hosting a private Git server with Bonobo.Git, which I'm using to mirror repositories for customers that get source code access.

My main development happens on GitHub, but for some commercial projects I offer source code access. Since I can't do that via GitHub (it would be reselling of their services), I have set up a private instance of Bonobo Git.

While Bonobo Git is Open Source, I do use their prepackaged versions for deployments, instead of maintaining a fork. It works great out of the box and requires very little configuration. I had just one little requirement that was not offered: Hiding the list of users who have access to the source code since I don't have permission to share my customers data with each other.

While you could add some custom JavaScript or CSS, this wouldn't solve the issue - the server should not send the data at all, instead of relying it to be hidden by the client. That's a big No-No!

Luckily, there's a lot you can do with plan old IIS web.config entries, like using a rewrite rule that simply removes the section completely from the response before it's sent over the wire.

Take this little snippet:

There's an outboundRule called Remove Git Repository Contributors which does the following:

  • It's active only for urls like /Repository/Detail/{RepoId}
  • Only when the response content type starts with text/html
  • Text that matches a defined regular expression on the page is simply replaced with an empty string

This single rule takes care of preventing sensible information to ever be sent out from the server!

Additionally, there's one restriction with content-altering outbound rules: They work only for non-compressed content. This means, in case you have enabled compression, you must disable it for this to work:

Depending on your setup, you might have to tweak this a bit. Most of the time, you are probably fine with just disabling compression for certain url patterns or content types. In my case, since I'm hosting behind Cloudflare, it didn't matter much - my content will be compressed by their CDN anyways, so I was safe to turn it off.

Happy rewriting!


Share this post


comments powered by Disqus

About me

Hi, my name's George! I love coding and blogging about it. I focus on all things around .Net, Web Development and DevOps.

Dangl.Blog();
// Just 💗 Coding

Social Links