Interaction between URL Rewriter and Request Filtering Modules for IIS7

I hope folks have noticed the TP for the URL Rewriter module. Download it and give it a try!

Microsoft URL Rewrite Module for IIS 7.0 CTP1 (x86)

Microsoft URL Rewrite Module for IIS 7.0 CTP1 (x64)

I have been playing around with in my spare time to get a feel for it, and if you are not familiar with rewrite, stop by the walkthrough here.

While playing around with it an interesting question occurred to me ... how do the Rewriter module and the Request Filtering module interact with a request? I ask this question because if I block an HTTP request with a particular pattern in Request Filtering, and I attempt to rewrite the very same pattern to something else in the Rewriter module, who trumps who?

Expectation of a secure server

First let's figure out what we should expect to happen. Request filtering exercises a contract to look at requests coming to the server from the client, unadulterated. So if I have a rule that says disallow .aspx requests and a client types in the URL http://localhost/foo.aspx in his/her browser, the request should be blocked, period.

URL Rewriter module is a server-side request modification entity. So one should put it in the same bucket as an ASP.NET application that redirects or changes request parameters. So if I have a rewrite rule that changes the file extension of every request that ends in .foo to .aspx, it should not be considered a violation of the request filtering rule. The reason being that the client typed in http://localhost/xxxxxx.foo in his/her browser and since that does not have the .aspx extension, the request should be allowed to execute.

Behavior on IIS7

In a nutshell, IIS 7.0 is well behaved. In the request processing pipeline, the request filtering module gets a higher priority than the rewriter module. The rewriter module also has a sufficiently high priority in the request processing queue (otherwise it wouldn't be a very useful module), but it still kicks in after request filtering module on the BeginRequest path. The important takeaway here is that this is the desired order of processing, and so if you are manually tweaking module order and priority in configuration, swapping the order of these two could be considered as breaking the security contract that request filtering tries to establish, don't do it!

Bottom line, the defaults are good ... we have thought about things before putting them in order, even though it may look like a random ordering to the untrained eye :)

Published Friday, June 6, 2008 1:39 AM by naziml

Comments

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Sunday, July 27, 2008 10:05 PM by Anonymous

GtfMZn  <a href="hrqfekxzjgrv.com/.../a>, [url=http://feoyftbmfquz.com/]feoyftbmfquz[/url], [link=http://tsoohbmouhpm.com/]tsoohbmouhpm[/link], http://dozsixdztqvf.com/

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Saturday, September 20, 2008 11:30 PM by Sohbet

<a href="http://www.gencsohbetci.net" title="Sohbet" target="_blank">Sohbet</a>

thank you

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Saturday, September 20, 2008 11:31 PM by Sohbet

thank you

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Friday, October 10, 2008 3:38 PM by oyunara

thanx

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Sunday, October 12, 2008 6:38 AM by sohbet

thanks..

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Saturday, November 1, 2008 12:38 PM by dış cephe

thanks a lot.

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Saturday, November 1, 2008 12:39 PM by hekimboard

thanks.

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Tuesday, November 18, 2008 9:31 AM by Meme

For those of you thinking that if they implement this it will eliminate some of the waiting and lines…

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Friday, November 28, 2008 4:06 PM by burun estetigi

Ok, I have an inkling (pun not intended) to modify that book image to the right to say "Schneier on Squid."

"The closest the squid industry has to a rock star."

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Tuesday, December 2, 2008 1:16 PM by chat

It is interesting blog. Pleasant to me.

I wish you a nice day!

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Saturday, December 13, 2008 6:56 PM by oyun

ı have followed your writing for a long time.really you have given very successful information.

In spite of my english trouale,I am trying to read and understand your writing.

And ı am following frequently.I hope that you will be with us together with much more scharings.

I hope that your success will go on.

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Friday, February 6, 2009 1:17 PM by Oyun

I attempt to rewrite the very same pattern to something else in the Rewriter module, who trumps who?

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Tuesday, February 10, 2009 5:06 PM by halo

ı have followed your writing for a long time.really you have given very successful information.

In spite of my english trouale,I am trying to read and understand your writing.

And ı am following frequently.I hope that you will be with us together with much more scharings.

I hope that your success will go on.

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Friday, February 27, 2009 5:48 PM by oyunlar

Using iis 6, will upgrade to 7 next week.

# re: Interaction between URL Rewriter and Request Filtering Modules for IIS7

Sunday, August 16, 2009 11:42 AM by homelie

iis7 rocks

Leave a Comment

(required) 
(required) 
(optional)
(required) 
Powered by Community Server (Commercial Edition), by Telligent Systems