paulklinkenberg · December 10, 2019 23:52
diff --git a/Web.config b/Web.config
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
    <system.webServer>
        <httpErrors errorMode="Detailed" />

  <rewrite>
    <rules>
        <rule name="Disable CFML Admin Contexts">
            <match url="^(railo-context|lucee|cfide|bluedragon)/admin.*"/>
            <conditions>
                <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
                <add input="{HTTP_HOST}" pattern="127.0.0.1" negate="true" />
                <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
            </conditions>
            <action type="AbortRequest" />
        </rule>

        <rule name="Remove query string when it contains cfid, cftoken, or jsessionid. This is to prevent accidental or deliberate session leaking.">
            <conditions>
                <add input="{QUERY_STRING}" pattern="\b(cfid|cftoken|jsessionid)=" negate="false" />
            </conditions>
            <match url="^(.+)" />
            <action type="Redirect" url="/{R:1}" />
        </rule>

        <rule name="Remove bulk of URL when it contains suspicious ;jsessionid= or ;cftoken=, etc. This is to put an end to suspicious session fixation attack scanning.">
            <match url="^(.*);(jsessionid|cftoken|cfid)=.*$" />
            <action type="Redirect" url="/{R:1}" redirectType="Permanent" />
        </rule>

        <rule name="Add trailing slash to directories without a trailing slash">
            <match url="((^.+\/|^)[^/\.]+)$" />
            <action type="Redirect" url="/{R:1}/" redirectType="Permanent" />
        </rule>

        <rule name="Request to / will be rewritten to /index.cfm">
            <match url="^$" />
            <action type="Rewrite" url="/index.cfm" />
        </rule>
        <rule name="All request to *.html will be rewritten to /index.cfm">
            <match url="^(.+\.html)$" />
            <action type="Rewrite" url="/index.cfm/{R:1}" />
        </rule>
        <rule name="All request ending in / will be rewritten to /index.cfm">
            <match url="^(.+/)$" />
            <action type="Rewrite" url="/index.cfm/{R:1}" />
        </rule>

        <rule stopProcessing="true" name="All request to system static assets that live under /preside/system/assets should go through CFML and will be rewritten to /index.cfm">
            <match url="^(preside/system/assets/.*)$" />
            <action type="Rewrite" url="/index.cfm/{R:1}" />
        </rule>

        <rule name="All the following requests should not be allowed and should return with a 404
                We block any request to:

                * the application folder (where all the logic and views for your site lives)
                * the uploads folder (should be configured to be somewhere else anyways)
                * this url rewrite file!
                * Application.cfc">
            <match url="^(application/|preside/|uploads/|urlrewrite\.xml\b|Application\.cfc\b|logs/)" />
            <action type="AbortRequest" />
        </rule>
    </rules>
  </rewrite>


    </system.webServer>

 </configuration>
	<?xml version="1.0" encoding="utf-8" ?>
	<configuration>
	<system.web>
	<customErrors mode="Off" />
	</system.web>
	<system.webServer>
	<httpErrors errorMode="Detailed" />

	<rewrite>
	<rules>
	<rule name="Disable CFML Admin Contexts">
	<match url="^(railo-context\|lucee\|cfide\|bluedragon)/admin.*"/>
	<conditions>
	<add input="{HTTP_HOST}" pattern="localhost" negate="true" />
	<add input="{HTTP_HOST}" pattern="127.0.0.1" negate="true" />
	<add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
	</conditions>
	<action type="AbortRequest" />
	</rule>

	<rule name="Remove query string when it contains cfid, cftoken, or jsessionid. This is to prevent accidental or deliberate session leaking.">
	<conditions>
	<add input="{QUERY_STRING}" pattern="\b(cfid\|cftoken\|jsessionid)=" negate="false" />
	</conditions>
	<match url="^(.+)" />
	<action type="Redirect" url="/{R:1}" />
	</rule>

	<rule name="Remove bulk of URL when it contains suspicious ;jsessionid= or ;cftoken=, etc. This is to put an end to suspicious session fixation attack scanning.">
	<match url="^(.);(jsessionid\|cftoken\|cfid)=.$" />
	<action type="Redirect" url="/{R:1}" redirectType="Permanent" />
	</rule>

	<rule name="Add trailing slash to directories without a trailing slash">
	<match url="((^.+\/\|^)[^/\.]+)$" />
	<action type="Redirect" url="/{R:1}/" redirectType="Permanent" />
	</rule>

	<rule name="Request to / will be rewritten to /index.cfm">
	<match url="^$" />
	<action type="Rewrite" url="/index.cfm" />
	</rule>
	<rule name="All request to *.html will be rewritten to /index.cfm">
	<match url="^(.+\.html)$" />
	<action type="Rewrite" url="/index.cfm/{R:1}" />
	</rule>
	<rule name="All request ending in / will be rewritten to /index.cfm">
	<match url="^(.+/)$" />
	<action type="Rewrite" url="/index.cfm/{R:1}" />
	</rule>

	<rule stopProcessing="true" name="All request to system static assets that live under /preside/system/assets should go through CFML and will be rewritten to /index.cfm">
	<match url="^(preside/system/assets/.*)$" />
	<action type="Rewrite" url="/index.cfm/{R:1}" />
	</rule>

	<rule name="All the following requests should not be allowed and should return with a 404
	We block any request to:

	* the application folder (where all the logic and views for your site lives)
	* the uploads folder (should be configured to be somewhere else anyways)
	* this url rewrite file!
	* Application.cfc">
	<match url="^(application/\|preside/\|uploads/\|urlrewrite\.xml\b\|Application\.cfc\b\|logs/)" />
	<action type="AbortRequest" />
	</rule>
	</rules>
	</rewrite>


	</system.webServer>

	</configuration>