Is there a way to ignore HTTP 1.0 requests in IIS (7.0)? I don't see any reason to accept requests that are not HTTP 1.1.
1 Answer
Step 1: download and install URL Rewrite.
Step 2: add the following to your web.config file, to the <system.webServer> section:
<rewrite> <rules> <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true"> <match url="*" /> <conditions> <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" /> </conditions> <action type="AbortRequest" /> </rule> </rules> </rewrite> This will refuse all HTTP 1.0 requests with a HTTP 504 error code.
Edit: after installing URL Rewrite, you can also configure rewrite rules in IIS Manager:
- This works perfectly! I tested using
curl -v -0 http://localhostand it does indeed respond with an abort.Mark Richman– Mark Richman2012-05-11 21:03:58 +00:00Commented May 11, 2012 at 21:03 - 3I have tried the above re-write rule but it did not give us the desired result. HTTP 1.0 request is still getting processed and internal IP address of the server is disclosed.HadidAli– HadidAli2018-05-07 09:02:19 +00:00Commented May 7, 2018 at 9:02
- The internal IP address is disclosed lower down in the stack, before it gets to URL Rewrite and Customer Error page.JD Brennan– JD Brennan2020-10-20 19:48:24 +00:00Commented Oct 20, 2020 at 19:48
- URL Rewrite module is very late in the HTTP request processing due to IIS architecture, so if a response is generated (usually by Windows HTTP API/http.sys) before reaching URL Rewrite module this rule won't be able to block the leak. You don't have much control on HTTP API, so the common workaround is to block HTTP 1.0 requests long before they reach Windows/IIS, such as setting up a reverse proxy of nginx in front, serverfault.com/questions/389132/block-http-1-0-with-nginxLex Li– Lex Li2022-06-19 04:28:51 +00:00Commented Jun 19, 2022 at 4:28
Hostheader. That's not a reason to reject HTTP 1.0 clients, most of which do sendHost.Host.