Andrew Savinykh

Reputation: 26300

Security considerations when porting an ASP.NET application to Mono

I've set up Mono 2.10 on Ubuntu 12.04 LTS. I also installed mono-apache-server4 and mod-mono. I created a simple "hello world" MVC3 project in Visual Studio and then copied the compiled project to Ubuntu. The application ran with no issues; however, I was surprised that when I tried to download http://mysite/app/bin/helloworld.dll, it succeeded.

I obviously can tweak Apache settings to disallow access to the bin folder, but I was wondering: what else should I secure, and are there any facilities inside Mono itself (as compared to Apache) to do that?

If there is no standard way, maybe it's possible to write an MVC route that would prevent access to files that do not need to be accessed?

Upvotes: 1

Views: 230

Answers (2)

Lex Li

Reputation: 63244

The original protection against downloading DLLs from the bin directory or any other special ones is placed on IIS during ASP.NET registration. So, as @miracledev pointed out, when you move to Linux/Apache you will have to manually set up the same protection in the new way (aka the Apache way), as Apache is so general-purpose that it is not aware of such ASP.NET-specific requirements.

If you use an ASP.NET-specific web server solution, such as Jexus Web Server, such protection comes by default.

Upvotes: 0

jakobandersen

Reputation: 1409

You need to configure a .htaccess to disallow access to the sensitive files. You can find the basic instructions for setting it up on the Mono homepage.

Upvotes: 1
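Once the Apache rules from the answers above are in place, a quick check confirms that the files IIS would have protected are no longer downloadable. This is an added example, not code from the question or either answer; the function names and every path other than `bin/helloworld.dll` are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request

# bin/helloworld.dll is the file from the question; the other entries are
# constructed sample names under files and folders that IIS refuses to serve.
PROTECTED_PATHS = [
    "bin/helloworld.dll",
    "web.config",
    "Global.asax",
    "App_Data/sample.mdf",
    "App_Code/Sample.cs",
]


def http_status(url, timeout=5):
    """GET url and return the final HTTP status code (redirects are followed)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403, 404, ... arrive as exceptions


def exposed_paths(base_url, paths=PROTECTED_PATHS, status_of=http_status):
    """Return [(url, status)] for each protected path the server still serves."""
    base = base_url.rstrip("/") + "/"
    findings = []
    for path in paths:
        url = base + path
        status = status_of(url)
        if 200 <= status < 300:  # 2xx: the server answered with content
            findings.append((url, status))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_exposed.py http://mysite/app")
    found = exposed_paths(sys.argv[1])
    for url, status in found:
        print("EXPOSED", status, url)
    sys.exit(1 if found else 0)
```

The script exits non-zero when any path is still served, so it can run as a post-deployment check; replace the sample names with files that actually exist in the deployed application.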
