HttpErros 與 CustomErrors 的自訂導向

 

Introduction

自訂 .Net WebSite 的錯誤頁面導向。

Conetent

以下分別說明 HttpErrors 與 CustomErros ，這兩個差別在於

• HttpErrors

  存取靜態檔案（如.js、.html、.css、.jpg…）發生錯誤，會依照此設定執行

• CustomErros

  由 .Net 程式發生的錯誤（例如：.aspx、.ashx、MVC 路由），才會在 CustomError 的設定執行

HttpErrors

errorMode 非必要屬性，預設為 DetailedLocalOnly

• DetailedLocalOnly

  本機端顯示詳細錯誤訊息，非本機端顯示自訂錯誤頁面
  不想輸入 DetailedLocalOnly 文字的話，可以輸入代碼，其代碼為 0

• Custom

  不管本機端或是遠端客戶，皆顯示自訂錯誤頁面。
  其代碼為 1

• Detailed

  全部都顯示詳細錯誤訊息
  其代碼為 2

以下是我的設定

1 2 3 4 5 6 7 8

<system.webServer> <httpErrors errorMode="DetailedLocalOnly" existingResponse="Replace" defaultResponseMode="ExecuteURL"> <remove statusCode="404" subStatusCode="-1" /> <remove statusCode="500" subStatusCode="-1" /> <error statusCode="404" path="404.html" responseMode="File" /> <error statusCode="500" path="500.html" responseMode="File" /> </httpErrors> </system.webServer>

顯示畫面

CustomErrors

可以參考 MSDN 上的說明。
mode 必要屬性，有三種設定，預設為 RemoteOnly

• Off

  等於不使用，錯誤訊息都會直接顯示。

• On

  包含本機與 Client 端，都會收到自訂的顯示頁面

• RemoteOnly

  非本機端才會收到自訂的顯示頁面

redirectMode 決定當自訂錯誤頁面顯示時要如何處理原始要求的 URL

• ResponseRedirect

  指定導向瀏覽器的 URL 必須不同於原始的 Web 要求 URL。
  簡單說就是設定重新導向的位置。

• ResponseRewrite

  指定導向瀏覽器的 URL 必須是原始的 Web 要求 URL。
  這動作是把發生錯的輸出，按照設定的自訂內容複寫。

我的範例寫法

1 2 3 4 5 6

<system.web> <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" redirectMode="ResponseRedirect" > <error statusCode="404" redirect="404Test.html" /> <error statusCode="500" redirect="500.html" /> </customErrors> </system.web>

示範畫面，故意輸入以下位置，讓路徑錯誤，接著按照我的設定，畫面將會跳轉到設定好的畫面與路徑。

1	localhost:1900/abcd

Reference

• HttpErrors
• MSDN CustomErrors
• DarkThread customErrors and httpErrors

nonexistent page (404) physical path disclosure fix iis

 When someone try to enter the URL with folder name that time below error raiser in browser :

For Eg : https://MyDomainAddress/JS

I had to adjust the tag:

<httpErrors errorMode="DetailedLocalOnly" />

This is inside the "system.webserver" tag. Mine was previously set to "Detailed"

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httperrors/

-----------------------------------------------------------------------------------------------------------------------------

You can modify web.config.xml even as far as to creating custom error pages.

<!--  CUSTOM ERROR MESSAGES

      Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.

      Add <error> tags for each of the errors you want to handle.

      "On" Always display custom (friendly) messages.

      "Off" Always display detailed ASP.NET error information.

      "RemoteOnly" Display custom (friendly) messages only to users not running

       on the local Web server. This setting is recommended for security purposes, so

       that you do not display application detail information to remote clients.

-->

    <customErrors mode="RemoteOnly"/>

-----------------------------------------------------------------------------------------------------------------------------

There is no way to edit that Detailed Error Page as that is handled by a specific built-in handler. The correct way to approach this though is as the others have mentioned, to change the errorMode to "DetailedLocalOnly". This will only show those detailed error pages to "local" users (i.e. a browser running on the same system as IIS). You can also see most of this information inside a FREB trace should you need to collect this type of information for a request originating off the server.

More Info: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httperrors/ https://docs.microsoft.com/en-us/iis/troubleshoot/diagnosing-http-errors/how-to-use-http-detailed-errors-in-iis