Removing Unused HTTP Handlers for Better Performance & Security

Problem description

Where can I get a list of what all of the default IIS HTTP handlers do? I need documentation!! I have read a few blogs which recommend removing dozens of unused HTTP handlers for performance and security reasons.

E.g. Removing the TraceHandler-Integrated and TraceHandler-Integrated-4.0 is recommended because otherwise navigating to /trace.axd causes a 500 Internal Server Error instead of a 404 Not Found and you should not have tracing on, in a production environment.

Some of the HTTP handlers that a GitHub project (now deleted) recommends removing manually (it's a huge list):

<system.webServer>
  <handlers>
    <remove name="TraceHandler-Integrated-4.0" />
    <remove name="TraceHandler-Integrated" />
    <remove name="AssemblyResourceLoader-Integrated-4.0" />
    <remove name="AssemblyResourceLoader-Integrated" />
    <remove name="WebAdminHandler-Integrated-4.0" />
    <remove name="WebAdminHandler-Integrated" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-2.0-64" />
    <remove name="svc-ISAPI-4.0_32bit" />
    <remove name="ScriptHandlerFactoryAppServices-Integrated-4.0" />
    <remove name="ScriptResourceIntegrated-4.0" />
    <remove name="svc-ISAPI-4.0_64bit" />
    <remove name="svc-Integrated-4.0" />
    <remove name="vbhtm-ISAPI-4.0_32bit" />
    <remove name="vbhtm-ISAPI-4.0_64bit" />
    <remove name="vbhtm-Integrated-4.0" />
    <remove name="vbhtml-ISAPI-4.0_32bit" />
    <remove name="vbhtml-ISAPI-4.0_64bit" />
    <remove name="vbhtml-Integrated-4.0" />
    <remove name="xamlx-ISAPI-4.0_32bit" />
    <remove name="xamlx-ISAPI-4.0_64bit" />
    <remove name="xamlx-Integrated-4.0" />
    <remove name="xoml-ISAPI-4.0_32bit" />
    <remove name="xoml-ISAPI-4.0_64bit" />
    <remove name="xoml-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-rem-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-2.0" />
    <remove name="rules-ISAPI-4.0_32bit" />
    <remove name="rules-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-soap-Integrated" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-2.0" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-4.0_64bit" />
    <remove name="HttpRemotingHandlerFactory-soap-Integrated-4.0" />
    <remove name="HttpRemotingHandlerFactory-soap-ISAPI-4.0_32bit" />
    <remove name="rules-ISAPI-4.0_64bit" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-2.0-64" />
    <remove name="HttpRemotingHandlerFactory-rem-Integrated" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-4.0_32bit" />
    <remove name="HttpRemotingHandlerFactory-rem-ISAPI-4.0_64bit" />
    <remove name="AXD-ISAPI-2.0-64" />
    <remove name="cshtml-ISAPI-4.0_64bit" />
    <remove name="cshtml-Integrated-4.0" />
    <remove name="cshtm-Integrated-4.0" />
    <remove name="cshtml-ISAPI-4.0_32bit" />
    <remove name="cshtm-ISAPI-4.0_64bit" />
    <remove name="cshtm-ISAPI-4.0_32bit" />
    <remove name="AXD-ISAPI-4.0_64bit" />
    <remove name="AXD-ISAPI-2.0" />
    <remove name="AXD-ISAPI-4.0_32bit" />
    <remove name="PageHandlerFactory-ISAPI-2.0-64" />
    <remove name="PageHandlerFactory-ISAPI-2.0" />
    <remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
    <remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
    <remove name="aspq-ISAPI-4.0_64bit" />
    <remove name="aspq-Integrated-4.0" />
    <remove name="WebServiceHandlerFactory-ISAPI-2.0" />
    <remove name="aspq-ISAPI-4.0_32bit" />
    <remove name="WebServiceHandlerFactory-Integrated-4.0" />
    <remove name="WebServiceHandlerFactory-Integrated" />
    <remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
    <remove name="SimpleHandlerFactory-Integrated-4.0" />
    <remove name="SimpleHandlerFactory-Integrated" />
    <remove name="SimpleHandlerFactory-ISAPI-2.0" />
    <remove name="SimpleHandlerFactory-ISAPI-2.0-64" />
    <remove name="WebServiceHandlerFactory-ISAPI-4.0_32bit" />
    <remove name="WebServiceHandlerFactory-ISAPI-4.0_64bit" />
    <remove name="WebServiceHandlerFactory-ISAPI-2.0-64" />
    <remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
    <remove name="ISAPI-dll" />
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
    <remove name="OPTIONSVerbHandler" />
    <remove name="TRACEVerbHandler" />
  </handlers>
</system.webServer>

Recommended answer

If you really want a minimal set of handler mappings, I suggest you start clean, in your web.config remove all handlers and just use the StaticFile one:

<system.webServer>
    <handlers>
        <clear />
        <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
</system.webServer>

Now add all the handlers you need back in, just for the bitness and mode you're running in.

For a basic MVC project it may be enough to add

  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />


What do all the handlers do?

I couldn't find any documentation either, so here's my attempt:

The handler mappings are in %SystemRoot%\System32\inetsrv\config\applicationHost.config - system.webServer/handlers

In my case there were 87 mappings.

50 of them are modules="IsapiModule" scriptProcessor="...aspnet_isapi.dll" for ASP.NET. These cover all the various asp.net extensions and may exist for CLR versions 2.0 and 4.0 and for 32bit and 64bit. Most of them are for Classic Mode.

They usually handle the following extensions:

 *.       = ExtensionlessUrlHandler-ISAPI
 *.ashx   = SimpleHandlerFactory-ISAPI
 *.asmx   = WebServiceHandlerFactory-ISAPI
 *.aspq   = aspq-ISAPI
 *.aspx   = PageHandlerFactory
 *.axd    = AXD-ISAPI
 *.cshtm  = cshtm-ISAPI
 *.cshtml = cshtml-ISAPI
 *.rem    = HttpRemotingHandlerFactory-rem-ISAPI
 *.rules  = rules-ISAPI
 *.soap   = HttpRemotingHandlerFactory-soap
 *.svc    = svc-ISAPI
 *.vbhtm  = vbhtm-ISAPI
 *.vbhtml = vbhtml-ISAPI
 *.xamlx  = xamlx-ISAPI
 *.xoml   = xoml-ISAPI

If your project doesn't use certain extensions, you may remove these handlers.

Most handler mappings have a preCondition, like applying only in 32bit ApplicationPools or when in Classic Mode. If you only ever run 64bit integrated mode, you can remove all classic mode and 32bit handler mappings.

If we look at *.cshtml for a Razor view file, you will find three mappings, two for ClassicMode in 32/64 bit which point to the ASP.NET ISAPI modules, but the third applies only in integrated mode and maps to HttpForbiddenHandler, because the MVC routing works differently in Integrated Mode and you never want to allow access to view files directly.

There may be IsapiModules for classic ASP or CGI; like the ASP.NET mappings, they are there to handle the requests for files with certain extensions.

The second biggest group are the type="System. handlers, let's look at them:

System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory

Handles *.rem and *.soap files in integrated mode. Can be removed if you are not using remoting.

System.ServiceModel.Activation.HttpHandler,System.ServiceModel.Activation

Handles certain WCF requests with *.rules,*.xoml,*.svc extensions.

System.Web.Handlers.AssemblyResourceLoader

Handles WebResource.axd requests, these may be used in WebForms, but usually not in MVC projects.

System.Web.Handlers.ScriptResourceHandler,System.Web.Extensions

For handling ScriptResource.axd which provides JavaScript and CSS resources in WebForms.

System.Web.Handlers.TraceHandler

Handler for trace.axd to display ASP.NET trace information. On a production site, you want to remove this handler.

System.Web.Handlers.TransferRequestHandler

Used to handle extensionless requests in integrated mode. This forwards the request to the routing engine to decide how to handle these requests.

System.Web.Handlers.WebAdminHandler

Handles WebAdmin.axd to display the ASP.NET Website Administration Toolkit, you can remove this if you don't use that builtin feature.

System.Web.HttpForbiddenHandler

Allows us to prevent access to any files with certain extensions. However, it returns a 500 HTTP status and actually throws a System.Web.HttpException exception on the server. In my opinion there are better ways to block certain extensions, such as IIS Request Filtering.

System.Web.HttpMethodNotAllowedHandler

I think this one is no longer used in modern IIS; it returns a 405 HTTP status and also throws an HttpException.

System.Web.HttpNotFoundHandler

Also no longer in my current configuration. It throws a 404 HTTP exception.

System.Web.Script.Services.ScriptHandlerFactory,System.Web.Extensions

Handles *.asmx and *_AppService.axd to support Web service calls via Ajax.

System.Web.Services.Protocols.WebServiceHandlerFactory,System.Web.Services

Also handles *.asmx web service requests in integrated mode for DOT.NET 2

System.Web.StaticFileHandler

Returns a static file, no longer used?

System.Web.UI.PageHandlerFactory

Handles ASP.NET WebForm pages .aspx in integrated mode.

System.Web.UI.SimpleHandlerFactory

Handles ASP.NET custom handlers .ashx in integrated mode.

System.Xaml.Hosting.XamlHttpHandlerFactory,System.Xaml.Hosting

Handles Windows Workflow Foundation services .xamlx in integrated mode.

More handlers:

modules ="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"

This is usually the very last mapping, to handle any request that has not been handled by any of the previous handlers: path="*" verb="*". It actually uses three different modules. The StaticFileModule one looks for a physical file matching the requested URL; if not found, the DefaultDocumentModule looks for a default document in the same folder as the requested URL; and if that is also not found, the DirectoryListingModule may display the content of the directory, if enabled.

modules ="ProtocolSupportModule"

This handles all requests for the HTTP verbs TRACE and OPTIONS, if you remove this mapping, all trace and options request will return a "405 Method not allowed"
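
The preCondition point in the answer above (mappings gated on mode, bitness and CLR version), as an added example that is not part of the original question or answer: a Python sketch that splits handler mappings into those a given application pool can never use and those that stay active. The sample XML is constructed, and the function names `split_handlers` and `remove_block` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like system.webServer/handlers in applicationHost.config.
SAMPLE = r"""
<configuration><system.webServer><handlers>
  <add name="cshtml-ISAPI-4.0_32bit" path="*.cshtml" modules="IsapiModule"
       preCondition="classicMode,runtimeVersionv4.0,bitness32" />
  <add name="cshtml-ISAPI-4.0_64bit" path="*.cshtml" modules="IsapiModule"
       preCondition="classicMode,runtimeVersionv4.0,bitness64" />
  <add name="cshtml-Integrated-4.0" path="*.cshtml"
       type="System.Web.HttpForbiddenHandler"
       preCondition="integratedMode,runtimeVersionv4.0" />
  <add name="TraceHandler-Integrated" path="trace.axd"
       type="System.Web.Handlers.TraceHandler"
       preCondition="integratedMode,runtimeVersionv2.0" />
  <add name="TraceHandler-Integrated-4.0" path="trace.axd"
       type="System.Web.Handlers.TraceHandler"
       preCondition="integratedMode,runtimeVersionv4.0" />
  <add name="StaticFile" path="*"
       modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" />
</handlers></system.webServer></configuration>
"""

# preCondition tokens fall into mutually exclusive groups; other tokens are ignored.
GROUPS = (
    {"classicMode", "integratedMode"},
    {"bitness32", "bitness64"},
    {"runtimeVersionv1.1", "runtimeVersionv2.0", "runtimeVersionv4.0"},
)

def split_handlers(config_xml, pool):
    """Return (active, inactive) handler names for a pool given as a set of tokens."""
    active, inactive = [], []
    for add in ET.fromstring(config_xml).iterfind(".//handlers/add"):
        tokens = {t.strip() for t in add.get("preCondition", "").split(",") if t.strip()}
        # Inactive: the mapping names a value from a group that differs from the pool's.
        mismatch = any((tokens & g) and not (tokens & g & pool) for g in GROUPS)
        (inactive if mismatch else active).append(add.get("name"))
    return active, inactive

def remove_block(names):
    """Render <remove> elements for a site-level web.config."""
    rows = "\n".join(f'    <remove name="{n}" />' for n in names)
    return f"<system.webServer>\n  <handlers>\n{rows}\n  </handlers>\n</system.webServer>"

if __name__ == "__main__":
    active, inactive = split_handlers(SAMPLE, {"integratedMode", "bitness64", "runtimeVersionv4.0"})
    print(remove_block(inactive))
    print("Still active, review by hand:", ", ".join(active))
```

The active list is the one that matters for hardening: for a 64-bit integrated v4.0 pool it still contains TraceHandler-Integrated-4.0, which the answer says to remove on a production site.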
