Netsh delete all urlacl reservations of a specific port - c#

is there any way to delete every urlacl reservation of a specific port.
I mean something like this is possible (customer constelation):
netsh http add urlacl url=http://localhost:55521/ user="everyone"
netsh http add urlacl url=http://+:55521/ user="everyone"
Now I would like to delete every reservation of port 55521, this could be any ip constelation!
By the way I am doing this in a c# application with a nancy self host.

to show the urls:
netsh http show urlacl
to delete a url:
netsh http delete urlacl url=http://localhost:55521/

Adding to the solution from 0x53olution, an easy way to get all acls in a list is running PowerShell:
netsh http show urlacl | Select-String -Pattern "55521"
I copied the output to a temporary file and deleted the Reserved URL : part, then you can do:
Get-Content <temp-file>.txt | % {netsh http delete urlacl url=$_}
The saving to a temporary file part could be skipped with some -replace action.
If you want to find more rules, you can use for example Select-String -Pattern "55521|55522|55523" instead.

Related

NancyFX and IPv6 issues

I have a client-server application that works using a https connection with a self signed certificate and a Nancy Selfhost server.
After installing the application i run the following scripts to prepeare the server.
Add SSL Certificate to store
Check witch ip:ports are configured with netsh http show sslcert
Remove all registrations with port number 4443 (only if they are found with previous step):
netsh http del sslcert ipport=0.0.0.0:4443
netsh http del sslcert ipport=[::]:4443
netsh http del urlacl url=https://+:4443/
And then add url reservation with: netsh http add urlacl url=https://+:4443/ user=everyone
Add SSL Certicates with:
netsh http add sslcert ipport=0.0.0.0:4443 certhash=XXX appid={XXX}
netsh http add sslcert ipport=[::]:4443 certhash=XXX appid={XXX}
Then I start the server. The code for starting the self host server is:
public void Start(string baseUrl) {
string url = baseUrl;
Uri uri = new Uri(url);
var uris = new[]
{
new Uri($"{uri.Scheme}://localhost:{uri.Port}"),
};
server = new NancyHost(new CustomBootstrapper(url, Api1, Api2, applicationConfiguration), uris);
server.Start();
}
In this code is the baseURL the Hostname of the machine.
The client server connection works in most cases, but one situation it doesn't. This is when i try to run the the server on a specific computer. It has the following differences from other servers:
Windows 8
Pinging the hostname of this returns a IPv6 adress.
When starting the client application, it gives the following error:
The underlying connection was closed: Could not establsh trust relationship for the ssl/tls secure channel
Now i'm stuck, because I am not sure why it would not work.
Apparently I had some old certification registrations and url reservations still active. After clearing them all, the issue was resolved.

WebAPI self-host 503 error (HttpSelfHostConfiguration setted HttpSelfHostConfiguration)

I have a window service using self-hosted WebAPI.
HttpSelfHostConfiguration.HostNameComparisonMode set HostNameComparisonMode.Exact for hostname strong match.
var config = new HttpSelfHostConfiguration(uri);
config.HttpSelfHostConfiguration = System.ServiceModel.HostNameComparisonMode.Exact;
this._server = new HttpSelfHostServer(config);
_server.OpenAsync().Wait();
And URL reservation for the specified URL namespace for the domain.
netsh http add urlacl url=https://+:443/ user=EVERYONE
To bind an SSL certificate to a port number.
netsh http add sslcert ipport=0.0.0.0:443 certhash=xxxxxxxxxxx appid={xxxxxxxxx}
But Result appear HTTP 503 error.
I don't know state.
I had a similar problem. Problem in my case was duplicate urlacl for my URL.
netsh http show urlacl
...
http://+:80/api
http://127.0.0.1:80/api (or any IP)
Remove any possible duplicate urlacl for your program.

Self hosted OWIN and urlacl

I've created a self hosted Nancy/SignalR application self-hosted in OWIN using Microsoft.Owin.Host.HttpListener and Microsoft.Owin.Hosting
Things work perfectly fine locally but as soon as I try to use anything but localhost to access the app I get a HTTP Error 503. The service is unavailable error. I can't even access the app using 127.0.0.1 or the machine name.
I've tried adding the port to urlacl using
http add urlacl http://*:8989/ user=EVERYONE but doesn't seem to do anything.
here are the OWIN start options that I've tried,
var options = new StartOptions
{
Url = "127.0.0.1",
App = GetType().AssemblyQualifiedName,
Port = _configFileProvider.Port
};
var options = new StartOptions
{
App = GetType().AssemblyQualifiedName,
Port = _configFileProvider.Port
};
Here is the source code for the file that starts and stops the server.
so it turns out you need to pass in a url into StartOptions in the same format as the urlacl.
Changing the start options to the code below fixed the problem. now the app is accessible across the network.
var options = new StartOptions("http://*:8989")
{
ServerFactory = "Microsoft.Owin.Host.HttpListener"
};
I spend many hours solving similar issue on Windows 8.1.
StartOptions options = new StartOptions();
options.Urls.Add("http://localhost:9000");
options.Urls.Add("http://127.0.0.1:9000");
options.Urls.Add("http://192.168.0.102:9000");
options.Urls.Add(string.Format("http://{0}:9000", Environment.MachineName));
WebApp.Start<Startup>(options);
I could not listen or was getting 503 error...
If you want to listen on several IP addresses, each address needs its own urlacl record:
Does NOT work:
netsh http>add urlacl http://+:9000/ user=EveryOne
OK:
netsh http>add urlacl http://localhost:9000/ user=EveryOne
netsh http>add urlacl http://127.0.0.1:9000/ user=EveryOne
etc.
After adding reservation for each address individually, everything works fine.
Thanks to the info that #kay.one provided I was able to access my self-hosted Web API 2.2 (OWIN/Katana, console app) from the same machine via IP address. However just consolidate it into a simple step-by-step:
In Main of Program.cs (for console app): WebApp.Start<Startup>("http://*:8080");
From Windows Command Prompt (run as Administrator) enter netsh http add urlacl http://*:8080/ user=EVERYONE
Go to Windows Firewall with Advanced Security and add an Inbound Rule that opens up TCP port 8080
You should then be able to access from another machine using IP address or computer name.
Disclaimer: I'm not a security expert so I don't know the security implications of doing this.

HttpListener not listening outside of host computer?

I can use HttpListener to listen for requests coming from the same computer, but I have not figured out how to make it listen to outside requests.
My prefix is:
"http://192.168.103.82:5000/"
I have also tried:
"http://*:5000/"
I can type my local network IP into the browser and get a response. However if I do the same thing from a different computer on the same network, no such luck.
Is there some extra configuration that I need to do? Is this an OS specific problem? I am running Windows 7 Home.
You need to allow port 5000 through Windows Firewall.
From the command: netsh http add urlacl
The following commands are available:
Commands in this context: add cacheparam - Adds HTTP service cache
parameter add iplisten - Adds an IP address to the IP listen list.
add sslcert - Adds a SSL server certificate binding for an IP
address and port. add timeout - Adds a global timeout to the
service. add urlacl - Adds an URL reservation entry. PS
C:\Users\dwalker> netsh http add urlacl ?
Usage: add urlacl [url=]
[ [user=]
[ [listen=]yes|no [delegate=]yes|no ]
|
[sddl=]
]
Parameters:
Tag Value
url - The fully qualified URL
user - The user or user-group name
listen - One of the following values:
yes: Allow the user to register URLs. This is the Default value.
no: Deny the user from registering URLs
delegate - One of the following values:
yes: Allow the user to delegate URLs
no: Deny the user from delegating URLs. This is the default value.
sddl - SDDL string that describes the DACL
Remarks: This command reserves the URL for non-administrator users and
accounts. The DACL can be specified by using an NT account name
with the listen and delegate parameters or by using an SDDL string.
Example:
add urlacl url=http://+:80/MyUri user=DOMAIN\user
add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user listen=yes
add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user delegate=no
add urlacl url=http://+:80/MyUri sddl=...
example: netsh http add urlacl user=Everyone url="http://192.168.103.82:5000/"

.NET HttpListener Prefix issue with anything other than localhost

I'm trying to use C# and HttpListener with a prefix of anything other than localhost and it fails (i.e. if I give it server1, i.e.
http://localhost:1234 works, but
http://server1:1234 fails
The code is...
HttpListener listener = new HttpListener();
String prefix = #"http://server1:1234";
listener.Prefixes.Add(prefix);
listener.Start();
The failure occurs on listener.Start() with an exception of Access is denied..
I had the same issue once and i solved it by adding an URL reservation for the specified URL namespace for a user/users to the Network Shell (netsh). Here's an example on how to reserv an URL for every user, run this in the command prompt as an administrator:
netsh http add urlacl url=http://server1:1234/ user=Everyone
Here's an example on how reserv an URL for one user, run this in the command prompt as an administrator:
netsh http add urlacl url=http://server1:1234/ user=Steve
In this way you don't need to run the application as an administrator
Is your app running with elevated privilege?
Normal accounts cannot hook the Http pipeline without first making a reservation.
http://msdn.microsoft.com/en-us/library/Aa364673
It can be done programatically at install time. Let me know if this is of interest, and I'll dig out some code.
EDIT:
Actually, as I can't identify where the code came from at the moment, I can't post it here. There's a codeplex project for doing this kind of thing which is definitely worth picking apart.
/EDIT
Here's a way make the reservation on the command line:
http://www.casadehambone.com/HowToAddAURLACLAndAvoidAddressAccessDeniedExceptionInWindowsVista.aspx

Categories

Resources