Adding a machineKey to web.config on a web farm site

Posted on 2024-09-26 11:41:46

We (our IT partner really) recently changed some DNS for a web farmed site we have, so that the two production servers have round-robin DNS switching between them. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:

CryptographicException

Padding is invalid and cannot be removed.

When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:

  1. Can I generate a machineKey via a tool on the server, or do I need to write code to do this?
  2. Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two servers work together? (Both web.config files currently do not have a machineKey)

Comments (3)

你是年少的欢喜 2024-10-03 11:41:47

This should answer:

How To: Configure MachineKey in ASP.NET 2.0 - Web Farm Deployment Considerations

Web Farm Deployment Considerations

If you deploy your application in a Web farm, you must ensure that the
configuration files on each server share the same value for
validationKey and decryptionKey, which are used for hashing and
decryption respectively. This is required because you cannot guarantee
which server will handle successive requests.

With manually generated key values, the settings should
be similar to the following example.

<machineKey
    validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
    decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES"
/>

If you want to isolate your application from other applications on the
same server, place the <machineKey> in the Web.config file for each
application on each server in the farm. Ensure that you use separate
key values for each application, but duplicate each application's keys
across all servers in the farm.

In short, to set up the machine key refer to the following link:
Setting Up a Machine Key - Orchard Documentation.

Setting Up the Machine Key Using IIS Manager

If you have access to the IIS management console for the server where
Orchard is installed, it is the easiest way to set up a machine key.

Start the management console and then select the web site. Open the
machine key configuration:
[Image: The IIS web site configuration panel]

The machine key control panel has the following settings:

[Image: The machine key configuration panel]

Uncheck "Automatically generate at runtime" for both the validation
key and the decryption key.

Click "Generate Keys" under "Actions" on the right side of the panel.

Click "Apply".

and add the following line to the web.config file in all the webservers under system.web tag if it does not exist.

<machineKey
    validationKey="21F0SAMPLEKEY9C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
    decryptionKey="ABAASAMPLEKEY56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES"
/>

Please make sure that you have a permanent backup of the machine keys and web.config file
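An added example, not part of the answer above or of any project's code: a small offline check that the web.config copies collected from each farm server carry the same explicit machineKey, reporting only a short digest so the keys never appear in the output. The function names, server names and hex values are constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")
KEY_ATTRS = ("validationKey", "decryptionKey")
ALL_ATTRS = KEY_ATTRS + ("validation", "decryption")


def read_machine_key(config_xml):
    """Return the <machineKey> attributes under <system.web>, or None if absent."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)


def fingerprint(mk):
    """Short SHA-256 digest of the settings, so the report never contains a key."""
    material = "|".join(mk.get(attr, "") for attr in ALL_ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:12]


def audit_farm(configs):
    """configs maps server name -> web.config text; returns a list of findings."""
    findings, prints = [], {}
    for server, config_xml in sorted(configs.items()):
        mk = read_machine_key(config_xml)
        if mk is None:
            findings.append(f"{server}: no <machineKey> in this web.config")
            continue
        for attr in KEY_ATTRS:
            value = mk.get(attr, "AutoGenerate")
            if "AutoGenerate" in value:
                findings.append(f"{server}: {attr} is AutoGenerate")
            elif not HEX.fullmatch(value):
                # e.g. a key pasted with the line wrap and indentation left in
                findings.append(f"{server}: {attr} is not a single hex string")
        prints[server] = fingerprint(mk)
    if len(set(prints.values())) > 1:
        findings.append(f"machineKey differs across servers: {prints}")
    return findings


if __name__ == "__main__":
    # Constructed sample: placeholder hex values and hypothetical server names.
    template = ('<configuration><system.web><machineKey validationKey="{}" '
                'decryptionKey="{}" validation="SHA1" decryption="AES" />'
                '</system.web></configuration>')
    farm = {"web1": template.format("A1" * 64, "B2" * 32),
            "web2": template.format("A1" * 64, "C3" * 32)}
    for finding in audit_farm(farm):
        print(finding)
```

An empty result means every server has the same explicit keys; any finding points at the server that would fail to decrypt what another server encrypted.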

自我难过 2024-10-03 11:41:47

If you are using IIS 7.5 or later, you can generate the machine key from IIS and save it directly to your web.config; within the web farm you then just copy the new web.config to each server.

  1. Open IIS manager.
  2. If you need to generate and save the MachineKey for all your applications select the server name in the left pane, in that case you will be modifying the root web.config file (which is placed in the .NET framework folder). If your intention is to create MachineKey for a specific web site/application then select the web site / application from the left pane. In that case you will be modifying the web.config file of your application.
  3. Double-click the Machine Key icon in ASP.NET settings in the middle pane:
  4. MachineKey section will be read from your configuration file and be shown in the UI. If you did not configure a specific MachineKey and it is generated automatically you will see the following options:
  5. Now you can click Generate Keys on the right pane to generate random MachineKeys. When you click Apply, all settings will be saved in the web.config file.

Full Details can be seen @ Easiest way to generate MachineKey – Tips and tricks: ASP.NET, IIS and .NET development…

(り薆情海 2024-10-03 11:41:47

Make sure to learn from the padding oracle asp.net vulnerability that just happened (you applied the patch, right? ...) and use protected sections to encrypt the machine key and any other sensitive configuration.

An alternative option is to set it in the machine level web.config, so it's not even in the web site folder.

To generate it do it just like the linked article in David's answer.
