当前位置: 文江博客话题详情

在仅 HTTPS 的站点上正确响应 HTTP HEAD 请求

发布于 2024-12-21 05:16:07 字数 462 浏览 4 评论 0原文

我们有一个只能通过 HTTPS 访问的 ASP.Net MVC3 站点,方法是使用控制器上的 RequireHTTPS 属性。

我们收到大量 HTTP HEAD 方法请求,主要来自 Twitter 机器人。默认的 ASP.Net/MVC3 响应是“500 内部服务器错误”,并且由 elmah 和 log4net 捕获/记录(现已过滤掉!)。

我可以根据这个问题编写一个特定的控制器和路由来处理这些非 HTTPS 请求 - 在 asp.NET MVC 3 中响应 HEAD 请求

但是,从机器人的角度来看,最好的回应是什么? 200 表示服务器处于活动状态,302 重定向到 HTTPS url,还是坚持使用 500,因为该网站无法通过 HTTP 访问?

原文

We have an ASP.Net MVC3 site only accessible over HTTPS, by using the RequireHTTPS attribute on the controller.

We are receiving numerous HTTP HEAD method requests, mainly from what appear to be Twitter bots. The default ASP.Net/MVC3 response is a '500 Internal Server Error', and are being caught/logged by elmah and log4net (now filtered out!).

I could write a specific controller and route to handle these non-HTTPS requests as per this question - Responding to HEAD Request in asp.NET MVC 3.

But, from the bots perspective what would be the best response? 200 to show the server is alive, a 302 redirect to the HTTPS url, or stick with the 500 as the site isn't accessible over HTTP?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

不打扰别人 2024-12-28 05:16:07

回应

405 Method Not Allowed

你可以用以下方式

Request-URI 标识的资源不允许使用 Request-Line 中指定的方法。响应必须包含一个Allow标头,其中包含所请求资源的有效方法列表。

或用

501 Not Implemented

什么手段

服务器不支持完成请求所需的功能。当服务器无法识别请求方法并且无法支持任何资源时,这是适当的响应。

就我个人而言,我会选择 405 因为这是客户端的错误,“嘿伙计,我们这里不提供这些东西。” 似乎更适合我比“你到底在说什么?我听不懂。”之一,后者是由服务器无法识别请求方法位建议的501 描述。

所有 HTTP 状态代码: http://www.w3.org/Protocols/ rfc2616/rfc2616-sec10.html

You could respond with

405 Method Not Allowed

which means

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

or with

501 Not Implemented

which means

The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource.

Personally, I would go with the 405 since it's an error on the client side, a "Hey man, we don't serve that stuff here." seems more appropriate to me than "What the hell are you talking about? I don't understand it." one, the latter is suggested by the the server does not recognize the request method bit of the 501 description.

All the HTTP status codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

回复 原文
虫児飞 2024-12-28 05:16:07

就我而言,我只在网站 / 的根目录上收到 HEAD 请求,这看起来像是机器人探测。所以,我有点担心返回 500 或 404。

更多关于 405

根据 Albireo 的回答,405 可能没问题,但你需要返回接受的动词,例如:

// 405 must include allowable methods.
// https://tools.ietf.org/html/rfc2616#section-14.7
httpContext.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
httpContext.Response.AddHeader( "Allow", "GET" );

302 选项

查看 MVC 代码中不重定向 HEAD 请求的注释:

//only redirect for GET requests, otherwise the browser might not propagate the verb and request
//body correctly.

似乎另一个选择是发送 302。返回 302 应该相当安全到 HTTPS 站点,以便 bot HEAD 请求根目录(这就是 MVC 对 GET 所做的操作)。因此,我根据 MVC 的方式实现了以下内容:

if( isHead == true && isRoot == true )
{
    httpContext.ClearError();
    httpContext.Response.Clear();                    
    httpContext.Response.StatusCode = 302;
    string url = "https://" + httpContext.Request.Url.Host + httpContext.Request.RawUrl;
    httpContext.Response.Redirect(url, endResponse: false);                    
    return;
}

在 global.asax.cs 中实现:

protected void Application_Error( object sender, EventArgs e )
{
     //Your code here
}

In my case, I was only getting HEAD requests on the root of the site / which seems like bots probing. So, I was a bit worried about returning a 500 or 404.

More on 405

405 may be OK as per Albireo's answer, but you need to return the accepted verbs, something like:

// 405 must include allowable methods.
// https://tools.ietf.org/html/rfc2616#section-14.7
httpContext.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
httpContext.Response.AddHeader( "Allow", "GET" );

302 option

Looking at the comment in the MVC code which does not redirect the HEAD request:

//only redirect for GET requests, otherwise the browser might not propagate the verb and request
//body correctly.

It seems like another option is to send a 302. It should be reasonably safe to return a 302 to the HTTPS site for bot HEAD requests to root (which is what MVC does for a GET). So, I implemented the following which is based on the way that MVC does it:

if( isHead == true && isRoot == true )
{
    httpContext.ClearError();
    httpContext.Response.Clear();                    
    httpContext.Response.StatusCode = 302;
    string url = "https://" + httpContext.Request.Url.Host + httpContext.Request.RawUrl;
    httpContext.Response.Redirect(url, endResponse: false);                    
    return;
}

Implement in global.asax.cs:

protected void Application_Error( object sender, EventArgs e )
{
     //Your code here
}
回复 原文
~没有更多了~

关于作者

归属感

暂无简介

文章
评论
20981 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

浪子阿飞

文章 0 评论 0

JK.Yang

文章 0 评论 0

人间不值得

文章 0 评论 0

静待花开

文章 0 评论 0

只涨不跌

文章 0 评论 0

污浊的双黑

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文