[Mono-aspnet-list] nginx + multiple fastcgi-mono-server4 instance => WebResource.axd 404 error
kornelpal at gmail.com
Wed Jan 2 13:20:43 UTC 2013
Based on the source code of Mono's
System.Web.Handlers.AssemblyResourceLoader I think that the
implementation is flawed.
I am going to describe the problem, but I think that you should file a
Although it is using a hashing algorithm that always results in the same
hash for the same script resource, hashes are not generated and stored
in the dictionaries unless a link is generated, thus a resource is not
available until a link to it was generated by the same AppDomain before.
As such even AppDomain restarts can trigger the problem, although a
simple refresh on the page fixes it by generating hashes for the web
resources that subsequently can be retrieved from the server, provided
that there is only one AppDomain (one process, one server) serving the
As I see at least the assembly name should be included in the query
string, resource hashes can be regenerated based on
WebResourceAttributes of the assembly.
To prevent loading arbitrary assemblies, the assembly name should be
encrypted using the machine key and also should be signed using HMAC to
avoid padding oracle vulnerability similar to CVE-2010-3332 that the MS
implementation had (encrypted view state, forms authentication cookie,
and WebResource.axd were all affected).
On 1/2/2013 12:34 PM, Ovidiu Deac wrote:
> I'm running nginx which does load balancing over several instances of
> Apparently when a webresource link is handled by a different
> fastcgi-mono-server than the one which originally produced the link it
> returns a 404 error.
> I have set a persistent machinekey as recommended for webfarms but the
> problem still remains.
> Any idea what else could be wrong?
> If it makes any difference: the application is written with
> F#/WebSharper and we disabled the session state and the forms
> Mono-aspnet-list mailing list
> Mono-aspnet-list at lists.ximian.com
More information about the Mono-aspnet-list