[Mono-aspnet-list] nginx + multiple fastcgi-mono-server4 instance => WebResource.axd 404 error

Kornél Pál kornelpal at gmail.com
Wed Jan 2 14:23:32 UTC 2013

If you have reasons to use Mono or you are already using it, then I 
think that fixing Mono is a more reasonable option than moving to MS .NET.


On 1/2/2013 3:09 PM, Ovidiu Deac wrote:
> Thanks for the answer.
> So the short version is that if I want to have multiple instances of the
> application and do load balancing then I must drop mono and use .NET
> instead ?
> Is there any other possibility to achieve load  balancing/high
> availability with mono?
> On Wed, Jan 2, 2013 at 3:20 PM, Kornél Pál <kornelpal at gmail.com
> <mailto:kornelpal at gmail.com>> wrote:
>     Based on the source code of Mono's
>     System.Web.Handlers.AssemblyResourceLoader I think that the
>     implementation is flawed.
>     I am going to describe the problem, but I think that you should file
>     a bug report.
>     Although it is using a hashing algorithm that always results in the
>     same hash for the same script resource, hashes are not generated and
>     stored in the dictionaries unless a link is generated, thus a
>     resource is not available until a link to it was generated by the
>     same AppDomain before.
>     As such even AppDomain restarts can trigger the problem, although a
>     simple refresh on the page fixes it by generating hashes for the web
>     resources that subsequently can be retrieved from the server,
>     provided that there is only one AppDomain (one process, one server)
>     serving the requests.
>     As I see at least the assembly name should be included in the query
>     string, resource hashes can be regenerated based on
>     WebResourceAttributes of the assembly.
>     To prevent loading arbitrary assemblies, the assembly name should be
>     encrypted using the machine key and also should be signed using HMAC
>     to avoid padding oracle vulnerability similar to CVE-2010-3332 that
>     the MS implementation had (encrypted view state, forms
>     authentication cookie, and WebResource.axd were all affected).
>     Kornel
>     On 1/2/2013 12:34 PM, Ovidiu Deac wrote:
>         I'm running nginx which does load balancing over several
>         instances of
>         fastcgi-mono-server4
>         Apparently when a webresource link is handled by a different
>         fastcgi-mono-server than the one which originally produced the
>         link it
>         returns a 404 error.
>         I have set a persistent machinekey as recommended for webfarms
>         but the
>         problem still remains.
>         Any idea what else could be wrong?
>         If it makes any difference: the application is written with
>         F#/WebSharper and we disabled the session state and the forms
>         authentication.
>         Thanks
>         _______________________________________________
>         Mono-aspnet-list mailing list
>         Mono-aspnet-list at lists.ximian.com
>         <mailto:Mono-aspnet-list at lists.ximian.com>
>         http://lists.ximian.com/mailman/listinfo/mono-aspnet-list

More information about the Mono-aspnet-list mailing list