| URL Firewall in DMZ/Self Service Setup (url_fw.conf) |
| Friday, June 01, 2007 |
|
We have moved to http://onlineAppsDBA.com kindly check http://onlineAppsDBA.comin future
In Self Service or DMZ Setup (from 11.5.10) you might have noticed new configuration file url_fw.conf under $IAS_ORACLE_HOME/Apache/Apache/conf . In today's post We'll understand requirement of this file , building blocks of this file, mod_rewrite module of apache and regular expressions.
Overview of url_fw.conf file is required ?
This file is delievered by patch 3942483 (included in 11.5.10) and called by Apache/Webserver configuration file httpd.conf .
This file uses mod_rewrite module of Apache to allow/disallow URL's matched by regular expression.
Why I need this file - > This file provide extra security for DMZ or Self Service implementation accessible over internet. Only few URL's opened/allowed by this file are accessible thus protecting secured URL which should not be accessible via internet.
On what basis its decided to include url_fw.conf -> If node trust level is marked as external (Three type of Node Trust level for a node , External, Internal, Administration) then Autoconfig includes url_fw.conf file in httpd.conf
What is mod_rewrite and where to get more information -> mod_rewrite is URL Rewrite Engine in Apache (on which Oracle-Apache or Oracle HTTP Server or Web Server in Apps). mod_rewrite is powerful tool for URL manipulation like to
- Restrict Access to directories and files
- Conditional redirection of access
- Relocating Servers, File System or Directories
- Regeneration of static pages based on HTTP Header Variable
For more information on mod_rewrite module of apache visit http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
How to debug mod_rewite issues ?
If you think some of URL's (complete url or partial - gif, jpg, html or jsp file) are blocked by above URL Firewall and you wish to know which file is blocked , you can enable logging by adding following directive in url_fw.conf
RewriteLog "/your_log_directory/rewrite.log"
RewriteLogLevel 7
By default logging is disabled , logLevel value is from 0-10 (0 means no logging and 10 is log everything which records all steps mod_rewrite is doing in background) a sensible value is 6 or 7 and you will see in log what URL is blocked and by what rule; so that if you think user should have access to that URL you can grant access on that resource by adding new rule in url_fw.conf
Sample url_fw.conf value and its meaning -
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
or
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]
Here first rule is saying that when user type / i.e. after hostname , domainname and port number and then /; redirect user to /OA_HTML/AppsLocalLogin.jsp and stop applying any rewrite rule after that.
In second rule; - which means don't do any thing and present User same url as mentioned in left side i.e. /OA_HTML/jsp/fnd/fndhelp.jsp
here [R,L] in end
R- Means Rewrite
L - Last rewrite rule (No more rule to apply after this)
In order to understand above rules , you should know regular expression and here few tips/meta characters on regular expressions
1) . (dot) means matches any characters
2) [] specifies a class
i.e.
---> [a-z] matches any lower case characters from a to z
--->[a-zA-Z0-9] matches any character upper or lower case from a to z and numeric 0 to 9
---> [abc$] matches a or b or c or $
---> [^0-9] matches anything except digit 0 to 9 . Here ^ is negation
Meta Characters in Regular Expressions
^ -> Matches Start of a line
$ -> Matches End of line
like
^appsdba -> Matches any line starting with appsdba
appsdba$ -> Matches any line ending with appsdba
^appsdba$ -> Matches any line which consist of just one word appsdba
Quantifiers for Characters
--> ? matches zero or one instance of character
--> + matches one or more instance of character
--> * matches zero or more instance of character
For Example
appsdba? matches appsdb or appsdba
appasdba+ matches appsdba, appsdbaa, appsdbaaa and so on
appsdba* matches appsdb, appsdba, appsdbaa, appsdbaaa and so on
Few error messages related to URL Firewall are
-- Access to requested URL has been blocked by the url firewall
-- Gone URL you are looking for is blocked by url Firewall
-- Error in opening up attachments or date picker in iStore, iRec, iProc
-- FW-1 at Firewall-2: Access denied
For more information on DMZ and E-Business Suite visit Steven Chan's post at
http://blogs.oracle.com/schan/2006/05/17
Please leave your comments about anything and things you wish to see on this blog.
Few things on Users Request, coming soon on Oracle Applications R12
-- Startup / Shutdown scripts and changes in scripts with 11i version
-- New Top INSTANCE_TOP and its advantages in Oracle Apps Release 12Labels: apps, security |
We have moved to kindly check onLineAppsDBA.com in future
|
|
|
 del.icio.us
¦
 Digg This
¦
 My Yahoo
¦
 Reddit
¦
 BlinkList
¦
 Furl It
¦
Email This
¦
Leave Your Comments
|
posted by Atul Kumar @ 6:55 PM
  |
|
| 2 Comments: |
-
Dear Atul,
IHAC who has currently Oracle E-Business Suite instance 11.5.10.2 that is running on two node severs (Applications and Database Tiers). They are planning to deploy the iRecruitment Module so that it can be accessed from the internet.
After reviewing the Metalink Note # 287176.1 [DMZ Configuration with Oracle E-Business Suite 11i], they found that the best deployment topology for their case is to have a new separate external webtier in a DMZ behind a DMZ external firewall [Figure F4], so the existing two servers will be used, one for the database, the second for the internal middletier, and they have to buy a new server to act as an external webtier locating in the DMZ.
But because of additional server unavailability, they are not able to setup additional webtier for external access.
They are using Microsoft ISA server, where the applications tier is secured under ISA firewall using a DMZ Configuration.
They published the webtier server through the ISA server, so for now, the iRecruitment application is accessible from internet using the following URL:
http://abc.xyz.com:8008/OA_HTML/XXXYZ_IrcVisitor_Expat.jsp which automatically directs to
http://abc.xyz.com:8008/OA_HTML/RF.jsp?function_id=1017473&resp_id=53596&resp_appl_id=800&security_group_id=0&lang_code=US¶ms=EQ1-o5Tx8LZPAp-n2utaWLhEDYDHVdNFbYJZweZCUc-Bj2SJ--5Ns96OKvxJIzsai3Rz9lmB2Hf6QfoSZynQAA&oas=AU16QneQJZWe8PYhxLuRxA..
The problem they are facing currently that the internet user is able to access the main home page using [http://abc.xyz.com:8008], which means that he can login to the system or to the OAM, or even to the sub URLs.
How can they restrict access to the homepage and the login screen from outside http://abc.xyz.com:8008 ? so restricting the Internet access for the specific iRec. URLS.
I found in the above mentioned Metalink Note 287176.1 that this problem is easy solvable by using something called “URL Firewall” which is a configuration inside $IAS_CONFIG_HOME/Apache/Apache/conf/url_fw.conf file, but using this configuration requires separate external webtier.
Please Advise ?
Regards
Mohammad Muhtadi
-
I have been visiting various blogs for my term papers writing research. I have found your blog to be quite useful. Keep updating your blog with valuable information... Regards
|
| |
| << Home |
| |
|
|
Dear Atul,
IHAC who has currently Oracle E-Business Suite instance 11.5.10.2 that is running on two node severs (Applications and Database Tiers). They are planning to deploy the iRecruitment Module so that it can be accessed from the internet.
After reviewing the Metalink Note # 287176.1 [DMZ Configuration with Oracle E-Business Suite 11i], they found that the best deployment topology for their case is to have a new separate external webtier in a DMZ behind a DMZ external firewall [Figure F4], so the existing two servers will be used, one for the database, the second for the internal middletier, and they have to buy a new server to act as an external webtier locating in the DMZ.
But because of additional server unavailability, they are not able to setup additional webtier for external access.
They are using Microsoft ISA server, where the applications tier is secured under ISA firewall using a DMZ Configuration.
They published the webtier server through the ISA server, so for now, the iRecruitment application is accessible from internet using the following URL:
http://abc.xyz.com:8008/OA_HTML/XXXYZ_IrcVisitor_Expat.jsp which automatically directs to
http://abc.xyz.com:8008/OA_HTML/RF.jsp?function_id=1017473&resp_id=53596&resp_appl_id=800&security_group_id=0&lang_code=US¶ms=EQ1-o5Tx8LZPAp-n2utaWLhEDYDHVdNFbYJZweZCUc-Bj2SJ--5Ns96OKvxJIzsai3Rz9lmB2Hf6QfoSZynQAA&oas=AU16QneQJZWe8PYhxLuRxA..
The problem they are facing currently that the internet user is able to access the main home page using [http://abc.xyz.com:8008], which means that he can login to the system or to the OAM, or even to the sub URLs.
How can they restrict access to the homepage and the login screen from outside http://abc.xyz.com:8008 ? so restricting the Internet access for the specific iRec. URLS.
I found in the above mentioned Metalink Note 287176.1 that this problem is easy solvable by using something called “URL Firewall” which is a configuration inside $IAS_CONFIG_HOME/Apache/Apache/conf/url_fw.conf file, but using this configuration requires separate external webtier.
Please Advise ?
Regards
Mohammad Muhtadi