Tuesday, April 28, 2009

URL Firewall in DMZ Setup

In a Self Service or DMZ setup (from 11.5.10) you might have noticed a new configuration file, url_fw.conf, under $IAS_ORACLE_HOME/Apache/Apache/conf. In today's post we'll look at why this file is required, the building blocks of this file, the mod_rewrite module of Apache, and regular expressions.

Overview: why is the url_fw.conf file required?

This file is delivered by patch 3942483 (included in 11.5.10) and is called by the Apache/web server configuration file httpd.conf.

This file uses the mod_rewrite module of Apache to allow or disallow URLs matched by regular expressions.

Why do I need this file? -> This file provides extra security for a DMZ or Self Service implementation that is accessible over the internet. Only the few URLs explicitly opened/allowed by this file are accessible, which protects the secured URLs that should not be reachable via the internet.

On what basis is it decided to include url_fw.conf? -> If the node trust level is marked as External (there are three node trust levels for a node: External, Internal and Administration), then AutoConfig includes the url_fw.conf file in httpd.conf.

What is mod_rewrite and where do I get more information? -> mod_rewrite is the URL rewrite engine in Apache (on which Oracle Apache, i.e. Oracle HTTP Server, the web server in Apps, is based). mod_rewrite is a powerful tool for URL manipulation, for example to

- Restrict access to directories and files
- Conditionally redirect access
- Relocate servers, file systems or directories
- Regenerate static pages based on HTTP header variables

For more information on the mod_rewrite module of Apache visit http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

How to debug mod_rewrite issues?
If you think some URLs (a complete URL or a partial one - a gif, jpg, html or jsp file) are being blocked by the URL firewall above and you wish to know which file is blocked, you can enable logging by adding the following directives in url_fw.conf

RewriteLog "/your_log_directory/rewrite.log"
RewriteLogLevel 7

By default logging is disabled. The log level value ranges from 0 to 10 (0 means no logging; 10 logs everything, recording every step mod_rewrite performs in the background). A sensible value is 6 or 7: the log will then show which URL is blocked and by which rule, so that if you think a user should have access to that URL you can grant access to that resource by adding a new rule in url_fw.conf.

Sample url_fw.conf values and their meaning -
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]

The first rule says that when the user types / (i.e. just / after the hostname, domain name and port number), redirect the user to /OA_HTML/AppsLocalLogin.jsp and stop applying any further rewrite rules.

In the second rule, the - means don't change anything and present the user with the same URL as on the left side, i.e. /OA_HTML/jsp/fnd/fndhelp.jsp

Here, the [R,L] at the end means:
R - Rewrite
L - Last rewrite rule (no more rules are applied after this)

In order to understand the above rules, you should know regular expressions; here are a few tips on regular expression metacharacters

1) . (dot) matches any single character
2) [] specifies a character class
---> [a-z] matches any lower case character from a to z
---> [a-zA-Z0-9] matches any upper or lower case letter from a to z and any digit from 0 to 9
---> [abc$] matches a, b, c or $
---> [^0-9] matches anything except the digits 0 to 9. Here ^ is negation

Meta Characters in Regular Expressions

^ -> Matches the start of a line
$ -> Matches the end of a line


^appsdba -> Matches any line starting with appsdba
appsdba$ -> Matches any line ending with appsdba
^appsdba$ -> Matches any line which consists of just the one word appsdba

Quantifiers for characters (each applies to the character immediately before it)
--> ? matches zero or one instance of the character
--> + matches one or more instances of the character
--> * matches zero or more instances of the character

For example
appsdba? matches appsdb or appsdba
appsdba+ matches appsdba, appsdbaa, appsdbaaa and so on
appsdba* matches appsdb, appsdba, appsdbaa, appsdbaaa and so on
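To tie the sample rules and the regex tips together, here is a small added example (my own code, not part of the original post or of the url_fw.conf shipped by the patch) that parses url_fw.conf-style RewriteRule lines and walks them in mod_rewrite order for a given request path, reporting whether it is redirected, allowed or blocked and which rule decided it, much like what RewriteLog would show. The rule set is constructed; the trailing catch-all [G] (410 Gone) deny rule is my assumption about how the allowlist ends, and Python's re module is used as a stand-in for the PCRE engine Apache uses (fine for the simple patterns shown here).

```python
import re

# Constructed sample in url_fw.conf style; the final .* [G] catch-all deny is an
# assumption (it matches the "Gone ... blocked by url Firewall" error message).
SAMPLE_RULES = r"""
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]
RewriteRule ^/OA_HTML/[a-zA-Z0-9_]+\.gif$ - [L]
RewriteRule .* - [G]
"""


def parse_rules(text):
    """Parse RewriteRule lines into (compiled pattern, substitution, flags) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteRule":
            continue  # blank line, comment, or a directive we do not model
        pattern, subst = parts[1], parts[2]
        flags = set()
        if len(parts) > 3 and parts[3].startswith("["):
            flags = {f.strip() for f in parts[3].strip("[]").split(",")}
        rules.append((re.compile(pattern), subst, flags))
    return rules


def evaluate(rules, path):
    """Apply rules in order like mod_rewrite; return (decision, target, trace)."""
    trace, current, redirect = [], path, False
    for idx, (pattern, subst, flags) in enumerate(rules, 1):
        if not pattern.search(current):
            continue
        trace.append(f"rule {idx} ({pattern.pattern}) matched {current}")
        if "G" in flags:
            return "blocked", None, trace  # 410 Gone: URL firewall denies it
        if "F" in flags:
            return "forbidden", None, trace  # 403 Forbidden variant of a deny
        if subst != "-":
            current = subst  # "-" keeps the URL unchanged
        redirect = redirect or "R" in flags
        if "L" in flags:
            break  # last rule: stop processing further rules
    return ("redirect" if redirect else "allow"), current, trace


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for p in ["/", "/OA_HTML/jsp/fnd/fndhelp.jsp", "/OA_HTML/x.gif", "/OA_HTML/a.jsp"]:
        print(p, "->", evaluate(rules, p)[:2])
```

Feed it the real rules from your url_fw.conf and the path from a blocked request to see which rule (or the catch-all deny) is responsible before adding an allow rule.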

A few error messages related to the URL firewall are
-- Access to requested URL has been blocked by the url firewall
-- Gone URL you are looking for is blocked by url Firewall
-- Error in opening up attachments or date picker in iStore, iRec, iProc
-- FW-1 at Firewall-2: Access denied

For more information on DMZ and E-Business Suite visit Steven Chan's post at


Please leave your comments about anything and things you wish to see on this blog.

A few things, coming soon on users' request, about Oracle Applications R12
-- Startup / shutdown scripts and how they changed from the 11i version
-- The new top INSTANCE_TOP and its advantages in Oracle Apps Release 12
