Tuesday, April 28, 2009

URL Firewall in DMZ Setup

In a Self Service or DMZ setup (from 11.5.10 onwards) you might have noticed a new configuration file, url_fw.conf, under $IAS_ORACLE_HOME/Apache/Apache/conf. In today's post we'll look at why this file is needed, its building blocks, the mod_rewrite module of Apache, and the regular expressions the rules are written in.

Overview of url_fw.conf - why is it required?

This file is delivered by patch 3942483 (included in 11.5.10) and is included from the Apache/web server configuration file httpd.conf.

It uses the mod_rewrite module of Apache to allow or disallow URLs matched by regular expressions.

Why do I need this file -> This file provides extra security for a DMZ or Self Service implementation that is accessible over the internet. Only the few URLs explicitly opened/allowed by this file are reachable, so internal URLs that should never be exposed to the internet stay protected.

On what basis is url_fw.conf included -> If the node trust level is marked as External (there are three node trust levels for a node: External, Internal and Administration), AutoConfig includes the url_fw.conf file in httpd.conf.

What is mod_rewrite and where to get more information -> mod_rewrite is the URL rewrite engine of Apache (on which Oracle-Apache, i.e. Oracle HTTP Server, the web server in Apps, is built). mod_rewrite is a powerful tool for URL manipulation, for example to

- Restrict Access to directories and files
- Conditional redirection of access
- Relocating Servers, File System or Directories
- Regeneration of static pages based on HTTP Header Variable

For more information on the mod_rewrite module of Apache visit http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

How to debug mod_rewrite issues?
If you think some URLs (a complete URL or a partial one - a gif, jpg, html or jsp file) are being blocked by the URL firewall and you want to know which file is blocked, you can enable logging by adding the following directives to url_fw.conf

RewriteLog "/your_log_directory/rewrite.log"
RewriteLogLevel 7


By default logging is disabled. The log level ranges from 0 to 10 (0 means no logging; 10 logs everything, recording every step mod_rewrite takes in the background). A sensible value is 6 or 7: the log then shows which URL was blocked and by which rule, so if you decide a user should have access to that URL you can grant access to that resource by adding a new rule to url_fw.conf.

Sample url_fw.conf entries and their meaning -
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
or
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]

The first rule says: when the user types / (i.e. nothing after hostname, domain name and port number except a trailing /), redirect the user to /OA_HTML/AppsLocalLogin.jsp and stop applying any further rewrite rules.

In the second rule the substitution is -, which means do nothing to the URL and present the user the same URL as on the left-hand side, i.e. /OA_HTML/jsp/fnd/fndhelp.jsp. In other words, that URL is explicitly opened by the firewall.

The flags in brackets at the end, here [R,L], mean:
R - Redirect (send the browser to the substituted URL, as the first rule does)
L - Last rewrite rule (no more rules are applied after this one)

In order to understand the rules above you need to know regular expressions. Here are a few tips on the meta characters used in regular expressions

1) . (dot) matches any single character
2) [] specifies a character class
i.e.
---> [a-z] matches any lower case character from a to z
---> [a-zA-Z0-9] matches any upper or lower case letter from a to z and any digit 0 to 9
---> [abc$] matches a or b or c or $
---> [^0-9] matches anything except a digit 0 to 9. Here ^ inside the brackets means negation

Meta Characters in Regular Expressions

^ -> Matches the start of a line
$ -> Matches the end of a line

like

^appsdba -> Matches any line starting with appsdba
appsdba$ -> Matches any line ending with appsdba
^appsdba$ -> Matches any line which consists of just the one word appsdba


Quantifiers for Characters
--> ? matches zero or one instance of the preceding character
--> + matches one or more instances of the preceding character
--> * matches zero or more instances of the preceding character

For Example
appsdba? matches appsdb or appsdba
appsdba+ matches appsdba, appsdbaa, appsdbaaa and so on
appsdba* matches appsdb, appsdba, appsdbaa, appsdbaaa and so on
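To see how the rule set and the regular expression anchors above work together, here is a small evaluator, added for this post and not part of the shipped url_fw.conf, that walks a rule list in order the way mod_rewrite does and records which rule matched (the information RewriteLog gives you). The first two rules are the ones shown above; the third rule and the final catch-all deny rule are assumptions, the latter modelled on the "Gone" error listed further down using mod_rewrite's G flag.

```python
import re

# Constructed url_fw.conf fragment (the last two rules are assumptions, see lead-in).
URL_FW_CONF = """
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ - [L]
RewriteRule ^/OA_HTML/AppsLocalLogin\\.jsp$ - [L]
RewriteRule .* - [G]
"""


def parse_rules(conf):
    """Return (compiled_pattern, substitution, flags) for each RewriteRule line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteRule":
            continue
        pattern, subst = parts[1], parts[2]
        flags = set(parts[3].strip("[]").split(",")) if len(parts) > 3 else set()
        rules.append((re.compile(pattern), subst, flags))
    return rules


def evaluate(rules, path, log):
    """Apply the rules in order to path; return (outcome, url) and append log lines."""
    for n, (pattern, subst, flags) in enumerate(rules, 1):
        # mod_rewrite searches the pattern in the path, so only ^ and $ anchor it
        if not pattern.search(path):
            continue
        log.append(f"rule {n} '{pattern.pattern}' matched {path}")
        if "G" in flags:
            return ("blocked", path)      # 410 Gone: URL not opened by the firewall
        if "R" in flags:
            return ("redirect", subst)    # browser is sent to the substituted URL
        if subst != "-":
            path = subst                  # internal rewrite, keep going unless L
        if "L" in flags:
            return ("allowed", path)      # '-' with [L]: pass through unchanged
    return ("allowed", path)              # no rule matched: URL left alone


if __name__ == "__main__":
    rules = parse_rules(URL_FW_CONF)
    for p in ("/", "/OA_HTML/jsp/fnd/fndhelp.jsp", "/OA_HTML/jsp/fnd/fndhelp.jspx"):
        log = []
        print(p, "->", evaluate(rules, p, log), log)
```

Note that fndhelp.jspx is blocked even though it starts with the allowed name: the $ anchor makes the second rule match the exact path only, which is why a missing rule for a gif or a date picker page shows up as "blocked" in the rewrite log.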

A few error messages related to the URL firewall are
-- Access to requested URL has been blocked by the url firewall
-- Gone URL you are looking for is blocked by url Firewall
-- Errors opening attachments or the date picker in iStore, iRec, iProc
-- FW-1 at Firewall-2: Access denied

For more information on DMZ and E-Business Suite visit Steven Chan's post at

http://blogs.oracle.com/schan/2006/05/17

Please leave your comments about anything and things you wish to see on this blog.

A few things requested by users, coming soon on Oracle Applications R12
-- Startup / Shutdown scripts and changes in scripts with 11i version
-- New Top INSTANCE_TOP and its advantages in Oracle Apps Release 12
