In Self Service or DMZ Setup (from 11.5.10) you might have noticed new configuration file url_fw.conf under $IAS_ORACLE_HOME/Apache/Apache/conf . In today’s post We’ll understand requirement of this file , building blocks of this file, mod_rewrite module of apache and regular expressions.
Overview of url_fw.conf file is required ?
This file is delievered by patch 3942483 (included in 11.5.10) and called by Apache/Webserver configuration file httpd.conf .
This file uses mod_rewrite module of Apache to allow/disallow URL’s matched by regular expression.
Why I need this file – > This file provide extra security for DMZ or Self Service implementation accessible over internet. Only few URL’s opened/allowed by this file are accessible thus protecting secured URL which should not be accessible via internet.
On what basis its decided to include url_fw.conf -> If node trust level is marked as external (Three type of Node Trust level for a node , External, Internal, Administration) then Autoconfig includes url_fw.conf file in httpd.conf
What is mod_rewrite and where to get more information -> mod_rewrite is URL Rewrite Engine in Apache (on which Oracle-Apache or Oracle HTTP Server or Web Server in Apps). mod_rewrite is powerful tool for URL manipulation like to
– Restrict Access to directories and files
– Conditional redirection of access
– Relocating Servers, File System or Directories
– Regeneration of static pages based on HTTP Header Variable
For more information on mod_rewrite module of apache visit http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
How to debug mod_rewite issues ?
If you think some of URL’s (complete url or partial – gif, jpg, html or jsp file) are blocked by above URL Firewall and you wish to know which file is blocked , you can enable logging by adding following directive in url_fw.conf
RewriteLog “/your_log_directory/rewrite.log”
RewriteLogLevel 7
By default logging is disabled , logLevel value is from 0-10 (0 means no logging and 10 is log everything which records all steps mod_rewrite is doing in background) a sensible value is 6 or 7 and you will see in log what URL is blocked and by what rule; so that if you think user should have access to that URL you can grant access on that resource by adding new rule in url_fw.conf
Sample url_fw.conf value and its meaning –
RewriteRule ^/$ /OA_HTML/AppsLocalLogin.jsp [R,L]
or
RewriteRule ^/OA_HTML/jsp/fnd/fndhelp.jsp$ – [L]
Here first rule is saying that when user type / i.e. after hostname , domainname and port number and then /; redirect user to /OA_HTML/AppsLocalLogin.jsp and stop applying any rewrite rule after that.
In second rule; – which means don’t do any thing and present User same url as mentioned in left side i.e. /OA_HTML/jsp/fnd/fndhelp.jsp
here [R,L] in end
R- Means Rewrite
L – Last rewrite rule (No more rule to apply after this)
In order to understand above rules , you should know regular expression and here few tips/meta characters on regular expressions
1) . (dot) means matches any characters
2) [] specifies a class
i.e.
—> [a-z] matches any lower case characters from a to z
—>[a-zA-Z0-9] matches any character upper or lower case from a to z and numeric 0 to 9
—> [abc$] matches a or b or c or $
—> [^0-9] matches anything except digit 0 to 9 . Here ^ is negation
Meta Characters in Regular Expressions
^ -> Matches Start of a line
$ -> Matches End of line
like
^appsdba -> Matches any line starting with appsdba
appsdba$ -> Matches any line ending with appsdba
^appsdba$ -> Matches any line which consist of just one word appsdba
Quantifiers for Characters
–> ? matches zero or one instance of character
–> + matches one or more instance of character
–> * matches zero or more instance of character
For Example
appsdba? matches appsdb or appsdba
appasdba+ matches appsdba, appsdbaa, appsdbaaa and so on
appsdba* matches appsdb, appsdba, appsdbaa, appsdbaaa and so on
Few error messages related to URL Firewall are
— Access to requested URL has been blocked by the url firewall
— Gone URL you are looking for is blocked by url Firewall
— Error in opening up attachments or date picker in iStore, iRec, iProc
— FW-1 at Firewall-2: Access denied
For more information on DMZ and E-Business Suite visit Steven Chan’s post at
http://blogs.oracle.com/schan/2006/05/17
Please leave your comments about anything and things you wish to see on this blog.
Few things on Users Request, coming soon on Oracle Applications R12
— Startup / Shutdown scripts and changes in scripts with 11i version
— New Top INSTANCE_TOP and its advantages in Oracle Apps Release 12