The Request Filters Summary page displays.
You select an individual filter from the Filter column and specify the rules for that filter. When configuring rules, order them in the order in which you want Oracle Web Cache to match requests. When ordering filter rules, give allow rules a higher priority than deny rules.
After configuring the rules for a filter and enabling or disabling individual rules, you return to the Request Filters Summary page to enable the filter. If you do not click Enable for a filter, the filter is disabled, which means Oracle Web Cache ignores any rules configured for that filter.
4.2 Types of Request Filters
Oracle Web Cache provides the following filters, each designed to address a particular type of HTTP request vulnerability.
■ Privileged IP
■ Client IP
■ Method
■ URL
■ Header
■ Query String
■ Format
The privileged IP filter permits allow-only rules; the header, query string, and format filters permit deny-only rules; and the client IP, method, and URL filters permit both allow and deny rules. Because the rules in the header, query string, and format filters are independent of each other, an allow rule in one of these filters could match first and cause later deny rules to be skipped. Therefore, these filters permit only deny rules.
Privileged IP
The privileged IP filter enables Oracle Web Cache to bypass the other request filters.
You use this filter to grant specified privileged IP addresses unrestricted access.
Client IP
The client IP filter allows or denies site access to specific IP addresses.
It enables Oracle Web Cache to restrict access to a site, or to a URL prefix within the site, to only certain IP addresses. This filter prevents clients at certain IP addresses from launching attacks on a system. Not restricting access could give clients access to the application, or to areas of the site that contain sensitive information, and an attacker at a given IP address can keep launching malicious requests until Oracle Web Cache denies access.
You can configure a black list by denying requests whose IP address and URL match the rule, or a white list by allowing requests whose IP address and URL match the rule.
Method
The method filter allows or denies site access based on the HTTP request method. For example, if only GET and POST methods are allowed, Oracle Web Cache would refuse all other requests.
This filter protects against clients attempting to read restricted files or modify files using various HTTP methods. In addition to the HTTP request method, you can configure a URL to limit the rule to only requests that match both the method and the specified URL.
URL
The URL filter allows or denies site access based on a URL.
This filter protects against Internet attacks to an application server through a specific URL.
Header
The header filter denies site access based on HTTP header values. In addition to the HTTP header value, you can configure a URL to limit the rule to only requests that match the header value and the specified URL.
Incoming requests matching the HTTP header and URL are compared to the expression in the rule. The expression can be either a substring or a regular expression.
For both substring and regular expression comparisons, a rule can deny requests in which the request's header value matches the rule's value expression.
This filter protects against clients attempting to break into an application by manually creating header values and clients submitting unwanted content in header values.
Query String
The query string filter denies site access based on query string parameters. For a POST request, Oracle Web Cache checks both the query string, if it is present, and the POST body. In addition to the query string, you can configure a URL to limit the rule to only requests that match both the query string and the specified URL.
Incoming requests matching the query string and URL are compared to the expression in the rule. The expression can be either a substring or a regular expression. For both substring and regular expression comparisons, a rule can deny requests in which the request's query string matches the rule's value expression.
This filter protects against clients attempting to break into a site by manually manipulating the query string parameters and values and clients submitting unwanted content within parameter values.
Format
The format filter denies site access based on the format of the HTTP request. This filter checks for embedded null byte characters, strict encoding and valid Unicode, and double URL encoding. Oracle Web Cache checks the format for each enabled type and denies the request if the format is invalid.
This filter checks the components of the URL, including the path, filename, query string, and for POST requests, the request entity body. It protects against hackers attempting to disrupt a Web application by either sending a request which is not well formed or sending characters not expected to be in the URL.
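The four format checks named above, applied to the path, query string and POST body, as an added example; this is illustrative code written for this page, not Oracle Web Cache's implementation, and the sample requests are constructed, not captured traffic:

```python
import re

# %xx escape, and a malformed '%' that is not followed by two hex digits
PCT = re.compile(rb"%[0-9A-Fa-f]{2}")
BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def pct_decode_once(data: bytes) -> bytes:
    """Decode %xx escapes exactly once; malformed '%' sequences are left as-is."""
    return PCT.sub(lambda m: bytes([int(m.group(0)[1:], 16)]), data)


def format_violations(method: str, target: bytes, body: bytes = b"") -> list:
    """Return (component, check) pairs for every format check that fails.

    Components are the request path, the query string and, for POST, the
    entity body.  The checks are the four the text names: strict (well-formed)
    percent-encoding, embedded null bytes, valid UTF-8 after decoding, and
    double URL encoding.
    """
    path, _, query = target.partition(b"?")
    components = [("path", path), ("query", query)]
    if method.upper() == "POST":
        components.append(("body", body))

    violations = []
    for name, raw in components:
        if not raw:
            continue
        if BAD_PCT.search(raw):                 # e.g. %ZZ, or a trailing '%'
            violations.append((name, "strict-encoding"))
        decoded = pct_decode_once(raw)
        if b"\x00" in decoded:                  # %00 or a literal NUL byte
            violations.append((name, "null-byte"))
        try:
            decoded.decode("utf-8")             # rejects overlongs such as %C0%AF
        except UnicodeDecodeError:
            violations.append((name, "invalid-unicode"))
        if PCT.search(decoded):                 # %252e decodes to %2e: still an escape
            violations.append((name, "double-encoding"))
    return violations


def is_well_formed(method: str, target: bytes, body: bytes = b"") -> bool:
    """Deny-or-pass decision: any single failing check denies the request."""
    return not format_violations(method, target, body)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("GET", b"/app/index.jsp?id=7", b""),
        ("GET", b"/app/../../etc/passwd%00.jsp", b""),
        ("GET", b"/app/%252e%252e/secret", b""),
        ("GET", b"/app/%C0%AF..%C0%AFconfig", b""),
        ("GET", b"/app/report?name=100%ZZ", b""),
        ("POST", b"/login", b"user=admin%00&pass=x"),
    ]
    for m, t, b in samples:
        print(m, t, b, "->", format_violations(m, t, b) or "ok")
```

The double-encoding check flags any value that still contains a %xx escape after one decode, so a parameter that legitimately carries an encoded literal percent sign (for example `100%2525`) is also denied; that is the same trade-off a front-end filter makes, and is why a deny rule of this kind is worth running in Monitor Only mode first.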
4.3 About Learned Rules
Oracle Web Cache automatically creates learned rules for the method and URL filters.
You can then choose to activate these learned rules.
Client requests that match the filter's Catch All rule are evaluated to see whether they have some commonality that might warrant a new rule. These common patterns are shown as learned rules, which you can choose to activate or ignore.
After a learned rule is activated in the configuration, you can enable or disable it just like any other rule. Even if you choose not to activate learned rules, Oracle Web Cache continues to collect and evaluate common patterns for requests that fall into the Catch All rule.
See Section 4.7.1 and Section 4.8.1 to enable learned rules.
4.4 About the Monitor Only Mode
When you configure rules for the filters, you can select the Monitor Only option.
When you enable this option for a rule, Oracle Web Cache treats the rule as if it were disabled. However, Oracle Web Cache still tracks matches in the statistics and writes them to the event log (if verbosity is set to TRACE or higher) and to the audit log (if audit logging is enabled for the match action).
While Monitor Only is enabled, matching requests are allowed, so you can examine the results in the Request Statistics section. When you disable Monitor Only for a deny rule, the deny action is enforced. You typically turn Monitor Only on to observe a rule's match activity; once the matches are as expected, disable Monitor Only to enforce the rule's action.
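The evaluation semantics described in this chapter (privileged IP bypass, ordered allow and deny rules with first-match-wins inside a filter, a per-filter Catch All that also feeds learned-rule analysis, disabled filters, and Monitor Only rules that count and log matches without changing the decision), as an added example. This is illustrative code written for this page, not Oracle Web Cache's implementation; the site, networks, URLs and rule names in `build_chain` are constructed for the example:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass
class Request:
    client_ip: str
    method: str
    url: str


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    matches: Callable[[Request], bool]
    enabled: bool = True
    monitor_only: bool = False
    hits: int = 0                      # match statistics; counted even in Monitor Only


@dataclass
class Filter:
    name: str
    rules: List[Rule]                  # evaluated in order; first enforced match wins
    catch_all: str                     # action applied when no rule matches
    enabled: bool = True
    catch_all_hits: List[Request] = field(default_factory=list)  # input for learned rules


class RequestFilterChain:
    def __init__(self, privileged_nets: List[str], filters: List[Filter], log: list):
        self.privileged = [ip_network(n) for n in privileged_nets]
        self.filters = filters
        self.log = log                 # stands in for the event/audit log

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Return (decision, reason) for one request."""
        ip = ip_address(req.client_ip)
        if any(ip in net for net in self.privileged):
            return "allow", "privileged-ip"          # bypasses every other filter
        for flt in self.filters:
            if not flt.enabled:
                continue                             # disabled filter: its rules are ignored
            decision = None
            for rule in flt.rules:
                if not rule.enabled or not rule.matches(req):
                    continue
                rule.hits += 1
                if rule.monitor_only:
                    self.log.append(f"MONITOR {flt.name}/{rule.name} would {rule.action} "
                                    f"{req.method} {req.url} from {req.client_ip}")
                    continue                         # treated as disabled for the decision
                decision = (rule.action, f"{flt.name}/{rule.name}")
                break
            if decision is None:
                flt.catch_all_hits.append(req)       # candidate pattern for a learned rule
                decision = (flt.catch_all, f"{flt.name}/catch-all")
            if decision[0] == "deny":
                return decision                      # a deny in any filter ends evaluation
        return "allow", "all-filters-passed"


def build_chain(log: list) -> RequestFilterChain:
    """Constructed sample site: networks, URLs and rule names are illustrative only."""
    client_ip = Filter("client-ip", [
        Rule("deny-scanner", "deny",
             lambda r: ip_address(r.client_ip) in ip_network("203.0.113.0/24")),
    ], catch_all="allow")
    method = Filter("method", [
        Rule("allow-get-post", "allow", lambda r: r.method in ("GET", "POST")),
    ], catch_all="deny")
    url = Filter("url", [
        Rule("deny-admin", "deny", lambda r: r.url.startswith("/admin/"),
             monitor_only=True),                     # watch the rule before enforcing it
    ], catch_all="allow")
    return RequestFilterChain(["10.0.0.0/8"], [client_ip, method, url], log)


if __name__ == "__main__":
    log = []
    chain = build_chain(log)
    for req in [Request("198.51.100.7", "GET", "/app/index.jsp"),
                Request("203.0.113.9", "GET", "/app/"),
                Request("10.1.2.3", "TRACE", "/admin/"),
                Request("198.51.100.7", "TRACE", "/app/"),
                Request("198.51.100.7", "GET", "/admin/config")]:
        print(req.method, req.url, req.client_ip, "->", chain.evaluate(req))
    print(log)
```

Two points the code makes concrete: the request from the privileged 10.0.0.0/8 network reaches the origin with the TRACE method and the /admin/ URL even though both would otherwise be denied, which is why the privileged list should be as short as possible; and the monitor-only deny-admin rule records a hit and a log line but lets the request through until `monitor_only` is cleared.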
4.5 Configuring Rules for the Privileged IP Filter
The privileged IP request filter enables Oracle Web Cache to bypass all request filters for certain privileged IP addresses. Any request from a privileged IP address does not pass through the other request filters.
See Section 4.2 for further information about the privileged IP request filter.
To configure the privileged IP request filter:
1. Navigate to the Web Cache Home page in Fusion Middleware Control. See Section 2.6.2.
2. From the Web Cache menu, select Administration and then Request Filters.
The Request Filters Summary page displays.
3. From the Site list, select the site to apply the filter. See Section 2.11.3 and Section 2.11.4 to create additional sites.
You can configure filters and filter rules for specific sites or Undefined Sites.
Oracle Web Cache directs client requests that do not match a defined site to the request filters configured for Undefined Sites.