Introduction to Request Filtering

Configuring Request Filtering 4-3

■ Query String
■ Format

The privileged IP filter permits allow-only rules; the header, query string, and format filters permit deny-only rules; and the client IP, method, and URL filters permit both allow and deny rules. Because the lists of rules in the header, query string, and format filters are independent of each other, permitting allow rules could result in other deny rules being skipped. Therefore, these filters permit only deny rules.

Privileged IP

The privileged IP filter enables Oracle Web Cache to bypass the other request filters. You use this filter to grant specified privileged IP addresses access.

Client IP

The client IP filter allows or denies site access to specific IP addresses. It enables Oracle Web Cache to restrict access to a site, or to a URL prefix within the site, to only certain IP addresses. This filter prevents clients at certain IP addresses from launching attacks on a system. Not restricting access could allow clients access to the application or to areas of the site that contain sensitive information. An attacker from a certain IP address can continue making malicious attacks if Oracle Web Cache does not deny access. You can configure a black list by denying requests whose IP address and URL match, or a white list by allowing requests whose IP address and URL match.

Method

The method filter allows or denies site access based on the HTTP request method. For example, if only GET and POST methods are allowed, Oracle Web Cache refuses all other requests. This filter protects against clients attempting to read restricted files or modify files using various HTTP methods. In addition to the HTTP request method, you can configure a URL to limit the rule to only requests that match both the method and the specified URL.

URL

The URL filter allows or denies site access based on a URL. This filter protects against Internet attacks on an application server through a specific URL.

Header

The header filter denies site access based on HTTP header values. In addition to the HTTP header value, you can configure a URL to limit the rule to only requests that match both the header value and the specified URL. Incoming requests matching the HTTP header and URL are compared to the expression in the rule. The expression can be either a substring or a regular expression. For both substring and regular expression comparisons, a rule can deny requests in which the request's header value matches the rule's value expression. This filter protects against clients attempting to break into an application by manually crafting header values and clients submitting unwanted content in header values.

4-4 Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache

Query String

The query string filter denies site access based on query string parameters. For a POST request, Oracle Web Cache checks both the query string, if it is present, and the POST body. In addition to the query string, you can configure a URL to limit the rule to only requests that match both the query string and the specified URL. Incoming requests matching the query string and URL are compared to the expression in the rule. The expression can be either a substring or a regular expression. For both substring and regular expression comparisons, a rule can deny requests in which the request's query string matches the rule's value expression. This filter protects against clients attempting to break into a site by manually manipulating query string parameters and values, and against clients submitting unwanted content within parameter values.

Format

The format filter denies site access based on the format of the HTTP request. This filter checks for embedded null byte characters, strict encoding and valid Unicode, and double URL encoding. Oracle Web Cache checks the format for each enabled type and denies the request if the format is invalid.

This filter checks the components of the URL, including the path, filename, and query string, and, for POST requests, the request entity body. It protects against attackers attempting to disrupt a Web application by sending either a request that is not well formed or characters not expected to be in the URL.
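As an added illustration (not Oracle Web Cache code), the following Python reproduces the three format checks described above, embedded null bytes, strict encoding with valid Unicode, and double URL encoding, over the path, query string and POST body; the component names and the reported messages are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Patterns for the three format checks (constructed for this example)
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
NULL_BYTE = re.compile(r"%00", re.IGNORECASE)
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}", re.IGNORECASE)


def check_component(name: str, value: str) -> list[str]:
    """Return the format violations found in one request component."""
    findings: list[str] = []
    if not value:
        return findings
    # Embedded null byte: a raw NUL or the %00 escape that decodes to one
    if "\x00" in value or NULL_BYTE.search(value):
        findings.append(f"{name}: embedded null byte")
    # Strict encoding: every '%' must begin a complete %XX escape
    if value.count("%") != len(PCT_ESCAPE.findall(value)):
        findings.append(f"{name}: malformed percent-encoding")
    # Valid Unicode: the decoded bytes must be well-formed UTF-8
    try:
        unquote_to_bytes(value).decode("utf-8")
    except UnicodeDecodeError:
        findings.append(f"{name}: invalid UTF-8 after decoding")
    # Double URL encoding: %25 followed by a hex pair hides a second escape
    if DOUBLE_ENCODED.search(value):
        findings.append(f"{name}: double URL encoding")
    return findings


def check_request_format(path: str, query: str = "", body: str = "") -> list[str]:
    """Check the path (including filename), query string and, for POST, the entity body."""
    findings: list[str] = []
    for name, value in (("path", path), ("query", query), ("body", body)):
        findings.extend(check_component(name, value))
    return findings
```

An empty list means the request passed every check; any finding is what the filter would deny on.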

4.3 About Learned Rules

Oracle Web Cache automatically creates learned rules for the method and URL filters. Client requests that match the filter's Catch All rule are evaluated to see whether there is some commonality among them that might warrant a new rule. These common patterns are shown as learned rules, which you can then choose to activate or ignore. After a rule is activated in the configuration, you can enable or disable it just like any other rule. Even if you choose not to activate learned rules, Oracle Web Cache continues to collect and evaluate all common patterns for requests that fall into the Catch All rule. See Section 4.7.1 and Section 4.8.1 to enable learned rules.

4.4 About the Monitor Only Mode

When you configure rules for the filters, you can select the Monitor Only option. When you enable this option for a rule, Oracle Web Cache treats the rule as if it were disabled. However, Oracle Web Cache tracks matches in the statistics and writes them to the event log if verbosity is set to TRACE or higher, and to the audit log if audit logging is enabled for the match action. When monitoring is enabled, requests are allowed, so you can examine the results in the Request Statistics section. When you disable Monitor Only for a deny rule, the deny action is enforced. You typically turn Monitor Only on to see the match activity of a rule; when the results are as expected, disable Monitor Only to enforce the rule's action.
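The following Python is an added model (not Oracle Web Cache code) of how the pieces described in this chapter fit together: a privileged IP bypass, ordered allow/deny rules, Monitor Only matches that are counted and logged but not enforced, and an assumed default Catch All action of deny; the rule names and documentation-range addresses are constructed for the example.

```python
# Added example, not Oracle Web Cache code: privileged IP bypass, Monitor Only, Catch All
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable

@dataclass
class Request:
    client_ip: str
    method: str
    url: str

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    matches: Callable[[Request], bool]
    monitor_only: bool = False           # match is counted and logged, not enforced

@dataclass
class FilterChain:
    privileged_ips: list[str]            # networks that bypass all other filters
    rules: list[Rule]                    # evaluated in order; first enforced match wins
    catch_all: str = "deny"              # assumed default action when nothing matches
    stats: dict[str, int] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        ip = ip_address(req.client_ip)
        if any(ip in ip_network(net) for net in self.privileged_ips):
            return "allow"               # privileged IP: remaining filters are skipped
        for rule in self.rules:
            if not rule.matches(req):
                continue
            self.stats[rule.name] = self.stats.get(rule.name, 0) + 1
            if rule.monitor_only:        # treated as disabled, but the match is recorded
                self.log.append(f"MONITOR {rule.name}: would {rule.action} {req.method} {req.url}")
                continue
            return rule.action
        return self.catch_all

def build_chain() -> FilterChain:
    return FilterChain(
        privileged_ips=["10.0.0.0/8"],
        rules=[
            Rule("deny-scanner-net", "deny",
                 lambda r: ip_address(r.client_ip) in ip_network("203.0.113.0/24")),
            Rule("admin-watch", "deny", lambda r: r.url.startswith("/admin"), monitor_only=True),
            Rule("safe-methods", "allow", lambda r: r.method in ("GET", "POST")),
        ],
    )
```

Running a few requests through build_chain() and then reading stats and log is the equivalent of checking the Request Statistics section and the event log before switching a rule out of Monitor Only.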