Types of Request Filters

4-4 Oracle Fusion Middleware Administrators Guide for Oracle Web Cache

Query String

The query string filter denies site access based on query string parameters. For a POST request, Oracle Web Cache checks both the query string, if one is present, and the POST body. In addition to the query string, you can configure a URL to limit the rule to only those requests that match both the query string and the specified URL. Incoming requests matching the query string and URL are compared to the expression in the rule. The expression can be either a substring or a regular expression. For both substring and regular expression comparisons, a rule can deny requests in which the request's query string matches the rule's value expression. This filter protects against clients attempting to break into a site by manually manipulating the query string parameters and values, and against clients submitting unwanted content within parameter values.

Format

The format filter denies site access based on the format of the HTTP request. This filter checks for embedded null byte characters, strict encoding and valid Unicode, and double URL encoding. Oracle Web Cache checks the format for each enabled type and denies the request if the format is invalid. This filter checks the components of the URL, including the path, filename, query string, and, for POST requests, the request entity body. It protects against hackers attempting to disrupt a Web application by sending either a request that is not well formed or characters that are not expected to be in the URL.
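The three format checks just described, as an added self-contained Python illustration (this is not Oracle Web Cache code; the function names, the order of the checks and the decision to decode exactly one round are this example's own assumptions). It splits a request target into path and query string, adds the entity body for a POST, and reports null bytes (raw or percent-encoded), malformed percent-encoding, byte sequences that are not valid UTF-8 after decoding, and percent escapes that survive one round of decoding, which is the signature of double URL encoding:

```python
import re
from urllib.parse import unquote_to_bytes

# Added illustration of the format filter's three checks; not Oracle Web Cache code.
PERCENT_SEQ = re.compile(rb"%[0-9A-Fa-f]{2}")        # a well-formed %XX escape
MALFORMED_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")  # "%" not followed by two hex digits


def check_component(name, raw):
    """Return [(component, reason), ...] for one request component.

    `raw` is the component exactly as received (bytes, still percent-encoded)."""
    problems = []
    if MALFORMED_PCT.search(raw):
        problems.append((name, "malformed percent-encoding"))
    # Decode exactly one round: well-formed escapes become bytes, malformed ones stay.
    decoded = unquote_to_bytes(raw)
    if b"\x00" in decoded:                     # catches both a raw NUL and %00
        problems.append((name, "embedded null byte"))
    try:
        decoded.decode("utf-8")                # strict: rejects overlong forms and surrogates
    except UnicodeDecodeError:
        problems.append((name, "invalid UTF-8 after decoding"))
    if PERCENT_SEQ.search(decoded):            # an escape that survived decoding was encoded twice
        problems.append((name, "double URL encoding"))
    return problems


def check_request(method, target, body=b""):
    """Check the path and query string of `target`, plus the entity body for POST."""
    path, sep, query = target.partition(b"?")
    components = [("path", path)]
    if sep:
        components.append(("query", query))
    if method == b"POST":
        components.append(("body", body))
    problems = []
    for name, raw in components:
        problems.extend(check_component(name, raw))
    return problems


# Constructed sample requests; none of these paths refer to a real application.
SAMPLES = [
    (b"GET",  b"/app/r%C3%A9sum%C3%A9.pdf?lang=fr", b""),   # valid UTF-8: clean
    (b"GET",  b"/app/index.jsp?id=%00", b""),                # percent-encoded NUL
    (b"GET",  b"/app/%252e%252e/private", b""),              # %25 -> "%", leaving %2e: double encoded
    (b"GET",  b"/app/%C0%AF", b""),                          # overlong encoding, not valid UTF-8
    (b"POST", b"/app/login", b"user=%zz&pw=x"),              # malformed escape in the body
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        verdict = check_request(method, target, body)
        print(method.decode(), target.decode(), "->", "deny" if verdict else "allow", verdict)
```

Decoding once and then looking for remaining `%XX` sequences is what separates a client that encoded twice from one that legitimately sent a percent sign: a single well-formed round of decoding should leave no escapes behind. The body is only examined for POST, matching the filter's stated scope.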

4.3 About Learned Rules

Oracle Web Cache automatically creates learned rules for the method and URL filters. Client requests that match a filter's Catch All rule are evaluated to see whether there is some commonality to them that might warrant a new rule. These common patterns are shown as learned rules, which you can then choose to activate or ignore. After a rule is activated in the configuration, you can enable or disable it just like any other rule. Even if you choose not to activate learned rules, Oracle Web Cache continues to collect and evaluate all common patterns for requests that fall into the Catch All rule. See Section 4.7.1 and Section 4.8.1 to enable learned rules.

4.4 About the Monitor Only Mode

When you configure rules for the filters, you can select the Monitor Only option. When you enable this option for a rule, Oracle Web Cache treats the rule as if it were disabled. However, Oracle Web Cache tracks matches in the statistics and writes them to the event log if verbosity is set to TRACE or higher, and to the audit log if audit logging is enabled for the match action. When monitoring is enabled, requests are allowed, so you can examine the results in the Request Statistics section. When you disable Monitor Only for a deny rule, the deny action is enforced. You typically turn Monitor Only on to see the match activity of a rule; once the results are as expected, disable Monitor Only to enforce the rule's action.

Configuring Request Filtering 4-5
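The query string filter described under Types of Request Filters and the Monitor Only option described here, as one added Python illustration (this is not Oracle Web Cache code; the QueryRule and Decision types and the log line formats are this example's own assumptions). Rules are evaluated in priority order; a matching Monitor Only rule increments the match statistics and produces the TRACE and audit records but leaves the request allowed, so switching monitor_only to False is the only change needed to start enforcing it:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


# Added illustration; field names are hypothetical stand-ins for the form fields on this page.
@dataclass
class QueryRule:
    name: str
    value: str                 # substring, or regular expression when regex=True
    regex: bool = False
    url: str = ""              # optional: apply only to requests whose path starts with this URL
    enabled: bool = True
    monitor_only: bool = False
    matches: int = 0           # match statistics, counted whether or not the rule is enforced


@dataclass
class Decision:
    allowed: bool
    denied_by: Optional[str] = None
    log: List[str] = field(default_factory=list)


def value_matches(rule: QueryRule, text: str) -> bool:
    if rule.regex:
        return re.search(rule.value, text) is not None
    return rule.value in text


def evaluate(rules, method, path, query, body=""):
    """Evaluate query string deny rules in priority order.

    A POST request is checked on its query string and on its body. A disabled rule
    is skipped. A Monitor Only rule that matches is counted and logged (TRACE event,
    audit entry) but the request stays allowed; the first enforced match denies."""
    texts = [query] + ([body] if method == "POST" else [])
    log = []
    for rule in rules:
        if not rule.enabled or (rule.url and not path.startswith(rule.url)):
            continue
        if not any(value_matches(rule, t) for t in texts):
            continue
        rule.matches += 1
        if rule.monitor_only:
            log.append(f"TRACE monitor-only match rule={rule.name} path={path}")
            continue                     # treated as disabled for enforcement purposes
        log.append(f"AUDIT deny rule={rule.name} path={path}")
        return Decision(False, rule.name, log)
    return Decision(True, None, log)


def sample_rules():
    # Constructed rules: one monitored, one enforced and scoped to a URL, one disabled.
    return [
        QueryRule("markup-in-param", "<script", monitor_only=True),
        QueryRule("role-tamper", r"(^|&)role=(admin|root)(&|$)", regex=True, url="/app/account"),
        QueryRule("debug-flag", "debug=true", enabled=False),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    print(evaluate(rules, "GET", "/app/search", "q=<script>x"))             # allowed, logged
    print(evaluate(rules, "GET", "/app/account", "id=7&role=admin"))        # denied by role-tamper
    print(evaluate(rules, "POST", "/app/account", "id=7", body="role=admin"))  # body checked too
    rules[0].monitor_only = False
    print(evaluate(rules, "GET", "/app/search", "q=<script>x"))             # now denied
    print("matches:", [(r.name, r.matches) for r in rules])
```

Because a monitored rule is skipped for enforcement, evaluation continues to the next rule, which is why the match counters are the place to read its effect. Watching those counters on realistic traffic before flipping monitor_only is what the Monitor Only workflow on this page is for.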

4.5 Configuring Rules for the Privileged IP Filter

The privileged IP request filter enables Oracle Web Cache to bypass all request filters for certain privileged IP addresses. Any request from a privileged IP address does not pass through the other request filters. See Section 4.2 for further information about the privileged IP request filter.

To configure the privileged IP request filter:

1. Navigate to the Web Cache Home page in Fusion Middleware Control. See Section 2.6.2.

2. From the Web Cache menu, select Administration and then Request Filters.

The Request Filters Summary page displays.

3. From the Site list, select the site to apply the filter. See Section 2.11.3 and Section 2.11.4 to create additional sites. You can configure filters and filter rules for specific sites or Undefined Sites. Oracle Web Cache directs client requests that do not match a defined site to the request filters configured for Undefined Sites.

4. Click the Privileged IP link.

The Privileged IP Request Filter page displays.

5. From the Audit list, select the level of action for Oracle Web Cache to include in the audit log for the request filter.

6. Create a new rule:

a. Click Create to create a row in the table.

b. In the IP Address field, enter the IP address of the client, either as an IP version 4 or an IP version 6 address mask. See Section 2.5 for examples of IP addresses.

c. Click the Enable check box to enable the rule; deselect the check box to disable the rule temporarily without losing the rule definition.

d. Click the Monitor Only check box to see the match activity of the rule without enforcing the rule. When the results are as expected, disable Monitor Only to enforce the rule. See Section 4.4 for further information about the Monitor Only option.

e. Click Apply to save the rule settings.

7. Perform Step 6 for any additional rules.

8. Use the Move Up and Move Down icons to change the order in which the rules are matched against requests. The order of the rules is important: Oracle Web Cache matches higher priority rules first.

9. Click the Request Filters Summary breadcrumb at the top of the page, or from the Web Cache menu, select Administration and then Request Filters, to navigate back to the Request Filters Summary page.

10. In the Privileged IP row, click Enable to enable the filter.

If you do not click Enable, Oracle Web Cache ignores any configured filter rules for this filter.

11. Click Apply to save the configuration for the request filter.

4.6 Configuring Rules for the Client IP Request Filter

The client IP request filter restricts application access to specific IP addresses or ranges of IP addresses. Without such a restriction, clients from any IP address, including potential attackers, can reach restricted information. See Section 4.2 for further information about the client IP request filter.

To configure rules for the client IP request filter:

1. Navigate to the Web Cache Home page in Fusion Middleware Control. See Section 2.6.2.

2. From the Web Cache menu, select Administration and then Request Filters.

The Request Filters Summary page displays.

3. From the Site list, select the site to apply the filter. See Section 2.11.3 and Section 2.11.4 to create additional sites. You can configure filters and filter rules for specific sites or Undefined Sites. Oracle Web Cache directs client requests that do not match a defined site to the request filters configured for Undefined Sites.

4. Click the Client IP link.

The Client IP Request Filter page displays.

5. From the Audit list, select the level of action for Oracle Web Cache to include in the audit log for the request filter.

6. From the Response to deny list, select the HTTP response for Oracle Web Cache to return to browsers for requests that are denied by this request filter. The Close Connection option does not return any HTTP response; it just closes the connection.

7. Create a new rule:

a. Click Create to create a row in the table.

b. In the IP Address field, enter the IP address of the client, either as an IP version 4 or an IP version 6 address mask. See Section 2.5 for examples of IP addresses.

c. Click the Enable check box to enable the rule; deselect the check box to disable the rule temporarily without losing the rule definition.

d. In the URL field, based on the URL Type you select, enter an optional URL string. If no URL is specified, then all requests are checked; this is equivalent to specifying a URL with a prefix of /.

- Path Prefix: Enter the path prefix of the objects. Start the path with /; do not start the path with http://host_name:port. The prefix is interpreted literally, including reserved regular expression characters. These characters include periods (.), question marks (?), asterisks (*), brackets ([]), curly braces ({}), carets (^), dollar signs ($), and backslashes (\).

- File Extension: Enter the file extension. Because Oracle Web Cache internally starts the file extension with a period (.), it is not necessary to enter it.