PathCheck
The PathCheck directive checks the local file system path that is returned after the NameTrans step to verify that the client is allowed to access the specified resource. For more information, see PathCheck.
The following PathCheck-class functions are described in detail in this section:
In addition, the following common SAFs are valid for the PathCheck directive:
check-acl
The check-acl function specifies an access control list (ACL) to use to check whether the client is allowed to access the requested resource. An ACL contains information about who is or is not allowed to access a resource, and under what conditions access is allowed.
Regardless of the order of PathCheck directives in the object, check-acl functions are executed first. They perform user authentication if required by the specified ACL, and also update the access control state. Because the server caches the ACLs returned by the check-acl function, do not use check-acl inside a Client, If, ElseIf, or Else container.
Parameters
The following table describes parameters for the check-acl function.
Table 7–16 check-acl Parameters|
Parameter |
Description |
|---|---|
|
Name of an access control list. |
|
|
(Optional) Wildcard pattern that specifies the path for which the ACL should be applied. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="check-acl" acl="*HRonly*"
check-request-limits
The check-request-limits function monitors incoming requests matching a given attribute (for example, client IP address) and computes an average requests per second on a configurable time interval. When requests that match the monitored attribute exceed a threshold that you configure, subsequent matching requests are not serviced until the request rate drops. Use this function to detect possible denial-of-service attacks.
You must specify either max-rps or max-connections, otherwise check-request-limits does nothing. If you do not enter an attribute or attributes to monitor, the function monitors all requests.
By default, the function keeps entries on requests for 300 seconds (five minutes) before purging them. To adjust this time, use the init-request-limits SAF in magnus.conf. For more information, see init-request-limits.
Parameters
The following table describes parameters for the check-request-limits function.
Table 7–17 check-request-limits Parameters|
Parameter |
Description |
|---|---|
|
(Optional) Threshold for matching requests per second. If this threshold is exceeded subsequent connections matching the criteria are not serviced. Because an acceptable threshold value can vary widely between sites, there is no default value for this parameter. |
|
|
(Optional) Maximum number of concurrent matching connections. If the server receives a request that matches the criteria while the number of matching requests currently being processed meets or exceeds this number, the request is denied. Note that this number is the current requests at any time, and is independent of the interval. parameter. As soon as the number of concurrent requests falls below this limit, new matching requests are processed. Because an acceptable value can vary widely between sites, there is no default value for this parameter. |
|
|
(Optional) In seconds, the time interval during which average requests per second is computed. The max-rps limit is not applied until the next request rate computation. Because potential attackers can have unlimited requests serviced during this interval, balance the length of this interval against the performance cost of recomputing the maximum requests per second. The default is 30 seconds. |
|
|
(Optional) Determines what condition must be met in order for a blocked request type to become available again for servicing. Valid values are:
The default value is threshold. |
|
|
(Optional) The HTTP status code to use for blocked requests. The default value is 503 (the Service Unavailable error). |
|
|
(Optional) A request attribute to monitor. Request rates are tracked in a bucket named by the value of this parameter. If the monitor parameter is not specified, the matching requests are tracked in an unnamed (anonymous) bucket. Note that these buckets are different from the buckets you specify with the standard obj.conf bucket parameter. Although the value of the monitor parameter can be a fixed string, it is most useful when you use predefined variables, for example, monitor="$ip". You can also specify multiple variables, separated by a colon. For example, monitor="$ip:$uri". For a list of predefined variables, see Predefined Variables.
|
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
The following example limits a client IP to a maximum request rate of 10 requests per second in the default interval of 30 seconds:
PathCheck fn="check-request-limit" monitor="$ip" max-rps="10"
The following example limits a client IP to a maximum request rate of 10 requests per second when accessing any Perl CGIs. Other types of requests are unlimited:
<If path = "*.pl"> PathCheck fn="check-request-limits" monitor="$ip" max-rps="10" </If>
For more information on using the If tag, see If, ElseIf, and Else.
The following example limits requests globally for Perl CGIs to 10 requests per second. No specific monitor parameter is specified:
<If path = "*.pl"> PathCheck fn="check-request-limits" max-rps="10" </If>
The following example limits a client IP from generating more than 10 Perl CGI requests per second, or 5 JSP requests per second. To track the Perl and JSP totals separately, the specified monitor parameters contain both a fixed string identifier and the client IP variable:
<If path = "*.pl"> PathCheck fn="check-request-limits" max-rps="10" monitor="perl:$ip" </If> <If path = "*.jsp"> PathCheck fn="check-request-limits" max-rps="5" monitor="jsp:$ip" </If>
The following example limits any one client IP to no more than 5 connections at a given time:
PathCheck fn="check-request-limits" max-connections="2" monitor="$ip"
deny-existence
The deny-existence function sends a 404 Not Found message when a client tries to access a specified path.
Parameters
The following table describes parameters for the deny-existence function.
Table 7–18 deny-existence Parameters|
Parameter |
Description |
|---|---|
|
(Optional) Wildcard pattern of the file system path to hide. If the path does not match, the function does nothing and returns REQ_NOACTION. If the path is not provided, it is assumed to match. |
|
|
(Optional) Specifies a file to send rather than responding with the 404 Not Found message. The value is a full file system path. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="deny-existence" path="/usr/sun/server7/docs/private" PathCheck fn="deny-existence" bong-file="/svr/msg/go-away.html"
find-compressed
The find-compressed function checks if a compressed version of the requested file is available.
If the following conditions are met, find-compressed changes the path to point to the compressed file:
-
A compressed version is available.
-
The compressed version is as recent as the non-compressed version.
-
The client supports compression.
Not all clients support compression. The find-compressed function allows you to use a single URL for both the compressed and non-compressed versions of a file. The version of the file that is selected is based on the individual client's capabilities.
A compressed version of a file must have the same file name as the non-compressed version but with a .gz suffix. For example, the compressed version of a file named /httpd/docs/index.html would be named /httpd/docs/index.html.gz. To compress files, you can use the freely available gzip program.
Because compressed files are sent as is to the client, you should not compress files such as SHTML pages, CGI programs, or pages created with JavaServer PagesTM (JSPTM) technology that need to be interpreted by the server. To compress the dynamic content generated by these types of files, use the http-compression filter.
The find-compressed function does nothing if the HTTP method is not GET or HEAD.
Parameters
The following table describes parameters for the find-compressed function.
Table 7–19 find-compressed Parameters|
Parameter |
Description |
|---|---|
|
(Optional) Specifies whether to check if the compressed version is older than the non-compressed version. The values can be yes or no.
By default, the value is set to yes. |
|
|
(Optional) Specifies whether to insert a Vary: Accept-Encoding header. The values can be yes or no.
By default, the value is set to yes. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
<Object name="default"> NameTrans fn="assign-name" from="*.html" name="find-compressed" ... </Object> <Object name="find-compressed"> PathCheck fn="find-compressed" </Object>
See Also
find-index
The find-index function investigates whether the requested path is a directory. If yes, the function searches for an index file in the directory, and then changes the path to point to the index file. If an index file is not found, the server generates a directory listing. If the obj.conf file has a NameTrans directive that calls home-page and the requested directory is the root directory, the server returns the home page to the client instead of the index page.
The find-index function does nothing if there is a query string, if the HTTP method is not GET, or if the path is that of a valid file.
Parameters
The following table describes parameters for the find-index function.
Table 7–20 find-index Parameters|
Parameter |
Description |
|---|---|
|
Comma-separated list of index file names to look for. Use spaces only if they are part of a file name. Do not include spaces before or after the commas. This list is case-sensitive if the file system is case-sensitive. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="find-index" index-names="index.html,home.html"
See Also
find-index-j2ee
The find-index-j2ee function implements welcome-file-list processing for requests that map to directories in a Java web application. When configuring the server to host Servlet or JSP-technology-based web applications, position the find-index-j2ee SAF above the find-index SAF in obj.conf. This position ensures that web.xml welcome-file-list ordering takes precedence over the default index file order configured for the find-index SAF.
Parameters
The following table describes parameter for the find-index-j2ee function.
Table 7–21 find-index-j2ee Parameter|
Parameter |
Description |
|---|---|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="find-index-j2ee"
See Also
find-links
(UNIX only) The find-links function searches the current path for symbolic or hard links to other directories or file systems. If any are found, an error is returned. This function is normally used for directories that are not trusted (such as user home directories). It prevents someone from pointing to information that should not be made public.
Parameters
The following table describes parameters for the find-links function.
Table 7–22 find-links Parameters|
Parameter |
Description |
|---|---|
|
Character string of links to disable:
|
|
|
(Optional) Directory to begin checking. If you specify an absolute path, any request to that path and its subdirectories is checked for symbolic links. If you specify a partial path, any request containing that partial path is checked for symbolic links. For example, if you use /user/ and a request comes in for some/user/directory, then that directory is checked for symbolic links. If you do not specify a dir, all directories are checked. |
|
|
(Optional) Checks linked file for existence and aborts the request with the 403 Forbidden error if the check fails. Controls whether the server checks if the target of the link exists. If set to Y, the server aborts the request with a 403 Forbidden error if the target of a link does not exist. The default is N, meaning the server does not check whether the target exists. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="find-links" disable="sh" dir="/foreign-dir" PathCheck fn="find-links" disable="so" dir="public_html"
See Also
find-pathinfo
The find-pathinfo function finds any extra path information after the file name in the URL and stores it for use in the CGI environment variable PATH_INFO.
Parameters
The following table describes parameters for the find-pathinfo function.
Table 7–23 find-pathinfo Parameter|
Parameter |
Description |
|---|---|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="find-pathinfo" PathCheck fn="find-pathinfo" find-pathinfo-forward=""
get-client-cert
The get-client-cert function gets the authenticated client certificate from the SSL3 session. It can apply to all HTTP methods, or only to those that match a specified pattern. It only works when SSL is enabled on the server.
If the certificate is present or obtained from the SSL3 session, the function returns REQ_NOACTION and allows the request to proceed. Otherwise, it returns REQ_ABORTED and sets the protocol status to 403 forbidden, causing the request to fail.
Parameters
The following table describes parameters for the get-client-cert function.
Table 7–24 get-client-cert Parameters|
Parameter |
Description |
|---|---|
|
(Optional) Controls whether to actually get the certificate, or just test for its presence.
The default value is 0. |
|
|
(Optional) Controls whether failure to get a client certificate will abort the HTTP request.
The default value is 1. |
|
|
(Optional) Specifies a wildcard pattern for the HTTP methods for which the function will be applied. If method is absent, the function is applied to all requests. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
# Get the client certificate from the session. # If a certificate is not already associated with the session, request one. # The request fails if the client does not present a #valid certificate. PathCheck fn="get-client-cert" dorequest="1"
nt-uri-clean
(Windows only) The nt-uri-clean function denies access to any resource whose physical path contains \.\, \..\ or \\ (these are potential security problems).
Parameters
The following table describes parameters for the nt-uri-clean function.
Table 7–25 nt-uri-clean Parameters|
Parameter |
Description |
|---|---|
|
(Optional) If present, allows tilde (~) characters in URIs. This is a potential security risk on the Windows platform, where longfi~1.htm might reference longfilename.htm but does not go through the proper ACL checking. If present, “//” sequences are allowed. |
|
|
(Optional) If present, /./ sequences are allowed. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="nt-uri-clean"
See Also
ntcgicheck
(Windows only) The ntcgicheck function specifies the file name extension to be added to any file name that does not have an extension, or to be substituted for any file name that has the extension .cgi.
Parameters
The following table describes parameters for the ntcgicheck function.
Table 7–26 ntcgicheck Parameters|
Parameter |
Description |
|---|---|
|
The replacement file extension. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="ntcgicheck" extension="pl"
See Also
pcheck-dav
The pcheck-dav function inserts a DAV-specific service function as the first service function, if the following are true:
-
The Translate:f header is present
-
DAV is enabled for the request URI
-
A corresponding source URI for the request URI exists
During the Service stage, this inserted service function restarts the request if necessary; otherwise, REQ_NOACTION is returned.
Parameters
The following table describes parameters for the pcheck-dav function.
Table 7–27 pcheck-dav Parameter|
Parameter |
Description |
|---|---|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
See Also
require-auth
The require-auth function allows access to resources only if the user or group is authorized. Before this function is called, an authorization function (such as basic-auth) must be called in the AuthTrans directive.
If a user is authorized in the AuthTrans directive and the auth-user parameter is provided, the name of the user must match with the auth-user wildcard value. Also, if the auth-group parameter is provided, the authorized user must belong to an authorized group, which must match the auth-user wildcard value.
Parameters
The following table describes parameters for the require-auth function.
Table 7–28 require-auth Parameters|
Parameter |
Description |
|---|---|
|
(Optional) Wildcard local file system path on which this function should operate. If no path is provided, the function applies to all paths. |
|
|
Type of HTTP authorization used. Currently, basic is the only authorization type defined. |
|
|
String sent to the browser indicating the secure area (or realm) for which user name and password are requested. |
|
|
(Optional) Specifies a wildcard list of users who are allowed access. If this parameter is not provided, any user authorized by the authorization function is given access. |
|
|
(Optional) Specifies a wildcard list of groups that are allowed access. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="require-auth" auth-type="basic" realm="Marketing Plans"
auth-group="mktg" auth-user="(jdoe|johnd|janed)"
See Also
set-virtual-index
The set-virtual-index function specifies a virtual index for a directory, which determines the URL forwarding. The index can refer to a LiveWire application, a Servlet in its own namespace, a Sun Java System Application Server, and so on.
REQ_NOACTION is returned if none of the URIs listed in the from parameter match the current URI. REQ_ABORTED is returned if the file specified by the virtual-index parameter is missing, or if the current URI is not found. REQ_RESTART is returned if the current URI matches any one of the URIs mentioned in the from parameter, or if the from parameter is not specified.
Parameters
The following table describes parameters for the set-virtual-index function.
Table 7–29 set-virtual-index Parameters|
Parameter |
Description |
|---|---|
|
URI of the content generator that acts as an index for the URI that the user enters. |
|
|
(Optional) Comma-separated list of URIs for which this virtual-index is applicable. If from is not specified, the virtual-index always applies. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
# MyLWApp is a LiveWire application PathCheck fn="set-virtual-index" virtual-index="MyLWApp"
ssl-check
The ssl-check function is used along with a Client tag to limit access of certain directories to non-exportable browsers. If a restriction is selected that is not consistent with the current cipher settings, this function displays a warning that ciphers with larger secret keysizes must be enabled.
The function returns REQ_NOACTION if SSL is not enabled, or if the secret-keysize parameter is not specified. If the secret keysize for the current session is less than the specified secret-keysize and the bong-file parameter is not specified, the function returns REQ_ABORTED with a status of PROTOCOL_FORBIDDEN. If the bong-file is specified, the function returns REQ_PROCEED, and the path variable is set to the bong-file name. Also, when a keysize restriction is not met, the SSL session cache entry for the current session is invalidated so that a full SSL handshake will occur the next time the same client connects to the server.
Requests that use ssl-check are not cacheable in the accelerator file cache if ssl-check returns something other than REQ_NOACTION.
Parameters
The following table describes parameters for the ssl-check function.
Table 7–30 ssl-check Parameters|
Parameter |
Description |
|---|---|
|
(Optional) Minimum number of bits required in the secret key. |
|
|
(Optional) Name of a file (not a URI) to be served if the restriction is not met. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
ssl-logout
The ssl-logout function invalidates the current SSL session in the server's SSL session cache. This does not affect the current request, but the next time that the client connects, a new SSL session is created. If SSL is enabled, this function returns REQ_PROCEED after invalidating the session cache entry. If SSL is not enabled, it returns REQ_NOACTION.
Parameters
The following table describes parameters for the ssl-logout function.
Table 7–31 ssl-logout Parameter|
Parameter |
Description |
|---|---|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
unix-uri-clean
(UNIX only) The unix-uri-clean function denies access to any resource whose physical path contains /./ or /../ or // (these are potential security problems).
Parameters
The following table describes parameters for the unix-uri-clean function.
Table 7–32 unix-uri-clean Parameters|
Parameter |
Description |
|---|---|
|
If present, /./ sequences are allowed. |
|
|
bucket |
(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter. |
Example
PathCheck fn="unix-uri-clean"
See Also
- © 2010, Oracle Corporation and/or its affiliates