1 Overview of Oracle WebLogic Server Proxy Plug-Ins

Oracle provides different proxy plug-ins for use with Oracle WebLogic Server.

What are Oracle WebLogic Server Proxy Plug-Ins?

The Oracle WebLogic Server Proxy Plug-ins allow requests to be proxied from an HTTP web server to Oracle WebLogic Server. In this way, proxy plug-ins enable the HTTP server to communicate with applications deployed on Oracle WebLogic Server.

A proxy plug-in enhances an HTTP server installation by allowing Oracle WebLogic Server to handle requests that require dynamic functionality. In other words, you typically use a proxy plug-in where the HTTP server serves static pages such as HTML pages, while Oracle WebLogic Server serves dynamic pages such as HTTP Servlets and Java Server Pages (JSPs).

Oracle WebLogic Server may be operating in a different process, possibly on a different host. To the end user—the browser—the HTTP requests delegated to Oracle WebLogic Server still appear to be coming from the HTTP server.

Availability of Oracle WebLogic Server Proxy Plug-Ins

The Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins are available for Apache Web Server 2.4.x on Linux systems. For more information, you can download the Oracle WebLogic Server (14.1.1.0.0) Certification Matrix from the Oracle Fusion Middleware Supported System Configurations page.

You can download the proxy plug-ins from the Oracle Web Tier Downloads page or the Software Delivery Cloud as a .zip file containing the necessary binary and helper files.

For example, the following directories are included in the proxy plug-in distribution:

  • lib/mod_wl_24.so (Oracle WebLogic Server Proxy Plug-in for Apache HTTP Server)
  • lib/*.so (native libraries)
  • bin/orapki (orapki tool)
  • jlib/*.jar (Java helper libraries for orapki)

For information about installing and configuring the proxy plug-ins for Apache HTTP Server, see Installing the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server and Configuring the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server.

Features of the 14.1.1.0.0 Proxy Plug-Ins

The Oracle WebLogic Server 14.1.1.0 Proxy Plug-ins add support for HTTP/2 and support for the use of TLS v1.3 with both HTTP/1.1 and HTTP/2 protocols.

Support for HTTP/2 Protocol

The Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-in for Apache HTTP Server on Linux supports the HTTP/2 protocol.

The HTTP/2 protocol uses a binary framing mechanism to exchange data between the client and the server. All HTTP/2 communication is split into smaller messages and frames, each of which is encoded in a binary format. As a result, both client and server must use the new binary encoding mechanism to understand each other. An HTTP/1.x client will not understand an HTTP/2-only server, and vice versa.

The HTTP/2 protocol is supported in the proxy plug-ins from 14.1.1.0.0 onwards. However, the Oracle WebLogic Server Proxy Plug-ins continue to support the HTTP/1.1 protocol, which remains the default. To use HTTP/2 for communication, you must configure a new directive called WLProtocol.

Note:

WebSocket is not supported over HTTP/2.

Server Push Functionality

The server push functionality is one of the key features of the HTTP/2 protocol.

Accessing websites follows the request and response pattern. A user sends a request to a remote server. The server responds with the requested content with some delay. The initial request to a web server is generally for an HTML document. In this scenario, the server replies with the requested HTML resource. The HTML is then parsed by the browser, where references to other assets are discovered, such as style sheets, scripts, and images. Upon their discovery, the browser makes separate requests for those assets, which are then responded to by the server. The problem with this mechanism is that it forces the user to wait for the browser to discover and retrieve critical assets until after an HTML document has been downloaded. This delays rendering time and increases load time.

The server push functionality is a solution to this problem. It lets the server preemptively push website assets to the client without the user having explicitly asked for them.

For example, consider a website where all pages rely on styles defined in an external style sheet named styles.css. When the user requests index.html from the server, the styles.css is sent to the user just after the server starts sending the response for index.html. Rather than waiting for the server to send index.html and then waiting for the browser to request and receive styles.css, the user only has to wait for the server to respond with both index.html and styles.css on the initial request. This decreases the rendering time of the page.

To enable the server push functionality, configure the H2Push directive and use link headers either in the web server configuration file or in the response. For configuring the H2Push directive, see H2Push Directive in the Apache HTTP Server Documentation.

The Oracle WebLogic Server Proxy Plug-ins support link headers created using the Link.Builder API.

Example of a link header in the web server configuration file:

H2Push on
<Location /xxx.html>
    Header add Link "</xxx.css>;rel=preload"
    Header add Link "</xxx.js>;rel=preload"
</Location>

Example of a link header in the response:

</xxx.css>;rel="preload";type="text/css"

If the link header is sent in the response, set H2Push to on in the httpd.conf file to enable the server push functionality, as shown below:
-----config section---
H2Push on
----------------------

Note:

PushBuilder from HttpServletRequest and the use of 103 Early Hints along with link headers are NOT supported.

Security Improvements

Support for TLSv1.3 Protocol

The Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins support the TLSv1.3 protocol.

Use the WebLogicSSLVersion directive to specify the SSL protocol version to be used for communication between the proxy plug-in and Oracle WebLogic Server.

The support for TLSv1.3 protocol includes the following features:

Removal of TLSv1.1 Protocol From the Default List

In the 14.1.1.0.0 version of the Oracle WebLogic Server Proxy Plug-ins, the TLSv1.1 protocol is removed from the default list of supported protocols. If you want to use the TLSv1.1 protocol, it must be explicitly added to the configuration using the WebLogicSSLVersion directive. A warning message is logged if you configure the TLSv1.1 protocol.

TLS Ciphers

A few ciphers are deprecated in 14.1.1.0.0 and are removed from the list of supported ciphers. If you want to use the deprecated ciphers for handshake between the web server and the Oracle WebLogic Server, you must explicitly add them to the configuration using the WebLogicSSLCiphers directive. A warning message is generated if any cipher from the deprecated list is used.

  • Default list of ciphers for TLSv1.3:
    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256
  • Default list of ciphers for TLSv1.2:
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES128-GCM-SHA256
  • Deprecated list of ciphers in 14.1.1.0.0:
    • AES128-GCM-SHA256
    • AES256-GCM-SHA384
    • AES128-SHA256
    • AES256-SHA256
    • AES256-SHA
    • AES128-SHA
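
The rules in this section can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not Oracle code: it scans Apache configuration text for WebLogicSSLVersion and WebLogicSSLCiphers and reports TLSv1.1, TLS 1.0, and any cipher on the deprecated list above. The function name audit_plugin_tls, the sample configuration, and the accepted value separators and version spellings are assumptions.

```python
import re

# Names copied from the page's "Deprecated list of ciphers in 14.1.1.0.0".
DEPRECATED_CIPHERS = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
    "AES256-SHA256", "AES256-SHA", "AES128-SHA",
}
# Protocol findings per the page. Assumption: a version token may be written
# with '_' or '.' (TLSv1_1 / TLSv1.1); both are normalised before lookup.
WEAK_VERSIONS = {
    "TLSV1.1": "removed from the default list; the plug-in logs a warning",
    "TLSV1": "TLS 1.0 support removed; the plug-in fails to connect",
    "TLSV1.0": "TLS 1.0 support removed; the plug-in fails to connect",
}
# A commented-out directive starts with '#', so it never matches this pattern.
DIRECTIVE = re.compile(
    r"^\s*(WebLogicSSLVersion|WebLogicSSLCiphers)\s+(.+?)\s*$", re.IGNORECASE)

def audit_plugin_tls(conf_text):
    """Return (line_no, directive, value, reason) for each weak TLS setting."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, raw = match.group(1), match.group(2).strip('"')
        # Assumption: values are separated by spaces, commas or colons.
        for token in filter(None, re.split(r"[\s,:]+", raw)):
            if directive.lower() == "weblogicsslversion":
                reason = WEAK_VERSIONS.get(token.upper().replace("_", "."))
            else:
                reason = ("deprecated cipher; the plug-in logs a warning"
                          if token.upper() in DEPRECATED_CIPHERS else None)
            if reason:
                findings.append((line_no, directive, token, reason))
    return findings

# Constructed sample configuration, not taken from the page.
SAMPLE_CONF = """\
<Location /app>
  # WebLogicSSLVersion TLSv1
  WebLogicSSLVersion TLSv1_1 TLSv1_2 TLSv1_3
  WebLogicSSLCiphers ECDHE-RSA-AES256-GCM-SHA384,AES256-SHA,AES128-GCM-SHA256
</Location>
"""

if __name__ == "__main__":
    for finding in audit_plugin_tls(SAMPLE_CONF):
        print("line %d: %s %s -> %s" % finding)
```

Run against the sample, the check flags TLSv1_1 on line 3 and the two deprecated ciphers on line 4, and ignores the commented-out directive on line 2.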

Features Inherited from Previous 12c Releases

In addition to the new features, Oracle WebLogic Server Proxy Plug-ins have also inherited features from the previous 12c releases.

The inherited features include the following:
  • The Oracle WebLogic Server Proxy Plug-in has removed support for TLS1.0 SSL protocol. Therefore, the proxy plug-in fails to connect to Oracle WebLogic Server when you configure TLS1.0 SSL protocol for SSL communication.
  • The proxy plug-in considers MD5 signed certificates as insecure. Therefore, these certificates are disabled by default. If you are using SSL to connect to Oracle WebLogic Server, and if the wallet contains any certificates signed with MD5, replace them with SHA-2 signed certificates. Otherwise, the server fails to start. For more information about MD5 signed certificates, see Replacing Certificates Signed Using the MD5 Algorithm.
  • The proxy plug-in supports Apache HTTP Server 2.4.x Web Server through the mod_wl_24.so proxy plug-in module. So, you will need to load the mod_wl_24.so module with Apache HTTP Server 2.4.x. This is typically done by editing the Apache HTTP Server configuration file(s).
  • The proxy plug-in does not support Apache HTTP Server 2.2.x through the mod_wl.so Oracle WebLogic Server module. Hence, this module has been removed from the proxy plug-in distribution.
  • Oracle WebLogic Server 12.1.2 supports deploying WebSocket applications. Oracle WebLogic Server 12.2.1.x Proxy Plug-in for Apache HTTP Server 2.4.x can now handle WebSocket connection upgrade requests and effectively proxy to WebSocket applications hosted within Oracle WebLogic Server 12.1.2 and later. See About WebSocket Proxy Configurations.
  • The proxy plug-in now includes the following Oracle WebLogic Server Proxy Plug-in configuration parameters:
    • WLMaxWebSocketClients: Limits the number of active WebSocket connections at any instant of time. The default value is half of MaxClients (or MaxRequestWorkers).
    • WebLogicSSLVersion: Chooses the SSL protocol version to use while communicating HTTPS requests between Oracle WebLogic Server Proxy Plug-ins and WebLogic Managed Server(s)/ Cluster(s).
  • The proxy plug-in provides support for monitoring the performance of Oracle WebLogic Server Proxy Plug-in where a request is proxied to the back-end Oracle WebLogic Server. See Understanding the DMS Metrics for Oracle WebLogic Server Proxy Plug-In.
  • The proxy plug-in for Apache HTTP Server Web Server now logs the debug information to the respective web server error log files. Hence, the proxy plug-in parameters specific to the debug logs (Debug and WLLogFile) have been deprecated.
  • The proxy plug-ins improve performance using a pool of connections from the plug-in to Oracle WebLogic Server. The proxy plug-in implements HTTP 1.1 keep-alive connections between the proxy plug-in and Oracle WebLogic Server by reusing the same connection for subsequent requests from the same proxy plug-ins. If the connection is inactive for more than 20 seconds (or a user-defined amount of time), the connection is closed. See KeepAliveEnabled.

    Note:

    The web server manages client connections.
  • The proxy plug-in proxies requests to Oracle WebLogic Server based on a configuration that you specify.
    • You can proxy requests based on the URL of the request or a portion of the URL. This is called proxying by path.
    • You can also proxy a request based on the MIME type of the requested file, which is called proxying by file extension.

    You can also enable both methods. If you enable both methods and a request matches both criteria, the request is proxied by path.

    You can also specify additional parameters for each of these types of requests that define additional behavior of the proxy plug-in.