Friday, 20 March 2015

Preventing a Slowloris attack on WebCenter

Slowloris refers to a software program that opens several connections to a target web server and tries to keep them alive as long as possible, it will send part of requests periodically, without finishing them, so the server will let the connections alive, waiting for the request to be completed; eventually connection pool will be full and all the requests from users will be refused. Thus, it is a type of hacking attack which makes the web server to stop granting access to users.

For WebCenter implementations that are publicly accessible on the internet, it is important to prevent this type of attacks by configuring the web server. If you are using Oracle HTTP Server (OHS) which is based on Apache technology, the mod_reqtimeout module will solve this issue, as it sets a timeout and a minimum data rate for incoming requests.

In the OHS configuration file (httpd.conf), the following lines would be added:


  <IfModule reqtimeout_module>
#Minimum time to receive the request header is 10 seconds, allowing an increase of 1 second for every 500 bytes received, with a maximum of 40 seconds.
RequestReadTimeout header=10-40,minrate=500
#Minimum time to receive the request body is 20 seconds, increasing 1 second for every 500 bytes received. Limit is set by LimitRequestBody.
RequestReadTimeout body=20,minrate=500
  </IfModule>

After restarting OHS, changes would be applied.

So, is that all? Wait, it is not that easy, those values should be adjusted according to the loading time of the Portal pages and the network perfomance of the users.

References

 

Slowloris Definition
Understanding OHS Modules
Apache Module mod_reqtimeout

Friday, 6 March 2015

Redirecting OAM errors

In a previous post I explained how to avoid an OAM timeout message being displayed in WebCenter Portal. Now, I am going to deal with OAM error pages at OHS/Apache level.

Recently, we faced the following access_denied error:


http://<myhost>:<ohs_port>/oic_rp/return?error=access_denied&state=2441cc276a41daca872fb2eaa364e6da785b0f58

To prevent that error to be displayed to users, we wanted to redirect that URL to the WC Portal login page. As OHS was the web server, we tried different RedirectMatch instructions like the following:



RedirectMatch 301 ^/oic_rp/return?error=access_denied.* http://<myhost>:<ohs_port>/myApp


However, the special character '?' was an issue and redirection did not work. Then we tried RewriteRule module with special characters flags (NE, B), but again, it did not work.

The solution was capturing errors instead of URL using RewriteCond. In this case:



        RewriteEngine on
        RewriteOptions Inherit
        RewriteCond %{QUERY_STRING} error=access_denied [NC]
        RewriteCond %{REQUEST_URI} ^/oic_rp/return$ [NC]
        RewriteRule ^/(.*) http://<myhost>:<ohs_port>/myApp? 


After restarting OHS, the naughty URL was redirecting to the login page.

References:


OAM Standard Error Codes

Redirecting and Remapping with mod_rewrite 

Apache Module mod_rewrite

RewriteRule Flags