Friday Jan 16, 2009

How to disable unneeded HTTP methods in Web Server 6 ?

If you want or need to disable HTTP methods that your site does not use in Web Server 6.1 SPx, add the following to the default object in obj.conf.

In 6.1 (for 7.0, see the comments below by Meena) you need to add:

<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

(NOTE - the <Client method ...> line and the AuthTrans ... line must each be on ONE single line in obj.conf!
Any wrapping you see above is only display formatting in tools/browsers.)

as below :

apple:/export/home/iws6.1sp10/https-methods/config> cat obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....

then restart the web server and test; each listed method now gets a 501.

2. tests:

a. INDEX :

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
INDEX / HTTP/1.1
Host: apple

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:34 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.

b. OPTIONS :

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
OPTIONS /banner.html HTTP/1.1
Host: apple

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:58 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>

c. TRACE method:

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '^]'.
TRACE /index.html HTTP/1.1
Host: apple
X-header: test

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:57:32 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>

3. Some may prefer to protect these methods with an ACL instead. But an ACL only holds while its credentials stay secret: an attacker who obtains the ACL uid/password can use all of the above methods.

So, if these methods are not needed, it is better to disable them as above.

Keep in mind that the <Client method=(...)> tag is a deny-list: a method it does not name (PROPFIND, COPY, LOCK, or any arbitrary token) is not touched by it, so whatever the rest of obj.conf does with such a request still applies. List every method you want refused, and re-test after each change.

4. The full list of methods is in RFC 2616, section 9 (Method Definitions):

http://www.ietf.org/rfc/rfc2616.txt
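A quick way to verify the configuration above from the outside is to send every method you care about and look at the status line, which is what the three telnet sessions do by hand. The script below is an added example (not from the original post): it sends each method as a raw HTTP/1.1 request over a plain socket and reports whether the server refused it. The host apple and port 60106 are taken from the tests above; the extra methods PROPFIND, COPY, LOCK, PATCH and the made-up BOGUS are assumptions, added to show that a <Client method=(...)> deny-list only catches the names it lists.

```python
"""Probe which HTTP methods a web server still accepts.

Added example (not from the original post). Sends each method as a raw
HTTP/1.1 request, the same thing the telnet tests above do by hand, and
classifies the status code. Host, port and the method list are assumptions.
"""
import socket

# Methods the obj.conf snippet above is meant to reject, plus a few it does
# not list (assumption: worth probing, because a deny-list only catches the
# names it contains). BOGUS is a made-up token to see how unknown methods fare.
METHODS = ["INDEX", "OPTIONS", "DELETE", "PUT", "MOVE", "TRACE", "MKDIR",
           "RMDIR", "PROPFIND", "COPY", "LOCK", "PATCH", "BOGUS"]

# Status codes that mean the method was refused rather than served.
REJECTED = {401, 403, 405, 501}


def build_request(method, path, host):
    """Build the raw request bytes, exactly as typed into telnet above."""
    return ("%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (method, path, host)).encode("ascii")


def parse_status(response):
    """Return the integer status code from a raw HTTP response, or None.

    Only the status line is trusted; the body is ignored, so a server that
    echoes the request (TRACE) cannot influence the result.
    """
    status_line, _, _ = response.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1].decode("ascii"))
    except ValueError:
        return None


def classify(code):
    """Map a status code to 'rejected', 'accepted' or 'unknown'."""
    if code is None:
        return "unknown"
    return "rejected" if code in REJECTED else "accepted"


def probe(host, port, method, path="/", timeout=5.0):
    """Send one request and return (status_code, classification)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path, host))
        received = b""
        while b"\r\n\r\n" not in received:   # stop once the headers are in
            data = sock.recv(4096)
            if not data:
                break
            received += data
    code = parse_status(received)
    return code, classify(code)


def probe_all(host, port, methods=METHODS, path="/"):
    """Probe every method; return {method: (code, classification)}."""
    return {m: probe(host, port, m, path) for m in methods}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "apple"      # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 60106   # assumption
    for method, (code, verdict) in probe_all(host, port).items():
        print("%-9s %-4s %s" % (method, code, verdict))
```

Run it as `python <script> host port`. A method reported as accepted that you meant to disable is either missing from the Client tag or was matched by a different object before the default one; OPTIONS legitimately answers 200 on a server where it is allowed, so the verdict tells you whether the method is open, not whether it is dangerous.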

Thursday Jan 01, 2009

How to bypass the RPP and AM agent to get perfdump

Sometimes you want to get perfdump (/.perf) from a web or proxy server, but the reverse proxy plugin (RPP) or the Access Manager (AM) agent gets in the way. You can try the following:


 1. follow the steps of perfdump at


http://docs.sun.com/app/docs/doc/820-5719/abyaq?l=en&a=view&q=perfdump


 2. if you got RPP in your web server, then


<Client match="none" uri="/.perf">

NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
</Client> 


then both perf dump and rpp will work ok.

The above will map rpp if uri not equal to /.perf, and will skip rpp
if uri is /.perf


So, both requests to rpp and .perf will work ok.

3. If you have the AM agent in your proxy server, then in obj.conf (an excerpt; the dotted lines stand for the rest of the object):

................

NameTrans fn="assign-name" name="stats-xml" from="(/stats-xml|/stats-xml/.*)"
NameTrans fn="assign-name" name="statistics" from="/.abc/.statistics"
................

PathCheck fn="url-check"
<Client match="none" uri="/.abc(/.*|)">
PathCheck fn="validate_session_policy"
</Client>

Service fn="deny-service"
AddLog fn="flex-log" name="access"
</Object>

.........

<Object name="stats-xml">
Service fn="stats-xml"
</Object>

<Object name="statistics">
Service fn="service-dump"
</Object>

Then a request for the statistics is served without going through the AM agent's PathCheck, because the match="none" tag runs validate_session_policy only for URIs that do not match /.abc(/.*|).

Be aware of what that means: every request whose URI matches /.abc(/.*|) now skips the session policy check, so the statistics are readable by anyone who can reach the listener. Use a prefix that is not guessable, restrict who can reach it (by address, or with an ACL), and take the exception out again once you have the data you needed.





Wednesday Sep 24, 2008

Why can we sometimes not see custom error pages in IE ?

Sometimes, you have configured the web server to return custom errors, e.g. in obj.conf,

Error fn="send-error" code="404" path="<path>/error404.html"
Error fn="send-error" code="401" path="<path>/error401.html"
Error fn="send-error" code="403" path="<path>/error403.html"
Error fn="send-error" code="405" path="<path>/error405.html"
Error fn="send-error" code="500" path="<path>/error500.html"

You can see these custom error pages in Firefox and in a telnet test,

e.g.

apple:> telnet localhost 61801
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /nono1.html HTTP/1.1
Host: apple

HTTP/1.1 404 Not found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 16 Jan 2008 10:02:35 GMT
Content-length: 44
Content-type: text/html

this is a customer error page, crowded.html

But IE shows its own standard error page instead of the custom error page. Why?

This can be because of the IE option "Show friendly HTTP error messages" in the Advanced tab of Internet Options.

With this option on, IE replaces the server's response for a 404, 401, 500 (and similar) status with its own friendly error page instead of showing the custom error sent by the web server. IE does this only when the server's error body is small (for a 404 the threshold is 512 bytes), which is why the 44-byte page in the telnet test above is hidden in IE while Firefox and telnet show it. If you uncheck this option and restart IE, you will see the custom error page for a 404 Not Found. Alternatively, pad each custom error page past that threshold and IE shows it even with the option on.

If you really need your custom error page shown in IE regardless, one possible workaround (which I do not recommend, because changing the status code is not good practice in general) is to change the status code, e.g. from 404 to 306, which is unused:

(see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.7

"10.3.7 306 (Unused)

The 306 status code was used in a previous version of the specification, is no longer used, and the code is reserved.")

Service method="TRACE" fn="service-trace"
<Client code="404">
Output fn="set-variable" error="306 Not Found" noaction="true"
Error fn="send-error" path="/export/home/iws6.1sp8/docs2/crowded.html"
</Client>
Error fn="error-j2ee"
....

Then IE shows the custom error page, because the status is now 306 instead of 404 and IE has no friendly error page for 306. Again, I do not recommend this; it is shown only in case you really need to work around this IE option. Note that once the status is 306, proxies, search engines and scripts no longer see a 404 either, so they will not treat the page as missing.

Friday Aug 01, 2008

How to redirect from http to https ?

In Web Server 7.0, a new feature handles a protocol mismatch:

This redirects a user who enters, e.g., http://www.abc.com:443 to the proper protocol https://www.abc.com:443.

This feature is not available in 6.1 SPx.

In 6.1 SPx, the most you can do is set up two listen sockets (LS), e.g. port 80 and port 443,


then in obj.conf,


<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://apple.asia.sun.com:443/"
</Client>


Then when a request to http://apple.asia.sun.com:80 comes in, the Client tag above matches security="false" and the browser is redirected to https://apple.asia.sun.com:443/ with the rest of the original URI appended. Keep in mind that whatever the browser sent on port 80 (the URL, any cookie) already went out in clear text before the redirect; the redirect protects the following requests, not that first one.

But a request to http://apple.asia.sun.com:443 will still not be processed properly in 6.1, because of the protocol mismatch.

Friday Jul 04, 2008

URL rewrite in Sun Java Web Server 6.1

First, if you can use Web Server 7.0u3, then use it, because it has much better URL rewriting capability, e.g.

from its release notes at

http://docs.sun.com/app/docs/doc/820-4848/gduun?a=view

"You can use these new features to define flexible URL rewriting and redirection rules such as those possible with mod_rewrite from the Apache HTTP server. Unlike mod_rewrite, regular expressions and conditional processing in Web Server 7.0 can be used at any stage of request processing, even with third-party plug-ins."

 If you cannot use web 7.0u3 because of e.g. other plugins compatibility, then you can still use 6.1SP9 to rewrite in some situations.

e.g. If you like to rewrite such that

http://host.domain:port/abc/en_US/*.* to

http://host.domain:port/en_US/*.*

(Note - no more /abc after the rewrite.)

Then , one possible way is :

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
<Client $path =~ "/abc\\/">
NameTrans fn="redirect" from="/abc/" url-prefix="http://apple.asia.sun.com:61901/"
</Client>
NameTrans fn="ntrans-j2ee" name="j2ee"
....
then restart web server,

(my LS port is 61901, hence url-prefix="http://apple.asia.sun.com:61901/" above;
use something like http://www.something.com/ instead for your own server)

Then some testings:

0.  an original request to

http://apple.asia.sun.com:61901/abc/en_US/banner.html

will result in a redirect request with a Location header,

Location: http://apple.asia.sun.com:61901/en_US/banner.html   *** this is a correct rewrite new Location


1. an original request to

http://apple.asia.sun.com:61901/abc/

will result in a redirect request with a Location header,

Location: http://apple.asia.sun.com:61901/   *** this is a correct rewrite new Location

2.  an original request to

http://apple.asia.sun.com:61901/abc/test2.jsp 

will result in a redirect request with a Location header,

Location: http://apple.asia.sun.com:61901/test2.jsp  *** this is a correct rewrite new Location

3.  an original request to

http://apple.asia.sun.com:61901/abc/index.html

will result in a redirect request with a Location header,

Location: http://apple.asia.sun.com:61901/index.html    *** this is a correct rewrite new Location

4. an original request to

http://apple.asia.sun.com:61901/abc2/banner.html

(Note - we tested /abc2 to make sure it will not over-match!)

will NOT result in any new redirect request with a Location header, as expected.

The response is:

HTTP/1.x 304 Use local copy   *** see, no redirect (correct and as expected)
Date: Fri, 04 Jul 2008 03:22:19 GMT
Etag: "723-486d95a1"

5. an original request to

http://apple.asia.sun.com:61901/abc.html

(Note - we tested /abc.html to make sure it will not over-match!)

will NOT result in any new redirect request with a Location header, as expected.

The response is:

HTTP/1.x 200 OK   *** see, no redirect (correct and as expected)
Date: Fri, 04 Jul 2008 03:22:48 GMT
Content-Length: 49
Content-Type: text/html
Last-Modified: Fri, 04 Jul 2008 02:03:30 GMT
Etag: "20-486d84f2"

Wednesday May 21, 2008

How to block certain file types from outside users in Sun Java System Web Server 6.1 SP9

If you want to block certain file types, e.g. .ini or .conf files, from outside access in Sun Java System Web Server 6.1 SP9, add a <Client> tag to obj.conf, e.g.

.....
NameTrans fn="document-root" root="$docroot"
<Client uri="*.(ini|conf)">
PathCheck fn="deny-existence" bong-file="<web install root>/docs/bongfile.html"
</Client>
PathCheck fn="unix-uri-clean"
....

and the bongfile is :

shell> cat bongfile.html
You cannot view this type of files here !!!

If you do not specify the "bong-file=" above, then the users will get the standard "Not Found" error in their browser.

e.g.

<Client uri="*.(ini|conf)">
PathCheck fn="deny-existence"
</Client>


then restart the web server and test, e.g.

http://<hostname.domain>/test.conf
 
or
 
http://<hostname.domain>/test.ini

will return the content of bongfile.html instead of the file, so users cannot access these ini/conf files.

Error log entries:

[21/May/2008:14:38:03] security (10791): for host xx.xx.xx.xx trying to GET /test.conf, deny-existence reports: HTTP4129: denying existence of <web root>/docs/test.conf

[21/May/2008:14:41:12] security (10791): for host xx.xx.xx.xx trying to GET /test.ini, deny-existence reports: HTTP4129: denying existence of <web root>/docs/test.ini

This adds protection for file types you do not want outside users to access, even accidentally. Keep in mind that the uri pattern is matched against the request URI, not against the file's name on disk: cover every URI spelling under which such files can be reached, and test each one, including near misses, the way the /abc rewrite post tests /abc2 and /abc.html.
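The uri="..." patterns in the <Client> tags on this page (*.(ini|conf) here, /.abc(/.*|) in the perfdump post, *MSIE* in the match-browser line) are NSAPI wildcard patterns, and the /abc rewrite post shows why each one deserves the same over-match tests (/abc2, /abc.html) before it goes live. The script below is an added example, not code from the original posts or from the web server: it converts the subset of the wildcard syntax used on this page (*, ?, (a|b) alternation and a backslash escape; the other NSAPI wildcard operators are deliberately not handled) into an anchored Python regex, checks a pattern against URIs that must and must not match, and does the same for the $path =~ regex of the rewrite post (assuming the obj.conf string "/abc\\/" reaches the regex engine as /abc\/). That this subset behaves exactly like the server is an assumption; confirm it against the server itself, as the author did with telnet.

```python
"""Over-match tests for the uri="..." wildcard patterns and the $path =~
regex used in the <Client> tags on this page.

Added example, not from the original posts. Assumption: only the wildcard
operators that appear on this page are supported: '*' (any run of
characters, slashes included), '?' (one character), '(a|b)' alternation
and a backslash escape. Every other character, '.' included, is literal.
"""
import re


def wildcard_to_regex(pattern):
    """Convert an NSAPI-style wildcard pattern to an anchored Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # escaped character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch in "(|)":
            out.append(ch)             # grouping and alternation map 1:1
        else:
            out.append(re.escape(ch))  # '.' and everything else is literal
        i += 1
    return re.compile("^(?:" + "".join(out) + ")$")


def matches(pattern, uri):
    """True if a <Client uri="pattern"> tag would fire for this request URI."""
    return wildcard_to_regex(pattern).match(uri) is not None


def regex_matches(regex, path):
    """True if a <Client $path =~ "regex"> tag would fire (unanchored search)."""
    return re.search(regex, path) is not None


def check(pattern, should_match, should_not_match, match_fn=matches):
    """Return (uri, expected, got) for every URI whose result is wrong.

    An empty list means the pattern behaves as intended on these inputs.
    """
    problems = []
    for uri in should_match:
        if not match_fn(pattern, uri):
            problems.append((uri, True, False))
    for uri in should_not_match:
        if match_fn(pattern, uri):
            problems.append((uri, False, True))
    return problems


if __name__ == "__main__":
    # Constructed test URIs (assumptions), modelled on the author's own
    # /abc2 and /abc.html over-match tests.
    cases = [
        ("*.(ini|conf)", matches,
         ["/test.conf", "/test.ini", "/dir/app.ini"],
         ["/test.conf.bak", "/test.conf/", "/config"]),
        ("/.abc(/.*|)", matches,
         ["/.abc", "/.abc/.statistics"],
         ["/.abcd", "/.abc/stats-xml", "/x/.abc"]),
        (r"/abc\/", regex_matches,
         ["/abc/", "/abc/en_US/banner.html", "/abc/test2.jsp"],
         ["/abc2/banner.html", "/abc.html"]),
    ]
    for pattern, fn, yes, no in cases:
        problems = check(pattern, yes, no, fn)
        print("%-14s %s" % (pattern, "ok" if not problems else problems))
```

The two checks that matter most are the negatives: /test.conf/ and /.abc/stats-xml show that '.' is literal and that a trailing slash defeats a suffix pattern, which is exactly the kind of spelling an attacker will try once the obvious URI is blocked.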
About

Wing-Yip Walter Lee