HTTP Redirect Access Control feature using OCI Web Application Firewall

October 25, 2019 | 4 minute read
Tim Melander
A-Team Cloud Solution Architect

This article covers a feature in Oracle Cloud Infrastructure that is, at least at this time, unpublished: configuring an access rule in the Web Application Firewall (WAF) to immediately redirect a browser to a specific URI when it accesses another URI.  For example, someone goes to https://www.acme.com/help and the browser is immediately redirected to https://www.acme.com/portal/support.html.  I know, you are probably thinking there are a number of ways to accomplish this feat, and you would be correct.  However, this option can be more interesting for anyone already using the WAF in Oracle Cloud Infrastructure for other things such as protection rules and other access rules, since it adds another feature that can be layered into your use cases where appropriate.  As a fair warning, this tip does require the Oracle Cloud Infrastructure CLI to create the access rule in the WAF.  Alternatively, OCI now provides a Cloud Shell with the CLI built in, which can be launched by clicking the greater-than sign ">_" at the top right, to the right of your region.  At this time the feature is not available in the user interface, but it is planned for a future release.

OCI Cloud Shell

Dissecting the HTTP Redirect Rule

Let’s break down the important attributes or keys of this rule by looking at the heart of an example JSON HTTP redirect access rule.
 

{
  "redirectResponseCode": "FOUND",
  "redirectUrl": "/warning/index.html",
  "criteria": [
    {
      "condition": "URL_IS",
      "value": "/redirectme"
    }
  ],
  "name": "API_Rule_redirect",
  "action": "REDIRECT"
}

Key “redirectUrl”:

Let’s get "redirectUrl" out of the way first.   This is simply the URL or URI where you want the browser to be redirected when the condition is met.  It can be a relative URI or an absolute URL that will redirect the browser to its target location. 


Key “condition”:

The "condition" is self-explanatory, but I want to point out there are three possible options shown in the table below.  Each option will require respective values based on which is used.  You will of course decide the option based on your use case.

Condition          | Value (Example)                                                                                    | What does it mean?
-------------------|----------------------------------------------------------------------------------------------------|----------------------------
URL_IS             | "/redirect/me"                                                                                     | URL exact match
URL_PART_CONTAINS  | "findme"                                                                                           | URL contains a value
URL_REGEX          | "(http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?"          | URL matches a regex pattern
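To make the difference between the three conditions concrete, here is a small evaluator, added as an example and not part of the original article or of the OCI WAF itself. It assumes (the article does not say) that conditions are evaluated against the request path only, that every entry in "criteria" must match, and that the first matching rule wins; the rule set, the hostnames and the regex are constructed for the demonstration. "FOUND" is HTTP 302; "MOVED_PERMANENTLY" is the 301 counterpart the OCI API also accepts.

```python
import re
from urllib.parse import urlsplit

# Constructed rule set (not from the article) covering the three condition kinds.
# Assumption: the WAF evaluates conditions against the request path only
# (no scheme, host or query string); the article does not say which part is used.
HTTP_STATUS = {"FOUND": 302, "MOVED_PERMANENTLY": 301}

RULES = [
    {
        "name": "help_to_support",
        "action": "REDIRECT",
        "redirectResponseCode": "FOUND",
        "redirectUrl": "/portal/support.html",
        "criteria": [{"condition": "URL_IS", "value": "/help"}],
    },
    {
        "name": "findme_anywhere",
        "action": "REDIRECT",
        "redirectResponseCode": "FOUND",
        "redirectUrl": "/warning/index.html",
        "criteria": [{"condition": "URL_PART_CONTAINS", "value": "findme"}],
    },
    {
        "name": "legacy_docs_regex",
        "action": "REDIRECT",
        "redirectResponseCode": "MOVED_PERMANENTLY",
        "redirectUrl": "https://docs.example.invalid/",
        # Anchored on purpose: an unanchored pattern would also hit /legacy/faqs
        "criteria": [{"condition": "URL_REGEX", "value": r"^/legacy/(docs|faq)(/.*)?$"}],
    },
]


def criterion_matches(criterion, path):
    """Evaluate one criteria entry against a request path."""
    cond, value = criterion["condition"], criterion["value"]
    if cond == "URL_IS":
        return path == value                       # exact match: "/help/" is not "/help"
    if cond == "URL_PART_CONTAINS":
        return value in path                       # substring anywhere in the path
    if cond == "URL_REGEX":
        return re.search(value, path) is not None  # anchor the pattern yourself
    raise ValueError(f"unsupported condition: {cond}")


def first_matching_rule(rules, url):
    """Return the first rule whose criteria all match (assumed first-match ordering)."""
    path = urlsplit(url).path or "/"
    for rule in rules:
        if all(criterion_matches(c, path) for c in rule["criteria"]):
            return rule
    return None


def redirect_for(rules, url):
    """Return (status, location) for a matching REDIRECT rule, or None."""
    rule = first_matching_rule(rules, url)
    if rule is None or rule["action"] != "REDIRECT":
        return None
    return HTTP_STATUS[rule["redirectResponseCode"]], rule["redirectUrl"]


if __name__ == "__main__":
    for u in ("https://www.acme.com/help", "https://www.acme.com/help/",
              "https://www.acme.com/docs/findme.html",
              "https://www.acme.com/legacy/faq/q1", "https://www.acme.com/legacy/faqs"):
        print(u, "->", redirect_for(RULES, u))
```

The point worth taking from running it: URL_IS silently misses a trailing slash, URL_PART_CONTAINS matches anywhere in the path (including file names you did not have in mind), and a URL_REGEX value needs ^ and $ anchors or it will match more paths than intended. Confirm the real policy's behaviour against your own host before relying on any of these.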

 

Key “name”:

The "name" is simply any arbitrary name for your rule; nothing more.  As a best practice it is good to give the rule a name that describes its purpose so that if another administrator briefly looks at the rule they can quickly understand why it exists. 

Key “action”:

The "action" is not a key you choose a value for; it simply tells the WAF this rule is a REDIRECT.  When creating rules using the OCI CLI you will quickly get acquainted with using JSON to build rules and, along the way, find other actions relating to other types of rules.

 

Creating the HTTP Redirect Rule

I mentioned in the beginning that the Oracle Cloud Infrastructure CLI will be required.   To install and set up the CLI please follow the quickstart on the official Oracle Cloud documentation “Installing the CLI” at https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliinstall.htm.

ASSUMPTIONS:

  1. A local account in OCI to use the CLI.
  2. A WAF Access Policy has been created; no rules are needed yet.
  3. OCI CLI has been installed and configured.

Now that we are past the nitty gritty let’s finally get into the fun stuff and create a WAF HTTP redirect access rule. 

 
STEP 1:  Create the JSON access rule

A JSON file needs to be created with all the essentials.  Below are two example JSON files that can be copied and reused.  The first JSON can be used if you want to provide the waasPolicyId at the command line.  Maybe you would like to apply the same WAF rule to multiple policies, in which case you could script a loop that runs the command once per waasPolicyId.  The second JSON includes the waasPolicyId; be sure to also include the maxWaitSeconds and waitIntervalSeconds keys, otherwise you will get a complaint that it is an invalid JSON.

Example JSON WAF Access Rule:

{
  "accessRules": [
    {
      "redirectResponseCode": "FOUND",
      "redirectUrl": "/warning/index.html",
      "criteria": [
        {
          "condition": "URL_IS",
          "value": "/redirect"
        }
      ],
      "name": "API_Rule_redirect",
      "action": "REDIRECT"
    }
  ]
}

 
Example JSON WAF Access Rule with waasPolicyId (replace):

{
  "accessRules": [
    {
      "redirectResponseCode": "FOUND",
      "redirectUrl": "/warning/index.html",
      "criteria": [
        {
          "condition": "URL_IS",
          "value": "/redirect"
        }
      ],
      "name": "API_Rule_redirect",
      "action": "REDIRECT"
    }
  ],
  "maxWaitSeconds": 0,
  "waasPolicyId": "ocid1.waaspolicy.oc1..aaaaaaaatsx2lhekje2yj2h4eei7oxhsbbnv2ulgipcftrhjs3vi5kapzeaa",
  "waitIntervalSeconds": 0
}

STEP 2: Execute the CLI to create the rule

Option 1: Run the following command if the waasPolicyId ocid was not included in the JSON.

oci waas access-rule update --waas-policy-id <ocid> --from-json file://my_waf_rule.json

Option 2: Run the following command if the WAF policy ocid (waasPolicyId) is included in the JSON.

oci waas access-rule update --from-json file://my_waf_rule.json

After a few seconds output will be produced that looks something like the following.  This is the ocid of the work request that is being processed by OCI.  Be patient.

{
  "opc-work-request-id": "ocid1.waasworkrequest.oc1..aaaaaaaalxifr3l3m56twuejip2bglg4b3k6523htul33kfsbgxqn3tb5fba"
}
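Steps 1 and 2 lend themselves to a small script, especially for the multi-policy case mentioned above. The following is an added example, not code from the article or from Oracle: it builds the rule JSON in both shapes shown in STEP 1 (with and without an embedded waasPolicyId), validates the condition and response-code values against the ones the article lists, writes one file per policy and assembles the `oci waas access-rule update` command from STEP 2. The policy OCIDs are placeholders; it runs in dry-run mode unless told otherwise. Before running it against a policy that already has rules, check how the update call treats rules absent from the submitted list (the article assumes a policy with no rules yet).

```python
import json
import shlex
import subprocess
from pathlib import Path

# Allowed values taken from the article's table and examples; MOVED_PERMANENTLY is
# the 301 counterpart of FOUND in the OCI API.
CONDITIONS = {"URL_IS", "URL_PART_CONTAINS", "URL_REGEX"}
RESPONSE_CODES = {"FOUND", "MOVED_PERMANENTLY"}


def build_redirect_rule(name, condition, value, redirect_url, response_code="FOUND"):
    """Build one REDIRECT access rule in the shape the article shows."""
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition {condition!r}")
    if response_code not in RESPONSE_CODES:
        raise ValueError(f"unknown redirectResponseCode {response_code!r}")
    if not redirect_url:
        raise ValueError("redirectUrl must not be empty")
    return {
        "name": name,
        "action": "REDIRECT",
        "redirectResponseCode": response_code,
        "redirectUrl": redirect_url,
        "criteria": [{"condition": condition, "value": value}],
    }


def build_payload(rules, waas_policy_id=None):
    """Wrap rules for --from-json; embedding waasPolicyId needs the two wait keys too."""
    payload = {"accessRules": rules}
    if waas_policy_id is not None:
        payload["waasPolicyId"] = waas_policy_id
        payload["maxWaitSeconds"] = 0
        payload["waitIntervalSeconds"] = 0
    return payload


def cli_command(json_path, waas_policy_id=None):
    """STEP 2 as an argv list: Option 1 when an id is passed, Option 2 otherwise."""
    cmd = ["oci", "waas", "access-rule", "update"]
    if waas_policy_id is not None:
        cmd += ["--waas-policy-id", waas_policy_id]
    cmd += ["--from-json", f"file://{json_path}"]
    return cmd


def apply_to_policies(rules, policy_ids, out_dir, dry_run=True):
    """Write one JSON per policy and run (or, in dry-run mode, print) the CLI command."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    commands = []
    for i, policy_id in enumerate(policy_ids):
        path = out_dir / f"redirect_rule_{i}.json"
        path.write_text(json.dumps(build_payload(rules), indent=2))
        cmd = cli_command(path, policy_id)
        commands.append(cmd)
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)   # needs a configured OCI CLI
    return commands


if __name__ == "__main__":
    rule = build_redirect_rule("API_Rule_redirect", "URL_IS", "/redirect", "/warning/index.html")
    # Placeholder OCIDs: substitute your own WAF policy ids.
    apply_to_policies([rule],
                      ["ocid1.waaspolicy.oc1..<policy-1>", "ocid1.waaspolicy.oc1..<policy-2>"],
                      "./waf_rules")
```

The same JSON is reused for every policy and the id is passed on the command line (Option 1), which is why the payload does not need maxWaitSeconds and waitIntervalSeconds; pass a policy id to build_payload instead if you prefer the Option 2 file shape.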

STEP 3:  Verify rule and test

If you are signed into the OCI Console you should see the WAF policy in an Updating… state in orange/yellow.  After several minutes it should finish, become ACTIVE and turn green.  At this point you can test it by accessing the URL that matches the condition value for the option you chose.  If all went well the WAF access rule should identify the condition URL value and redirect the browser to the target URL given in the redirectUrl value.
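A browser test hides the details that matter (the status code and the Location header), so here is a checker that fetches the URL once without following the redirect and reports both. This is an added example, not code from the article; the small HTTP server in it is a constructed stand-in for the WAF that answers the article's /redirect rule with a 302 to /warning/index.html, so the check can run offline. To verify a real policy, call check_redirect with your own host and expected target.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoFollow(HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so we can inspect them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_redirect(url, expected_location, expected_status=302, timeout=5):
    """Fetch url once and report whether it answered with the expected redirect."""
    opener = build_opener(_NoFollow)
    try:
        with opener.open(Request(url, method="GET"), timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except HTTPError as err:          # urllib raises for the 3xx we refused to follow
        status, location = err.code, err.headers.get("Location")
    return {
        "status": status,
        "location": location,
        "ok": status == expected_status and location == expected_location,
    }


# ---- constructed stand-in for the WAF, so the check runs offline ----
FAKE_RULES = {"/redirect": (302, "/warning/index.html")}   # mirrors the article's rule


class _FakeWaf(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in FAKE_RULES:
            code, target = FAKE_RULES[self.path]
            self.send_response(code)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:                                    # anything else "reaches the origin"
            body = b"origin content\n"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):                # keep the demo output quiet
        pass


def run_against_fake_waf():
    """Start the stand-in on a free port, run a hit and a miss, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _FakeWaf)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        hit = check_redirect(f"{base}/redirect", "/warning/index.html")
        miss = check_redirect(f"{base}/other", "/warning/index.html")
    finally:
        server.shutdown()
        server.server_close()
    return hit, miss


if __name__ == "__main__":
    hit, miss = run_against_fake_waf()
    print("rule path  :", hit)    # status 302, ok True
    print("other path :", miss)   # status 200, ok False
    # Real policy: check_redirect("https://www.acme.com/redirect", "/warning/index.html")
```

Checking a path the rule should not match (the "miss" case) is as useful as checking the one it should: it catches a URL_PART_CONTAINS or unanchored URL_REGEX value that redirects more of the site than intended.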

 

Summary

This special access rule adds to your options when using the WAF in OCI.  As I pointed out in the beginning, this feature can add another option to layer into use cases where you see fit.  Mixing in protection rules, access rules, bot management, and logging can make the WAF a powerful front-door gatekeeper for the DMZ.  To learn more about the OCI Web Application Firewall please go to https://docs.cloud.oracle.com/iaas/Content/WAF/Concepts/overview.htm.  Best of luck, and I hope this hidden feature adds something to your black bag of tricks. :-)

Tim Melander

A-Team Cloud Solution Architect

I started with Oracle in 2005 and have been a member of the Oracle A-Team since 2012, though I have worked in Identity and Access Management since 1999.  My journey with security continues in the cloud, which heavily includes Oracle Cloud Infrastructure (OCI).  I enjoy writing articles built on real-life use cases to help in areas where a standard document may not.  I am a strong believer in learning by example, so I try to incorporate as many helpful tips, excellent diagrams, and instructional steps as I can.

