This article covers a feature of the Oracle Cloud Infrastructure Web Application Firewall (WAF) that, at the time of writing, is not yet documented: an access rule that immediately redirects a browser to a specific URI when it requests another URI. For example, someone goes to https://www.acme.com/help and is immediately redirected to https://www.acme.com/portal/support.html. I know, you are probably thinking there are a number of ways to accomplish this, and you would be correct. However, this option is more interesting if you already use the OCI WAF for other things such as protection rules and other access rules, because it is one more feature you can layer into those use cases where appropriate. As a fair warning, this tip requires the Oracle Cloud Infrastructure CLI to create the access rule in the WAF; the option is not available in the Console at this time, though it is planned for a future release. Alternatively, OCI now provides a Cloud Shell with the CLI built in, which you launch by clicking the ">_" icon at the top right of the Console, next to your region.
Let’s break down the important attributes or keys of this rule by looking at the heart of an example JSON HTTP redirect access rule.
{
  "redirectResponseCode": "FOUND",
  "redirectUrl": "/warning/index.html",
  "criteria": [
    {
      "condition": "URL_IS",
      "value": "/redirectme"
    }
  ],
  "name": "API_Rule_redirect",
  "action": "REDIRECT"
}
Let's get "redirectUrl" out of the way first. This is simply the URL or URI the browser is sent to when the condition is met. It can be a relative URI (resolved by the browser against the site's own origin, as in the example above) or an absolute URL pointing at another location. Its companion "redirectResponseCode" selects the HTTP status the WAF returns: FOUND produces a 302 and MOVED_PERMANENTLY produces a 301. Keep in mind that browsers cache 301 responses, so a FOUND redirect is easier to test and to back out later. Because the target is fixed in the rule, nothing taken from the client's request ends up in the Location header.
The "condition" is self-explanatory, but I want to point out the three URL-based options shown in the table below; each expects a value of the matching kind, and which one you use depends on your use case. The regex in the table is a generic URL pattern shown for illustration; for a real rule, anchor your expression (for example with ^ and $) so that it matches only the paths you intend and nothing that merely contains them.
Condition           Value (example)                                                                          What does it mean?
URL_IS              "/redirect/me"                                                                           URL exact match
URL_PART_CONTAINS   "findme"                                                                                 URL contains a value
URL_REGEX           "(http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?"   URL matches a regex pattern
The "name" is simply any arbitrary name for your rule; nothing more. As a best practice it is good to give the rule a name that describes its purpose so that if another administrator briefly looks at the rule they can quickly understand why it exists.
The "action" is not something you choose a value for here: for this kind of rule it is always REDIRECT, and it tells the WAF what to do when the criteria match. When creating rules with the OCI CLI you will quickly get acquainted with building rules as JSON, and along the way you will run into the other actions (such as ALLOW, DETECT, BLOCK and BYPASS) that other kinds of access rules use.
I mentioned in the beginning Oracle Cloud Infrastructure CLI will be required. To install and setup the CLI please follow the quickstart on the official Oracle Cloud documentation “Installing the CLI” at https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliinstall.htm.
ASSUMPTIONS:
Now that we are past the nitty gritty let’s finally get into the fun stuff and create a WAF HTTP redirect access rule.
A JSON file needs to be created with all the essentials. Below are two example JSONs that can be copied and reused. The first can be used if you want to provide the waasPolicyId at the command line; that is handy if you want to apply the same rule to several policies, since you can script the command to iterate over a list of waasPolicyIds. The second JSON includes the waasPolicyId; when you use that form be sure to also include the maxWaitSeconds and waitIntervalSeconds keys, otherwise the CLI will complain that the JSON is invalid. One caveat before you run either: the update submits the complete accessRules list for the policy, so first list the rules already on the policy (oci waas access-rule list --waas-policy-id <ocid>) and carry them into the array alongside the new rule; rules you leave out of the list will not be kept.
Example JSON WAF Access Rule:
{
  "accessRules": [
    {
      "redirectResponseCode": "FOUND",
      "redirectUrl": "/warning/index.html",
      "criteria": [
        {
          "condition": "URL_IS",
          "value": "/redirect"
        }
      ],
      "name": "API_Rule_redirect",
      "action": "REDIRECT"
    }
  ]
}
Example JSON WAF Access Rule with waasPolicyId (replace):
{
  "accessRules": [
    {
      "redirectResponseCode": "FOUND",
      "redirectUrl": "/warning/index.html",
      "criteria": [
        {
          "condition": "URL_IS",
          "value": "/redirect"
        }
      ],
      "name": "API_Rule_redirect",
      "action": "REDIRECT"
    }
  ],
  "maxWaitSeconds": 0,
  "waasPolicyId": "ocid1.waaspolicy.oc1..aaaaaaaatsx2lhekje2yj2h4eei7oxhsbbnv2ulgipcftrhjs3vi5kapzeaa",
  "waitIntervalSeconds": 0
}
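The following script is an added example for this article; it is not code from the original post or from Oracle. It builds a REDIRECT access rule in the shape shown above, validates the fields the WAF needs (a compilable URL_REGEX, a known redirectResponseCode, a sane redirectUrl), merges the rule into the policy's existing access rule list so the update payload keeps what is already there, writes the file that --from-json consumes, and dry-runs a few sample request URLs against the three URL conditions from the table. The matching logic is a local approximation written for that dry run, not OCI's engine, and EXISTING_RULES is constructed sample data standing in for what the policy already contains.

```python
"""Build, validate and dry-run an OCI WAF REDIRECT access rule.

Added example for this article; not code from the original post or from Oracle.
The matching in criterion_matches()/first_redirect() is a local approximation
for dry-running rules and is not OCI's engine. EXISTING_RULES is constructed
sample data, not a real policy.
"""
import json
import re
from urllib.parse import urlsplit

# Allowed redirectResponseCode values and the HTTP status each produces.
REDIRECT_CODES = {"MOVED_PERMANENTLY": 301, "FOUND": 302}
# The three URL conditions covered in the article's table.
URL_CONDITIONS = ("URL_IS", "URL_PART_CONTAINS", "URL_REGEX")


def make_redirect_rule(name, condition, value, redirect_url, code="FOUND"):
    """Return one access rule dict in the same shape as the article's JSON."""
    if condition not in URL_CONDITIONS:
        raise ValueError(f"unsupported condition {condition!r}")
    if code not in REDIRECT_CODES:
        raise ValueError(f"redirectResponseCode must be one of {sorted(REDIRECT_CODES)}")
    if condition == "URL_REGEX":
        re.compile(value)  # fail here on a bad pattern, not after the work request
    if not redirect_url.startswith(("/", "http://", "https://")):
        raise ValueError("redirectUrl must be a relative path or an absolute http(s) URL")
    return {
        "name": name,
        "action": "REDIRECT",
        "redirectResponseCode": code,
        "redirectUrl": redirect_url,
        "criteria": [{"condition": condition, "value": value}],
    }


def criterion_matches(criterion, path):
    """Local approximation of how the three URL conditions compare a request path."""
    cond, value = criterion["condition"], criterion["value"]
    if cond == "URL_IS":
        return path == value          # exact match: "/redirect/" does not hit "/redirect"
    if cond == "URL_PART_CONTAINS":
        return value in path          # substring anywhere in the path
    if cond == "URL_REGEX":
        return re.search(value, path) is not None
    raise ValueError(f"condition {cond!r} is not modelled in this dry run")


def first_redirect(rules, request_url):
    """Return (status, location) from the first matching REDIRECT rule, or None.

    Assumption for the dry run: only the path is compared (query string ignored),
    every criterion of a rule must match, and non-REDIRECT rules are skipped.
    """
    path = urlsplit(request_url).path or "/"
    for rule in rules:
        if rule["action"] != "REDIRECT":
            continue
        if all(criterion_matches(c, path) for c in rule["criteria"]):
            return REDIRECT_CODES[rule["redirectResponseCode"]], rule["redirectUrl"]
    return None


def build_update_payload(existing_rules, new_rule, waas_policy_id=None):
    """Merge the new rule into the policy's current list so the update keeps the old rules.

    With waas_policy_id the payload is the article's second form (OCID plus the two
    wait keys the CLI insists on); without it, pass --waas-policy-id on the command line.
    """
    if any(r["name"] == new_rule["name"] for r in existing_rules):
        raise ValueError(f"a rule named {new_rule['name']!r} already exists on the policy")
    payload = {"accessRules": [*existing_rules, new_rule]}
    if waas_policy_id:
        payload.update({"waasPolicyId": waas_policy_id,
                        "maxWaitSeconds": 0, "waitIntervalSeconds": 0})
    return payload


# Constructed sample of a rule already on the policy (not real data).
EXISTING_RULES = [
    {"name": "block_admin_paths", "action": "BLOCK",
     "criteria": [{"condition": "URL_REGEX", "value": r"^/admin(/|$)"}]},
]

if __name__ == "__main__":
    rule = make_redirect_rule("API_Rule_redirect", "URL_IS", "/redirect", "/warning/index.html")
    payload = build_update_payload(EXISTING_RULES, rule)
    with open("my_waf_rule.json", "w", encoding="utf-8") as fh:
        json.dump(payload, fh, indent=2)   # feed this to --from-json file://my_waf_rule.json
    for url in ("https://www.acme.com/redirect",
                "https://www.acme.com/redirect?from=email",
                "https://www.acme.com/redirect/"):
        print(url, "->", first_redirect(payload["accessRules"], url))
```

The dry run is the useful part before you spend a work request: with URL_IS, the trailing-slash variant of the path is a miss while the same path with a query string is a hit, which is exactly the kind of surprise you want to find locally rather than in a browser after the policy has been updating for several minutes.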
Option 1: Run the following command if the waasPolicyId ocid was not included in the JSON.
oci waas access-rule update --waas-policy-id <ocid> --from-json file://my_waf_rule.json
Option 2: Run the following command if the waasPolicyId is included in the JSON.
oci waas access-rule update --from-json file://my_waf_rule.json
After a few seconds output will be produced that looks something like the following. This is the OCID of the work request that OCI is processing. Be patient.
{
  "opc-work-request-id": "ocid1.waasworkrequest.oc1..aaaaaaaalxifr3l3m56twuejip2bglg4b3k6523htul33kfsbgxqn3tb5fba"
}
If signed into the OCI Console you should see the WAF policy in an Updating... state in orange/yellow. After several minutes it should finish, become ACTIVE and turn green. At this point you can test it by requesting the URL that matches the condition value you chose. If all went well the WAF access rule should match the condition URL value and redirect the browser to the target used in the redirectUrl value. Rather than relying only on what the browser shows, check the response itself: the status code should be the one you chose (302 for FOUND) and the Location header should carry the redirectUrl value. It is also worth confirming that a near miss, such as the same path with a trailing slash when you used URL_IS, is not redirected.
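To make that check repeatable, here is an added example (not code from the original post or from Oracle) that requests a URL without following redirects and reports the status code and Location header it actually received. Since the real WAF cannot be reached from an offline run, StubWafHandler is a constructed stand-in that answers /redirect the way the article's rule should; against your own site you would call check_redirect() with the real URL and the redirectUrl value from the rule.

```python
"""Check a WAF redirect rule from the outside: status code plus Location header.

Added example for this article, not code from the original post or from Oracle.
StubWafHandler is a constructed stand-in for the WAF so the check runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx and its headers


def check_redirect(url, expected_location, expected_code=302, timeout=5):
    """Return (ok, status, location) for a single GET of url, without following redirects."""
    opener = urllib.request.build_opener(NoRedirectHandler)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (and 4xx/5xx) land here
        status, location = err.code, err.headers.get("Location")
    return (status == expected_code and location == expected_location, status, location)


class StubWafHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the WAF front door; only /redirect is redirected."""

    def do_GET(self):
        if self.path == "/redirect":
            self.send_response(302)  # what redirectResponseCode FOUND produces
            self.send_header("Location", "/warning/index.html")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the stub quiet


def run_stub_and_check():
    """Start the stub on a loopback port, run a hit and a miss, and return both results."""
    server = HTTPServer(("127.0.0.1", 0), StubWafHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        hit = check_redirect(f"{base}/redirect", "/warning/index.html")
        miss = check_redirect(f"{base}/other", "/warning/index.html")
        return hit, miss
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Against the real site: check_redirect("https://www.acme.com/redirect", "/warning/index.html")
    for label, result in zip(("hit", "miss"), run_stub_and_check()):
        print(label, result)
```

The point of the NoRedirectHandler is that a client which follows redirects transparently will happily report a 200 from the final page and hide a wrong status code or a Location value that differs from the rule; inspecting the first response is what tells you the WAF rule, and not something downstream, did the redirect.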
This special access rule will add to your options to use when using the WAF in OCI. I pointed out in the beginning, this feature can add another option to layer into use cases where you see fit. Mixing in protection rules, access rules, bot management, and logging can be a powerful tool as a front door gate keeper for the DMZ. To learn more about the OCI Web Application Firewall please go to https://docs.cloud.oracle.com/iaas/Content/WAF/Concepts/overview.htm. Best of luck and I hope this hidden feature adds something to your black bag of tricks. :-)
I started with Oracle in 2005 and have been a member of the Oracle A-Team since 2012, though I have worked in Identity and Access Management since 1999. My journey with security continues in the cloud, which heavily includes Oracle Infrastructure Cloud (OCI). I enjoy writing articles built on real-life use cases to help in areas where a standard document may not. I am a strong believer in learning by example, so I try to incorporate as many helpful tips, excellent diagrams, and instructional steps as I can.