Thursday, November 15, 2007

Oracle Webcache error.

Currently we are running Oracle Application Server 10g (10.1.2.0.2) with Oracle HTTP Server / OracleAS Web-Cache 10g (10.1.2.0.2) on some of the servers running a high-traffic website. For some time the following error message has been shown in clients' web browsers at random times:

------------------------------------------------------
Illegal Characters in Request/Response

The security gateway refused to process and retrieve the URL you requested because of a protocol violation:

The security gateway saw the request/response:
HTTP/1.1 200 OK Date: Tue, 13 Nov 2007 14:41:56 GMT Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=214741422+0;age=66556;ecid=1194964916: 10.32.4.3:8357:0:5777b\37777777613\001 ) Cache-Control: private Content-Type: text/html Content-Encoding: gzip Content-Length: 3497 X-Pad: avoid browser bug X-Cache: MISS from amssys02.dmz-out.smartapps.nl Keep-Alive: timeout=15, max=100 Connection: Keep-Alive \037\37777777613\010

This kind of protocol violation is denied in order to protect Web clients/servers from attacks that include control and other non-printable characters. It is also denied to ensure that only HTTP traffic is passed by the HTTP proxy, thus ensuring the integrity of your site's security policy.

If you believe that this request should have been allowed, contact the Web site administrator and request that their application be modified to be HTTP compliant.
------------------------------------------------------

After some research we found that the “server” header in the response from the webserver contained the illegal characters mentioned. Below is a response whose header is passed correctly to the client without being refused by the security gateway. At the end of the “server” string we can see the text “2136out.smarÇTÄ)”. This text changes every time you request the page, which means that in some cases its characters do not comply with the character set agreed on in the RFC.

------------------------------------------------------
GET / HTTP/1.1
Host: www.thetasteoflife.nl
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: __utma=83643603.296507212.1191756626.1195044105.1195049174.28; __utmz=83643603.1193130261.16.3.utmccn=(referral)|utmcsr=miele.nl|utmcct=/apps/vg/nl/miele/Miele001.nsf/LookUpPage/Homepage|utmcmd=referral; __utmc=83643603; __utmb=83643603

HTTP/1.1 200 OK
Date: Wed, 14 Nov 2007 14:09:42 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=214748349+0;age=157949;ecid=1195049382:10.32.4.3:8408:0:2136out.smarÇTÄ)
Cache-Control: private
Content-Type: text/html
Content-Encoding: gzip
Content-Length: 1701
X-Cache: MISS from amssys02.dmz-out.smartapps.nl
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
------------------------------------------------------

If this is the case and some of the “random” characters are not in the character set agreed upon in the RFC, the security gateway will close the connection and the client will get the following HTTP header error (Illegal Character in Response Header):

------------------------------------------------------
GET / HTTP/1.1
Host: www.thetasteoflife.nl
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: __utma=83643603.296507212.1191756626.1194798880.1195044105.27; __utmz=83643603.1193130261.16.3.utmccn=(referral)|utmcsr=miele.nl|utmcct=/apps/vg/nl/miele/Miele001.nsf/LookUpPage/Homepage|utmcmd=referral;__utmc=83643603

HTTP/1.x 400 Illegal Character in Response Header
MIME-Version: 1.0
Date: Wed, 14 Nov 2007 13:58:49 GMT
Connection: close
Content-Type: text/html
------------------------------------------------------

This results in the error page in the browser on the client side. As long as the random characters do not include “faulty” characters the website is shown correctly; otherwise the client shows an error page. To prevent this, the “server” header in the response headers needs to be modified. In Oracle Web Cache you do this by modifying the webcache settings in the webcache.xml configuration file and restarting webcache. Change the string:

<debuginfo header="YES" eventlog="NO" htmlcomment="NO" switchstring="+wcdebug">

To:

<debuginfo header="NO" eventlog="NO" htmlcomment="NO" switchstring="+wcdebug">

After that, restart webcache. Your “server” response header will then look clean, without the “random” characters that can cause the error:

“Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2”
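
A check for confirming the change, as an added example (not part of the original post and not Oracle tooling): it scans the header block of a raw response for bytes an inspecting proxy may refuse. The sample responses are constructed from the header values quoted above, reading `\37777777613` as the byte 0x8B and `ÇTÄ` as Latin-1; rejecting 0x80-0x9F is an assumption about the gateway, not its documented behaviour.

```python
# Added example: scan the header block of a raw HTTP response for bytes
# that an inspecting proxy may refuse.
# RFC 7230 allows HTAB, SP, visible ASCII and obs-text (0x80-0xFF) in a
# field value; every other control character is illegal.
CTL = (set(range(0x00, 0x20)) - {0x09}) | {0x7F}
# Assumption: a strict gateway also rejects the C1 controls 0x80-0x9F.
C1 = set(range(0x80, 0xA0))

def header_lines(raw):
    """Header lines of a raw response; status line and body are dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]

def audit_headers(raw, strict=True):
    """Return (header name, offset in value, byte) for each suspect byte."""
    bad = CTL | C1 if strict else CTL
    findings = []
    for line in header_lines(raw):
        name, _, value = line.partition(b":")
        value = value.strip(b" \t")
        findings += [(name.decode("latin-1"), i, b)
                     for i, b in enumerate(value) if b in bad]
    return findings

def sample(server_suffix):
    """Constructed response; the body starts with the gzip magic 1f 8b 08."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server"
            b" OracleAS-Web-Cache-10g/10.1.2.0.2" + server_suffix + b"\r\n"
            b"Content-Encoding: gzip\r\n\r\n\x1f\x8b\x08")

# Constructed from the values quoted in the post (bytes are an interpretation).
PASSED = sample(b" (H;ecid=1195049382:10.32.4.3:8408:0:2136out.smar\xc7T\xc4)")
REJECTED = sample(b" (H;ecid=1194964916:10.32.4.3:8357:0:5777b\x8b\x01 )")
CLEAN = sample(b"")  # the header value after the change: no debug suffix

if __name__ == "__main__":
    for label, raw in (("passed", PASSED), ("rejected", REJECTED), ("clean", CLEAN)):
        hits = audit_headers(raw)
        print(label, [(n, i, hex(b)) for n, i, b in hits] or "ok")
```

The gzip body bytes that follow the blank line are deliberately ignored, so only header values are judged.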



