2. Deny and error handling

When a request is blocked at the application level, Web Security Manager can either close the connection without responding at all, send an HTTP error code along with an error message, or redirect the client to a URL.

2.1. Deny action

Web Security Manager distinguishes between Query, Authentication and Parameter (the given value for a known parameter failed the access policy) violations.

URL Policy Violation

Violations related to the URL in general, such as HTTP method, headers, path and parameter names.

Parameter Policy Violation

Violations related to the content of query parameters.

Authentication Required

Violations related to authentication and authorization.

For each type a Deny Action can be configured.

Deny with [deny type]

Radio button

Display 404 not found or 403 authentication required error message.

When a request is denied the corresponding error page (403 or 404) is displayed.

Default: <selected>

Close connection

Radio button

Close the connection.

When a request is denied Web Security Manager simply closes the connection. No response is sent to the offending client.

Default: <not selected>

Redirect

Radio button

Redirect the request.

When a request is denied Web Security Manager sends HTTP/302 and a Location redirect HTTP header which redirects the offending client to the URL configured.

Default: <not selected>

2.2. Error messages

Web Security Manager intercepts error messages from the backend and replaces them with a generic, customizable error page. These are also the pages that are displayed if Web Security Manager is configured to display an error message when a request is denied.

The error pages are customizable and timed redirects can be inserted.

2.2.1. Document not found (error 40x)

When a request is denied with an error message or if the backend server returns an HTTP error 40x (400 401 402 404 405 406 407 408 409 410 411 412 413 414 415 416 417) the Document not found page is displayed.

Heading

Input field

The heading of the message page.

Valid input

Any string

Default value

Requested URL cannot be found

Message

Input field

The message displayed.

Valid input

Any string not containing html tags.

Newlines are transformed into <br>.

Use [b]text[/b] to put some text in bold typeface.

Use [p]paragraph text[/p] to insert paragraphs.

Default value

We are sorry, but the page you are looking for cannot be found. The page has either been removed, renamed or is temporarily unavailable.

Error

Input field

The error message displayed.

Valid input

Any string

Default value

HTTP 404 Not Found

Nav. back

Input field

The error page contains two navigation buttons. The nav. back button will take the user to the page the user came from.

Valid input

Any string

Default value

Back to previous page

Nav. forward

Input field

The error page contains two navigation buttons. The nav. forward button will take the user to the web site homepage.

Valid input

Any string

Default value

Proceed to homepage

Include redirect text and script

Check box

Enable / disable insertion of timed redirect JavaScript with corresponding text.

If enabled, a redirect text and a piece of JavaScript displaying a configurable countdown are displayed with the error text configured above.

Default: <disabled>

Redirect text

Input field

The redirect message displayed.

Valid input

Any string not containing html tags.

Newlines are transformed into <br>.

Use [b]text[/b] to put some text in bold typeface.

Use [p]paragraph text[/p] to insert paragraphs.

Use [countdown] to display countdown.

Use [link]link text[/link] to insert link to configured redirect target server.

Default value

You will be redirected to a an error page in [countdown] seconds. [link]Click here[/link] to be redirected immediately.

Redirect delay

Input field

Idle session timeout specifies the maximum duration of an idle session before it is dropped, resulting in the user being logged out from the web site.

Valid input

A number (integer) in the interval 2 - 3600 (one hour).

Input example

60 - (one minute)

Default value

10

Redirect URL

Input field

The URL to redirect to.

Valid input

A valid URL

Input example

http://sorryserver.mydomain.tld

Default value

none

Web Security Manager text

Read only

Trial license only.

In Web Security Manager Trial, error messages contain the message Web Security Manager web application firewall - TRIAL VERSION
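The redirect-text markup and the Redirect delay and Redirect URL limits described above, sketched as an added example (not Web Security Manager's own code): the renderer rejects HTML tags, escapes everything else, then expands the documented tags. The function names, the `countdown` element id and the http/https-only restriction are assumptions.

```javascript
// Added example: renders the redirect-text markup described above.
// All names here are hypothetical, not Web Security Manager's.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// "Valid input: a number (integer) in the interval 2 - 3600".
function checkDelay(delay) {
  if (!Number.isInteger(delay) || delay < 2 || delay > 3600) {
    throw new RangeError('redirect delay must be an integer in 2..3600');
  }
  return delay;
}

// "Valid input: a valid URL". Restricting to http/https is an assumption.
function checkRedirectUrl(url) {
  const u = new URL(url); // throws TypeError on malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new TypeError('redirect URL must use http or https');
  }
  return u.href;
}

function renderRedirectText(text, { delay, redirectUrl }) {
  // "Any string not containing html tags": reject rather than strip.
  if (/<\/?[a-z][^>]*>/i.test(text)) {
    throw new Error('HTML tags are not permitted in the redirect text');
  }
  const seconds = checkDelay(delay);
  const href = escapeHtml(checkRedirectUrl(redirectUrl));
  // Escape first, so only the documented bracket tags can produce markup.
  return escapeHtml(text)
    .replace(/\[b\]([\s\S]*?)\[\/b\]/g, '<b>$1</b>')
    .replace(/\[p\]([\s\S]*?)\[\/p\]/g, '<p>$1</p>')
    .replace(/\[link\]([\s\S]*?)\[\/link\]/g,
      (_, label) => `<a href="${href}">${label}</a>`)
    .replace(/\[countdown\]/g, `<span id="countdown">${seconds}</span>`)
    .replace(/\r?\n/g, '<br>');
}

// Constructed sample input, modelled on the default redirect text.
const sample = 'You will be redirected in [countdown] seconds.\n' +
  '[link]Click here[/link] to be [b]redirected[/b] immediately.';
console.log(renderRedirectText(sample, {
  delay: 10,
  redirectUrl: 'http://sorryserver.mydomain.tld',
}));
```

Escaping before tag expansion means a stray `<` or `&` in an administrator-supplied message is shown as text instead of being interpreted by the browser.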

2.2.2. Authentication required (error 403)

When a client request fails authentication or resource authorization and the request is denied with an error message or if the backend server returns an HTTP error 403 the Authentication required page is displayed.

Heading

Input field

The heading of the message page.

Valid input

Any string

Default value

Not allowed

Message

Input field

The message displayed.

Valid input

Any string

Default value

Access to the page you are trying to access is restricted to authorized clients. Please contact the site administrator if this is an error.

Error

Input field

The error message displayed.

Valid input

Any string

Default value

HTTP 403 Forbidden

Nav. back

Input field

The error page contains two navigation buttons. The nav. back button will take the user to the page the user came from.

Valid input

Any string

Default value

Back to previous page

Nav. forward

Input field

The error page contains two navigation buttons. The nav. forward button will take the user to the web site homepage.

Valid input

Any string

Default value

Proceed to homepage

Include redirect text and script

Check box

Enable / disable insertion of timed redirect JavaScript with corresponding text.

If enabled, a redirect text and a piece of JavaScript displaying a configurable countdown are displayed with the error text configured above.

Default: <disabled>

Redirect text

Input field

The redirect message displayed.

Valid input

Any string not containing html tags.

Newlines are transformed into <br>.

Use [b]text[/b] to put some text in bold typeface.

Use [p]paragraph text[/p] to insert paragraphs.

Use [countdown] to display countdown.

Use [link]link text[/link] to insert link to configured redirect target server.

Default value

You will be redirected to a an error page in [countdown] seconds. [link]Click here[/link] to be redirected immediately.

Redirect delay

Input field

Idle session timeout specifies the maximum duration of an idle session before it is dropped, resulting in the user being logged out from the web site.

Valid input

A number (integer) in the interval 2 - 3600 (one hour).

Input example

60 - (one minute)

Default value

10

Redirect URL

Input field

The URL to redirect to.

Valid input

A valid URL

Input example

http://sorryserver.mydomain.tld

Default value

none

Web Security Manager text

Read only

Trial license only.

In Web Security Manager Trial, error messages contain the message Web Security Manager web application firewall - TRIAL VERSION

2.2.3. Server error (error 50x)

When the backend server returns an HTTP error 50x (500 501 502 503 504 505 506 507), the Server error page is displayed.

Heading

Input field

The heading of the message page.

Valid input

Any string

Default value

Requested URL cannot be found

Message

Input field

The message displayed.

Valid input

Any string

Default value

We are sorry, but the page you are looking for cannot be found. The page has either been removed, renamed or is temporarily unavailable.

Error

Input field

The error message displayed.

Valid input

Any string

Default value

HTTP 502 Bad Gateway

Nav. back

Input field

The error page contains two navigation buttons. The nav. back button will take the user to the page the user came from.

Valid input

Any string

Default value

Back to previous page

Nav. forward

Input field

The error page contains two navigation buttons. The nav. forward button will take the user to the web site homepage.

Valid input

Any string

Default value

Proceed to homepage

Include redirect text and script

Check box

Enable / disable insertion of timed redirect JavaScript with corresponding text.

If enabled, a redirect text and a piece of JavaScript displaying a configurable countdown are displayed with the error text configured above.

Default: <disabled>

Redirect text

Input field

The redirect message displayed.

Valid input

Any string not containing html tags.

Newlines are transformed into <br>.

Use [b]text[/b] to put some text in bold typeface.

Use [p]paragraph text[/p] to insert paragraphs.

Use [countdown] to display countdown.

Use [link]link text[/link] to insert link to configured redirect target server.

Default value

You will be redirected to a an error page in [countdown] seconds. [link]Click here[/link] to be redirected immediately.

Redirect delay

Input field

Idle session timeout specifies the maximum duration of an idle session before it is dropped, resulting in the user being logged out from the web site.

Valid input

A number (integer) in the interval 2 - 3600 (one hour).

Input example

60 - (one minute)

Default value

10

Redirect URL

Input field

The URL to redirect to.

Valid input

A valid URL

Input example

http://sorryserver.mydomain.tld

Default value

none

Web Security Manager text

Read only

Trial license only.

In Web Security Manager Trial, error messages contain the message Web Security Manager web application firewall - TRIAL VERSION

2.3. Lower button bar

Default values

Revert to default values.

Save settings

Click Save settings to save settings.

© 2005 - 2012 Alert Logic inc.