Oracle Cloud Infrastructure Documentation

Managing Rule Sets

This topic describes how you can create rule sets composed of actions to apply to requests or responses at the listener. For example, you can add, alter, or remove HTTP headers. For more information about managing load balancer listeners, see Managing Load Balancer Listeners.

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: For a typical policy that gives access to load balancers and their components, see Let network admins manage load balancers.

Also, be aware that a policy statement with inspect load-balancers gives the specified group the ability to see all information about the load balancers. For more information, see Details for Load Balancing.

If you're new to policies, see Getting Started with Policies and Common Policies.

Working with Rule Sets

A rule set is a named set of rules associated with a load balancer and applied to one or more listeners on that load balancer. Rules are objects that represent actions applied to requests or responses at a load balancer listener. Possible actions include adding, altering, or removing HTTP headers. You can associate a maximum of 50 rules with a load balancer.

Rule sets are not shared between load balancers. To use the same set of rules on another load balancer, you must create a new, identical rule set under that load balancer.

You can apply an existing rule set when you create or edit a listener. You can apply the same rule set to multiple listeners on the same load balancer.

Rule sets can help you pass metadata to your backend servers to do things like:

  • Identify which listener sent a request.
  • Notify a backend server about SSL termination.

Examples of how rule sets can help you enhance site security include:

  • Adding headers to prevent external domains from iframing your site.
  • Removing debug headers, such as "Server", sent by backend servers. This action helps you hide the implementation details of your backend.
  • Adding the "strict-transport-security" header, with a proper value, to responses. This header helps guarantee that access to your site is HTTPS only.
  • Adding the "x-xss-protection" header with a proper value. This header helps you enforce the cross-site scripting (XSS) protection built into modern browsers.
  • Adding the "x-content-type" header with a proper value. This header helps you prevent attacks based on content type shifting.

Example: Notify WebLogic that the load balancer terminated SSL

You can configure your load balancer to perform SSL termination. Often, your backend applications require notification of this action. For example, HTTPS WebLogic e-commerce online transaction processing looks for the WL-Proxy-SSL header to confirm that a request came in over SSL. You can use rule sets to add this header at the load balancer listener.

  1. Follow the instructions to create a rule set and:

    1. Choose the Add Request Header option from the Action drop-down list.
    2. Enter WL-Proxy-SSL as the Header name.
    3. Set the header Value:

      • If your load balancer is configured to perform SSL termination, set this value to "true".
      • If the SSL termination point is in the web server where the plug-in operates, set this value to "false".
  2. Create a listener, or edit an existing listener, and add the new rule set.
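
Added example, not part of the original documentation and not Oracle code: a Python model of the two uses described above (hardening response headers and adding WL-Proxy-SSL) that checks the 50-rule limit and simulates what a listener does to headers, without calling Oracle Cloud. The rule set names, header values, and the validate and apply_rules helpers are assumptions for illustration; an add action is modelled as replacing any existing header of the same name, and the content-type header is written with its standard name, X-Content-Type-Options.

```python
# Added example: models rule set items offline; it does not call Oracle Cloud.
# Action names follow the Load Balancing API's rule actions; the rule set
# names and header values are constructed for illustration.
MAX_RULES = 50  # per-load-balancer limit stated on this page

HARDENING = {"name": "example_hardening", "items": [
    {"action": "REMOVE_HTTP_RESPONSE_HEADER", "header": "Server"},
    {"action": "ADD_HTTP_RESPONSE_HEADER", "header": "strict-transport-security",
     "value": "max-age=31536000"},
    {"action": "ADD_HTTP_RESPONSE_HEADER", "header": "x-frame-options",
     "value": "SAMEORIGIN"},
    {"action": "ADD_HTTP_RESPONSE_HEADER", "header": "x-content-type-options",
     "value": "nosniff"},
]}
SSL_NOTIFY = {"name": "example_ssl_notify", "items": [
    {"action": "ADD_HTTP_REQUEST_HEADER", "header": "WL-Proxy-SSL", "value": "true"},
]}

def validate(rule_sets):
    """Return a list of problems: total rules over the limit, ADD rules with no value."""
    problems = []
    total = sum(len(rs["items"]) for rs in rule_sets)
    if total > MAX_RULES:
        problems.append(f"{total} rules exceeds limit of {MAX_RULES}")
    for rs in rule_sets:
        for item in rs["items"]:
            if item["action"].startswith("ADD_") and not item.get("value"):
                problems.append(f"{rs['name']}: {item['header']} has no value")
    return problems

def apply_rules(rule_set, headers, direction):
    """Simulate a listener applying a rule set to "REQUEST" or "RESPONSE" headers."""
    out = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for item in rule_set["items"]:
        verb, _, rest = item["action"].partition("_HTTP_")
        if not rest.startswith(direction):
            continue  # rule targets the other direction
        name = item["header"].lower()
        out.pop(name, None)  # REMOVE drops it; ADD is modelled as replace (assumption)
        if verb == "ADD":
            out[name] = item["value"]
    return out

if __name__ == "__main__":
    backend = {"Server": "ExampleServer/1.0", "Content-Type": "text/html"}  # constructed
    print(validate([HARDENING, SSL_NOTIFY]))
    print(apply_rules(HARDENING, backend, "RESPONSE"))
    print(apply_rules(SSL_NOTIFY, {"WL-Proxy-SSL": "false"}, "REQUEST"))
```

The last call shows why the header should be set at the listener rather than trusted from the client: a client-supplied WL-Proxy-SSL value is overwritten with the value the load balancer asserts.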

Using the Console

To apply a rule set to a listener, you first create the rule set that contains the rules. The rule set becomes a part of the load balancer's configuration. You can specify the rule set to use when you create or update a listener for the load balancer.

To create a rule set
To update a rule set
To remove a rule set from a listener

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to manage rule sets: