Using Web Server Plug-Ins with WebLogic Server

Parameters for Web Server Plug-Ins

The following sections describe the parameters that you use to configure the Apache, Netscape, and Microsoft IIS Web server plug-ins:

Entering Parameters in Web Server Plug-In Configuration Files

You enter the parameters for each Web server plug-in in special configuration files. Each Web server has a different name for this configuration file and different rules for formatting the file. For details, see the following sections on each plug-in:

General Parameters for Web Server Plug-Ins

Note: Parameters are case sensitive.


Table 6-1   Plug-In Parameters





	
		
			
Parameter


		 		
			
Default 


		 		
			
Description


		 		
			
Applicable to 


		
	
	
		
			
ConnectRetrySecs


		
		
			
2


		
		
			
Interval in seconds that the plug-in should sleep between attempts to connect to the WebLogic Server host. Make this number less than the ConnectTimeoutSecs. The number of times the plug-in tries to connect before returning an HTTP 503/Service Unavailable response to the client is calculated by dividing ConnectTimeoutSecs by ConnectRetrySecs. 


To specify no retries, set ConnectRetrySecs equal to ConnectTimeoutSecs. However, the plug-in attempts to connect at least twice.


You can customize the error response by using the ErrorPage parameter.


		
		
			
NSAPI, ISAPI, and Apache plug-in, and HttpClusterServlet


		

	
	
		
			
ConnectTimeoutSecs


		
		
			
10


		
		
			
Maximum time in seconds that the plug-in should attempt to connect to the WebLogic Server host. Make the value greater than ConnectRetrySecs. If ConnectTimeoutSecs expires without a successful connection, even after the appropriate retries (see ConnectRetrySecs), an HTTP 503/Service Unavailable response is sent to the client. 


You can customize the error response by using the ErrorPage parameter.


		
		
			
NSAPI, ISAPI, and Apache plug-in, and HttpClusterServlet 


		

	
	
		
			
CookieName


		
		
			
JSESSIONID


		
		
			
If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, you need to change the CookieName parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor>element.

Note:	 The CookieName parameter has been renamed as WLCookieName. A warning message is issued if you continue to use the old parameter name.

		
		
			
NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
Debug


		
		
			
OFF


		
		
			
Sets the type of logging performed for debugging operations. The debugging information is written to the /tmp/wlproxy.log file on UNIX systems and to the  c:\TEMP\wlproxy.log file on Windows NT/2000 systems. Override this location and filename by setting the WLLogFile parameter to a different directory and file. Ensure that the tmp or TEMP directory has write permission assigned to the user who is logged in to the server. Set any of the following logging options (HFC,HTW,HFW, and HTC options may be set in combination by entering them separated by commas, for example "HFC,HTW"):

ON

The plug-in logs informational and error messages.


OFF

No debugging information is logged.


HFC

The plug-in logs headers from the client, informational, and error messages.


HTW

The plug-in logs headers sent to WebLogic Server, and informational and error messages.


HFW

The plug-in logs headers sent from WebLogic Server, and informational and error messages.



		
		
			
NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
Debug (contd)


		
		
			




		
		
			HTC

The plug-in logs headers sent to the client, informational messages, and error messages.


ERR

Prints only the error messages in the plug-in.


ALL

The plug-in logs headers sent to and from the client, headers sent to and from WebLogic Server, information messages, and error messages.



		
		
			




		

	
	
		
			
DebugConfigInfo


		
		
			
OFF


		
		
			
Enables the special query parameter "__WebLogicBridgeConfig". Use it to get details about configuration parameters from the plug-in.


For example, if you enable "__WebLogicBridgeConfig" by setting DebugConfigInfo and then send a request that includes the query string ?__WebLogicBridgeConfig, then the plug-in gathers the configuration information and run-time statistics and returns the information to the browser. The plug-in does not connect to WebLogic Server in this case. 


This parameter is strictly for debugging and the format of the output message can change with releases. For security purposes, keep this parameter turned OFF in production systems. 


		
		
			
NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
DefaultFileName


		
		
			
none


		
		
			
If the URI is "/" then the plug-in performs the following steps:

1.	 Trims the path specified with the PathTrim parameter.
2.	 Appends the value of DefaultFileName.
3.	 Prepends the value specified with PathPrepend.
This procedure prevents redirects from WebLogic Server.


Set the DefaultFileName to the default welcome page of the Web Application in WebLogic Server to which requests are being proxied. For example, If the DefaultFileName is set to welcome.html, an HTTP request like "http://somehost/weblogic" becomes "http://somehost/weblogic/welcome.html". For this parameter to function, the same file must be specified as a welcome file in all the Web Applications to which requests are directed. For more information, see "Configuring Welcome Pages".


Note for Apache users: If you are using Stronghold or Raven versions, define this parameter inside of a Location block, and not in an IfModule block.


		
		
			
NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
DynamicServerList


		
		
			
ON


		
		
			
When set to OFF, the plug-in ignores the dynamic cluster list used for load balancing requests proxied from the plug-in and only uses the static list specified with the WebLogicCluster parameter. Normally this parameter should remain set to ON.


There are some implications for setting this parameter to OFF:

If one or more servers in the static list fails, the plug-in could waste time trying to connect to a dead server, resulting in decreased performance.
If you add a new server to the cluster, the plug-in cannot proxy requests to the new server unless you redefine this parameter. WebLogic Server automatically adds new servers to the dynamic server list when they become part of the cluster.

		
		
			
NSAPI, ISAPI, and Apache plug-in, and HttpClusterServlet


		

	
	
		
			
ErrorPage


		
		
			
none


		
		
			
You can create your own error page that is redirected to, when your Web server is unable to forward requests to WebLogic Server.


The plug-in redirects to an error page when the back-end server returns an HTTP 503/Service Unavailable response and there are no servers for failover.


		
		
			
ISAPI, Apache, and NSAPI plug-in


		

	
	
		
			
FileCaching


		
		
			
ON


		
		
			
When set to ON, and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk and then forwarded to the WebLogic Server in chunks of 8192 bytes.  This preserves the POST data during failover, allowing all necessary data to be repeated to the secondary if the primary goes down.


Note that when FileCaching is ON, any client that tracks the progress of the POST will see that the transfer has completed even though the data is still being transferred between the WebServer and WebLogic.  So, if you want the progress bar displayed by a browser during the upload to reflect when the data is actually available on the WebLogic Server, you might not want to have FileCaching ON.


When set to OFF and the size of the POST data in a request is greater than 2048 bytes, the reading of the POST data is postponed until a WebLogic Server cluster member is identified to serve the request. Then the Plugin reads and immediately sends the POST data to the WebLogic Server in chunks of 8192 bytes.


Note that turning FileCaching OFF limits failover. If the WebLogic Server primary server goes down while processing the request, the POST data already sent to the primary cannot be repeated to the secondary.


Finally, regardless of how FileCaching is set, if the size of the POST data is 2048 bytes or less the plugin will read the data into memory and use it if needed during failover to repeat to the secondary.


		
		
			
ISAPI, Apache and NSAPI plug-in, and HttpClusterServlet


		

	
	
		
			
FilterPriorityLevel


		
		
			
2


		
		
			
The values for this parameter are 0 (low), 1 (medium), and 2 (high). The default value is 2. This priority should be put in iisforward.ini file. This property is used to set the priority level for the iisforward.dll filter in IIS. Priority level is used by IIS to decide which filter will be invoked first, in case multiple filters match the incoming request. 


		
		
			
ISAPI plug-in


		

	
	
		
			
Idempotent


		
		
			
ON


		
		
			
When set to ON and if the servers do not respond within WLIOTimeoutSecs (new name for HungServerRecoverSecs), the plug-ins fail over. 


If set to "OFF" the plug-ins do not fail over. If you are using the Netscape Enterprise Server Plug-In, or Apache HTTP Server you can set this parameter differently for different URLs or MIME types.


		
		
			
ISAPI, Apache and NSAPI plug-in, and HttpClusterServlet


		

	
	
		
			
KeepAliveEnabled


(Does not apply to Apache HTTP Server version 1.3.x)


		
		
			
true (Netscape and Microsoft IIS plug-ins)


ON (Apache plug-in)


		
		
			
Enables pooling of connections between the plug-in and WebLogic Server.


Valid values for the Netscape and Microsoft IIS plug-ins are true and false.


Valid values for the Apache plug-in are ON and OFF.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
KeepAliveSecs


(Does not apply to Apache HTTP Server version 1.3.x)


		
		
			
20


		
		
			
The length of time after which an inactive connection between the plug-in and WebLogic Server is closed. You must set KeepAliveEnabled to true (ON when using the Apache plug-in) for this parameter to be effective.


The value of this parameter must be less than or equal to the value of the Duration field set in the Administration Console on the Server/HTTP tab, or the value set on the server Mbean with the KeepAliveSecs attribute.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
MatchExpression


		
		
			
none


		
		
			
When proxying by MIME type, set the filename pattern inside of an IfModule block using the MatchExpression parameter. 


Example when proxying by MIME type:


<IfModule mod_weblogic.c>
  MatchExpression *.jsp    WebLogicHost=myHost|paramName=value
</IfModule>


Example when proxying by path:


<IfModule mod_weblogic.c>
  MatchExpression /weblogic    WebLogicHost=myHost|paramName=value
</IfModule>


It is possible to define a new parameter for MatchExpression using the following syntax:


MatchExpression *.jsp PathPrepend=/test PathTrim=/foo


		
		
			
Apache plug-in


		

	
	
		
			
MaxPostSize


		
		
			
-1


		
		
			
Maximum allowable size of POST data, in bytes. If the content-length exceeds MaxPostSize, the plug-in returns an error message. If set to -1, the size of POST data is not checked. This is useful for preventing denial-of-service attacks that attempt to overload the server with POST data.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
MaxSkipTime


		
		
			
10


		
		
			
If a WebLogic Server instance listed in either the WebLogicCluster parameter or a dynamic cluster list returned from WebLogic Server fails, the failed server is marked as "bad" and the plug-in attempts to connect to the next server in the list.


MaxSkipTime sets the amount of time after which the plug-in will retry the server marked as "bad." The plug-in attempts to connect to a new server in the list each time a unique request is received (that is, a request without a cookie).

Note:	 The MaxSkips parameter has been deprecated as the MaxSkipTime parameter. 

		
		
			
ISAPI, Apache and NSAPI plug-in, and HttpClusterServlet,


		

	
	
		
			
PathPrepend


		
		
			
null


		
		
			
As per the RFC specification, generic syntax for URL is


[PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}....


PathPrepend specifies the path that the plug-in prepends to the {PATH} portion of the original URL, after PathTrim is trimmed and before the request is forwarded to WebLogic Server.


Note that if you need to append File Name, use DefaultFileName plug-in parameter instead of PathPrepend.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
PathTrim


		
		
			
null


		
		
			
As per the RFC specification, generic syntax for URL is


[PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}....


PathTrim specifies the string trimmed by the plug-in from the {PATH}/{FILENAME} portion of the original URL, before the request is forwarded to WebLogic Server. For example, if the URL


http://myWeb.server.com/weblogic/foo


is passed to the plug-in for parsing and if PathTrim has been set to strip off /weblogic before handing the URL to WebLogic Server, the URL forwarded to WebLogic Server is: 


http://myWeb.server.com:7001/foo


Note that if you are newly converting an existing third-party server to proxy requests to WebLogic Server using the plug-in, you will need to change application paths to /foo to include weblogic/foo. You can use PathTrim and PathPrepend in combination to change this path.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
QueryFromRequest


		
		
			
OFF


		
		
			
When set to ON, specifies that the Apache plug-in use 
(request_rec *)r->the request 
to pass the query string to WebLogic Server. (For more information, see your Apache documentation.) This behavior is desirable in the following situations:

When a Netscape version 4.x browser makes requests that contain spaces in the query string
If you are using Raven Apache 1.5.2 on HP

When set to OFF, the Apache plug-in uses
(request_rec *)r->args to pass the query string to WebLogic Server.


		
		
			
Apache plug-in


		

	
	
		
			
StatPath


		
		
			
false


		
		
			
If set to true, the plug-in checks the existence and permissions of the translated path ("Proxy-Path-Translated") of the request before forwarding the request to WebLogic Server.


If the file does not exist, an HTTP 404 File Not Found response is returned to the client. If the file exists but is not world-readable, an HTTP 403/Forbidden response is returned to the client. In either case, the default mechanism for the Web server to handle these responses fulfills the body of the response. This option is useful if both the WebLogic Server Web Application and the Web Server have the same document root. 


You can customize the error response by using the ErrorPage parameter.


		
		
			
NSAPI and Apache plug-in 


		

	
	
		
			
WebLogicCluster


(Required when proxying to a cluster of WebLogic Servers, or to multiple non-clustered servers.)


		
		
			
none


		
		
			
List of WebLogic Servers that can be used for load balancing. The server or cluster list is a list of host:port entries. If a mixed set of clusters and unclustered servers is specified, the dynamic list returned for this parameter will return only the clustered servers.


The method of specifying the parameter, and the required format vary by plug-in. See the examples in:

Installing and Configuring the Netscape Enterprise Server Plug-In (NSAPI)
Installing and Configuring the Microsoft Internet Information Server (ISAPI) Plug-In
Installing and Configuring the Apache HTTP Server Plug-In

If you are using SSL between the plug-in and WebLogic Server, set the port number to the SSL listen port (see Configuring the SSL Protocol) and set the SecureProxy parameter to ON.


The plug-in does a simple round-robin between all available servers. The server list specified in this property is a starting point for the dynamic server list that the server and plug-in maintain. WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members.


You can disable the use of the dynamic cluster list by setting the DynamicServerList parameter to OFF 


The plug-in directs HTTP requests containing a cookie, URL-encoded session, or a session stored in the POST data to the server in the cluster that originally created the cookie. 


		
		
			
ISAPI, Apache and NSAPI plug-in,and HttpClusterServlet


		

	
	
		
			
WebLogicHost


(Required when proxying to a single WebLogic Server.) 


		
		
			
none


		
		
			
WebLogic Server host (or virtual host name as defined in WebLogic Server) to which HTTP requests should be forwarded.


If you are using a WebLogic cluster, use the WebLogicCluster parameter instead of WebLogicHost.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
WebLogicPort


(Required when proxying to a single WebLogic Server instance.)


		
		
			
none


		
		
			
Port at which the WebLogic Server host is listening for connection requests from the plug-in (or from other servers). (If you are using SSL between the plug-in and WebLogic Server, set this parameter to the SSL listen port (see Configuring the SSL Protocol) and set the SecureProxy parameter to ON).


If you are using a WebLogic Cluster, use the WebLogicCluster parameter instead of WebLogicPort.


		
		
			
ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
WLDNSRefreshInterval


		
		
			
0 (Lookup once, during startup)


		
		
			
If defined in the proxy configuration, specifies number of seconds interval at which WebLogic Server refreshes DNS name to IP mapping for a server.  This can be used in the event that a WebLogic Server instance is migrated to a different IP address, but the DNS name for that server's IP remains the same.  In this case, at the specified refresh interval the DNS<->IP mapping will be updated.


		
		
			
NSAPI and Apache plug-in


		

	
	
		
			
WLExcludePathOrMimeType


		
		
			
none


		
		
			
This parameter allows you to exclude certain requests, specified by path or MIME type, from proxying.


This parameter can be defined locally at the Location tag level as well as globally. When the property is defined locally, it does not override the global property but defines a union of the two parameters.

Note:	 The MIME types defined by this paramenter should be separated by commas, without any space in between the entries.

		
		
			
NSAPI, ISAPI, and Apache plug-in


		

	
	
		
			
WlForwardPath


		
		
			
null


		
		
			
If WlForwardPath is set to "/" all requests are proxied. To forward any requests starting with a particular string, set WlForwardPath to the string. For example, setting WlForwardPath to /weblogic forwards all requests starting with /weblogic to Weblogic Server.


This parameter is required if you are proxying by path. You can set multiple strings by separating the strings with commas. For example: WlForwardPath=/weblogic,/bea.


		
		
			
ISAPI plug-in


		

	
	
		
			
WLIOTimeoutSecs (new name for HungServerRecoverSecs)


		
		
			
300


		
		
			
Defines the amount of time the plug-in waits for a response to a request from WebLogic Server. The plug-in waits for HungServerRecoverSecs for the server to respond and then declares that server dead, and fails over to the next server. The value should be set to a very large value. If the value is less than the time the servlets take to process, then you may see unexpected results.   


Minimum value: 10
Maximum value: Unlimited


		
		
			
NSAPI, ISAPI, and Apache plug-in


		

	
	
		
			
WLLocalIP


		
		
			
none


		
		
			
Defines the IP address to bind to when the plug-in connects to a WebLogic Server instance running on a multihomed machine.


If WLLocalIP is not set, a random IP address on the multi-homed machine is used.


		
		
			
NSAPI, ISAPI, and Apache plug-in


		

	
	
		
			
WLLogFile


		
		
			
See the Debug parameter


		
		
			
Specifies path and file name for the log file that is generated when the Debug parameter is set to ON. You must create this directory before setting this parameter.


		
		
			
NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
WLProxySSL


		
		
			
OFF


		
		
			
Set this parameter to ON to maintain SSL communication between the plug-in and WebLogic Server when the following conditions exist:

 An HTTP client request specifies the HTTPS protocol 
 The request is passed through one or more proxy servers (including the WebLogic Server proxy plug-ins)
The connection between the plug-in and WebLogic Server uses the HTTP protocol

When WLProxySSL is set to ON, the location header returned to the client from WebLogic Server specifies the HTTPS protocol.


		
		
			
NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet


		

	
	
		
			
WLSendHdrSeparately


		
		
			
ON


		
		
			
When this parameter is set to ON, header and body of the response are sent in separate packets.

Note:	 If you need to send the header and body of the response in two calls, for example, in cases where you have other ISAPI filters or programmatic clients, that expect the headers before the body, set this parameter to ON.

		
		
			
ISAPI plug-in


		

	
	
		
			
WLSocketTimeoutSecs


		
		
			
2 (must be greater than 0)


		
		
			
Set the timeout for the socket while connecting, in seconds. 


		
		
			
NSAPI, ISAPI, and Apache plug-in


		

	
	
		
			
WLTempDir


		
		
			
See the Debug parameter


		
		
			
Specifies the directory where a wlproxy.log will be created. If the location fails, the Plug-In resorts to creating the log file under C:/temp in Windows and /tmp in all Unix platforms.


Also specifies the location of the _wl_proxy directory for post data files. 


When both WLTempDir and WLLogFile are set, WLLogFile will override as to the location of wlproxy.log. WLTempDir will still determine the location of _wl_proxy directory.


		
		
			
NSAPI, ISAPI, and Apache plug-in

Parameter	Default	Description	Applicable to
`ConnectRetrySecs`	`2`	Interval in seconds that the plug-in should sleep between attempts to connect to the WebLogic Server host. Make this number less than the `ConnectTimeoutSecs`. The number of times the plug-in tries to connect before returning an `HTTP 503/Service Unavailable` response to the client is calculated by dividing ConnectTimeoutSecs by `ConnectRetrySecs`. To specify no retries, set `ConnectRetrySecs` equal to `ConnectTimeoutSecs`. However, the plug-in attempts to connect at least twice. You can customize the error response by using the ErrorPage parameter.	NSAPI, ISAPI, and Apache plug-in, and HttpClusterServlet
`ConnectTimeoutSecs`	`10`	Maximum time in seconds that the plug-in should attempt to connect to the WebLogic Server host. Make the value greater than ConnectRetrySecs. If `ConnectTimeoutSecs` expires without a successful connection, even after the appropriate retries (see `ConnectRetrySecs`), an `HTTP 503/Service Unavailable` response is sent to the client. You can customize the error response by using the ErrorPage parameter.	NSAPI, ISAPI, and Apache plug-in, and HttpClusterServlet
`CookieName`	`JSESSIONID`	If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, you need to change the `CookieName` parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor>element. Note: The `CookieName` parameter has been renamed as `WLCookieName`. A warning message is issued if you continue to use the old parameter name.	NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet
`Debug`	`OFF`	Sets the type of logging performed for debugging operations. The debugging information is written to the `/tmp/wlproxy.log` file on UNIX systems and to the `c:\TEMP\wlproxy.log` file on Windows NT/2000 systems. Override this location and filename by setting the WLLogFile parameter to a different directory and file. Ensure that the tmp or TEMP directory has write permission assigned to the user who is logged in to the server. Set any of the following logging options (`HFC,HTW,HFW,` and `HTC` options may be set in combination by entering them separated by commas, for example "`HFC,HTW`"): `ON` The plug-in logs informational and error messages. `OFF` No debugging information is logged. `HFC` The plug-in logs headers from the client, informational, and error messages. `HTW` The plug-in logs headers sent to WebLogic Server, and informational and error messages. `HFW` The plug-in logs headers sent from WebLogic Server, and informational and error messages.	NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet
`Debug` (contd)		`HTC` The plug-in logs headers sent to the client, informational messages, and error messages. `ERR` Prints only the error messages in the plug-in. `ALL` The plug-in logs headers sent to and from the client, headers sent to and from WebLogic Server, information messages, and error messages.
`DebugConfigInfo`	`OFF`	Enables the special query parameter "`__WebLogicBridgeConfig`". Use it to get details about configuration parameters from the plug-in. For example, if you enable "`__WebLogicBridgeConfig`" by setting `DebugConfigInfo` and then send a request that includes the query string `?__WebLogicBridgeConfig`, then the plug-in gathers the configuration information and run-time statistics and returns the information to the browser. The plug-in does not connect to WebLogic Server in this case. This parameter is strictly for debugging and the format of the output message can change with releases. For security purposes, keep this parameter turned OFF in production systems.	NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet
`DefaultFileName`	`none`	If the URI is "`/`" then the plug-in performs the following steps: 1. Trims the path specified with the PathTrim parameter. 2. Appends the value of `DefaultFileName`. 3. Prepends the value specified with PathPrepend. This procedure prevents redirects from WebLogic Server. Set the `DefaultFileName` to the default welcome page of the Web Application in WebLogic Server to which requests are being proxied. For example, If the `DefaultFileName` is set to `welcome.html`, an HTTP request like "`http://somehost/weblogic`" becomes "`http://somehost/weblogic/welcome.html`". For this parameter to function, the same file must be specified as a welcome file in all the Web Applications to which requests are directed. For more information, see "Configuring Welcome Pages". Note for Apache users: If you are using Stronghold or Raven versions, define this parameter inside of a `Location` block, and not in an `IfModule` block.	NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet
`DynamicServerList`	ON	When set to `OFF`, the plug-in ignores the dynamic cluster list used for load balancing requests proxied from the plug-in and only uses the static list specified with the WebLogicCluster parameter. Normally this parameter should remain set to `ON`. There are some implications for setting this parameter to `OFF`: If one or more servers in the static list fails, the plug-in could waste time trying to connect to a dead server, resulting in decreased performance. If you add a new server to the cluster, the plug-in cannot proxy requests to the new server unless you redefine this parameter. WebLogic Server automatically adds new servers to the dynamic server list when they become part of the cluster.	NSAPI, ISAPI, and Apache plug-in, and HttpClusterServlet
`ErrorPage`	`none`	You can create your own error page that is redirected to, when your Web server is unable to forward requests to WebLogic Server. The plug-in redirects to an error page when the back-end server returns an HTTP 503/Service Unavailable response and there are no servers for failover.	ISAPI, Apache, and NSAPI plug-in
`FileCaching`	`ON`	When set to ON, and the size of the POST data in a request is greater than 2048 bytes, the POST data is first read into a temporary file on disk and then forwarded to the WebLogic Server in chunks of 8192 bytes. This preserves the POST data during failover, allowing all necessary data to be repeated to the secondary if the primary goes down. Note that when FileCaching is ON, any client that tracks the progress of the POST will see that the transfer has completed even though the data is still being transferred between the WebServer and WebLogic. So, if you want the progress bar displayed by a browser during the upload to reflect when the data is actually available on the WebLogic Server, you might not want to have FileCaching ON. When set to OFF and the size of the POST data in a request is greater than 2048 bytes, the reading of the POST data is postponed until a WebLogic Server cluster member is identified to serve the request. Then the Plugin reads and immediately sends the POST data to the WebLogic Server in chunks of 8192 bytes. Note that turning FileCaching OFF limits failover. If the WebLogic Server primary server goes down while processing the request, the POST data already sent to the primary cannot be repeated to the secondary. Finally, regardless of how FileCaching is set, if the size of the POST data is 2048 bytes or less the plugin will read the data into memory and use it if needed during failover to repeat to the secondary.	ISAPI, Apache and NSAPI plug-in, and HttpClusterServlet
`FilterPriorityLevel`	2	The values for this parameter are 0 (low), 1 (medium), and 2 (high). The default value is 2. This priority should be put in `iisforward.ini` file. This property is used to set the priority level for the `iisforward.dll` filter in IIS. Priority level is used by IIS to decide which filter will be invoked first, in case multiple filters match the incoming request.	ISAPI plug-in
`Idempotent`	`ON`	When set to `ON` and if the servers do not respond within WLIOTimeoutSecs (new name for HungServerRecoverSecs), the plug-ins fail over. If set to "`OFF`" the plug-ins do not fail over. If you are using the Netscape Enterprise Server Plug-In, or Apache HTTP Server you can set this parameter differently for different URLs or MIME types.	ISAPI, Apache and NSAPI plug-in, and HttpClusterServlet
`KeepAliveEnabled` (Does not apply to Apache HTTP Server version 1.3.x)	`true` (Netscape and Microsoft IIS plug-ins) `ON` (Apache plug-in)	Enables pooling of connections between the plug-in and WebLogic Server. Valid values for the Netscape and Microsoft IIS plug-ins are `true` and `false`. Valid values for the Apache plug-in are `ON` and `OFF`.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`KeepAliveSecs` (Does not apply to Apache HTTP Server version 1.3.x)	`20`	The length of time after which an inactive connection between the plug-in and WebLogic Server is closed. You must set `KeepAliveEnabled` to `true` (`ON` when using the Apache plug-in) for this parameter to be effective. The value of this parameter must be less than or equal to the value of the Duration field set in the Administration Console on the Server/HTTP tab, or the value set on the `server` Mbean with the `KeepAliveSecs` attribute.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`MatchExpression`	`none`	When proxying by MIME type, set the filename pattern inside of an `IfModule` block using the `MatchExpression` parameter. Example when proxying by MIME type: `<IfModule mod_weblogic.c> MatchExpression .jsp WebLogicHost=myHost\|paramName=value </IfModule>` Example when proxying by path: `<IfModule mod_weblogic.c> MatchExpression /weblogic WebLogicHost=myHost\|paramName=value </IfModule>` It is possible to define a new parameter for MatchExpression using the following syntax: `MatchExpression .jsp PathPrepend=/test PathTrim=/foo`	Apache plug-in
`MaxPostSize`	`-1`	Maximum allowable size of POST data, in bytes. If the content-length exceeds `MaxPostSize`, the plug-in returns an error message. If set to `-1`, the size of POST data is not checked. This is useful for preventing denial-of-service attacks that attempt to overload the server with POST data.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`MaxSkipTime`	10	If a WebLogic Server instance listed in either the WebLogicCluster parameter or a dynamic cluster list returned from WebLogic Server fails, the failed server is marked as "bad" and the plug-in attempts to connect to the next server in the list. `MaxSkipTime` sets the amount of time after which the plug-in will retry the server marked as "bad." The plug-in attempts to connect to a new server in the list each time a unique request is received (that is, a request without a cookie). Note: The MaxSkips parameter has been deprecated as the MaxSkipTime parameter.	ISAPI, Apache and NSAPI plug-in, and HttpClusterServlet,
`PathPrepend`	`null`	As per the RFC specification, generic syntax for URL is `[PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}...`. `PathPrepend` specifies the path that the plug-in prepends to the `{PATH}` portion of the original URL, after PathTrim is trimmed and before the request is forwarded to WebLogic Server. Note that if you need to append File Name, use DefaultFileName plug-in parameter instead of `PathPrepend`.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`PathTrim`	`null`	As per the RFC specification, generic syntax for URL is `[PROTOCOL]://[HOSTNAME]:{PORT}/{PATH}/{FILENAME};{PATH_PARAMS}/{QUERY_STRING}...`. `PathTrim` specifies the string trimmed by the plug-in from the `{PATH}/{FILENAME}` portion of the original URL, before the request is forwarded to WebLogic Server. For example, if the URL `http://myWeb.server.com/weblogic/foo` is passed to the plug-in for parsing and if `PathTrim` has been set to strip off `/weblogic` before handing the URL to WebLogic Server, the URL forwarded to WebLogic Server is: `http://myWeb.server.com:7001/foo` Note that if you are newly converting an existing third-party server to proxy requests to WebLogic Server using the plug-in, you will need to change application paths to `/foo` to include `weblogic/foo`. You can use `PathTrim` and PathPrepend in combination to change this path.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`QueryFromRequest`	`OFF`	When set to `ON`, specifies that the Apache plug-in use `(request_rec )r->the request` to pass the query string to WebLogic Server. (For more information, see your Apache documentation.) This behavior is desirable in the following situations: When a Netscape version 4.x browser makes requests that contain spaces in the query string If you are using Raven Apache 1.5.2 on HP When set to `OFF`, the Apache plug-in uses `(request_rec )r->args` to pass the query string to WebLogic Server.	Apache plug-in
`StatPath`	`false`	If set to `true`, the plug-in checks the existence and permissions of the translated path ("Proxy-Path-Translated") of the request before forwarding the request to WebLogic Server. If the file does not exist, an `HTTP 404 File Not Found` response is returned to the client. If the file exists but is not world-readable, an `HTTP 403/Forbidden` response is returned to the client. In either case, the default mechanism for the Web server to handle these responses fulfills the body of the response. This option is useful if both the WebLogic Server Web Application and the Web Server have the same document root. You can customize the error response by using the ErrorPage parameter.	NSAPI and Apache plug-in
`WebLogicCluster` (Required when proxying to a cluster of WebLogic Servers, or to multiple non-clustered servers.)	`none`	List of WebLogic Servers that can be used for load balancing. The server or cluster list is a list of host:port entries. If a mixed set of clusters and unclustered servers is specified, the dynamic list returned for this parameter will return only the clustered servers. The method of specifying the parameter, and the required format vary by plug-in. See the examples in: Installing and Configuring the Netscape Enterprise Server Plug-In (NSAPI) Installing and Configuring the Microsoft Internet Information Server (ISAPI) Plug-In Installing and Configuring the Apache HTTP Server Plug-In If you are using SSL between the plug-in and WebLogic Server, set the port number to the SSL listen port (see Configuring the SSL Protocol) and set the SecureProxy parameter to `ON`. The plug-in does a simple round-robin between all available servers. The server list specified in this property is a starting point for the dynamic server list that the server and plug-in maintain. WebLogic Server and the plug-in work together to update the server list automatically with new, failed, and recovered cluster members. You can disable the use of the dynamic cluster list by setting the DynamicServerList parameter to `OFF` The plug-in directs HTTP requests containing a cookie, URL-encoded session, or a session stored in the POST data to the server in the cluster that originally created the cookie.	ISAPI, Apache and NSAPI plug-in,and HttpClusterServlet
`WebLogicHost` (Required when proxying to a single WebLogic Server.)	`none`	WebLogic Server host (or virtual host name as defined in WebLogic Server) to which HTTP requests should be forwarded. If you are using a WebLogic cluster, use the `WebLogicCluster` parameter instead of `WebLogicHost`.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`WebLogicPort` (Required when proxying to a single WebLogic Server instance.)	`none`	Port at which the WebLogic Server host is listening for connection requests from the plug-in (or from other servers). (If you are using SSL between the plug-in and WebLogic Server, set this parameter to the SSL listen port (see Configuring the SSL Protocol) and set the SecureProxy parameter to `ON`). If you are using a WebLogic Cluster, use the WebLogicCluster parameter instead of `WebLogicPort`.	ISAPI, Apache and NSAPI plug-in, HttpClusterServlet, and HttpProxyServlet
`WLDNSRefreshInterval`	0 (Lookup once, during startup)	If defined in the proxy configuration, specifies number of seconds interval at which WebLogic Server refreshes DNS name to IP mapping for a server. This can be used in the event that a WebLogic Server instance is migrated to a different IP address, but the DNS name for that server's IP remains the same. In this case, at the specified refresh interval the DNS<->IP mapping will be updated.	NSAPI and Apache plug-in
`WLExcludePathOrMimeType`	none	This parameter allows you to exclude certain requests, specified by path or MIME type, from proxying. This parameter can be defined locally at the Location tag level as well as globally. When the property is defined locally, it does not override the global property but defines a union of the two parameters. Note: The MIME types defined by this paramenter should be separated by commas, without any space in between the entries.	NSAPI, ISAPI, and Apache plug-in
`WlForwardPath`	null	If `WlForwardPath` is set to "/" all requests are proxied. To forward any requests starting with a particular string, set `WlForwardPath` to the string. For example, setting `WlForwardPath` to `/weblogic` forwards all requests starting with `/weblogic` to Weblogic Server. This parameter is required if you are proxying by path. You can set multiple strings by separating the strings with commas. For example: `WlForwardPath=/weblogic,/bea`.	ISAPI plug-in
`WLIOTimeoutSecs (new name for` `HungServerRecoverSecs)`	`300`	Defines the amount of time the plug-in waits for a response to a request from WebLogic Server. The plug-in waits for `HungServerRecoverSecs` for the server to respond and then declares that server dead, and fails over to the next server. The value should be set to a very large value. If the value is less than the time the servlets take to process, then you may see unexpected results. Minimum value: `10`Maximum value: `Unlimited`	NSAPI, ISAPI, and Apache plug-in
`WLLocalIP`	`none`	Defines the IP address to bind to when the plug-in connects to a WebLogic Server instance running on a multihomed machine. If `WLLocalIP` is not set, a random IP address on the multi-homed machine is used.	NSAPI, ISAPI, and Apache plug-in
`WLLogFile`	See the Debug parameter	Specifies path and file name for the log file that is generated when the Debug parameter is set to `ON`. You must create this directory before setting this parameter.	NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet
`WLProxySSL`	`OFF`	Set this parameter to `ON` to maintain SSL communication between the plug-in and WebLogic Server when the following conditions exist: An HTTP client request specifies the HTTPS protocol The request is passed through one or more proxy servers (including the WebLogic Server proxy plug-ins) The connection between the plug-in and WebLogic Server uses the HTTP protocol When `WLProxySSL` is set to `ON,` the location header returned to the client from WebLogic Server specifies the HTTPS protocol.	NSAPI, ISAPI, and Apache plug-in, HttpClusterServlet, and HttpProxyServlet
WLSendHdrSeparately	ON	When this parameter is set to `ON`, header and body of the response are sent in separate packets. Note: If you need to send the header and body of the response in two calls, for example, in cases where you have other ISAPI filters or programmatic clients, that expect the headers before the body, set this parameter to `ON`.	ISAPI plug-in
`WLSocketTimeoutSecs`	2 (must be greater than 0)	Set the timeout for the socket while connecting, in seconds.	NSAPI, ISAPI, and Apache plug-in
WLTempDir	See the Debug parameter	Specifies the directory where a `wlproxy.log` will be created. If the location fails, the Plug-In resorts to creating the log file under `C:/temp` in Windows and `/tmp` in all Unix platforms. Also specifies the location of the `_wl_proxy` directory for post data files. When both `WLTempDir` and `WLLogFile` are set, `WLLogFile` will override as to the location of `wlproxy.log`. `WLTempDir` will still determine the location of `_wl_proxy` directory.	NSAPI, ISAPI, and Apache plug-in

SSL Parameters for Web Server Plug-Ins

Server Gated Cryptography certificates are not supported for use with WebLogic Server Proxy Plug-Ins. Non-SGC certificates work appropriately and allow SSL communication between WebLogic Server and the plug-in.

Parameters are case sensitive.


Table 6-2   SSL Parameters for Web Server Plug-Ins





	
		
			
Parameter


		 		
			
Default 


		 		
			
Description


		 		
			
Applicable to


		
	
	
		
			
SecureProxy


		
		
			
OFF


		
		
			
Set this parameter to ON to enable the use of the SSL protocol for all communication between the plug-in and WebLogic Server. Remember to configure a port on the corresponding WebLogic Server for the SSL protocol before defining this parameter. 


This parameter may be set at two levels: in the configuration for the main server and—if you have defined any virtual hosts—in the configuration for the virtual host. The configuration for the virtual host inherits the SSL configuration from the configuration of the main server if the setting is not overridden in the configuration for the virtual host.


		
		
			
ISAPI, NSAPI, and Apache plug-ins, HttpClusterServlet, and HttpProxyServlet 


		

	
	
		
			
TrustedCAFile


		
		
			
none


		
		
			
Name of the file that contains the digital certificates for the trusted certificate authorities for the plug-in. This parameter is required if the SecureProxy parameter is set to ON. 


The filename must include the full directory path of the file.


		
		
			
ISAPI, NSAPI, and Apache plug-ins


		

	
	
		
			
EnforceBasicConstraints


		
		
			
Strong


		
		
			
This parameter closes a security hole which existed with SSL certificate validation where certificate chains with invalid V3 CA certificates would not be properly rejected. This allowed certificate chains with invalid intermediate CA certificates, rooted with a valid CA certificate to be trusted. X509 V3 CA certificates are required to contain the BasicConstraints extension, marked as being a CA, and marked as a critical extension. This checking protects against non-CA certificates masquerading as intermediate CA certificates.


The levels of enforcement are as follows:


OFF 


This level entirely disables enforcement and is not recommended. Most current commercial CA certificates should work under the default STRONG setting.


EnforceBasicConstraints=off


EnforceBasicConstraints=false


STRONG 


Default. The BasicConstraints for V3 CA certificates are checked and the certificates are verified to be CA certificates.


EnforceBasicConstraints=strong


EnforceBasicConstraints=true


STRICT 


This level does the same checking as the STRONG level, but in addition it also strictly enforces IETF RFC 2459 which specifies the BasicConstraints for CA certificates also must be marked as "critical". This is not the default setting because a number of current commercially available CA certificates don't conform to RFC 2459 and don't mark the BasicConstraints as critical. Set this if you want to strict conformance to RFC 2459.


EnforceBasicConstraints=strict


		
		
			
NSAPI, ISAPI, and Apache plug-in 


		

	
	
		
			
RequireSSLHostMatch


		
		
			
true


		
		
			
Determines whether the host name to which the plug-in is connecting must match the Subject Distinguished Name field in the digital certificate of the WebLogic Server to which the proxy plug-in is connecting. 


When specifying SecureProxy=ON and RequireSSLHostMatch=true in the plug-in, then the value specified in the ListenAddress property should exactly match the hostname value specified in the certificate.


When using the ExternalDNSName property for WebLogic Server and setting SecureProxy=ON and RequireSSLHostMatch=true in the plug-in, then the value specified in the ExternalDNSName property should exactly match the hostname value specified in the certificate.


		
		
			
ISAPI, NSAPI, and Apache plug-ins


		

	
	
		
			
SSLHostMatchOID


		
		
			
22


		
		
			
The ASN.1 Object ID (OID) that identifies which field in the Subject Distinguished Name of the peer digital certificate is to be used to perform the host match comparison. The default for this parameter corresponds to the CommonName field of the Subject Distinguished Name. Common OID values are: 

Sur Name—23
Common Name—22
Email—13
Organizational Unit—30
Organization—29
Locality—26

		
		
			
ISAPI, NSAPI, and Apache plug-ins

Parameter	Default	Description	Applicable to
`SecureProxy`	`OFF`	Set this parameter to `ON` to enable the use of the SSL protocol for all communication between the plug-in and WebLogic Server. Remember to configure a port on the corresponding WebLogic Server for the SSL protocol before defining this parameter. This parameter may be set at two levels: in the configuration for the main server and—if you have defined any virtual hosts—in the configuration for the virtual host. The configuration for the virtual host inherits the SSL configuration from the configuration of the main server if the setting is not overridden in the configuration for the virtual host.	ISAPI, NSAPI, and Apache plug-ins, HttpClusterServlet, and HttpProxyServlet
`TrustedCAFile`	`none`	Name of the file that contains the digital certificates for the trusted certificate authorities for the plug-in. This parameter is required if the SecureProxy parameter is set to `ON`. The filename must include the full directory path of the file.	ISAPI, NSAPI, and Apache plug-ins
EnforceBasicConstraints	Strong	This parameter closes a security hole which existed with SSL certificate validation where certificate chains with invalid V3 CA certificates would not be properly rejected. This allowed certificate chains with invalid intermediate CA certificates, rooted with a valid CA certificate to be trusted. X509 V3 CA certificates are required to contain the BasicConstraints extension, marked as being a CA, and marked as a critical extension. This checking protects against non-CA certificates masquerading as intermediate CA certificates. The levels of enforcement are as follows: OFF This level entirely disables enforcement and is not recommended. Most current commercial CA certificates should work under the default STRONG setting. `EnforceBasicConstraints=off` `EnforceBasicConstraints=false` STRONG Default. The BasicConstraints for V3 CA certificates are checked and the certificates are verified to be CA certificates. `EnforceBasicConstraints=strong` `EnforceBasicConstraints=true` STRICT This level does the same checking as the STRONG level, but in addition it also strictly enforces IETF RFC 2459 which specifies the BasicConstraints for CA certificates also must be marked as "critical". This is not the default setting because a number of current commercially available CA certificates don't conform to RFC 2459 and don't mark the BasicConstraints as critical. Set this if you want to strict conformance to RFC 2459. `EnforceBasicConstraints=strict`	NSAPI, ISAPI, and Apache plug-in
`RequireSSLHostMatch`	`true`	Determines whether the host name to which the plug-in is connecting must match the Subject Distinguished Name field in the digital certificate of the WebLogic Server to which the proxy plug-in is connecting. When specifying SecureProxy=ON and RequireSSLHostMatch=true in the plug-in, then the value specified in the ListenAddress property should exactly match the hostname value specified in the certificate. When using the ExternalDNSName property for WebLogic Server and setting SecureProxy=ON and RequireSSLHostMatch=true in the plug-in, then the value specified in the ExternalDNSName property should exactly match the hostname value specified in the certificate.	ISAPI, NSAPI, and Apache plug-ins
`SSLHostMatchOID`	`22`	The ASN.1 Object ID (OID) that identifies which field in the Subject Distinguished Name of the peer digital certificate is to be used to perform the host match comparison. The default for this parameter corresponds to the `CommonName` field of the Subject Distinguished Name. Common OID values are: Sur Name—23 Common Name—22 Email—13 Organizational Unit—30 Organization—29 Locality—26	ISAPI, NSAPI, and Apache plug-ins

Configuring Web Applications and Clusters for the Plug-in

Set the following attributes on a cluster or a Web application to configure security for applications accessed via the plug-in.

WeblogicPluginEnabled—If you set this attribute to true for a cluster or a Web application that receives requests from the HttpClusterServlet, the servlet will respond to getRemoteAddr calls with the address of the browser client from the proprietary WL-Proxy-Client-IP header, instead of returning the Web server address.
ClientCertProxy Enabled—If you set this attribute to true for a cluster or a Web application that receives requests from HttpClusterServlet, the plug-in sends client certs to the cluster in the special WL-Proxy-Client-Cert header, allowing user authentication to be performed on the proxy server.