White list based input validation for URL path
You can specify the URL paths mapped to a back-end server within the "URL path definitions" of the mapping (see the chapter Alternative path definitions). Only these URLs may be accessed by clients. You should never map the root location / to a back-end server.
In addition, a white list of all allowed URLs (path portion only) can be generated from existing access.log files written by nevisProxy. The resulting rules restrict access to the known handlers of the application only.
Use the "URL path, white listing" filter to have nevisAdmin assist you in creating such white lists.
Create a new filter and assign it to the mapping of your application.
nevisAdmin automatically starts learning from the access log file as soon as the mode is set to "learn". You do not need to deploy the configuration to enable or disable self-learning, because the access log file is written anyway.
You may modify the generated rules by adding or removing patterns, e.g., to optimize the rules by providing better patterns.
nevisAdmin stores the list of all relevant URLs (those that caused a rule update) in a file, accessible via the file manager of the filter. You may modify this file to influence the rule generator, e.g., remove URLs that were learned by mistake or add new URLs that should also be used in the learning process.
As soon as the learning phase is finished, change the mode to "enforce", then commit and deploy your configuration. In enforce mode, nevisProxy allows only requests whose URL path matches one of the configured patterns.
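The learn/enforce workflow described above, as an added example that is not part of the original documentation or of nevisAdmin's own rule generator: it extracts the path portion of each request from access log lines, generalizes numeric path segments into patterns, lets you drop URLs learned by mistake, and then enforces the patterns. The log line format is a constructed, combined-log-style assumption; the real nevisProxy access.log format is not shown on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log lines (assumed combined-log style, not the real nevisProxy format).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0100] "GET /app/login HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0100] "POST /app/login?next=/app/home HTTP/1.1" 302 0
10.0.0.6 - - [01/Jan/2024:10:00:02 +0100] "GET /app/orders/1234 HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jan/2024:10:00:03 +0100] "GET /app/orders/5678 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:04 +0100] "GET /app/static/main.css HTTP/1.1" 200 900
"""

# Matches the request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def learn_paths(log_text):
    """Learn mode: collect the path portion (query string stripped) of every logged request."""
    paths = set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            paths.add(urlsplit(m.group("target")).path)
    return sorted(paths)


def generalize(path):
    """Turn one learned path into an anchored regex; purely numeric segments become [0-9]+."""
    segments = []
    for seg in path.split("/"):
        segments.append("[0-9]+" if seg.isdigit() else re.escape(seg))
    return "^" + "/".join(segments) + "$"


def build_rules(paths, learned_by_mistake=()):
    """Generate the deduplicated pattern list, skipping URLs removed from the learned-URL file."""
    keep = [p for p in paths if p not in set(learned_by_mistake)]
    return sorted({generalize(p) for p in keep})


def enforce(rules, path):
    """Enforce mode: a request is allowed only if its path matches one configured pattern."""
    return any(re.match(rule, path) for rule in rules)


if __name__ == "__main__":
    learned = learn_paths(SAMPLE_ACCESS_LOG)
    rules = build_rules(learned)
    for candidate in ("/app/orders/9999", "/app/admin", "/app/static/mainXcss"):
        print(candidate, "allowed" if enforce(rules, candidate) else "blocked")
```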