Overriding MSIE’s Friendly Error Message screens

IE overrides several HTTP error status pages but it has a size threshold. Only if the error page send by the server has a large enough body then IE decides it’s meaningful and displays it.

Usually to be safe you should make error pages that are larger then 512 bytes. The threshold varies per HTTP status code. You can look at what your thresholds are currently set to. In IE 5 and greater the settings are stored in the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds]

Err Size(bytes):

  • 400 512
  • 403 256
  • 404 512
  • 405 256
  • 406 512
  • 408 512
  • 409 512
  • 410 256
  • 500 512
  • 501 512
  • 505 512

REFERENCES:

Do Not Track (DNT) HTTP Header

Over the past year there have been many capabilities added to web browsers to allow users to indicate their willingness to be tracked across various sites for web advertisements. While the implementation by individual hosts is optional, the user can sent the request to identify their personal preference. Tracking can be relevant to allow for more “targeted” ads tailored to each user.

Firefox 4.0 betas added an "X-Do-Not-Track:1" HTTP Header. Later implemented Firefox 5.0 betas as "DNT:1". Safari and MSIE9 have also added support. Recently Firefox 9.0 exposed this attribute to JavaScript as navigator.doNotTrack, with a value of “yes” when set.

REFERENCES:

HTTP ETag Header

These are useful for some advanced caching behavior, but there are cases where you might find them unnecessary for static files (in particular). Most network analysis tools will call attention to this header value, and while it seems like a trivial amount of bandwidth to send from the server to the client, the real reason for the negative score is more likely related to the behaviors that it causes in the client.

It should be noted that the default value used for the ETag is based upon the ‘inode’ of the file, as such it’s IS problematic in clustered server environments. I’ve shown the correction for this below.

Adding the following to your Apache http.conf file is a start:


# Change ETag to remove the iNode (for multi-server environments)
FileETag MTime Size

#Remove ETag from all static content, this could be done globally without the FilesMatch, but we want better control.
<FilesMatch "\.(html|htm|js|css|gif|jpe?g|png|pdf|txt|zip|7z|gz|jar|war|tar|ear|java|pac)$">
<IfModule header_module>
Header unset ETag
</IfModule>
</FilesMatch>

REFERENCES:

Cheers.

HTTP Cookie Header

Obviously “Cookies” have a lot of advantages in web applications to maintain “state”, unfortunately using standard server configurations leads to even static content serving them up un-necessarily wasting some (minimal) bandwidth.

Adding the following to the Apache httpd.conf file is a start:
#Remove Cookie from all static content (except HTML as javascript could use it)
<FilesMatch "\.(html|htm|js|css|gif|jpe?g|png|pdf|txt|zip|7z|gz|jar|war|tar|ear|java|pac)$">
<IfModule header_module>
Header unset Cookie
</IfModule>
</FilesMatch>

REFERENCES:

Cheers!

Web Proxy Autodiscovery Protocol (WPAD)

If you take a close look at your logs you may occasionally see requests for a file named wpad.dat. This file is related to automatic proxy configuration in many browsers.

To provide this capability to your users and website,

  1. DNS:

    Default behavior is to traverse the domain in reverse, looking for one with a file named /wpad.dat

    Example (using my domain for example):
    wpad.www.giantgeek.com
    wpad.giantgeek.com
    wpad.com

  2. Then in httpd.conf, set the MIME type:
    AddType application/x-ns-proxy-autoconfig .pac
  3. Also in httpd.conf, add a redirect to the actual file you wish to use.
    Redirect permanent /wpad.dat http://www.giantgeek.com/proxy.pac
  4. In the new file, add the following default contents, modify if you use a proxy:

    /* 'proxy.pac' - This is the main function called by any browser
    NOTE: there is NO proxy!
    */
    function FindProxyForURL(url, host)
    {
    return “DIRECT”;
    } // End function FindProxyForUrl

REFERENCES:

HTML5 offline appcache manifest

In my testing, you don’t need to fully embrace HTML5 markup to take advantage of the “offline” functionality, you simply need to add the attribute and related files to your existing website/page. Any modern browser that supports HTML5 should automatically recognize the offline content and use it when appropriate, unfortunately no version of MSIE yet supports this.

<html manifest="/offline.appcache">

In that file, you must then specify the offline behavior, something like this is a good start:

CACHE MANIFEST
#This is to provide minimal HTML5 offline capabilities
#MIME mapping must be 'appcache=text/cache-manifest'
#Reference to this file is per page, you can have different ones in an app.
#Common image files and css may be 'cached'
CACHE:
/index.html
/css/offline.css
NETWORK:
*
FALLBACK:
/ /offline.html

On the server side, you’ll have to serve up that file with the appropriate MIME type (text/cache-manifest, for ApacheHTTPD you simply need to add one line to httpd.conf:

AddType text/cache-manifest .appcache

REFERENCES:

Accessing VirtualBox client from host

Assuming that you are a developer on Windows that run a VirtualBox instance for a server, you might find it difficult to browse/access the “virtual” server that are running as a client. Here’s an example of the config required for standard HTTP, HTTPS and SSH, you can easily expand for other services as needed. Example assumes that your client is named “Ubuntu64”, you need to change appropriately for each client.

NOTE: if you are using a Linux host, the commands are similar.

cd C:\Program Files\Oracle\VirtualBox
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/HostPort 80
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/GuestPort 80
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTP/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/HostPort 443
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/GuestPort 443
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/ApacheHTTPS/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/HostPort 8080
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/GuestPort 8080
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/Tomcat/Protocol TCP
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/HostPort 22
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/GuestPort 22
VBoxManage.exe setextradata "Ubuntu64" VBoxInternal/Devices/pcnet/0/LUN#0/Config/SSH/Protocol TCP
VBoxManage.exe getextradata "Ubuntu64" enumerate

Sniff for SSL capability of browser

If you run a secure server, you often have some non-secure content prior to authentication of a secure session. To provide a mechanism to show a page prior to authentication, you can “sniff” for the clients capability with a small bit of JavaScript.

First establish a global variable on the page:
<script type="text/javascript">
var sslok = 0;
</script>

Then, include a JavaScript file that is ONLY available via a secure
<script type="text/javascript" src="https://www.giantgeek.com.com/secure/sniff.js"></script>

The ‘sniff.js’ file should contain (at a minimum):
sslok = 1;

Finally, check and act on the value:
<script type="text/javascript">
if (sslok === 1) {
window.location.href = 'https://www.giantgeek.com/secure/';
}
</script>

Done!

Masquerading browser User-Agent strings

As it’s Halloween, it’s only relevant that I share a method of covering your browsers identity.

  • For MSIE, you must modify the registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
  • For Chrome (on Windows, and I assume other OS’s), you can use a startup parameter.
    C:\Users\{USERID}\AppData\Local\Google\Chrome\Application\chrome.exe --user-agent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
  • For Firefox and other Mozilla based browsers, you can mofiy the configuration in (user.js) or use a variety of add-on extensions, such as:

Interested in knowing your current User-Agent, just visit one of the following:

Many robots and spiders that are used by search engines also identify themselves by their User-Agent, if you see this activity in your logs you can often learn more about it at:

REFERENCES:

Happy Halloween!

Custom 404 Page for Tomcat web applications

This is a relatively common problem in JSP based apps as you need to understand the configuration. It’s further complicated if you use Apache HTTPD in front of the Apache Tomcat server to process requests as you need to know where each request is processed.

For this example, we will use the standard 404 error, but you can also intercept other errors for custom pages.

  1. create 404.jsp:

    <% final SimpleDateFormat simpleDate = new SimpleDateFormat("EE MMM dd yyyy hh:mm:ss aa zzz");
    final String dttm = simpleDate.format(new Date()); %>
    <html>
    <title>404 Not Found</title>
    <ul>
    <li>Time: <%= dttm %></li>
    <li>User-Agent: <%= request.getHeader("User-Agent") %></li>
    <li>Server: <%= request.getServerName() %></li>
    <li>Request: <%= request.getRequestURI() %></li>
    <li>Remote: <%= request.getRemoteAddr() %></li>
    <li>Referer: <%= request.getHeader("Referer") %></li>
    </ul>
    </html>
  2. in WEB-INF/web.xml – add the following (NOTE: location within the file is important but outside the scope of this post)

    <error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
    </error-page>
  3. You might want to force the HTTP Header to give something other than a ‘404 status’ code, otherwise MSIE will show an unstyled ‘friendly error message’ if the user has not turned off the default setting. Unfortunately, this also means that search engines might index these pages that should not exist.

REF: