Later versions of Access Manager automatically override error messages sent by origin servers.  Not only does this mask potentially exploitable information about the origin server or application, it provides a consistent look and feel to the end user.  However, did you know that you can customize the types of errors, the page branding, and even the error message that Access Manager displays?  In this article, I will explain how to do all three.

Choosing the types of errors to override

You can tell the proxy which errors you would like to override, and which you would like to be forwarded.  This can be useful if you need to see the message for troubleshooting, or if you need to distinguish between an error generated by Access Manager or by the origin server (e.g. Forbidden or Service Unavailable).  This is accomplished through the global advanced option 'ProxyErrorOverride'.  You can choose either a default 'on' and specify the errors you don't want overriden, or you can choose a default 'off' and specify the errors you do want overriden.  For example, you can set the line:

ProxyErrorOverride on -403

which will tell Access Manager to override all errors except access forbidden.  On the other hand, the line:

ProxyErrorOverride off 500 404

will tell Access Manager to only override internal server error and not found messages.  You can find more details on this option in the Access Gateway Guide under Advanced Access Gateway Options.

Branding the error page

One of the advantages of the error override feature is that the end user is able to see a consistent, simple, and attractive error page.  However, the default Access Manager error page leaves a lot to be desired in terms of UI.  This is easily remedied by modifying the three include files on each MAG under /opt/novell/apache2/share/apache2/error/include.  By modify the content of these three files, you can turn this:



into your own branded error page:



N.B. - These files will be overwritten during an upgrade, but they are backed up into $HOME/nambkup/mag(date)/errormessages/error/include and may be restored from there.

Customizing the error message

By default, Access Manager displays a localized message reflecting the error code as defined in the HTTP specification.  You may also modify this to suit your business needs.  For example, you may want to include instructions on reporting 5xx errors.  You may even wish to add or modify localizations, such as including the number for the local help desk.  This is accomplished by modifying the corresponding file(s) in /opt/novell/apache2/share/apache2/error.

Each file contains a section for each localization.  It is highly recommended to read and understand the HTTP specification for each error before including your own message, so as to avoid possible confusion for the end user.  The status code specifications can be found in Section 10 of RFC 2616.

Keep in mind that these files will also be overwritten during an upgrade, and they are backed up as well.

Conclusion

Access Manager error page override is a powerful feature for preventing information leakage and unifying the look and feel of your site.  By making a few customizations, you can greatly enhance the user interface and guide users in the right direction if they run into a problem.