Access module
Web Based Access Control
Overview
Access Control allows you to restrict access to each virtual server. Restrictions are based on a username/password challenge, on the visitor's IP address or host/domain name, or on a combination of both. The Access module provides a simple web interface to configure access control.
Resources
In order to fully understand the Access module documentation, you should have read the following two associated documents. Access Control Criteria Options outlines the two different methods we can use to enforce access restrictions on the Web. How Rules Work illustrates how rulesets in the Access module are built and interpreted. You should optionally read Using Regular Expression if you intend to use those facilities to match URLs, hostnames or IP addresses.
Configuration
The Access module uses a series of rules to determine which URLs on your web site should be accessible to which visitors. The rules may be based on:
- The URL accessed
- The host name and IP address of the visitor
- Any password-authenticated identity of the visitor
- Any groups to which such an identity belongs
To use IP-based or hostname-based restrictions, you must configure your web server to look up DNS entries (General Configuration: check the `Perform DNS lookup' toggle and Update). Restrictions on URL, host name and IP address can be specified using regular expressions. A restriction based on host name or IP address can exploit the relevant hierarchy of DNS.
Initially there will be no access restrictions for your Virtual Server: the Access module page will display No rules defined to highlight this. By default everyone will be able to access your Virtual Server.
To limit access to your Virtual Server, activate the access module and, either from the module configuration page or via the `Access control' button on the `Edit Server' page, visit the `Access Rules' page. This comprises the `Current Rules' form, the `User Management' form and the `Verbose mode' form.
The `Current Rules' form lists all rules currently limiting access to your Virtual Server. If you just wish to restrict access based on Internet hosts or IP address, go to the Access Control page and click on the link:
However, if you wish to take advantage of user-based access control you will need to define users and possibly groups before defining rules.
Users and Groups
To make use of user-based access restriction you need to define a user list for your Virtual Server. This is achieved by clicking on the `Configure users' link under the `User Management' heading. This link will take you to the `Edit Users' page. This comprises the `Add User' form and the `Current Users' list. Initially there will be no users defined.
To add a user, type the username and password in to the text fields, then click on the `Update' button to add the user to the list.
Existing users are displayed in alphabetical order in the `Current Users' list. To edit or delete an existing user, click on the username. This will take you to the `Edit User' form.
To change the user's password, type the updated password in the text box; to delete the user, check the `Delete User' toggle. Then click the `Update' button.
User groups are used to assist administration. Rather than listing all users relevant to an access rule, users can be assigned to logical groups, then the groups referenced in the access restrictions. Groups can be manipulated via the `Configure groups' link on the User Management form of the Access Rules page:
This link will take you to the `Group Management' page, comprising the `Create New Group' form and the `Current Groups' list.
To add a new group, type the group name in the text box of the `Create New Group' form and click on the `Update' button.
Under `Current Groups' all groups are listed (initially there will be none), each with a list of its members. Clicking on the name of a group will take you to the `Edit Group' page, which enables you to delete the group, add users to it or remove users from it.
The `Edit Group' page shows a list of all users in a selection box which, if needed, will display scroll bars. Existing group members will already be highlighted.
To delete the group, check the `Delete Group' toggle; to add users to the group, select their names in the list; to delete them unselect their names. When you are satisfied with your changes, click on the `Update' button.
Creating Rules
You can edit the URLs and hostname/IP restrictions of an existing rule, or change its type (allow or deny) by editing the rule's line in the `Current Rules' list and clicking on the list's `Update' button; you can delete a rule by selecting its `delete' toggle (right-most column) and clicking `Update'. Alternatively, you can edit all fields of a rule (but not delete it) by clicking on its entry in either the Users column or the Groups column: this will take you to the `Edit Rule' page, acting on the selected rule instead of a new rule, as in the description below.
To create a new rule, click on the link:
This will take you to the `Edit Rule' page where you can enter the rule characteristics. The first two options allow you to specify the URL to apply the rule to and the type of rule (`allow' or `deny'). If prefixed with a ~, the URL is expected to be an extended regular expression.
The next section allows you to specify hosts and IP addresses. As for URLs, if prefixed with a ~, a host name or IP address will be interpreted as a regular expression. Otherwise, a host name is compared against the end of a visitor's machine name; an IP address (fragment) is compared against the start of a visitor's IP address. In any case, if the visitor's host name and IP address both match those given with a rule, the rule applies to the visitor.
(IP numbers should be specified, as is Internet convention, by converting each of the four bytes to a decimal representation, and separating the bytes with `.'s. IP subnets are specified by only listing the most significant bytes - the start of the address.)
Regular expressions allow sophisticated pattern matching to be used for host matching, but need to be constructed carefully to avoid security holes. See the associated document Using Regular Expression for more information.
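The following model of the host and IP matching rules described above is an added example, not code from the Zeus Access module. It assumes that a literal host name is compared against the end of the visitor's name as a plain string, that a literal IP fragment is compared byte by byte (the page speaks of listing the most significant bytes), and that an absent criterion matches; the lint function flags the two patterns that match more hosts than intended.

```python
import re

def host_matches(pattern: str, visitor_host: str) -> bool:
    """'~' prefix: extended regular expression; otherwise the literal is
    compared against the end of the visitor's host name (assumed plain suffix)."""
    if pattern.startswith("~"):
        return re.search(pattern[1:], visitor_host) is not None
    return visitor_host.endswith(pattern)

def ip_matches(fragment: str, visitor_ip: str) -> bool:
    """'~' prefix: regular expression; otherwise the listed leading bytes
    must equal the start of the visitor's dotted-decimal address (assumed
    byte-wise, so '10.1' covers 10.1.0.0/16 and not 10.10.x.x)."""
    if fragment.startswith("~"):
        return re.search(fragment[1:], visitor_ip) is not None
    want = fragment.split(".")
    have = visitor_ip.split(".")
    return have[:len(want)] == want

def rule_applies(rule: dict, visitor_host: str, visitor_ip: str) -> bool:
    """A rule applies to a visitor only when both its host and its IP
    criteria match; a criterion left empty is treated as matching (assumption)."""
    host_ok = host_matches(rule["host"], visitor_host) if rule.get("host") else True
    ip_ok = ip_matches(rule["ip"], visitor_ip) if rule.get("ip") else True
    return host_ok and ip_ok

def lint_host_pattern(pattern: str) -> list:
    """Return warnings for host patterns that are looser than they look:
    a literal without a leading '.' also matches 'notexample.com', and a
    regular expression without a trailing '$' also matches longer names."""
    warnings = []
    if pattern.startswith("~"):
        if not pattern.endswith("$"):
            warnings.append("regex not anchored with '$': also matches longer host names")
    elif not pattern.startswith("."):
        warnings.append("literal host lacks leading '.': also matches names merely ending in it")
    return warnings

if __name__ == "__main__":
    # Constructed sample visitors and rule, not taken from any real deployment.
    rule = {"host": ".example.com", "ip": "10.1"}
    print(rule_applies(rule, "pc.example.com", "10.1.2.3"))    # True
    print(rule_applies(rule, "pc.example.com", "10.10.2.3"))   # False
    print(lint_host_pattern("example.com"))
```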
This section allows you to specify users and groups.
The final section allows you to specify the realm for this rule. The realm is used by web browsers when displaying a password dialog box to the user.
Because the realm is only used when displaying a password box, it will not be seen unless you specify at least one user or one group in the rule (if you don't do this then the webserver won't require the client to authenticate).
The default realm is the path of the directory requested (e.g. /private).
To submit the rule to the ruleset click on the `Update' button.
Managing Rules
The order of each rule in the ruleset has a considerable bearing on the final security policy. If you add a new rule that needs to be evaluated earlier in the ruleset sequence, click on the "^" link in the rule list. This will swap the rule with the rule above it, so that it is evaluated one stage earlier in the ruleset.
Rulesets are difficult to get correct. To allow you to experiment with rulesets, you can click on the 'disable rule' link to temporarily stop the web server from using that rule. Any number of rules can be disabled at once. A disabled rule is still loaded by the web server, so the trace logs will still tell you what the web server thinks of the rule, but it will always be skipped without being checked against the request. By disabling rules, you can temporarily alter the access rules to your web sites without losing the work you put into configuring the rules in the first place.
Because rulesets can become complicated, it may be difficult at times to see exactly who may be allowed into which areas of the document tree. You can enable 'Verbose mode' to help debug access control rules. Verbose mode will log trace information to the web server error log file (generally /usr/local/zeus/web/log/errors) and will describe how each ruleset is being applied to each request, showing whether and why a particular request is allowed or denied.