Access module
How Rules Work
Overview
Understanding the access module ruleset is fundamental to creating usable access restriction policies. The ruleset uses a simple logic hierarchy to allow or deny access to resources. Here we explain how rules are constructed, evaluated and combined together to make up the ruleset.
Rule Types
There are two different types of restriction rules, "deny" and "allow". The "deny" rules restrict access to specific areas of the document tree based on specified criteria. The "allow" rules grant access to specified areas of the document tree based on specified criteria. There are two types of criteria used to specify rules, host based and user based. Host based criteria can be an IP address, IP subnet, Internet hostname or Internet domain name.
Access restriction rules are applied in a predefined numbered order. The first rule you create will be rule "0", the next rule will be assigned "1", the next "2" and so on. There is no limit to the number of rules you can create, although a large number of rules may become difficult to manage and you should consider subdividing your site into additional virtual servers, or using dynamic configuration files for access restriction.
When a request is made to the server, before returning any documents the server evaluates the request against the ruleset. Each rule which matches the request URL is applied, starting with the least significant. For the document to be returned it must have passed at least one "allow" rule and then failed each subsequent "deny" rule. (The initial server state is to allow all requests; effectively there is a rule number "-1" which does this.) The effect of the rules is cumulative, with more significant rules adding or removing restrictions. This allows you to create sophisticated access control policies by means of rule hierarchies.
To summarise: an access control policy consists of a set of rules. A rule is either an "allow" or a "deny" rule. When a request comes in, every rule is processed in order, with the initial state being to allow the request. For each rule, if the URL, hostname and users match, the rule is applied.
The application server concerns itself with "What?", "Where?" and "Who?" when evaluating rules.
What to do?
Allow access or deny access?
Where to apply the rule?
The location in the document tree to apply the rule to. Rules are recursive and will be applied to any document below this location, unless overridden by more significant rules. This should be a full pathname from the document root.
Who to apply the rule to?
The identity of the client to whom the rule applies. This can be IP address / hostname based, username / password based, or both. If both restriction methods are used, the rule is evaluated from left to right, as displayed in the ruleset list. If any of the "Who" fields are blank, they evaluate to true and are passed.
- Firstly, if a host or domain name is specified it is evaluated (to use DNS names in your access restrictions you have to enable reverse DNS lookup in the server configuration). If this fails the rule is discarded and the next rule tested.
- Next, any absolute IP addresses are evaluated. If this fails the rule is discarded and the next rule tested.
- Finally, the user and group lists are evaluated. If this fails the rule is discarded and the next rule tested. If this succeeds then the rule has succeeded and the rule is applied.
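The evaluation order described above (initial state allow, rules applied from rule 0 upwards, each matching rule overriding the state, "Who" fields checked host first, then IP, then user, with blank fields evaluating to true), as an added worked model that is not the access module's own code. The ruleset, paths, addresses and usernames are constructed for illustration; the real module's syntax for hosts, subnets and user lists is not assumed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str      # "allow" or "deny"
    location: str    # full path from the document root; applied recursively
    hosts: list = field(default_factory=list)  # hostnames or ".domain" suffixes
    ips: list = field(default_factory=list)    # IP addresses or CIDR subnets
    users: list = field(default_factory=list)  # usernames; empty means any user

def path_matches(location, url):
    """A rule covers its location and every document below it."""
    loc = location.rstrip("/") or "/"
    return loc == "/" or url == loc or url.startswith(loc + "/")

def who_matches(rule, hostname, ip, user):
    """Evaluate the "Who" fields left to right; a blank field evaluates to true."""
    if rule.hosts:  # hostname comes from reverse DNS and may be unavailable
        if hostname is None or not any(
            hostname == h or (h.startswith(".") and hostname.endswith(h))
            for h in rule.hosts):
            return False
    if rule.ips:
        addr = ip_address(ip)
        if not any(addr in ip_network(n, strict=False) for n in rule.ips):
            return False
    if rule.users and user not in rule.users:
        return False
    return True

def evaluate(rules, url, ip, hostname=None, user=None):
    """Initial state allows; each matching rule, rule 0 first, overrides the state."""
    allowed = True
    for rule in rules:
        if path_matches(rule.location, url) and who_matches(rule, hostname, ip, user):
            allowed = rule.action == "allow"
    return allowed

# Constructed sample ruleset (not from the original page): close the whole tree,
# reopen it for an internal subnet, expose /public and /staff selectively, and
# lock /private/admin down to one user on the internal subnet.
RULES = [
    Rule("deny", "/"),
    Rule("allow", "/", ips=["10.0.0.0/8"]),
    Rule("allow", "/public"),
    Rule("allow", "/staff", hosts=[".corp.example"]),
    Rule("deny", "/private/admin"),
    Rule("allow", "/private/admin", ips=["10.0.0.0/8"], users=["admin"]),
]
```

Note that the later "deny" on /private/admin removes the access granted by the earlier subnet-wide "allow", and the final rule restores it only for the named user; reordering those two rules would reverse the outcome.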