Access module
Web Based Access Control
Overview
Access Control allows you to restrict access to each virtual server. Restrictions are based on a username/password challenge, on IP address or host / domain name, or on a combination of both. The Access module provides a simple HTML forms based interface to configure access control.
Configuration
The Access module uses a series of rules to determine if a restriction should apply to a URL. The rules are based on the following elements:
- Host / Domain Names: allow restriction based on DNS host or domain name.
- IP Addresses: allow restriction based on IP address or IP subnet.
- Users: allow restriction based on a user name and password.
- Groups: allow restriction based on groups of users.
Initially there will be no access restrictions for your virtual server, and the Access Module page will display "No rules defined" to highlight this. If you just wish to restrict access based on Internet hosts or IP addresses you can click on the link :
However if you wish to take advantage of user based access control you will need to define users and possibly groups before defining rules.
Users and Groups
To make use of user based access restriction you need to define a user list for your virtual server. This is achieved by clicking on the "Configure users" link under the "User Management" heading.
This link will take you to the "User Management" page. From here you can add new users and list existing users. Initially there will be no users defined.
Type the username and password in to the text fields, then click on the "Add" button to add the user to the list.
Existing users are displayed in an alphabetical list under the "Current Users" heading. To edit or delete an existing user, click on the username. This will take you to the "Edit User" page.
To change the user's password, type the updated password in the text box and click on the "Set New Password" button. To delete the user, click on the "Delete User" button.
User groups are used to assist administration. Rather than listing all valid users, users can be assigned to logical groups, then the groups referenced in the access restrictions. Groups can be manipulated via the "Configure groups" link :
This link will take you to the "Group Management" page. From here all existing groups will be listed under the "User-Defined Groups" heading along with their members (initially there will be no groups defined). New groups can be created by entering details under "Add New Group".
To add a new group, type the group name in the text box and click on the "Add Group" button.
You can add and remove users to groups, as well as delete groups, by clicking on the group name in the group list.
Clicking on the link will take you to the "Edit Group" page. A list of all users is shown in a selection box, which will display scroll bars if needed. Existing group members will already be highlighted. In Netscape Navigator you can select several users from this list to include in the group by holding the Shift key while clicking on the names you wish to include.
To update the group list click on the "Update" button, to delete the group click on the "Delete Group" Button.
Creating Rules
Access restriction rules are applied in a predefined numbered order. The first rule you create will be rule "0", the next rule will be assigned "1", the next "2" and so on. There is no limit to the number of rules you can create, although a large number of rules may become difficult to manage, and you should then consider subdividing your site into additional virtual servers or using dynamic configuration files for access restriction. When a request is made to the web server each rule in the ruleset is applied in turn. For the request to succeed, the most significant rule that matches it (the one with the highest number) must evaluate to true. This allows a sophisticated ruleset to be built to cover all restriction options.
There are two different types of restriction rule, "deny" and "allow". The "deny" rules restrict access to specific areas of the document tree for specified clients. The "allow" rules grant access to specified areas of the document tree for specified clients. Each rule overrides the less significant rules (those with lower numbers), allowing you to create rule hierarchies.
The application server concerns itself with "What? Where? Who?" when evaluating rules.
- What to do? Allow access or deny access.
- Where to apply the rule? The location in the document tree to apply the rule to. Rules are recursive and will be applied to any document below this location, unless overridden by more significant rules. This should be a full pathname from the document root.
- Who to apply the rule to? The identity of the client to whom the rule applies. This can be IP address / hostname based, username / password based, or both. If both restriction methods are used, the rule is evaluated from left to right, as displayed in the ruleset list. Any "Who" field that is blank evaluates to true and is passed.
- First, if a host or domain name is specified it is evaluated (to use DNS names in your access restrictions you have to enable reverse DNS lookup in the server configuration). If this fails the rule is discarded and the next rule is tested.
- Next, any absolute IP addresses or subnets are evaluated. If this fails the rule is discarded and the next rule is tested.
- Finally, the user and group lists are evaluated. If this fails the rule is discarded and the next rule is tested. If this succeeds then the rule has succeeded and the rule is applied.
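The evaluation order described above (numbered rules, highest matching rule wins, "Who" fields tested host, then IP, then users/groups, blank fields passing) is easy to get wrong when writing rules by hand, so here is an added example that simulates it. This is illustrative code written for this page, not the Access module's own implementation; the group definitions, the ruleset, the client addresses and the assumption that a request with no matching rule is allowed (as on a fresh virtual server with no rules) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed group definitions for the example (hypothetical user names).
GROUPS = {"staff": {"alice", "bob"}}


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    where: str                  # full path from the document root; applies recursively
    host: str = ""              # DNS host or domain name; blank evaluates to true
    ip: str = ""                # IP address or CIDR subnet; blank evaluates to true
    users: set = field(default_factory=set)   # blank evaluates to true
    groups: set = field(default_factory=set)  # blank evaluates to true


def path_covered(rule_path, request_path):
    """A rule covers its own location and every document below it."""
    rule_path = rule_path.rstrip("/") or "/"
    if rule_path == "/":
        return True
    return request_path == rule_path or request_path.startswith(rule_path + "/")


def host_matches(rule_host, client_host):
    """Host/domain test. client_host is None when reverse DNS is off or failed."""
    if not rule_host:
        return True
    if client_host is None:
        return False
    rule_host = rule_host.lstrip(".").lower()
    client_host = client_host.lower()
    return client_host == rule_host or client_host.endswith("." + rule_host)


def ip_matches(rule_ip, client_ip):
    """IP test: a single address or a subnet such as 10.0.0.0/8."""
    if not rule_ip:
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule_ip, strict=False)


def user_matches(rule, user):
    """User/group test; user is None for an unauthenticated request."""
    if not rule.users and not rule.groups:
        return True
    if user is None:
        return False
    if user in rule.users:
        return True
    return any(user in GROUPS.get(g, set()) for g in rule.groups)


def rule_matches(rule, request):
    """'Who' fields are tested left to right: host, then IP, then users/groups.
    The first failing field discards the rule."""
    if not path_covered(rule.where, request["path"]):
        return False
    if not host_matches(rule.host, request.get("host")):
        return False
    if not ip_matches(rule.ip, request["ip"]):
        return False
    return user_matches(rule, request.get("user"))


def decide(rules, request):
    """Rules are numbered in creation order (index 0 first). Every matching rule
    overrides the lower-numbered ones, so the highest-numbered match decides.
    Assumption: with no matching rule the request is allowed, as on a fresh
    virtual server with no rules defined."""
    decision = "allow"
    for rule in rules:
        if rule_matches(rule, request):
            decision = rule.action
    return decision


# Constructed ruleset: rule 0 closes /private, rule 1 reopens it for the staff
# group on the internal subnet, rule 2 shuts bob out of one subdirectory again.
RULES = [
    Rule("deny", "/private"),
    Rule("allow", "/private", ip="10.0.0.0/8", groups={"staff"}),
    Rule("deny", "/private/secret", users={"bob"}),
]

if __name__ == "__main__":
    for req in (
        {"path": "/public/index.html", "ip": "203.0.113.5"},
        {"path": "/private/report.html", "ip": "203.0.113.5"},
        {"path": "/private/report.html", "ip": "10.1.2.3", "user": "alice"},
        {"path": "/private/secret/plan.html", "ip": "10.1.2.3", "user": "bob"},
    ):
        print(req, "->", decide(RULES, req))
```

Two points the simulation makes visible: an "allow" rule that names users or groups never matches an unauthenticated request, so the lower-numbered "deny" still applies to it; and a blank "Who" field passes everyone, so a high-numbered "allow" rule with all "Who" fields empty silently reopens whatever the earlier rules closed.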
To create a rule, click on the link :
This will take you to the "Edit Rule" page where you can enter the rule characteristics. To edit an existing rule, click on the rule name in the rule list.