Access module

Web Based Access Control

Overview
Access Control allows you to restrict access to each virtual server. Restrictions are based on either a username password challenge, IP address or host / domain name, or a combination of both. The Access module provides a simple web interface to configure Access control.

Resources
In order to fully understand the Access module documentation, you should have read the following two associated documents. Access Control Criteria Options outlines the two different methods we can use to enforce access restrictions on the Web. How Rules Work illustrates how rulesets in the Access module are built and interpreted. You should optionally read Using Regular Expression if you intend to use those facilities to match URLs, hostnames or IP addresses.

Tutorials

Configuration
The Access module uses a series of rules to determine if a restriction should apply to a URL. The rules are based on the following elements:

Host / Domain Names: Allow restriction based on DNS host or domain name.
IP Addresses: Allow restriction based on IP address or IP subnet.
Users: Allow restriction based on a user name and password.
Groups: Allow restriction based on groups of users.

Initially there will be no access restrictions for your virtual server, and the Access module page will display "No rules defined" to highlight this. By default everyone will be able to access your virtual server. If you just wish to restrict access based on Internet hosts or IP address you can click on the link:

However if you wish to take advantage of user based access control you will need to define users and possibly groups before defining rules.

Users and Groups

To make use of user based access restriction you need to define a user list for your virtual server. This is achieved by clicking on the "Configure users" link under the "User Management" heading.

This link will take you to the "User Management" page. From here you can add new users and list existing users. Initially there will be no users defined.

Type the username and password in to the text fields, then click on the "Add" button to add the user to the list.

Existing users are displayed in an alphabetical list under the "Current Users" heading. To edit or delete an existing user, click on the username. This will take you to the "Edit User" page.

To change the user's password, type the updated password in the text box and click on the "Set New Password" button. To delete the user, click on the "Delete User" button.

User groups are used to assist administration. Rather than listing all valid users, users can be assigned to logical groups, then the groups referenced in the access restrictions. Groups can be manipulated via the "Configure groups" link :

This link will take you to the "Group Management" page. From here all existing groups will be listed under the "User-Defined Groups" heading along with their members (initially there will be no groups defined). New groups can be created by entering details under the "Add New Group" button.

To add a new group, type the group name in the text box and click on the "Add Group" button.

You can add and remove users to groups, as well as delete groups, by clicking on the group name in the group list.

Clicking on the link will take you to the "Edit Group" page. A list of all users is shown in a selection box, which will display scroll bars if needed. Existing group members will already be highlighted.

To update the group list click on the "Update" button, to delete the group click on the "Delete Group" button.

Creating Rules

To create a rule, click on the link :

To edit an existing rule click on rule name in the rule list.

Both of these options will take you to the "Edit Rule" page where you can enter the rule characteristics. The first two options allow you to specify the URL to apply the rule to and the type of rule ("allow" or "deny"). If prefixed with a ~, the URL is expected to be an extended regular expression.

The next section allows you to specify hosts and IP addresses. Domain names are specified either absolutely, by including the machine name, or as a subdomain, by prefixing a "." to the domain name.

IP numbers should be listed, as is Internet convention, by converting each of the four bytes to a decimal representation and separating each byte with a ".". IP subnets are specified by only listing the most significant bytes, plus a trailing ".".

Alternatively IP numbers and DNS names can be specified using extended regular expressions. Regular expressions allow sophisticated pattern matching to be used for host matching, but need to be constructed carefully to avoid security holes. See the associated document Using Regular Expression for more information.
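The following Python snippet is an added illustration of the matching criteria described above (rule URLs, host names, IP numbers and the regular-expression alternative); it is not the Access module's own code. It assumes that a plain rule URL is matched as a path prefix and that regular expressions are applied with "search" semantics unless the pattern itself is anchored, which is exactly where the caveat about constructing patterns carefully comes from.

```python
import re

# Illustrative re-implementation of the rule criteria, not Zeus code.
# Assumptions: plain URLs are path prefixes; regexes use search semantics.


def url_matches(rule_url: str, request_url: str) -> bool:
    """A rule URL prefixed with "~" is an extended regular expression;
    otherwise it is treated here as a path prefix (assumption)."""
    if rule_url.startswith("~"):
        return re.search(rule_url[1:], request_url) is not None
    return request_url.startswith(rule_url)


def host_matches(spec: str, hostname: str) -> bool:
    """An absolute name must equal the whole host name; a spec that
    starts with "." matches every host inside that domain."""
    hostname = hostname.lower().rstrip(".")   # DNS names are case-insensitive
    spec = spec.lower()
    if spec.startswith("."):
        return hostname.endswith(spec)
    return hostname == spec


def ip_matches(spec: str, address: str) -> bool:
    """Exact dotted-decimal match, or a subnet given as the most
    significant bytes plus a trailing ".". The trailing dot is what
    stops "192.168.1." from also covering 192.168.100.x."""
    if spec.endswith("."):
        return address.startswith(spec)
    return address == spec


def regex_matches(pattern: str, value: str) -> bool:
    """The regular-expression alternative for hosts and IP numbers,
    with search semantics so the anchoring problem is visible:
    an unanchored pattern can match far more than was intended."""
    return re.search(pattern, value) is not None


def criteria_match(rule: dict, request: dict) -> bool:
    """Assumed combination (not stated on the page): the rule applies when
    the URL matches and at least one listed host or IP spec matches."""
    if not url_matches(rule["url"], request["url"]):
        return False
    if any(host_matches(h, request["host"]) for h in rule.get("hosts", [])):
        return True
    return any(ip_matches(i, request["ip"]) for i in rule.get("ips", []))


if __name__ == "__main__":
    # Constructed sample request against a constructed rule.
    rule = {"url": "/private/", "hosts": [".example.com"], "ips": ["192.168.1."]}
    req = {"url": "/private/report.html", "host": "www.example.com", "ip": "10.0.0.5"}
    print(criteria_match(rule, req))
    # The unanchored regex below also matches 110.0.0.5; the anchored one does not.
    print(regex_matches(r"10\.0\.0\.", "110.0.0.5"), regex_matches(r"^10\.0\.0\.\d+$", "110.0.0.5"))
```

Two details worth noting when checking a ruleset: a host spec without the leading dot only matches that exact machine, so "example.com" does not cover "www.example.com" and ".example.com" does not cover the bare "example.com"; and an unanchored pattern such as `10\.0\.0\.` matches "110.0.0.5" and an unescaped "example.com" matches "example.com.attacker.net", which is the kind of hole the text warns about.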

The final section allows you to specify users and groups.

To submit the rule to the ruleset, click on the "Update" button. To remove the rule from the ruleset, click the "Update" button.

Managing Rules

The order of each rule in the ruleset has a considerable bearing on the final security policy. You may add a new rule which needs to be evaluated earlier in the ruleset sequence; this can be achieved by clicking on the "^" link in the rule list. This will swap the rule with the rule above it, resulting in it being evaluated one stage earlier in the ruleset.

Because rulesets can become complicated, it may be difficult at times to see exactly who may be allowed into which areas of the document tree. You can enable 'Verbose mode' to help debug access control rules. Verbose mode will log trace information to the webserver error log file (generally /usr/local/zeus/web/log/errors) and will describe how each ruleset is being applied to each request, showing whether and why a particular request is allowed or denied.