2003/01/02
Pegasus rejects a client request when the requested file is outside the document root or its name begins with a period ("."). Such files can be accessed only through a CGI program.
Besides these general rules, Pegasus has two types of access control file: one for passwords and another for IP addresses.
Access control in Pegasus is designed to be managed by the person who owns the web documents.
Let $web be the web root; the files for access control are then placed in $web/etc. This directory is /etc in the service space.
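An added example, not Pegasus source code: a C implementation of the request-path rule stated at the top of this page. It assumes the path has already been separated from any query string, applies the period rule to every path component (which also rejects ".."), and the names path_allowed, url_decode and hexval are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes once. Fails on a bad escape, a decoded NUL, or overflow. */
static int url_decode(const char *src, char *dst, size_t n)
{
    size_t o = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        }
        if (c == 0 || o + 1 >= n) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if the path may be served as a static file, 0 if it must be rejected.
 * The check runs on the decoded path, so "%2e%2e" is treated like "..". */
int path_allowed(const char *reqpath)
{
    char buf[1024];
    if (reqpath == NULL || reqpath[0] != '/' || url_decode(reqpath, buf, sizeof buf) < 0)
        return 0;
    for (const char *p = buf; *p; p++)
        if (*p == '/' && p[1] == '.')   /* component begins with a period */
            return 0;
    return 1;
}

int main(void)
{   /* constructed sample request paths */
    const char *t[] = { "/index.html", "/.secret", "/a/%2e%2e/b", "/img/logo.v2.png" };
    for (int i = 0; i < 4; i++) printf("%-18s %s\n", t[i], path_allowed(t[i]) ? "serve" : "reject");
    return 0;
}
```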
Plan 9 supports the basic authentication defined in HTTP/1.0.
The merit of basic authentication is simply that it is widely supported, because the mechanism is so simple.
On the other hand, basic authentication is weak against network snooping because the raw password is transmitted over the network.
A more secure authentication mechanism, challenge/response, is defined in HTTP/1.1. However, it is not yet supported even by major browsers.
Therefore Pegasus does not support challenge/response.
For basic authentication, Pegasus uses an authentication server or a file on the CPU server. In the latter case, Pegasus uses an MD5 digest.
Related file: passwd
You can control access by IP address. The control file is $web/etc/allow.
Related file: /etc/allow