
Access control based on IP


2006/08/24 Update

Location

	$web/etc/allow

Description

The file "allow" controls access from clients based on the client's IP address.
The following is an example.
#
#       This file restricts access by IP
#       The restriction is effective to all subtrees.
#
#       We can use shell style wild card.
#       Pegasus extension:
#               a symbol `~' at the beginning means negation
#               so, we don't need a deny file
#
/test/authtest/private/room1
	*.*.*.*[13579]
/test/authtest/private/room2
	~*.*.*.*[13579]
/test/authtest/private/room1/more1
	*.*.*[0-4].*
/test/authtest/private/room1/more2
	*.*.*[5-9].*
/test/authtest/private/room2/more1
	*.*.*[0-4].*
/test/authtest/private/room2/more2
	*.*.*[5-9].*
The contents of "allow" are a sequence of path names and IP address patterns.
A path name must be an absolute path and must start in the first column. IP patterns must follow whitespace, and more than one IP pattern may be written for each path. IP patterns on a line are separated by spaces, and the list of IP patterns may continue onto the following lines.

A path restricts access to the directories deeper than or equal to that path. In this sense the path may be called a "path pattern". The IP patterns, on the other hand, are the list of IPs that are allowed to access these directories. Therefore, if there is no path pattern that restricts the request, the request is permitted.
If more than one path pattern restricts the request, the request is rejected unless the client IP is allowed by all of these path patterns.

For example, in order to enter "/test/authtest/private/room1/more1", the IP address of the client must match not only

	*.*.*.*[13579]
but also
	*.*.*[0-4].*
IP patterns are expressed using shell-style pattern matching, with one extension to this rule:
A symbol "~" at the beginning of an IP pattern means negation. Using this symbol we can reject IPs matching some pattern. For example, the pattern "~*" rejects all IPs (therefore a separate deny file is not needed).
The path comparison is performed after all URI redirection. Therefore we can assume that the requested path ends with a file name.
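As an added illustration (not part of the Pegasus documentation or source), the following Python implements the evaluation rules described above over the page's example file: every path pattern that is the request's directory or an ancestor of it applies, and the client IP must be admitted by all of them. It assumes shell-style matching via Python's fnmatch and, since the page does not say how several IP patterns under one path combine, treats any admitting pattern as sufficient.

```python
import fnmatch
import posixpath

# Constructed sample: the example "allow" file shown on this page.
ALLOW_TEXT = """\
#   comments and blank lines are ignored
/test/authtest/private/room1
\t*.*.*.*[13579]
/test/authtest/private/room2
\t~*.*.*.*[13579]
/test/authtest/private/room1/more1
\t*.*.*[0-4].*
/test/authtest/private/room1/more2
\t*.*.*[5-9].*
/test/authtest/private/room2/more1
\t*.*.*[0-4].*
/test/authtest/private/room2/more2
\t*.*.*[5-9].*
"""

def parse_allow(text):
    """Return [(path_pattern, [ip_patterns])]: a path starts in column 1,
    IP patterns follow whitespace and may continue over several lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] == "/":
            rules.append((posixpath.normpath(line.strip()), []))
        elif rules:
            rules[-1][1].extend(line.split())
        else:
            raise ValueError("IP pattern before any path: %r" % line)
    return rules

def ip_allowed_by(ip, patterns):
    """True if some pattern admits ip; a leading '~' negates the match.
    Assumption: any admitting pattern under one path is enough."""
    for pat in patterns:
        negate = pat.startswith("~")
        if fnmatch.fnmatchcase(ip, pat[1:] if negate else pat) != negate:
            return True
    return False

def is_permitted(rules, request_path, client_ip):
    """request_path is the post-redirection path, so it ends in a file
    name; the client must be admitted by every rule covering its directory."""
    directory = posixpath.dirname(posixpath.normpath(request_path))
    for path_pat, ip_pats in rules:
        if directory == path_pat or directory.startswith(path_pat.rstrip("/") + "/"):
            if not ip_allowed_by(client_ip, ip_pats):
                return False
    return True  # no path pattern restricts the request: permitted
```

With the page's worked case, `is_permitted(parse_allow(ALLOW_TEXT), "/test/authtest/private/room1/more1/index.html", "192.168.10.21")` is True, while "192.168.15.21" fails the more1 rule and "192.168.10.22" fails the room1 rule.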