Next: Server password files Up: CERN server access Previous: CERN server access


Protection set-ups

Protection set-ups define sets of files that are protected in a common way. A set-up can be defined in the server configuration file itself, embedded in-line in the directive that uses it, or defined in a separate, external file that is named in the server configuration file. The Protect and DefProt configuration directives associate protection set-ups with the sets of files to be protected.

The DefProt directive associates a default protection set-up with a file template, but does not activate protection. The syntax is:

    DefProt template setup [user.group]

The Protect directive associates a protection set-up with a file template and activates protection. The syntax is:

    Protect template [setup [user.group]]

If a file matches the template of a Protect directive that does not specify a protection set-up, the server regards the file as protected and searches the configuration rules for a match between the filename and a DefProt directive template.

The user and group parameters specify the UNIX user ID and group ID with which the server process should run when serving files that match the protection rule. This allows the UNIX file protection mechanism to be used to restrict access. If these parameters are omitted, they default to nobody and nogroup.

In the following example all files in the /restricted directory hierarchy are potentially protected by the DefProt directive, but nothing is protected until a Protect directive matches. The first Protect directive matches files within the confidential subdirectory and causes them to be protected using the set-up named by the DefProt directive (the file /usr/local/etc/WWW/restricted, served as user WWW and group sys). The second Protect directive, on the third line, explicitly associates a different protection set-up file with files in the /system directory; as it names no user.group, those files are served as nobody.nogroup.

  DefProt /restricted/*   /usr/local/etc/WWW/restricted  WWW.sys
  Protect /restricted/confidential/*
  Protect /system/*       /usr/local/etc/WWW/system
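To make the DefProt/Protect resolution concrete, here is an added example (not code from the book or from the CERN server) that applies the same three rules to request paths and also lints the rule set for Protect lines that name no set-up and have no DefProt covering them. Scanning the rules in configuration order with the first matching Protect winning, and treating an uncovered Protect rule as a configuration error, are this example's assumptions; the page says only that the rules are searched.

```python
from fnmatch import fnmatchcase

DEFAULT_USER, DEFAULT_GROUP = "nobody", "nogroup"

# The page's three rules as (directive, template, set-up, user.group).
# The set-up paths and user.group values are the page's; the tuple layout
# is this example's.
RULES = [
    ("DefProt", "/restricted/*", "/usr/local/etc/WWW/restricted", "WWW.sys"),
    ("Protect", "/restricted/confidential/*", None, None),
    ("Protect", "/system/*", "/usr/local/etc/WWW/system", None),
]


def split_ids(user_group):
    """'WWW.sys' -> ('WWW', 'sys'); a missing part falls back to nobody/nogroup."""
    if not user_group:
        return DEFAULT_USER, DEFAULT_GROUP
    user, _, group = user_group.partition(".")
    return user or DEFAULT_USER, group or DEFAULT_GROUP


def resolve(path, rules=RULES):
    """Return None if `path` is unprotected, else (set-up, user, group).

    A matching Protect rule marks the file protected.  If that rule names
    no set-up, the first DefProt whose template matches the path supplies
    the set-up and the user.group.  A DefProt on its own protects nothing.
    """
    for kind, template, setup, ids in rules:
        if kind != "Protect" or not fnmatchcase(path, template):
            continue
        if setup is not None:
            return (setup,) + split_ids(ids)
        for kind2, template2, setup2, ids2 in rules:
            if kind2 == "DefProt" and fnmatchcase(path, template2):
                return (setup2,) + split_ids(ids2)
        # Protected, but nothing says how: surfaced as a configuration error
        # (this example's choice; the page does not say what the server does).
        raise LookupError(
            f"Protect {template} names no set-up and no DefProt covers {path}")
    return None


def lint(rules=RULES):
    """Heuristic check for Protect rules with no set-up and no covering DefProt.

    The literal prefix of the Protect template (everything before the first
    '*') is tested against each DefProt template; a rule whose prefix no
    DefProt matches protects files with nothing to enforce the protection.
    """
    defprot_templates = [t for k, t, _, _ in rules if k == "DefProt"]
    uncovered = []
    for kind, template, setup, _ in rules:
        if kind == "Protect" and setup is None:
            prefix = template.split("*", 1)[0]
            if not any(fnmatchcase(prefix, d) for d in defprot_templates):
                uncovered.append(template)
    return uncovered


if __name__ == "__main__":
    for p in ("/restricted/confidential/plan.txt", "/restricted/public.html",
              "/system/passwd", "/index.html"):
        print(p, "->", resolve(p))
    print("uncovered:", lint(RULES + [("Protect", "/secret/*", None, None)]))
```

`resolve` returns the identity the server would switch to as well as the set-up, so it doubles as a quick check that a rule meant to run as a restricted user is not silently falling back to nobody.nogroup.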

A protection set-up can be the name of a separate protection set-up file containing protection information or can refer to a Protection directive earlier in the configuration file. Protection set-up files are simple text files and can be edited with any text editor. The following directives may be used in a protection set-up:

AuthType
The authentication mechanism; currently only Basic authentication is supported. Basic authentication sends the user name and password base64-encoded, not encrypted, so anyone able to observe the connection can read them.

ServerID
A logical server identifier that is used to distinguish between different security realms on a server that uses a number of different password files.

PasswdFile
The path of the password file to be used for this protection set-up.

GroupFile
The path of the group file to be used for this protection set-up.

GetMask
List of groups or users allowed to make HTTP GET requests.

PutMask
List of groups or users allowed to make HTTP PUT requests.

PostMask
List of groups or users allowed to make HTTP POST requests.

Mask
General list of groups or users allowed to make HTTP requests not covered by the specific masks.

ACLOverride
Controls whether ACL files override the masks in the protection set-up.

UserID
The UNIX user ID to which the server process should change when serving the request (only valid in the server configuration file).

GroupID
The UNIX group ID to which the server process should change when serving the request (only valid in the server configuration file).

For example, a protection set-up file might contain the following information:

  PasswdFile  /usr/local/etc/WWW/passwd.restricted
  GroupFile   /usr/local/etc/WWW/group.restricted
  GetMask     authors
  ServerID    restricted
  AuthType    Basic

This specifies a set-up allowing access to users in the group authors, as defined by the specified group and password files, and assigns the set-up the logical identifier, restricted.

Starting with version 3.0 of the CERN server, protection set-ups can be defined in the server configuration file using the Protection directive or can be included in-line in Protect and DefProt directives. Protection set-up names must be defined before they are used. The syntax is:  

  Protection setup-name { 
      directives 
      ...
  }

This defines a protection set-up named setup-name. Protection directives are enclosed within braces, as shown in the following example:

  Protection AUTHORS-ONLY {
      UserID      WWW
      GroupID     sys
      AuthType    Basic
      ServerID    restricted
      PasswdFile  /usr/local/etc/WWW/passwd.restricted
      GroupFile   /usr/local/etc/WWW/group.restricted
      GetMask     authors
  }

Protect /contrib/misc/* AUTHORS-ONLY

The user and group under which the server process serves a protected file are those given by the UserID and GroupID directives of a protection set-up in the server configuration file, or by the user.group parameter of a DefProt or Protect directive; they default to nobody and nogroup respectively. The UserID and GroupID directives cannot be used in separate protection set-up files, as those files may be outside the control of the Web server administrator and would otherwise let whoever can edit them choose the identity the server runs as.

Protection set-ups can also be included in-line in DefProt and Protect directives. The previous example could also be written:

  Protect /contrib/misc/* {
      UserID      WWW
      GroupID     sys
      AuthType    Basic
      ServerID    restricted
      PasswdFile  /usr/local/etc/WWW/passwd.restricted
      GroupFile   /usr/local/etc/WWW/group.restricted
      GetMask     authors
  }

The protection set-up mechanism can also be used to restrict access to a proxy server. For example, if the internal network uses addresses in 192.168.0.0/16, the following lines in the configuration file of the proxy server restrict its use to browsers on hosts on the internal network. This is address-based access control with no authentication: it is only as strong as the assumption that a connection with a source address in that range can only have come from an internal host.

  Protection internal-hosts {
      Mask    @192.168.*.*
  }

  Protect http:*    internal-hosts
  Protect gopher:*  internal-hosts
  Protect ftp:*     internal-hosts
  Protect news:*    internal-hosts
  Protect wais:*    internal-hosts
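As an added example (not the book's or the CERN server's own code) covering the Protection block, in-line and mask syntax of this section, the following parses a constructed configuration fragment and then decides requests against GetMask, PutMask, PostMask and Mask, including the @address pattern used for the proxy. The comma-separated mask list, the in-memory group table, denying when no mask covers the method, and handling only named set-ups that are Protection blocks (not set-up files) are assumptions of this example; on a real server group membership comes from GroupFile. It also decodes a Basic Authorization header, which is all an eavesdropper needs to do.

```python
import base64
from fnmatch import fnmatchcase

# Constructed configuration text for this example (not the page's file).
CONFIG = """
Protection AUTHORS-ONLY {
    AuthType    Basic
    ServerID    restricted
    GetMask     authors
}
Protection internal-hosts {
    Mask        @192.168.*.*
}
Protect /contrib/misc/*  AUTHORS-ONLY
Protect http:*           internal-hosts
Protect /drafts/* {
    AuthType    Basic
    GetMask     authors, ann
    PutMask     ann
}
"""

# Hypothetical group membership; a real server reads it from GroupFile.
GROUPS = {"authors": {"ann", "bob"}}


def parse(text):
    """Return [(template, setup_dict), ...] in configuration order.

    A named set-up must appear as a Protection block before the Protect
    line that uses it (a later reference raises KeyError, mirroring the
    define-before-use rule); an in-line set-up is the brace block that
    follows the template.  Set-ups held in separate files are not handled.
    """
    setups, protects, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if block is not None:                    # inside { ... }
            if line == "}":
                block = None
            else:
                key, value = line.split(None, 1)
                block[key] = value
            continue
        words = line.split()
        if words[0] == "Protection" and words[-1] == "{":
            block = setups[words[1]] = {}
        elif words[0] == "Protect":
            template, rest = words[1], words[2:]
            if rest and rest[0] == "{":
                block = {}
                protects.append((template, block))
            else:
                protects.append((template, setups[rest[0]]))
    return protects


def entry_allows(entry, user, client_ip):
    """One mask entry: '@address-pattern', a group name, or a user name."""
    if entry.startswith("@"):
        return fnmatchcase(client_ip, entry[1:])
    if entry in GROUPS:
        return user in GROUPS[entry]
    return entry == user


def allowed(protects, method, path, user, client_ip):
    """Decide a request: the method-specific mask first, then Mask.  No mask
    covering the method means deny (this example's conservative choice)."""
    for template, setup in protects:
        if not fnmatchcase(path, template):
            continue
        mask = setup.get(method.capitalize() + "Mask") or setup.get("Mask")
        if mask is None:
            return False
        return any(entry_allows(e.strip(), user, client_ip)
                   for e in mask.split(","))
    return True                                  # no Protect rule: unprotected


def basic_user(authorization):
    """User name from an 'Authorization: Basic <base64(user:password)>' value.
    Basic only base64-encodes the pair; anyone who sees the request can
    recover both fields exactly as this function does."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return None
    user, _, _password = base64.b64decode(token).decode().partition(":")
    return user or None


if __name__ == "__main__":
    rules = parse(CONFIG)
    user = basic_user("Basic YW5uOnMzY3JldA==")                               # 'ann'
    print(allowed(rules, "GET", "/contrib/misc/tool.c", user, "10.0.0.5"))     # True
    print(allowed(rules, "PUT", "/contrib/misc/tool.c", user, "10.0.0.5"))     # False
    print(allowed(rules, "GET", "http://example.org/", None, "192.168.7.9"))   # True
    print(allowed(rules, "GET", "http://example.org/", None, "203.0.113.4"))   # False
```

The PUT case is worth noting: AUTHORS-ONLY sets only GetMask and no Mask, so a PUT by a member of authors is refused, whereas the in-line /drafts/* set-up grants PUT to ann alone while letting the whole group GET.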



Spinning the Web by Andrew Ford
© 1995 International Thomson Publishing
© 2002 Andrew Ford and Ford & Mason Ltd
Note: this HTML document was generated in December 1994 directly from the LaTeX source files using LaTeX2HTML. It was formatted into our standard page layout using the Template Toolkit. The document is mainly of historical interest as obviously many of the sites mentioned have long since disappeared.

 
Copyright © 1996-2002 Ford & Mason Ltd