Previous Page: Restricting Access  Next Page: Port Number Assignments

Examples of Restricting Access

This section describes some common examples for restricting access to a Web server and its contents. Some of these examples assume you set up the default ACL to deny anyone access to the server. You can also add a deny all line as the first rule to each of these examples, as done in the example for the entire server.


Restricting Access to the Entire Server

This example allows access to users in a group called Employees, and only when they reach the server from computers in a particular subdomain. There are no access control rules for other resources on the server. You might use this example if you have a server for a department and you only want users to access the server from computers in a specific subdomain of your network.

  1. From the Web Manager home page, click Enterprise Web Server servername > Server Preferences > Restrict Access.

  2. In the section called Pick a Resource, select the entire server from the Editing drop-down list.

    Make sure the entire server is the selected resource before you continue; the rules you add in the following steps apply to whatever is selected here.

  3. Click Edit Access Control.

  4. Click New Line.

  5. Click New Line again to create a second rule.

  6. Click Deny in the second rule.

  7. In the bottom form that appears, select Allow > click Update.

  8. Click Anyone in the second rule.

  9. In the bottom form, type the group that you want to have access to the server.

    For this example, type Employees in the Group field.

    HINT:  Note that the two options, Authenticated People Only and Only the Following People, are checked automatically.

  10. Click Update.

  11. Click Anyplace in the second rule.

  12. In the bottom form, type a wildcard pattern for the hostnames of the computers you want to allow.

    For example, type *.emp.mozilla.com in the Host Names field.

  13. Click Update.

  14. Uncheck the Continue box in the second rule of the top frame > click Submit.

  15. Click Save and Apply.

Be sure to restart the server for the changes to take effect. The following text is the ACL file for this example:

# File automatically written
#
# You may edit this file by hand
#
version 3.0;
acl "default";
deny (all)
    user = "anyone";
allow absolute (all)
    group = "employees" and
    dns = "*.emp.mozilla.com";

Restricting Access to a Directory (Path)

This example lets users in a group called Executives have read access to a directory and its subdirectories and files on the server. The user called CEO has full permissions to the directory.

You might use this example if you have a directory on your server that one person owns (he or she publishes to this directory) and you want one group of users to read the files. For example, you might have a project owner who publishes status information for the project team to review.

  1. From the Web Manager home page, click Enterprise Web Server servername > Server Preferences > Restrict Access.

  2. In the section called Pick a Resource, click Browse.

  3. In the form that appears, click the link for the directory you want to restrict.

    HINT:  If you want to view all files in your server root, click Options on the Choose a Part of Your Server form > check the List Files As Well As Directories checkbox > click OK.

  4. Click Edit Access Control.

  5. Click New Line twice to create two rules.

    IMPORTANT:  Don't edit the default values for the first rule. These values deny all access to the directory. You'll edit the second rule to allow read access to the Executives group.

  6. Click Deny in the second rule.

  7. In the bottom form that appears, select Allow > click Update.

  8. Click Anyone in the second rule.

  9. In the bottom form, type the group you want to have access to the server.

    For this example, type Executives in the Group field.

  10. Click Update.

  11. Click All in the top frame.

  12. Uncheck the Write and Delete access rights.

  13. Click Update.

  14. Click New Line to create a rule for the CEO user.

  15. Select Allow.

  16. Click Anyone in the third rule.

  17. In the bottom form, type CEO in the User field > click Update.

  18. Uncheck Continue for both the second and the third rules.

    This means that the server ignores any ACLs for directories or files under the directory you specified above.

  19. Click Submit > Save and Apply.

The entry in the GENERATED.HTTPS-serverid.ACL file for this example looks like this:

acl "path=d:/novonyx/suitespot/docs/senior-staff/"; 
deny (all)  
    user = "anyone"; 
allow absolute (read,execute,list,info)  
    group = "executives"; 
allow absolute (all)  
    user = "ceo";

Restricting Access to a URI (Path)

This example uses a URI to control access to a single user's content on the Web server. URIs are paths and files relative to the server's document root directory. Using URIs is an easy way to manage your server's content if you frequently rename or move all or part of it (for example, to another disk), because the ACL is tied to the URI rather than to the physical path. It's also a good way to handle access control if you have additional document roots.

This example gives anyone read access to files and directories in the path specified by the URI /MY_DIRECTORY. Only one user (yourself in this example) has full access to the directories and files.

You might use this example if you have several users who publish their content on your server. The users want to have write access to their content, and they want anyone to have read/execute access.

  1. From the Web Manager home page, click Enterprise Web Server servername > Server Preferences > Restrict Access.

  2. In the section called Type In the ACL Name, type the URI you want to control.

    For example, type URI=/my_directory. Click Edit Access Control. The two-frame forms appear.

  3. Click New Line to create the first rule that allows all users read access.

  4. Click Deny.

  5. In the bottom form that appears, select Allow > click Update.

  6. Click All.

  7. Uncheck the Write and Delete access rights.

    This means users can't add or remove files, but they can view them and run any applications in the directories.

  8. Click Update.

  9. Click New Line to create a rule for the owner of the directory > select Allow for the second rule.

  10. Click Anyone.

  11. In the bottom form, type ME in the User field > click Update.

  12. Uncheck Continue for both the first and second rules.

    This means that the server ignores any ACLs for other URIs, directories, or files under the URI you specified above.

  13. Click Submit > Save and Apply.

The entry in the GENERATED.HTTPS-serverid.ACL file for this example looks like this:

acl "uri=/my_directory"; 
allow absolute (read,execute,list,info)  
    user = "anyone"; 
allow absolute (all)  
    user = "me";

Restricting Access to a File Type

This example controls write and delete access to all files with the extension .CGI. You might use this example if you only want specific users to create programs that run on your server. In this example, anyone can run the programs, but only users in the Programmers group can create or delete them.

  1. From the Web Manager home page, click Enterprise Web Server servername > Server Preferences > Restrict Access.

  2. In the section called Pick a Resource, click Wildcard.

  3. In the prompt that appears, type *.CGI > click OK.

    This wildcard pattern matches any request that contains a file or directory with the .CGI extension.

  4. Click Edit Access Control.

  5. Click New Line to create the first rule that will allow all users read access.

  6. Click Deny.

  7. In the bottom form that appears, select Allow > click Update.

  8. Click All > uncheck the Write and Delete access rights.

    This means users can't add or remove files or directories with the .CGI extension.

  9. Click Update.

  10. Click New Line to create a rule that allows write and delete access to the Programmers group.

  11. Select Allow for the second rule.

  12. Click Anyone.

  13. In the bottom form, type Programmers in the Group field.

  14. Click Update > Submit > Save and Apply.

In this example, both Continue boxes are checked. This means that if a file is requested, the server will first look at the ACL for the file type, and then it will continue to look for another ACL that matches, for example, an ACL on the URI or the path. The server checks ACLs in the following order:

  1. Pathcheck Functions in OBJ.CONF: For example, these could be wildcard patterns for files or directories. The entry in the ACL file would appear as follows: acl "*.cgi";
  2. URIs: For example, a path relative to the document root. The entry in the ACL file would appear as follows: acl "uri=/my_directory";
  3. Pathnames: For example, an absolute path to a file or directory. The entry in the ACL file would appear as follows: acl "path=d:\novonyx\suitespot\docroot1\sales/";

The entry in the GENERATED.HTTPS-serverid.ACL file for this example looks like this:

acl "*.cgi"; 
allow (read,execute,list,info)  
    user = "anyone"; 
allow (all)  
    group = "programmers";
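The evaluation order above, together with the Continue box (absolute rules) and the deny-all-then-allow pattern used in the earlier examples, is easiest to understand by running it. The following Python model is an added example written for this page; it is not the server's ACL engine and it reads the semantics from the page's own wording: ACLs are consulted wildcard, then URI, then path; within an ACL the last matching rule sets the decision; a matching absolute rule ends evaluation; an ACL with no matching rule leaves the decision unchanged; and the starting decision is deny, the default ACL this page assumes. The user names ann, pat, eve, sam and the host names are constructed test data.

```python
"""Model of the ACL evaluation this page describes (illustrative, not the server's engine).
ACLs are consulted wildcard, then URI, then path. Within an ACL the last matching
rule sets the decision (hence deny-all first, the specific allow after it); a
matching absolute rule (Continue unchecked) ends evaluation so later ACLs cannot
change the result; an ACL with no matching rule leaves the decision untouched;
the starting decision is "deny", the page's assumed default ACL.
"""
import fnmatch

ALL_RIGHTS = frozenset({"read", "write", "execute", "delete", "list", "info"})
READ_ONLY = ALL_RIGHTS - {"write", "delete"}   # "All" with Write and Delete unchecked

# User and host tests, mirroring the attribute expressions in the ACL file.
def anyone(req):
    return True

def user(name):
    return lambda req: req["user"] == name

def group(name):
    return lambda req: name in req["groups"]

def dns(pattern):                              # e.g. dns = "*.emp.mozilla.com"
    return lambda req: fnmatch.fnmatchcase(req["dns"].lower(), pattern.lower())

def both(*preds):                              # "... and ..."
    return lambda req: all(p(req) for p in preds)

def applies(acl_name, req):
    """Does an ACL named as in the generated file cover this request?"""
    if acl_name == "default":
        return True
    if acl_name.startswith("uri="):
        return req["uri"].startswith(acl_name[4:])
    if acl_name.startswith("path="):
        return req["path"].lower().startswith(acl_name[5:].lower())
    return fnmatch.fnmatchcase(req["uri"].lower(), acl_name.lower())   # wildcard, e.g. *.cgi

def evaluate(acls, req, right):
    """Return (decision, ACL whose absolute rule ended evaluation or None, trace)."""
    decision, trace = "deny", []
    for name, rules in acls:
        if not applies(name, req):
            continue
        for action, absolute, rights, pred in rules:
            if right in rights and pred(req):
                decision = action
                trace.append(f"{name}: {action}" + (" absolute" if absolute else ""))
                if absolute:                   # Continue unchecked: stop here
                    return decision, name, trace
    return decision, None, trace

# The three resource ACLs from this page, in evaluation order.
# A rule is (action, absolute, rights, predicate).
ACLS = [
    ("*.cgi", [                                # file type: both Continue boxes checked
        ("allow", False, READ_ONLY, anyone),
        ("allow", False, ALL_RIGHTS, group("programmers")),
    ]),
    ("uri=/my_directory", [                    # URI: Continue unchecked on both rules
        ("allow", True, READ_ONLY, anyone),
        ("allow", True, ALL_RIGHTS, user("me")),
    ]),
    ("path=d:/novonyx/suitespot/docs/senior-staff/", [   # directory: deny-all first
        ("deny", False, ALL_RIGHTS, anyone),
        ("allow", True, READ_ONLY, group("executives")),
        ("allow", True, ALL_RIGHTS, user("ceo")),
    ]),
]

# The entire-server example, evaluated on its own.
SERVER_ACL = [
    ("default", [
        ("deny", False, ALL_RIGHTS, anyone),
        ("allow", True, ALL_RIGHTS, both(group("employees"), dns("*.emp.mozilla.com"))),
    ]),
]

DOCS = "d:/novonyx/suitespot/docs"             # constructed request data for the demo

def request(user_name, groups=(), host="pc1.example.com", uri="/", path=None):
    return {"user": user_name, "groups": set(groups), "dns": host, "uri": uri,
            "path": path if path is not None else DOCS + uri}

if __name__ == "__main__":
    print(evaluate(ACLS, request("pat", {"programmers"}, uri="/senior-staff/run.cgi"), "write"))
    print(evaluate(ACLS, request("eve", {"executives"}, uri="/senior-staff/plan.html"), "read"))
    print(evaluate(SERVER_ACL, request("sam", {"employees"}, "pc7.other.com"), "read"))
```

The first call is the instructive one: the *.cgi ACL allows the programmer to write, but because its Continue box is checked the server goes on to the path ACL, whose deny-all line reverses the decision. Make the *.cgi rule absolute and the same request would be allowed regardless of the directory's own ACL, which is rarely what you want for a file-type rule.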

Restricting Access Based on Time of Day

This example restricts write and delete access to the server during working hours. You might use it if you don't want people publishing documents at times when others are likely to be reading the files. It allows users to publish during the evening hours on weekdays (between 6:00 p.m. and 6:00 a.m., Monday through Friday) and at any time during the weekend.

  1. From the Web Manager home page, click Enterprise Web Server servername > Server Preferences > Restrict Access.

  2. In the section called Pick a Resource, select the entire server from the Editing drop-down list > click Edit Access Control.

  3. Click New Line.

  4. Click Deny.

  5. In the bottom form that appears, select Allow > click Update.

  6. Click All > uncheck the Write and Delete access rights.

    This means that if a user wants to add, update, or delete a file or directory, this rule won't apply and the server will search for another rule that matches.

  7. Click Update.

  8. Click New Line to create a second rule that allows write and delete access only outside working hours.

  9. Select Allow for the second rule.

  10. Click the X link to create a customized expression.

  11. In the bottom field, edit the existing lines to include the following:

    user = "anyone" and
    dayofweek = "sat,sun" or
    (timeofday >= 1800 or
    timeofday <= 600)

    The two timeofday tests must be joined with or, not and: no single clock value is both at or after 1800 and at or before 600, so an and between them would make the rule never match on a weekday. Because user = "anyone" is always true, the expression allows write and delete at any time on Saturday and Sunday, and on other days only between 6:00 p.m. and 6:00 a.m.

  12. You might want to select the entire text element and copy it to the clipboard; if there are errors, you'll have to re-enter the text.

  13. Click Update.

    The top form will display unrecognized expressions in the Users/Groups and From Host columns, because you created a custom expression.

  14. Click Submit.

    If you made any errors in the custom expression, you'll get a JavaScript alert. Correct any changes > click Submit again.

  15. Click Save and Apply.

  16. Restart your server for the changes to take effect.
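The time window in step 11 wraps past midnight, which is the part of a custom expression most easily got wrong: joining the two timeofday tests with and instead of or produces an expression that never matches on a weekday, and the Web Manager's syntax check will not catch that because the expression is still well formed. The following Python check is an added example written for this page, not server code: it evaluates both forms of the expression, with the same operators and the same HHMM integer the ACL compares (600 is 6:00 a.m., 1800 is 6:00 p.m.), over every minute of a day. The function names are mine.

```python
"""Evaluate the page's dayofweek/timeofday expression over a whole day.

timeofday is the HHMM integer the ACL compares (600 = 6:00 a.m., 1800 = 6:00 p.m.)
and dayofweek the three-letter day name. as_written() uses "and" between the two
timeofday tests, corrected() uses "or". Added check for this page, not server code.
"""

WEEKEND = ("sat", "sun")

def as_written(dayofweek, timeofday):
    # (timeofday >= 1800 and timeofday <= 600) cannot be true for any single
    # clock value, so only the weekend branch can ever match.
    return dayofweek in WEEKEND or (timeofday >= 1800 and timeofday <= 600)

def corrected(dayofweek, timeofday):
    # A window that wraps past midnight is the union of two ranges:
    # at or after 6 p.m., or at or before 6 a.m.
    return dayofweek in WEEKEND or (timeofday >= 1800 or timeofday <= 600)

def minutes_allowed(rule, dayofweek):
    """Count the HHMM values in one day for which the rule grants write/delete."""
    return sum(1 for h in range(24) for m in range(60) if rule(dayofweek, h * 100 + m))

if __name__ == "__main__":
    for name, rule in (("as written", as_written), ("corrected", corrected)):
        print(f"{name:10}: mon {minutes_allowed(rule, 'mon'):4d} min, "
              f"sat {minutes_allowed(rule, 'sat'):4d} min")
```

On a weekday the as-written form allows publishing for zero minutes, the corrected form for the 721 minutes from 18:00 through 06:00 inclusive; both allow all 1440 minutes on Saturday. Run a sweep like this against any custom expression before you click Submit, since the server only reports syntax errors, not rules that can never match.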
