This module applies regular expressions to the requested URL, including the HTTP method, URI, QUERY_STRING and body content.
It is specially designed for an Apache server acting as a secure reverse proxy, filtering access to CGI programs and their parameters.
Here is an example:
    # Deny all
    EAccessEnable on
    # Log grants and denies to logs/eaccess_log
    EAccessLogLevel 1
    # Allow cgi toto, called by GET, without any QUERY_STRING.
    EAccessRule permit "^GET /cgi-bin/toto$"
    # Allow cgi titi, called by GET, with a QUERY_STRING starting with the text
    # "field1=".
    EAccessRule permit "^GET /cgi-bin/titi\?field1="
    # The same, called by POST.
    EAccessRule permit "^POST /cgi-bin/titi\|field1="
    # Allow cgi tata, called by GET, with a QUERY_STRING matching a sequence
    # of 0 through 5 {letter, number or %encoded character}.
    EAccessRule permit "^GET /cgi-bin/tata\?([0-9a-zA-Z]|%[A-E0-9][A-E0-9]){0,5}$"
    # Deny all other cgi
    EAccessRule deny "^GET /cgi-bin/.*$"
    EAccessRule deny "^GET /.*\.cgi.*$"
    # Allow all other URLs, called by GET
    EAccessRule permit "^GET /.*$"
Extract apache:
    % tar zxf apache_1.x.y.tar.gz
Extract mod_eaccess:
    % tar zxf mod_eaccess-x.y.tar.gz
Configure apache with mod_eaccess:
    % cd apache_1.x.y
    % ./configure --add-module=../mod_eaccess-x.y/mod_eaccess.c ...
Compile:
    % make
EAccessEnable directive
Syntax:  EAccessEnable on|off
Default: EAccessEnable off

The EAccessEnable directive enables or disables the runtime extended access control engine. If it is set to off, this module does no runtime processing at all. If it is set to on, this module does runtime processing and first sets the default policy to deny all.
EAccessRule directive
Syntax: EAccessRule action pattern [option]

The EAccessRule directive is the real extended access control workhorse. The directive can occur more than once; each directive then defines one single access control rule. The definition order of these rules is important, because this order is used when applying the rules at run-time.

action can be one of permit, deny, warning or auth/{basic|securid}[=n]. For an auth/* action, an optional value n can be added to set the Time To Live of the authentication. If not set, the default TTL is 0.

pattern is an extended regular expression which is applied to the current URL. If the first character of pattern is !, the sense of matching is inverted.

option only applies to auth/* actions and is optional. When set, it specifies the realm (auth/basic) or the redirection location (auth/securid) for this action.
For each requested URL, the module constructs the following string for controls:

    METHOD URI?QUERY_STRING|BODY

where ?QUERY_STRING and |BODY are only appended when the request carries them (the log messages below write this as METHOD URI[?args[|data]]). This string is then used by the module to try to match a pattern defined in EAccessRule.
As the default policy is set to deny all when extended access control is set to on, the algorithm used by the module for each URL is:

For each EAccessRule directive, in definition order, if the control string matches pattern (or does not match it, when pattern starts with !), then:
    permit action: access is granted and the loop stops,
    deny action: access is denied (404) and the loop stops,
    warning action: a ** WARNING ** is logged,
    auth/* action:
        when no auth HTTP header is present:
            auth/basic: access is denied (error 401 with the realm set in the option is returned) and the loop stops,
            auth/securid: access is redirected (error 302 with the location set in the option is returned) and the loop stops,
        when the auth HTTP header is expired:
            auth/basic: access is denied (error 401 with the realm set in the option is returned) and the loop stops,
            auth/securid: access is redirected (error 302 with the location set in the option is returned) and the loop stops.

In fact, for an auth/* action, if option is set in the rule, we do not trust the web server: authentication is first checked by mod_eaccess. If option is not set, we trust the web server and do not check whether an authentication is set in the HTTP header. The default TTL is 0, which means no timeout.
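The control-string construction and the ordered, default-deny rule walk described above, as an added Python model (not the module's own C code). It loads the page's example rules plus one constructed inverted "!pattern" warning rule, models only the permit/deny/warning actions (no auth/*), and numbers rules from 1 as the "RE #nnn" log messages do (an assumption).

```python
import re
# Constructed config for this demo: the page's example rules plus one inverted
# "!pattern" warning rule; not the module's code. Only permit/deny/warning modelled.
CONFIG = r'''
EAccessRule permit "^GET /cgi-bin/toto$"
EAccessRule permit "^GET /cgi-bin/titi\?field1="
EAccessRule permit "^POST /cgi-bin/titi\|field1="
EAccessRule permit "^GET /cgi-bin/tata\?([0-9a-zA-Z]|%[A-E0-9][A-E0-9]){0,5}$"
EAccessRule warning "!^GET /cgi-bin/"
EAccessRule deny "^GET /cgi-bin/.*$"
EAccessRule deny "^GET /.*\.cgi.*$"
EAccessRule permit "^GET /.*$"
'''
RULE_RE = re.compile(r'^\s*EAccessRule\s+(permit|deny|warning)\s+"(.*)"\s*$')

def parse_rules(text):
    """Return [(action, inverted, compiled_regex)] in definition order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            action, pattern = m.groups()
            inverted = pattern.startswith("!")   # leading '!' inverts the match
            rules.append((action, inverted, re.compile(pattern[inverted:])))
    return rules

def control_string(method, uri, args="", body=""):
    """Build 'METHOD URI[?args[|data]]', the string the module matches on."""
    target = f"{method} {uri}"
    if args:
        target += "?" + args
    if body:
        target += "|" + body
    return target

def evaluate(rules, method, uri, args="", body=""):
    """Walk rules in order, default deny; returns (status, deciding_rule, warned)."""
    target = control_string(method, uri, args, body)
    warned = []
    for n, (action, inverted, rx) in enumerate(rules, start=1):
        matched = rx.search(target) is not None
        if matched != inverted:            # a match, or a non-match under '!'
            if action == "permit":
                return 200, n, warned
            if action == "deny":
                return 404, n, warned
            warned.append(n)               # warning: log it and keep looping
    return 404, None, warned               # no rule matched: default deny

RULES = parse_rules(CONFIG)
```

Note that a query string on toto, or a sixth character in tata's query, falls through to the catch-all deny for /cgi-bin/, and a POST to a non-CGI URL is refused by the default policy because only GET is permitted there.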
EAccessLog directive
Syntax:  EAccessLog filename
Default: EAccessLog logs/eaccess_log

The EAccessLog directive sets the name of the file to which the server logs any extended access controls it performs. If the name does not begin with a slash ('/'), it is assumed to be relative to the Server Root.

When EAccessLogLevel is set, each action logs a line in the common log format (host, ident, authuser, date), followed by a text depending upon the action:

    RE #nnn grants access to 'METHOD URI[?args[|data]]'
    RE #nnn denies access to 'METHOD URI[?args[|data]]'
    default denies access to 'METHOD URI[?args[|data]]'
    RE #nnn *** WARNING! *** 'METHOD URI[?args[|data]]'
    RE #nnn AUTH not needed 'METHOD URI[?args[|data]]'
        EAccessRule auth/*, and no auth HTTP header is present,
    RE #nnn AUTH starting on 'METHOD URI[?args[|data]]'
    RE #nnn AUTH unTTLed for 'METHOD URI[?args[|data]]'
    RE #nnn AUTH not expired 'METHOD URI[?args[|data]]'
    RE #nnn AUTH too old for 'METHOD URI[?args[|data]]'
        EAccessRule auth/*, and the auth HTTP header is expired (error 401 for auth/basic or 302 for auth/securid is returned),
    RE #nnn AUTH removed for 'METHOD URI[?args[|data]]'
        EAccessRule auth/*, and the auth HTTP header is expired (this header is then removed),
    RE #nnn AUTH err 401 for 'METHOD URI[?args[|data]]'
        EAccessRule auth/basic, and no Authenticate: HTTP header is present,
    RE #nnn AUTH err 302 for 'METHOD URI[?args[|data]]'
        EAccessRule auth/securid, and no Cookie: AceHandle HTTP header is present.

Notice: To disable the logging, it is not recommended to set filename to /dev/null, because although the module then creates no output in a logfile, it still builds the logfile output internally. This will slow down the server! To disable logging, use EAccessLogLevel 0.
EAccessLogLevel directive
Syntax:  EAccessLogLevel level
Default: EAccessLogLevel 0

The EAccessLogLevel directive sets the verbosity level of the extended access control logfile. Level 0 means no logging. Level 1 logs which EAccessRule grants or denies access to a URL. Levels above 1 are for debugging.
EAccessCache directive
Syntax:  EAccessCache filename
Default: EAccessCache logs/eaccess_auth

The EAccessCache directive sets the name of the file in which the server caches user authentications when auth/* is used in EAccessRule. If the name does not begin with a slash ('/'), it is assumed to be relative to the Server Root.

Notice: So that a dump of the cache does not reveal credentials, only an MD5 digest of each authentication is stored.
Limitation: only the beginning of the body can be checked (the amount is bounded by DEFAULT_BUFSIZE, defined in buff.c), so a rule on body content cannot enforce anything about data beyond that prefix.