Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp
Aichi University
Kurozasa 370, Miyoshi-cho
Aichi, Japan
2002/02/01

Powered by Pegasus
Access control on IP
NAME
allow
LOCATION
/etc/allow
DESCRIPTION
The file `allow' controls access from clients based on the client IP address.
This file must be located in
/etc
in service space.
Users and virtual hosts are permitted to have their own web root directory,
and the directory `etc' under that web root is seen as /etc in service space.
Below is an example:
#
# This file restricts access by IP.
# The restriction is effective for all subtrees.
#
# Shell-style wild cards may be used.
# Pegasus extension:
# a symbol `~' at the beginning means negation,
# so we don't need a deny file.
#
/test/authtest/private/room1
	*.*.*.*[13579]
/test/authtest/private/room2
	~*.*.*.*[13579]
/test/authtest/private/room1/more1
	*.*.*[0-4].*
/test/authtest/private/room1/more2
	*.*.*[5-9].*
/test/authtest/private/room2/more1
	*.*.*[0-4].*
/test/authtest/private/room2/more2
	*.*.*[5-9].*
The contents of `allow' are a collection of path names and IP address patterns.
A path name must be an absolute path and must start in the first column.
IP patterns must follow whitespace, and more than one IP pattern may be given
for each path. IP patterns in a line are separated by spaces,
and the list of IP patterns may continue on the following lines.
A path restricts access to the directories below that path; in this sense the path
may be called a `path pattern'.
On the other hand, the IP patterns are the list of IPs that are allowed to access
those directories.
Therefore, if there is no path pattern that restricts the request, the request is permitted.
If more than one path pattern restricts the request, the request is
rejected unless the client IP is allowed by all of these path patterns.
For example, in order to enter
/test/authtest/private/room1/more1
the IP address of the client must match not only
*.*.*.*[13579]
but also
*.*.*[0-4].*
IP patterns are written using shell-style pattern matching.
There is one extension to this rule:
a symbol `~' at the beginning of an IP pattern means negation.
Using this symbol we can reject IPs matching some pattern.
For example, the pattern ~* rejects all IPs
(therefore a separate `deny' file is not needed).
The path comparison is performed after all URI redirection.
Therefore we can assume that the requested path ends with a file name.
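As an added worked example (not code from Pegasus itself), the following Python reads an `allow' file in the layout above and evaluates a request under the rules just described: every path pattern that restricts the request must admit the client IP. How one entry combines positive and `~' patterns is not spelled out on this page, so the example assumes an IP passes an entry when it matches no negated pattern and, where positive patterns exist, at least one of them.

```python
import fnmatch

# Constructed sample in the /etc/allow layout described above, reusing the
# page's example paths and patterns (assumption: continuation lines are
# indented, and patterns may also follow the path on the same line).
ALLOW_TEXT = """\
# restrict by IP; effective for all subtrees
/test/authtest/private/room1      *.*.*.*[13579]
/test/authtest/private/room2
    ~*.*.*.*[13579]
/test/authtest/private/room1/more1
    *.*.*[0-4].*
/test/authtest/private/room2/more2
    *.*.*[5-9].*
"""

def parse_allow(text):
    """Return a list of (path, [patterns]). A path starts in column 1;
    a line starting with whitespace continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank line or comment
        if raw[0].isspace():
            if not entries:
                raise ValueError("IP pattern before any path: %r" % raw)
            entries[-1][1].extend(raw.split())
        else:
            path, *patterns = raw.split()
            entries.append((path, patterns))
    return entries

def ip_allowed(ip, patterns):
    """Assumption (mixed lists are not specified on the page): the IP passes
    when it matches no `~' pattern and, if positive patterns exist, at
    least one of them. A lone `~*' therefore rejects every client."""
    negated = [p[1:] for p in patterns if p.startswith('~')]
    positive = [p for p in patterns if not p.startswith('~')]
    if any(fnmatch.fnmatchcase(ip, p) for p in negated):
        return False
    return not positive or any(fnmatch.fnmatchcase(ip, p) for p in positive)

def restricts(path_pattern, req_path):
    """A path pattern covers that directory and everything below it."""
    prefix = path_pattern.rstrip('/')
    return req_path == prefix or req_path.startswith(prefix + '/')

def request_allowed(entries, req_path, ip):
    """Permit unless some restricting entry rejects the client IP; req_path
    is the path after URI redirection, so it ends in a file name."""
    return all(ip_allowed(ip, pats)
               for path, pats in entries if restricts(path, req_path))
```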