
5.3 Access Control

The VolanoChat server uses the same powerful access control directives used by popular Web servers such as the Apache HTTP Server. These directives allow you to control precisely who connects to your VolanoChat server and through which Web pages those connections may be made. The server reads its access control information from the four files defined in your properties.txt file:

Directives

There are two types of directives in the access control files:

Comments in the file are preceded by the pound character ("#"). In all cases mentioned below, the most specific match wins. If there is a tie between a URL or IP address in both the deny and allow files, the 'allow' directive takes precedence.

Host Access Directives

The host access directives let you specify which client host computers or network blocks may access your VolanoChat server. Since each person connecting to your server is identified by a unique Internet Protocol (IP) address, this control lets you grant or deny chat access for individual visitors to your Web site. The host directive files will only accept an IP address. You cannot use hostnames in these files. A comment can be added to the end of any IP address by using the equals sign as a marker:

192.168.1.0=my local network

Full and partial IP addresses are compared from right to left, with trailing zeros being interpreted as wildcards. So 172.231.0.0 would match any IP address on that subnetwork (from 172.231.0.1 through 172.231.255.254), such as "172.231.5.51".

To indicate all IP addresses, you would use 0.0.0.0. This is useful when you want to allow access to everyone by adding it to the hosts-allow.txt file, and then deny specific addresses in hosts-deny.txt. Or conversely, if you wanted a very secure system you might put 0.0.0.0 in hosts-deny.txt, then only allow access to certain IP addresses or groups of IP addresses in the hosts-allow.txt file.

Referrer Access Directives

The referrer access directives let you specify which Web pages may provide an entry point to your VolanoChat server. Since each Web page is identified by a unique Uniform Resource Locator (URL), this control lets you grant or deny chat access through Web pages on your own site or other sites on the Web. You should specify referrers with a full or partial URL.

URL comparisons are from right to left, so you must specify full host names or full IP addresses in the URL. You can, however, specify a partial URL, as long as the sub-components of the URL are complete. For example, if I wanted to only allow access to a subdirectory on Volano's server, I could specify the following line in the referrers-allow.txt file:

  http\://www.volano.com/chat

This would allow chat entrances to only be placed on pages within the /chat subdirectory. You can also specify a specific webpage, like this:

  http\://www.volano.com/chat/entrance.html

Tip: Some people have figured out a way to get around referrer restrictions by specifying the codebase as an FTP site. To prevent this, simply add ftp\:// to your referrers-deny.txt file. For even greater security, we recommend denying all forms of entry by default:

  file\:=No access using local file
  ftp\:=No access through FTP
  http\:=Deny all Web referrers by default

Then put yourself as the only entry in the referrers-allow.txt file. Because a tie gives precedence to allow, any entrances on your own website will work, while all others should not.


Hint: Omitting the trailing slash at the end of a directory will slightly speed up access control, because it requires the server to perform one less check against your access files.

Important note! Because the referrer access control can be rather easily defeated by imposter VolanoChat applets, you should consider using the new room.nodynamic server property if you need to prevent the creation of dynamic chat rooms from other Web sites. The Apache Web server does not support referrer-based access control, and even the older NCSA HTTPd server states, "Note: This is not perfect. There is nothing to prevent a user from accessing the directory if they are able to modify the Referrer: header that is sent with their browser."
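The matching rules from the host and referrer sections above (trailing-zero wildcards, whole URL components, most specific match wins, a tie goes to allow) are modelled below. This is an added example, not VolanoChat's code; the function names, the sample files and the refuse-when-no-allow-entry-matches default are assumptions.

```python
# Added example: a model of the rules described on this page, not VolanoChat code.

def entries(text):
    """Yield rule keys from an access file ('#' lines are comments, '=' starts a note)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split("=", 1)[0].replace("\\:", ":").strip()

def ip_parts(value, is_rule=False):
    """Octets of an address; in a rule, trailing zero octets are wildcards."""
    parts = value.split(".")
    while is_rule and parts and parts[-1] == "0":
        parts.pop()                      # 0.0.0.0 becomes [] and matches everything
    return parts

def url_parts(value, is_rule=False):
    """Whole components: 'http://www.mysite.com/chat' -> ['http:', 'www.mysite.com', 'chat']."""
    scheme, _, rest = value.partition(":")
    return [scheme.lower() + ":"] + [p for p in rest.split("/") if p]

def allowed(value, allow_text, deny_text, parts):
    """Most specific match wins; a tie goes to allow.

    Assumption: a value that matches no allow entry is refused (the page does
    not state the default for a value that matches neither file).
    """
    have = parts(value)

    def best(text):
        rules = (parts(rule, True) for rule in entries(text))
        return max((len(r) for r in rules if have[:len(r)] == r), default=None)

    allow, deny = best(allow_text), best(deny_text)
    return allow is not None and (deny is None or allow >= deny)

# Constructed sample files (addresses and site names are illustrative).
HOSTS_ALLOW = "0.0.0.0=everyone\n172.231.5.51=my own workstation\n"
HOSTS_DENY = "# banned\n172.231.0.0=problem subnet\n172.231.5.51=banned by mistake\n"
REF_ALLOW = "http\\://www.mysite.com=our site\n"
REF_DENY = ("file\\:=No access using local file\nftp\\:=No access through FTP\n"
            "http\\:=Deny all Web referrers by default\n")

if __name__ == "__main__":
    for ip in ("203.0.113.9", "172.231.9.9", "172.231.5.51"):
        print(ip, allowed(ip, HOSTS_ALLOW, HOSTS_DENY, ip_parts))
    for ref in ("http://www.mysite.com/chat/entrance.html", "http://mysite.com/chat.html"):
        print(ref, allowed(ref, REF_ALLOW, REF_DENY, url_parts))
```

Pass `ip_parts` for the hosts files and `url_parts` for the referrers files; the decision logic is the same for both.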

Examples

Most VolanoChat customers want to run their VolanoChat server in one of two general Web access modes:

The first mode brings together a global community of related Web sites, while the second adds chat to the pages of a single Web site.

In the first instance, you can allow anyone to access your chat server by specifying 0.0.0.0 in your hosts-allow.txt file. Then you can permanently ban problem users or groups of users by specifying those IPs in your hosts-deny.txt file.

Hint: To prevent yourself from getting accidentally banned, you might want to put your own computer's IP address in the hosts-allow.txt file. Since a tie grants access, even a specific ban on your IP will be overridden and you will still be allowed access.

To allow anyone to put an entrance to your chat server on their webpage, specify this in your referrers-allow.txt file:

  http\://

If, on the other hand, you want to allow anyone to access your chat server, but only allow chat entrances to reside on your own website, you would specify this in your referrers-allow.txt file:

  http\://www.mysite.com

where www.mysite.com is the domain name of your own website.

Note: The Chat server will treat the following URLs differently.
  http://www.mysite.com/chat.html
  http://mysite.com/chat.html

If you use both ways of specifying your site in your HTML, or if people commonly omit the www. to access your site, you should put both domain names in your referrers-allow.txt file, like this:

  http\://www.mysite.com
  http\://mysite.com

The host access is usually used either to:

The former case was shown above. If you want to restrict host access to a particular domain, as in the latter case, you can do so by specifying your company's range of IP addresses in the hosts-allow.txt file:

192.168.1.0

Note: You can only specify an IP range to within a specific octet. So you should choose the next highest order of octet that will fully encompass your company's IPs. Contact your network admin if you have any questions regarding this.

Then deny all other hosts by putting this in your hosts-deny.txt:

0.0.0.0

In this case, we've allowed only the hosts 192.168.1.1 through 192.168.1.254 to access the chat server.



John Neffenger <john@status6.com>