5.3 Access Control
The VolanoChat server uses the same powerful access control directives used by popular Web servers such as the Apache HTTP Server. These directives allow you to control precisely who connects to your VolanoChat server and through which Web pages those connections may be made. The server reads its access control information from the four files defined in your properties.txt file:
There are two types of directives in the access control files:
- host access directives (hosts-*.txt), and
- referrer access directives (referrers-*.txt).
Comments in the file are preceded by the pound character ("#"). In all cases mentioned below, the most specific match wins. If there is a tie between a URL or IP address in both the deny and allow files, the 'allow' directive takes precedence.
Host Access Directives
The host access directives let you specify which client host computers or network blocks may access your VolanoChat server. Since each person connecting to your server is identified by a unique Internet Protocol (IP) address, this control lets you grant or deny chat access for individual visitors to your Web site. The host directive files will only accept an IP address. You cannot use hostnames in these files. A comment can be added to the end of any IP address by using the equals sign as a marker:
192.168.1.0=my local network
Full and partial IP addresses are compared from right to left, with trailing zeros being interpreted as wildcards. So
188.8.131.52 would match any IP address on that subnetwork (from 184.108.40.206 through 220.127.116.11), such as
To indicate all IP addresses, you would use 0.0.0.0. This is useful when you want to allow access to everyone by adding it to the hosts-allow.txt file, and then deny specific addresses in hosts-deny.txt. Or conversely, if you wanted a very secure system you might put 0.0.0.0 in hosts-deny.txt, then only allow access to certain IP addresses or groups of IP addresses in the hosts-allow.txt file.
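The matching rules stated above (trailing zeros as wildcards, most specific match wins, ties go to allow) can be checked against a planned pair of host files before they are deployed. The following Python model is an added example, not VolanoChat code; the function names, the sample addresses, rejecting non-IP entries with an error, and returning None when no directive matches are assumptions of the example.

```python
# Added model of the host-access rules described on this page; not VolanoChat code.

def parse_hosts(text):
    """Return a list of octet prefixes, one per directive line."""
    prefixes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # "#" starts a comment
        if not line:
            continue
        addr = line.split("=", 1)[0].strip()     # "=" starts a per-entry comment
        parts = addr.split(".")
        if len(parts) != 4 or not all(p.isdecimal() and int(p) <= 255 for p in parts):
            # Assumption: this model rejects anything that is not a dotted quad
            raise ValueError(f"not an IP address: {addr!r}")
        octets = [int(p) for p in parts]
        while octets and octets[-1] == 0:        # trailing zeros are wildcards
            octets.pop()
        prefixes.append(tuple(octets))
    return prefixes


def best_match(prefixes, client):
    """Length of the most specific prefix matching client, or None."""
    octets = tuple(int(p) for p in client.split("."))
    hits = [len(p) for p in prefixes if octets[:len(p)] == p]
    return max(hits, default=None)


def decide(allow_text, deny_text, client):
    """Return "allow", "deny", or None when no directive matches."""
    allow = best_match(parse_hosts(allow_text), client)
    deny = best_match(parse_hosts(deny_text), client)
    if allow is None and deny is None:
        return None          # the page does not state the default; caller decides
    if deny is None or (allow is not None and allow >= deny):
        return "allow"       # more specific allow, or a tie, wins
    return "deny"


# Constructed sample files for the two setups the page describes.
OPEN_ALLOW = "0.0.0.0=everyone\n"
OPEN_DENY = "# bans (constructed)\n203.0.113.7=abusive user\n198.51.100.0=abusive network\n"
CORP_ALLOW = "192.168.1.0=my local network\n"
CORP_DENY = "0.0.0.0=deny everyone else\n"

if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.44"):
        print(ip, decide(OPEN_ALLOW, OPEN_DENY, ip))
```

Running the model over the addresses you expect to admit and to block shows whether a broad entry in one file is being overridden by a more specific entry in the other.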
Referrer Access Directives
The referrer access directives let you specify which Web pages may provide an entry point to your VolanoChat server. Since each Web page is identified by a unique Uniform Resource Locator (URL), this control lets you grant or deny chat access through Web pages on your own site or other sites on the Web. You should specify referrers with a full or partial URL.
URL comparisons are from right to left, so you must specify full host names or full IP addresses in the URL. You can, however, specify a partial URL, as long as the sub-components of the URL are complete. For example, if I wanted to only allow access to a subdirectory on Volano's server, I could specify the following line in the referrers-allow.txt file:
This would allow chat entrances to be placed only on pages within the /chat subdirectory. You can also specify a specific webpage, like this:
ftp\://to your referrers-deny.txt file. For even greater security, we recommend denying all forms of entry by default:
file\:=No access using local file
ftp\:=No access through FTP
http\:=Deny all Web referrers by default
Then put yourself as the only entry in the referrers-allow.txt file. Because a tie gives precedence to allow, any entrances on your own website will work, while all others should not.
room.nodynamicserver property if you need to prevent the creation of dynamic chat rooms from other Web sites. The Apache Web server does not support referrer-based access control, and even the older NCSA HTTPd server states that, "Note: This is not perfect. There is nothing to prevent a user from accessing the directory if they are able to modify the Referrer: header that is sent with their browser."
Most VolanoChat customers want to run their VolanoChat server in one of two general Web access modes:
- open to the Internet, allowing any Web page to link into the chat server, or
- restricted to their own Web site, allowing only Web pages on their own site to link into the chat server.
The first mode brings together a global community of related Web sites, while the second adds chat to the pages of a single Web site.
In the first instance, you can allow anyone to access your chat server by specifying 0.0.0.0 in your hosts-allow.txt file. Then you can permanently ban problem users or groups of users by specifying those IPs in your hosts-deny.txt file.
To allow anyone to put an entrance to your chat server on their webpage, specify this in your referrers-allow.txt file:
If, on the other hand, you want to allow anyone to access your chat server, but only allow chat entrances to reside on your own website, you would specify this in your hosts-allow.txt file:
www.mysite.com is the domain name of your own website.
If you use both ways of specifying your site in your HTML, or if people commonly omit the www. to access your site, you should put both domain names in your referrers-allow.txt file, like this:
The host access is usually used either to:
- permanently block certain people from accessing the server, or
- restrict access to those people connecting from computers in a particular domain, such as a company's employees or the dial-up customers of a particular Internet Service Provider.
The former case was shown above. If you want to restrict host access to a particular domain, as in the latter case, you can do so by specifying your company's range of IP addresses in the hosts-allow.txt file.
Then deny all other hosts by putting this in your hosts-deny.txt:
In this case, we've allowed only the hosts 192.168.1.1 through 192.168.1.254 to access the chat server.