14.2.1. General purpose ACLs

The system table DB.DBA.HTTP_ACL is used to persist ACL definitions, which can be managed with simple INSERT/UPDATE/DELETE statements. The table has the following layout:
Columns for DB.DBA.HTTP_ACL:

| Column       | Description                                          |
|--------------|------------------------------------------------------|
| HA_LIST      | ACL name                                             |
| HA_ORDER     | Position in the list                                 |
| HA_OBJECT    | Object ID (applicable to news groups also)           |
| HA_CLIENT_IP | *PATTERN*                                            |
| HA_FLAG      | Allow/Deny flag: 0 - allow, 1 - deny                 |
| HA_RW        | Read/Write flag: 0 - read, 1 - post                  |
| HA_DEST_IP   | Destination IP/Host (applicable to the proxy also)   |
| HA_RATE      | Rate Limit                                           |
The primary key covers the columns HA_LIST, HA_ORDER, HA_CLIENT_IP and HA_FLAG. The full schema is listed in the Appendix under System Tables.
HA_LIST (required). Name of the ACL. This is a label designating a group of rules that applies to a specific service. There are three pre-defined groups: HTTP, NEWS and PROXY. Note that the group name is treated as a case-insensitive string. In other words, HA_LIST can be thought of as the domain of the ACL. Developers can use this table to add their own ACLs and use them with the API functions discussed in the next section.
HA_ORDER (required). Ordinal number of the rule within its list. This number should be unique within a group so that the order of rule matching is well defined. The rules of a list are applied in ascending order, i.e. the rule with the smallest HA_ORDER value is applied first. If two rules have the same HA_ORDER, the one whose allow flag is zero (HA_FLAG, see below) takes precedence.
HA_CLIENT_IP (required). A pattern designating a single IP address or a group of addresses. This is a string value of the kind used with the LIKE operator. For example, 192.168.* matches all hosts on the local private network.
HA_FLAG (required). A boolean: zero or a positive number designating whether the rule allows or denies a matching address/host. The default, zero (false), means the action is allowed; a positive value (true) means it is denied. An application may use the flag in reverse, but in that case it must take the order precedence into account (see HA_ORDER).
HA_OBJECT (optional). An integer ID; in the predefined ACL for Internet News groups it designates the ID of the group. It can also be used in other applications where different rules are to be applied to different objects. It can be thought of as a sub-list inside an ACL.
HA_RW (optional). An integer designating the action to be restricted (read/write); used in the predefined Internet News groups ACL.
HA_DEST_IP (optional). A string pattern matched against another IP address; used in the Web Proxy server ACL. It can also be used in custom application logic.
HA_RATE (optional). A float giving the rate limit. The filter computes the average hit rate and compares it with the limit of the HTTP ACL rule; if the rate is larger, the connection is dropped. The statistics are reset once per day.
Regular expressions are not supported. Patterns can be used, for example: LIKE '%something' or something*
The Rate Limit can be configured in the Conductor UI under System Admin -> Security -> Access Control, where the rate limit is the number of hits per second from one IP address. For search engine optimization statistics, for example, a rate limit of 10 (or even 100, so as to start collecting statistics) can be set, and the values returned by http_acl_stats () can then be checked.
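As an added example, not taken from the Virtuoso documentation or product, the following statements put the column descriptions and the rate-limit setting above together: a custom list that allows only the local private network and denies everything else, a per-client rate limit on the predefined HTTP list, and two queries a reviewer would run before relying on the ACL. The list name MYAPP, the client addresses, and the use of a bare `*` as a match-anything pattern are assumptions made for illustration; only the column names and the ordering/tie-break rules come from the text above.

```sql
-- Added example (not Virtuoso's own code). Columns follow the DB.DBA.HTTP_ACL
-- layout documented above; 'MYAPP', the addresses and the '*' pattern are constructed.

-- 1. Custom list MYAPP: allow the private network, deny everything else.
--    Rules are evaluated in ascending HA_ORDER, so the catch-all deny is ordered last.
INSERT INTO DB.DBA.HTTP_ACL (HA_LIST, HA_ORDER, HA_CLIENT_IP, HA_FLAG)
  VALUES ('MYAPP', 10, '192.168.*', 0);   -- HA_FLAG 0 = allow
INSERT INTO DB.DBA.HTTP_ACL (HA_LIST, HA_ORDER, HA_CLIENT_IP, HA_FLAG)
  VALUES ('MYAPP', 20, '*', 1);           -- HA_FLAG 1 = deny; '*' assumed to match any address

-- 2. Rate limit on the predefined HTTP list: cap one client at 10 hits per second.
--    HA_RATE is compared against the averaged hit rate; counters reset once per day.
INSERT INTO DB.DBA.HTTP_ACL (HA_LIST, HA_ORDER, HA_CLIENT_IP, HA_FLAG, HA_RATE)
  VALUES ('HTTP', 5, '203.0.113.42', 0, 10.0);

-- 3. Tighten the limit later; the WHERE clause names all primary-key columns
--    (HA_LIST, HA_ORDER, HA_CLIENT_IP, HA_FLAG) so exactly one rule is touched.
UPDATE DB.DBA.HTTP_ACL
   SET HA_RATE = 2.0
 WHERE HA_LIST = 'HTTP' AND HA_ORDER = 5
   AND HA_CLIENT_IP = '203.0.113.42' AND HA_FLAG = 0;

-- 4. Check: duplicate HA_ORDER values inside one list mean the allow/deny
--    tie-break, not the intended order, decides which rule matches first.
SELECT HA_LIST, HA_ORDER, COUNT(*) AS rule_count
  FROM DB.DBA.HTTP_ACL
 GROUP BY HA_LIST, HA_ORDER
HAVING COUNT(*) > 1;

-- 5. Review the effective evaluation order of one list before enabling it.
SELECT HA_ORDER, HA_CLIENT_IP, HA_FLAG, HA_RATE
  FROM DB.DBA.HTTP_ACL
 WHERE HA_LIST = 'MYAPP'
 ORDER BY HA_ORDER;

-- 6. Remove the custom list when it is no longer needed.
DELETE FROM DB.DBA.HTTP_ACL WHERE HA_LIST = 'MYAPP';
```

Query 4 should return no rows on a well-formed table; any row it does return identifies a list whose matching order silently depends on the HA_FLAG tie-break described under HA_ORDER, which is easy to miss when rules are added by several people over time.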