Access to the HTTP server is disabled by default. Access is controlled
via the HTTP_ACCESS mapping table. An
HTTP_ACCESS mapping table, even one with no entries,
allows all access. That is, the line

    HTTP_ACCESS

      *|*|*|*|*|*  $Y

If you want to allow restricted access to services and files offered by
the HTTP server, you can use an HTTP_ACCESS mapping table
with entries controlling particular sorts of access. If such a mapping
table exists in your PMDF mappings file, then on any attempt to connect
to the HTTP server port PMDF will probe the table with a probe string
of the form

    source-ip|source-port|destination-ip|destination-port|method|path

source-ip is the source IP address (on the
remote browser), source-port is the source port
number (on the remote browser), destination-ip is
the destination IP address (on the PMDF system),
destination-port is the destination port number
(on the PMDF system), method is the HTTP method
(about which more below), and path is the
directory path to the information from the URL. The HTTP method is
usually GET, POST, or HEAD:
GET is used to retrieve documents or information,
HEAD is similar to GET except that only the
header information is sent and not the actual contents,
POST is often used with forms when submitting information.
An asterisk, *, can be used as a wild card in any of the
probe string fields.
If the probe string matches a pattern (i.e., the left hand
side of an entry in the table), then the resulting output of the
mapping is checked. If the output contains any of the metacharacters
$Y, $y, $T, or $t,
then the access will be permitted. If the mapping output contains any
of the metacharacters $N, $n,
$F, or $f, then the access will be denied.
For example, to block people from outside the local network (assuming a local network of 192.0.2.*) from viewing PMDF documentation, PMDF monitoring information, or PMDF Service Dispatcher statistics on your server, you could use a mapping table such as:

    HTTP_ACCESS

      $(192.0.2.0/24)|*|*|*|GET|/doc/*         $Y
      $(192.0.2.0/24)|*|*|*|GET|/monitor/*     $Y
      $(192.0.2.0/24)|*|*|*|GET|/dispatcher/*  $Y
      *|*|*|*|GET|*                            $N

The default, if no match is found, allows access to any path configured in the HTTP configuration file.
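
The following Python sketch is an added example, not part of the PMDF documentation or of PMDF itself. It models the evaluation described above in simplified form (field-by-field matching and first matching entry wins are assumptions of the model) and runs constructed probe strings against the example table to show which requests an entry decides and which are permitted only by the default.

```python
import ipaddress
import re

# The page's example table as (pattern, output) pairs, in file order.
TABLE = [
    ("$(192.0.2.0/24)|*|*|*|GET|/doc/*", "$Y"),
    ("$(192.0.2.0/24)|*|*|*|GET|/monitor/*", "$Y"),
    ("$(192.0.2.0/24)|*|*|*|GET|/dispatcher/*", "$Y"),
    ("*|*|*|*|GET|*", "$N"),
]
ALLOW, DENY = ("$Y", "$y", "$T", "$t"), ("$N", "$n", "$F", "$f")
# Constructed probe strings (addresses and ports are sample values).
PROBES = [
    "192.0.2.17|40000|192.0.2.1|80|GET|/doc/index.html",
    "198.51.100.9|40000|192.0.2.1|80|GET|/doc/index.html",
    "192.0.2.17|40000|192.0.2.1|80|GET|/other/page.html",
    "198.51.100.9|40000|192.0.2.1|80|HEAD|/doc/index.html",
]


def field_matches(pattern, value):
    """Match one probe field: $(net/len) is a subnet test, * is a wildcard."""
    subnet = re.fullmatch(r"\$\((.+)\)", pattern)
    if subnet:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(subnet.group(1))
        except ValueError:
            return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def decide(table, probe):
    """Return (verdict, matching pattern or None) for one probe string."""
    values = probe.split("|")
    for pattern, output in table:
        fields = pattern.split("|")
        if len(fields) == len(values) and all(map(field_matches, fields, values)):
            if any(flag in output for flag in ALLOW):
                return "allow", pattern
            if any(flag in output for flag in DENY):
                return "deny", pattern
            # Neither flag: not specified on the page; this model keeps scanning.
    return "allow", None  # no entry matched: the default stated on the page


def fall_through(table, probes):
    """List the probes that are allowed only because no entry matched."""
    return [p for p in probes if decide(table, p) == ("allow", None)]
```

Calling fall_through(TABLE, PROBES) after editing a table shows which of the sample requests no entry decides, so that an entry with an explicit $N or $Y can be added for them.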