Access Control

To View or Modify Access Control Properties

1. In the Advanced Proxy Cache Configuration page, click Access Control.

   The Access Control page is displayed, as shown in Figure 4-7.

   Figure 4-7 Access Control Properties

   
   

2. Under the Access Control heading, enter or accept values for the properties listed below.

   Enter access control definitions one to a line. To edit an entry, click the entry in the table, then make any changes you want.

Access List Definition

Access lists enable you to control access to the functions of the Netra Proxy Cache Server based on characteristics of a request. To create an access list, you create a name (an arbitrary string), specify the type of access list (types are described below), and specify an argument that is used to match against the request. After creating an access list, you can specify that list for the following properties:

• Client Access Control

• Access to Cache via ICP

• ACLs for Cache Host

• URL Redirection

These properties are described below.

Access list definitions have the following form:

---

<name> <type> <argument>

---

Access list types are as follows:

• src Matches on the source address in a request. It takes an argument of the form: <ip address>/<netmask>. You can specify multiple pairings of IP address and netmask.

• domainMatches on the domain specified in a URL. It takes an argument of the form: .<domain name>. You can specify multiple domain names.

• timeMatches on a time period specified in a URL. It takes an argument of the form: <day of the week> <start time>-<end time>. The variable <day of the week> is expressed as one of the following abbreviations:

Table 4-1 Day-of-Week Abbreviations

S	Sunday
M	Monday
T	Tuesday
W	Wednesday
H	Thursday
F	Friday
A	Saturday

The <start time>-<end time> variables are expressed as <hour>:<minutes>, using a 24-hour clock. So for example, to express a period in the mid-afternoon, you specify 14:15-16:30, meaning from 2:15 PM to 4:30 PM.

• patternMatches on a pattern specified in a URL. It takes an argument of the form: <pattern to be matched>. You can specify multiple patterns.

• portMatches on a port number specified in a URL. It takes an argument of the form: <port number>. You can specify multiple port numbers.

• protoMatches on a protocol specified in a URL. It takes an argument of the form: <protocol> (HTTP, FTP, Gopher, or WAIS). You can specify multiple protocols.

• methodMatches on a method (CONNECT, HEAD, POST, or GET) specified in a URL. It takes an argument of the form: <method name>. You can specify multiple methods.

• serviceMatches on the service specified in a request. It takes an argument of the form: <ip address>/<netmask>. "Service," in this context, is an instance of a service on a host in a Netra Proxy Cache Array, as identified by a service address and netmask.

---

Note -

If you have multiple access lists of the same type, the Netra Proxy Cache Server, when determining which list a URL is in, works from top to bottom and stops after the first match.

---

An example of an access list:

---

adults domain sex.com

---

The preceding example creates an access list named adults of type domain. This list includes all URLs containing a destination domain of sex.com. In the HTTP Access property (described below), you can, for example, deny access to the adults list.

The defaults for Access List Definition are shown in Figure 4-7.

Client Access Control

An entry of the form:

---

allow (or deny) <access list> . . .

---

This and the following properties are used in conjunction with the access lists you create. For a given access list, you can allow or deny access to the HTTP port on the Netra Proxy Cache Server.

The defaults for Client Access Control are shown in Figure 4-7.

Access to Cache via ICP

An entry of the form:

---

allow (or deny) <access list> . . .

---

This and the following property are used in conjunction with the access lists you create. For a given access list, you can allow or deny access to the ICP port on the Netra Proxy Cache Server.

The defaults for Access to Cache via ICP is to allow all accesses.

ACLs for the Cache Host

An entry of the form:

---

<cache server> <access list> . . .

---

Enables you to limit the ICP queries sent to a given host (sibling or ICP-capable parent), based on the content of an access list. If you specify multiple access lists, the Netra Proxy Cache Server applies the first list that matches for a given URL.

URL Redirection

An entry of the form:

---

<access list> . . . : HOST <hostname> PATH <path>

---

Enables you to redirect a URL to a specified host and path. The access lists must be of types domain, service, or pattern. For example, the entry

---

adults : HOST restricted.acme.com PATH /forbidden.html

---

:

...redirects a URL that matches the adults access list to:

---

http://restricted.acme.com/forbidden.html

---

1. To create a URL Redirection entry, enter:

   • The name of one or more access lists, followed by a colon

   • The word HOST and a fully-qualified hostname

   • The word PATH and an absolute pathname