WebSTAR 4 Manual & Technical Reference


Allow/Deny

WebSTAR can also limit access to your entire server or to selected realms according to a browser's host name, domain name or IP address. That way, you can allow in browsers residing on machines in your company, or outside contractors, but keep everyone else out.

A domain name refers to the whole company ("starnine.com"). A host name ("me.domain.com") refers to a particular machine (even if it's not a server).

Global Access Control

When you are creating Allow/Deny entries, you can choose the Global item from the Realm popup menu. While "Global" is not a realm, you can use it in arranging your Allow/Deny entries. It applies to the entire web server, and is not limited to any single realm.

Global access control is limited to Allow/Deny: you cannot create User name and password entries for denied machines.

If you make any Allow or Deny entries in the Global access section, all other machines will be denied. To allow all other machines, you must make an Allow * entry.

Realms Access Control

WebSTAR allows you to specify who can and can't see a specific security realm. As the name implies, an Allow entry for a realm means that browser requests for data in that realm will be accepted if they come from a machine with that domain name, host name or IP address. All requests from other machines will be allowed to enter a User Name and Password, and allowed to see the realm if they match one of your Web Users and Passwords entries.

A Deny entry for a realm means that all browser requests for data in that realm will be rejected if they come from a machine with that domain name, host name or IP address. If you enter any Allow or Deny entries for a realm, you must specifically Allow other machines to access that realm [you can use an asterisk (*) to Allow all other domain names].

Note that machines which use dialup Internet access do not have static host names or IP addresses, so you can't create Allow entries for them. You can set up Web Users and Passwords to supplement the Allow/Deny entries. Combining the two forms of access control keeps the intrusion to a minimum, while still allowing access when co-workers are on the road or on dialup connections at home.

For example, you could Allow the computers in your company to access the human resources information in the "HUMRES" realm. If machines on which interns work all have "intern" in the host name, you could Deny access to all machines in your domain starting with "intern". For more examples, see Allow/Deny Examples.

When you start WebSTAR for the first time, there are no Allow or Deny entries.

See also WebSTAR URL Security Processing .

Editing Allow/Deny Entries

When you create an Allow/Deny entry, you enter data about the browser machine's IP address or host name, and designate either the Global section or the realm name.

About Address Matching

You can specify host names, domain names, subnets or IP addresses in the Address field. If you want to use names, make sure you've checked the box to Caching.

To find a machine's IP address or host name, wherever the machine is, have its user access your site once. Then look at the WebSTAR Status Window or Log file, which will show you the IP address. If you have selected Use DNS, the transaction entry will also display the host name.

The Address can be any substring: it does not have to be a complete host name or IP address. To match a specific domain name, IP address or subnet, use a trailing period (a period at the end of the Address field).

WebSTAR Admin Allow/Deny List

Choose the Allow/Deny item in the WebSTAR Admin Settings window to open the Allow/Deny List. The first time you open the panel, you'll see an empty list, with just the Administration and Logs realms in the popup menu. Once you add a number of entries, it will look like this:

 

The WebSTAR Admin Allow/Deny list is controlled by the Realm popup menu. The list for each realm will appear when you choose the realm from the menu.

For more instructions, see Working With Admin Lists .

To make a new Allow/Deny entry, decide where you want it to be in the list. In general, you don't have to worry about order, unless you are Denying a host name or subnet and Allowing others in the same domain or IP class. To specify the insertion row, select the entry before the new entry, and click the New button. Select the correct realm from the Realms popup menu, and follow the instructions above to fill in the Address field.

See also: About Address Matching .

Browser Admin Allow/Deny Editing

The WebSTAR Browser Admin pages also allow you to work with the Allow/Deny List. Go to the Administration main page, and choose Settings > Allow/Deny.

Warning: When you're editing Allow/Deny entries in the Browser Administration pages, be sure to select your realm in the popup menu, then press the Change Realm button. If you do not change the realm explicitly, you will appear to edit a specific realm, but in fact you will be editing the "Global" access section.

It's fairly easy to deny yourself access, so be sure that you always change the realm before you edit the entries.

To make a new Allow/Deny entry, decide where you want it to be in the list. In general, you don't have to worry about order, unless you are Denying a host name or subnet and Allowing others in the same domain or IP class. To specify the insertion row, enter an Order number so that the new Allow/Deny entry will be numerically placed within the list. Select the correct realm from the Realms popup menu, and change realms, then follow the instructions above for the Match String (Address) field, and press the Add New Entry button.

For more on Address match strings, see About Address Matching .

To edit an Allow/Deny entry, click on the Select radio button for that entry, and then press the Edit Selection button. You can rearrange the order by changing the number in the Order field. When you're done with your changes, press the Replace Selection button, and your changes will be saved.

To copy an entry, click on the Select radio button for that entry, and then click the Edit Selection button. When you're done with changes, press the Add New Entry button.

To delete an entry, click on the Select radio button for that field and press the Delete Selection button.

Allow/Deny Examples

These examples show how you can set up Allow and Deny access to specific folders, and limit access to those folders.

See also WebSTAR URL Security Processing .

Allow One Machine

1. Create a folder in your WebSTAR folder named mytest, and make a little HTML file named default.html.
2. Open the WebSTAR Admin application and connect to your server, then choose Server Settings from the Options menu.
3. Choose realms from the options list at the left and create a realm named "My_Test" with a Match String of mytest. Be sure to click the Save button to send the information back to WebSTAR.
4. Open the Allow/Deny panel and click the New button.
5. Select My_Test from the Realms popup menu.
   The Allow radio button is selected by default.
6. Enter your IP address into the Address field.
   example: 192.168.33.1.
   (replace this with the IP number of the machine you are using)
7. Press the Save button to send the changes back to the server.
8. Test that you are allowed to see the realm by opening a browser and trying the URL for the default file.
   http://www.domain.com/mytest/default.html
   (replace "www.domain.com" with your host name).
9. Test the security by trying to access the same URL from another machine. It should be denied.

Allow An Entire Site

1. Open the Allow/Deny panel and click the New button.
2. Select My_Test from the Realms popup menu.
3. Enter your domain name into the Match String field.
   example: domain.com .
4. Click the Save button.
5. Test that you are allowed to see the realm by using the example above.
6. Test that you can see it from another machine in the same domain.
7. Ask a friend to try to access the URL from another domain. They should see a user name and password dialog, even if you have not entered a user for that realm. Check your log or web monitor pane to see the "PRIV" error entry.

Using Deny Entries

Deny entries are most useful to block out problem visitors, and to limit access for some machines within a site.

When you deny any site, WebSTAR's default behavior is to deny all sites which don't have a specific Allow entry. You can counteract this by specifying an Allow * entry.

Deny A Subnet

1. Open the Allow/Deny panel and create a new entry.
2. Select My_Test from the Realms popup menu.
3. Click on the Deny radio button.
4. Make the Match String deny the appropriate subnet:
   example: 192.168.3 .
   This will allow everything except the specific subnet designated by the IP address.
5. Make another new entry, select My_Test and enter an asterisk ("*") in the Address field. This allows everyone to access this realm, unless their IP address is matched above.
6. Choose the Users panel and make a new User and Password entry.
7. Set the User Name to "test" and the password to "test".
8. Save the results to your WebSTAR server.
9. Test the results by trying to access the realm from a machine in this subnet.
10. You should see the User Name and Password dialog: enter "test" and "test", and see if you can view the default page.
11. Make sure you can still access the realm from another machine in a different subnet without a password.

You can deny access to domains or specific host names as well, but don't forget to enter Allow * as the last entry, so that everyone else can get to the site.
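The substring matching from About Address Matching and the entry ordering used in the examples above can be checked offline before a list is saved. The following is an added sketch, not WebSTAR code: it assumes entries are read top to bottom with the first match deciding, and that the client address is compared with a period appended; all function names and sample addresses are constructed for illustration.

```python
# Added model of the Allow/Deny rules described in this manual; not WebSTAR code.
# Assumptions: entries are read top to bottom and the first match decides, and
# the client address is compared with a period appended, which is what lets a
# trailing period in the match string pin the end of an octet or name.

def matches(pattern, client):
    """True if an Allow/Deny match string applies to a client address."""
    if pattern == "*":
        return True
    return pattern.lower() in client.lower() + "."

def evaluate(entries, client):
    """entries: ordered (action, match string) pairs for one realm.
    Returns 'open' when the list is empty, the first matching action,
    or 'unmatched' when entries exist but none applies (not allowed)."""
    if not entries:
        return "open"
    for action, pattern in entries:
        if matches(pattern, client):
            return action
    return "unmatched"

def audit(entries, clients):
    """Decision for each client, for reviewing a list before saving it."""
    return {client: evaluate(entries, client) for client in clients}

# Constructed sample data.
IP_CLIENTS = ["192.168.3.7", "192.168.33.1", "192.168.30.12", "10.0.0.5"]
LOOSE = [("deny", "192.168.3"), ("allow", "*")]        # no trailing period
STRICT = [("deny", "192.168.3."), ("allow", "*")]      # as in Deny A Subnet
MISORDERED = [("allow", "*"), ("deny", "192.168.3.")]  # Allow * shadows the Deny
HUMRES = [("deny", "intern"), ("allow", "domain.com.")]
HOSTS = ["intern2.domain.com", "payroll.domain.com", "www.example.org"]

if __name__ == "__main__":
    for name, entries in [("loose", LOOSE), ("strict", STRICT), ("misordered", MISORDERED)]:
        print(name, audit(entries, IP_CLIENTS))
    print("humres", audit(HUMRES, HOSTS))
```

Without the trailing period the Deny string also catches 192.168.33.x and 192.168.30.x, and an Allow * placed above a Deny makes the Deny unreachable.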

 

