[APACHE DOCUMENTATION]

mod_eaccess: Extended Access control

This module enables regular-expression based access control on the URL, covering the HTTP method, URI, QUERY_STRING and body content.

Download

Summary

This module is specially designed for an Apache server acting as a secure reverse proxy, filtering access to CGI programs and their parameters.
Here is an example:

Installation

Extract apache:

Extract mod_eaccess:

Configure apache with mod_eaccess:

Compile:

Directives


EAccessEnable

Syntax: EAccessEnable on | off
Default: EAccessEnable off
Context: server config, virtual host

The EAccessEnable directive enables or disables the runtime extended access control engine.

If it is set to off, this module does no runtime processing at all.
If it is set to on, this module does runtime processing and first sets the default policy to deny all.


EAccessRule

Syntax: EAccessRule action "pattern" [option]
Default: none
Context: server config, virtual host

The EAccessRule directive is the real extended access control workhorse. The directive can occur more than once; each occurrence defines one single access control rule. The definition order of these rules is important, because the rules are applied in that order at run time.

action can be one of permit, deny, warning or auth/{basic|securid}[=n]. For auth/* actions, an optional value n sets the Time To Live (TTL) of the authentication. If not set, the default TTL is 0.

pattern is an extended regular expression which is applied to the current URL. If the first character of pattern is !, the sense of matching is inverted.

option applies only to auth/* actions and is optional. When set, it specifies the realm (auth/basic) or the redirection target (auth/securid) for this action.

For each requested URL, the module constructs the following string for controls:

Note that both QUERY_STRING and body may be present, so the string is:

This string is then used by the module to find a matching pattern among the rules defined with EAccessRule.

Since the default policy is deny all when extended access control is on, the algorithm the module applies to each URL is:

In fact, for auth/* actions, if option is set in the rule, the web server is not trusted: authentication is checked first by mod_eaccess.
If option is not set, the web server is trusted, and the module does not check whether authentication is present in the HTTP header.

Default TTL is 0, which means no timeout.
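The following stand-alone Python simulation is an added illustration, not code from mod_eaccess, of how an ordered EAccessRule set behaves under the deny-all default described above: rules are parsed from a constructed configuration in the directive syntax, a per-request control string is built, and the rules are tried in definition order. Two things are assumptions because the page does not show them: the control string is assembled as "METHOD URI[?QUERY_STRING][ body]", and the first matching rule decides. Only permit and deny (with ! inversion) are simulated; warning and auth/* are not.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed rule set in the EAccessRule syntax. Patterns are applied to the
# control string built per request; its layout below is an assumption, the
# page does not show it.
EXAMPLE_CONFIG = r'''
EAccessEnable on
EAccessRule deny   "!^(GET|POST) "        # inversion: anything but GET/POST is denied up front
EAccessRule deny   "/cgi-bin/admin"       # listed before the broad CGI permit, so it wins
EAccessRule permit "^GET /cgi-bin/[a-z]+\.cgi(\?q=[A-Za-z0-9 ]{1,40})?$"
EAccessRule permit "^GET /index\.html$"
EAccessRule permit "^POST /cgi-bin/comment\.cgi [A-Za-z0-9 .,!?]{1,200}$"
'''


@dataclass
class Rule:
    action: str          # permit or deny (warning and auth/* are not simulated)
    regex: re.Pattern
    invert: bool         # pattern began with "!"


def parse_config(text):
    """Parse EAccessEnable / EAccessRule lines; returns (enabled, rules in definition order)."""
    enabled = False
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)   # honours the quoted pattern, drops # comments
        if not parts:
            continue
        if parts[0] == "EAccessEnable":
            enabled = parts[1].lower() == "on"
        elif parts[0] == "EAccessRule":
            action, pattern = parts[1], parts[2]
            invert = pattern.startswith("!")
            if invert:
                pattern = pattern[1:]
            rules.append(Rule(action, re.compile(pattern), invert))
    return enabled, rules


def control_string(method, uri, query="", body=""):
    """Assemble the per-request control string (assumed layout: METHOD URI[?QUERY][ body])."""
    s = f"{method} {uri}"
    if query:
        s += "?" + query
    if body:
        s += " " + body
    return s


def evaluate(enabled, rules, control):
    """Apply rules in order; first match decides (assumed). Engine on + no match = deny."""
    if not enabled:
        return "permit"              # engine off: no runtime processing at all
    for rule in rules:
        matched = rule.regex.search(control) is not None
        if rule.invert:
            matched = not matched
        if matched:
            return rule.action
    return "deny"                    # default policy when EAccessEnable is on


def decide(config, method, uri, query="", body=""):
    enabled, rules = parse_config(config)
    return evaluate(enabled, rules, control_string(method, uri, query, body))


if __name__ == "__main__":
    # Constructed sample requests; note that an unlisted method, an unexpected
    # query parameter, or an unanchored-looking path all fall through to deny.
    for req in [("GET", "/index.html"),
                ("GET", "/cgi-bin/search.cgi", "q=apache modules"),
                ("GET", "/cgi-bin/search.cgi", "q=a&r=b"),
                ("GET", "/cgi-bin/admin.cgi"),
                ("POST", "/cgi-bin/comment.cgi", "", "Nice page!"),
                ("DELETE", "/index.html"),
                ("GET", "/unlisted.html")]:
        print(f"{decide(EXAMPLE_CONFIG, *req):7s} {control_string(*req)}")
```

The sample rules show the practical consequences of the deny-all default: every permit is anchored with ^ and $ and constrains the parameter character set, so a second query parameter or a method the rules never mention is refused, and a deny placed before a broader permit takes precedence because of the definition order.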


EAccessLog

Syntax: EAccessLog filename
Default: EAccessLog logs/eaccess_log
Context: server config, virtual host

The EAccessLog directive sets the name of the file to which the server logs any extended access controls it performs. If the name does not begin with a slash ('/') then it is assumed to be relative to the Server Root.

When EAccessLogLevel is set, each action logs a line in the common log format (host, ident, authuser, date), followed by text that depends on the action: