XRPi Home

Documentation Index
Alphabetic Index

XRPi Documentation - System Files

HTTP.ACL

Name

HTTP.ACL -- HTTP Proxy Egress Control File (Optional).

Description

The optional HTTP.ACL file contains "rules" to control which destinations are allowed to be accessed via the HTTP proxy/tunnel.

The rules allow you to specify which destination IP addresses and TCP ports may be accessed by specified source IP ranges.

If the file is not present, or contains no valid rules, all destinations are blocked, and the "403 Forbidden" error page is returned to anyone who tries to use the proxy or tunnel.

Egress control is vital to prevent miscreants using your HTTP server as a proxy to hide their IP address.

Format

The format of the entries in HTTP.ACL is the same as other .ACL (Access Control List) files.

Each "rule" is specified on a separate line. Blank lines, or lines beginning with ';' or '#' are ignored. The maximum line length is 255 characters.

Within each rule, fields must be separated by one or more spaces or tabs. The fields are as follows: 

        <action> <src_ip>[/mask] <dst_ip>[/mask] <port(s)>

The fields have the following meaning: 

        <action>   PERMIT  Allow egress
                   DENY    Prevent egress

        <src_ip>   Source IP address (uplinked user).

        <dst_ip>   Destination IP address (target system).

        [mask]     Optional field.
                   Either: No. of bits (0-32) of address to
                           match from left to right,
                   Or:     Subnet mask in form n.n.n.n

        <port(s)>  One or more TCP service numbers (0-65535) on
                   the target system.  Allowed formats are "n",
                   "n,n,n", "n-n" or combination thereof.

In the <src_ip> and <dst_ip> fields, 0.0.0.0/0 specifies "all addresses".

Note

Rule testing stops at the *first* matching "permit" or "deny" statement, so it is vital that the list is ordered correctly. For instance, to allow Internet users to access all LAN ports except 513 it would be ok to use: 

	deny	0.0.0.0/0  192.168.0.0/24  513
	permit	0.0.0.0/0  192.168.0.0/24  1-65535

but if the entries were reversed, the "permit" rule would match every case and the "deny" rule wouldn't be actioned.

Examples

; Allow LAN users to tunnel to anyone:
PERMIT 192.168.0.0/24  0.0.0.0/0  0-65535
;
; Allow Internet users to tunnel only to certain
; ports on the node machine:
PERMIT 0.0.0.0/0  192.168.0.245  23,87,1448,3600
;
; Allow Internet users to tunnel only to ports 23
; and 80 on the BBS machine:
PERMIT 0.0.0.0/0  192.168.0.4  80,23
;
; Allow Amprnet users to access any Amprnet destination
PERMIT 44.0.0.0/8  44.0.0.0/8  0-65535

Files

If required, HTTP.ACL must be located in the same directory as XRPi.EXE.

See also

HTTP.SYS(8) -- HTTP Rewrite / Proxy Control File
SOCKS.ACL(8) -- SOCKS Proxy Egress Control File
TELPROXY.ACL(8) -- Telnet Proxy Egress Control File