Differences

documentation:2.1:writingrulesand_headers [2019/01/15 15:55]
127.0.0.1 external edit
documentation:2.1:writingrulesand_headers [2020/05/08 22:29] (current)
cmaudoux [Rules]
Line 18: Line 18:
  
 See also [[extendedfunctions|extended functions]]. See also [[extendedfunctions|extended functions]].
- 
 ===== Rules ===== ===== Rules =====
  
Line 32: Line 31:
 | Deny access to /config/ directory ​ |  <​nowiki>​^/​config/</​nowiki> ​ |  deny  | | Deny access to /config/ directory ​ |  <​nowiki>​^/​config/</​nowiki> ​ |  deny  |
 | Do not restrict /​public/ ​ |  <​nowiki>​^/​public/</​nowiki> ​ |  skip  | | Do not restrict /​public/ ​ |  <​nowiki>​^/​public/</​nowiki> ​ |  skip  |
 +| Do not restrict /skip/ and restrict other to authenticated users  |  <​nowiki>​^/​skip/</​nowiki> ​ | $ENV{REQUEST_URI} =~ /skip/ ? skip : 1 |
 | Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers) ​ |  <​nowiki>​^/​forum/</​nowiki> ​ |  unprotect ​ | | Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers) ​ |  <​nowiki>​^/​forum/</​nowiki> ​ |  unprotect ​ |
 | Restrict access to the whole site to users that have the LDAP description field set to "LDAP administrator"​ (must be set in exported variables) ​ |  default ​ |  <​html>​$description&​nbsp;​eq&​nbsp;"​LDAP&​nbsp;​administrator"</​html> ​ | | Restrict access to the whole site to users that have the LDAP description field set to "LDAP administrator"​ (must be set in exported variables) ​ |  default ​ |  <​html>​$description&​nbsp;​eq&​nbsp;"​LDAP&​nbsp;​administrator"</​html> ​ |
  
 The "​**default**"​ access rule is used if no other access rule match the current URL. The "​**default**"​ access rule is used if no other access rule match the current URL.
 +
 +<note tip>
 +See [[rules_examples|the rules examples page]] for a few common use cases
 +</​note>​
  
 <note tip> <note tip>
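Review bot: the new `/skip/` row mixes two mechanisms. Its URL regexp column is `^/skip/`, so the rule is only evaluated for URIs that already start with `/skip/`, and the ternary `$ENV{REQUEST_URI} =~ /skip/ ? skip : 1` then always takes the `skip` branch; to show the ternary choosing between `skip` and authenticated-only access (`1`), the regexp column should be `default`, like the LDAP-administrator row below it. Independently, the match `/skip/` is unanchored and would also fire for a path such as `/admin/skipped-items`; anchoring it (`$ENV{REQUEST_URI} =~ /^\/skip\//`) makes it agree with the row's description "Do not restrict /skip/". Also, the added tip `See [[rules_examples|the rules examples page]] for a few common use cases` is missing its final period.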
Line 55: Line 59:
 <note important>​Only current application is concerned by logout_app* targets. Be careful with some applications which doesn'​t verify Lemonldap::​NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.</​note>​ <note important>​Only current application is concerned by logout_app* targets. Be careful with some applications which doesn'​t verify Lemonldap::​NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.</​note>​
  
-==== Rules on authentication level ====+==== Rules based on authentication level ====
  
-LLNG set an "​authentication level" during authentication process. This level is the value of the authentication backend used for this user. Default values are:+LLNG set an "​authentication level" during authentication process. This level depends on authentication backend used by this user. Default values are:
   * 0 for [[authnull|Null]]   * 0 for [[authnull|Null]]
   * 1 for [[authcas|CAS]],​ [[authopenid|old OpenID-2]], [[authfacebook|Facebook]],​…   * 1 for [[authcas|CAS]],​ [[authopenid|old OpenID-2]], [[authfacebook|Facebook]],​…
Line 65: Line 69:
   * 5 for [[authssl|SSL]]   * 5 for [[authssl|SSL]]
  
-There are two way to impose users to have high authentication level: +There are three ways to impose users a higher ​authentication level: 
-  * writing a rule based en authentication level: ''​$authenticationLevel > 3''​ +  * writing a rule based on authentication level: ''​$authenticationLevel > 3''​ 
-  * since 2.0, set a minimum level in virtual host options+  * set a minimum level in virtual host options ​(default value for ALL access rules) 
 +  * a minimum authentication level can be set for each URI access rule. Useful if URI are protected by different types of handler (AuthBasic -> level 2, Main -> level set by authentication backend). 
 + 
 +<note tip>​Instead of returning a 403 code, "​minimum level" returns user to a form that explain that a higher level is required and propose to reauthenticate himself.</​note>​ 
 + 
 +==== Using regexp capture in rules ==== 
 + 
 +If URL regexp captures something //(using parenthesis)//,​ you can use them in the corresponding rule using ''​$_rulematch[1]''​. Example: only user can access to its personal area: 
 +  * Regexp: ''/​^public_html/​(\w+)(/​.*)?​$''​ 
 +  * Rule: ''​$uid eq $_rulematch[1]''​
  
-<note tip>​Instead of returning a 403 code, "​minimum level" returns user to a form that explain that a higher level is required and propose to user to reauthenticate itself.</​note>​+$_rulematch is an array that contains all captured strings. First index is 1.
  
 +<note warning>​This feature requires Perl ≥ 5.25.7</​note>​
 ===== Headers ===== ===== Headers =====
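Review bot: the regexp in the capture example, `/^public_html/(\w+)(/.*)?$`, opens with a `/` before the `^`, which reads as a Perl pattern delimiter; the other URL regexps on this page (`^/config/`, `^/public/`, `^/skip/`) are written bare, so it should read `^/public_html/(\w+)(/.*)?$`. As written, `^` sits after a literal `/` and can never match, so the rule `$uid eq $_rulematch[1]` would never see a capture. Two wording points in the same hunk: "Useful if URI are protected by different types of handler" should be "Useful if URIs are protected by different types of handlers", and "propose to reauthenticate himself" should be "proposes to reauthenticate". Finally, the `<note warning>` about Perl ≥ 5.25.7 sits directly against the `===== Headers =====` heading with no blank line; leaving one makes it clearly belong to the capture section rather than to Headers.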
  
Line 105: Line 119:
 ===== Wildcards in hostnames ===== ===== Wildcards in hostnames =====
  
-{{..:​new.png?​direct&​35|}} ​Since 2.0, a wildcard can be used in virtualhost name (not in aliases !): ''​*.example.com''​ matches all hostnames that belong to ''​example.com''​ domain.+Since 2.0, a wildcard can be used in virtualhost name (not in aliases !): ''​*.example.com''​ matches all hostnames that belong to ''​example.com''​ domain. Version 2.0.9 improves this and allows better wildcards such as ''​test-*.example.com''​ or ''​test-%.example.com''​. The ''​%''​ wilcard doesn'​t match subdomains.
  
-Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order:+Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order for test.sub.example.com:
   - test.sub.example.com   - test.sub.example.com
 +  - test%.sub.example.com
 +  - test*.sub.example.com
 +  - %.sub.example.com
   - *.sub.example.com   - *.sub.example.com
-  - test.example.com +  - *.example.com ​//​(''​%.example.com''​ does not match test.sub.example.com)//
-  - *.example.com+
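Review bot: "wilcard" in `The ''%'' wilcard doesn't match subdomains.` is a typo for "wildcard". That sentence is also the only definition of `%`; since the precedence example shows `*.example.com` matching `test.sub.example.com` while `%.example.com` does not, it would help to state the contrast directly: `*` matches across dots (any number of labels) and `%` matches within a single label only. The ordering `test%.sub.example.com` before `test*.sub.example.com` is consistent with that (more specific first). Minor: "(not in aliases !)" has a stray space before the exclamation mark.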