ACL (conf/acl.xml)

The request system built into FIT handles the loading of external resources from remote systems via HTTP and HTTPS. This has some implications regarding security, since data is transmitted to and from those remote systems. One of the most basic functions of FIT is rewriting URLs, i.e. the modification of links so that clients will load them via the FIT Server. This is achieved by encoding source URLs in FIT URLs. As a consequence, the source URLs can be manipulated by clients. Therefore FIT projects should not allow requests to sources that are unknown or not trustworthy.

FIT uses Access Control Lists (ACLs) to regulate access to remote systems. All outgoing HTTP requests are checked against the ACLs of the site. A request is allowed if and only if the source is permitted by an allow rule and not forbidden by a deny rule.

<acl allow-all="false" deny-all="false">
    <allow pattern="|^blog\.example\.com$|" />
    <allow url="//example.com/shop" />

    <deny url="intranet.example.com:8080"/>
    <deny pattern="#^192\.168\.#"/>
</acl>
  • Setting allow-all="true" on the acl element disables the evaluation of allow rules, while all deny rules are still applied. Use of this option may be prohibited by the fit.ini setting FIT_ALLOW_OPEN_ACL.
  • Setting deny-all="true" on the acl element denies all requests to remote sources, i.e. no allow or deny rules are processed.

Valid URLs (url attribute) contain at least the host plus, optionally, port and path, but no query string. The port may be specified explicitly. If no port is defined, the canonical port for the protocol (80 for http, 443 for https) is implied. Setting no protocol (i.e. the host is preceded only by //) is equivalent to specifying both ports 80 and 443.

The regular expressions in the pattern attributes are checked against the host and the port, but not the path.

Note that all regular expression checks and all hostname checks are always performed case-insensitively.

While rewriting URLs, FIT uses ACLs to decide whether a URL is to be rewritten to the current FIT site or if it will be left pointing away from FIT.

Aside from the acl.xml for each individual site, there is a system wide ACL in /opt/sevenval/fit14/conf/acl.xml. The system administrator can use this system ACL to enforce additional access restrictions.

If you configure an HTTP proxy server for your source, the proxy must be allowed by the ACL, too.

Example 1

Given the ACLs as specified above, you’ll get the following results:

URL Access allowed?
http://blog.example.com/
https://blog.example.com/
http://weblog.example.com/ (1)
http://example.com/ (2)
http://example.com/shop/index.html
https://example.com/shop/cart
http://intranet.example.com:8080/
http://192.168.0.20/
  1. Note the caret ^ at the beginning of the pattern.
  2. Path does not match shop.

Example 2

If a URL contains a path, the last part is treated as a directory, not a string prefix. Example:

<acl>
    <allow url="example.com/a"/>
</acl>

Permits:

Denies:
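
The url-rule semantics described on this page (implied ports, case-insensitive host, path treated as a directory, allow combined with deny) can be modelled as follows. This is an added example, not FIT's own code: the function names are hypothetical, a rule written without // is assumed to be protocol-less, path comparison is assumed to be case-sensitive, and pattern rules are left out because the page does not say how host and port are joined for the regular expression check.

```python
from urllib.parse import urlsplit

# Canonical ports from the page: 80 for http, 443 for https, both if no protocol.
RULE_PORTS = {"http": {80}, "https": {443}, "": {80, 443}}
REQUEST_PORT = {"http": 80, "https": 443}


def _segments(path):
    return [s for s in path.split("/") if s]


def rule_matches(rule_url, request_url):
    """True if an ACL url attribute value covers the requested URL."""
    # Assumption: a rule without "//" (e.g. "example.com/a") is protocol-less.
    if "//" not in rule_url:
        rule_url = "//" + rule_url
    rule, req = urlsplit(rule_url), urlsplit(request_url)
    ports = {rule.port} if rule.port else RULE_PORTS.get(rule.scheme, set())
    req_port = req.port or REQUEST_PORT.get(req.scheme)
    want, got = _segments(rule.path), _segments(req.path)
    # .hostname is lower-cased by urlsplit, so host comparison ignores case.
    # Comparing whole segments makes "/a" a directory, not a string prefix.
    return (rule.hostname == req.hostname
            and req_port in ports
            and got[:len(want)] == want)


def is_allowed(request_url, allow, deny, allow_all=False, deny_all=False):
    """Allowed only if some allow rule matches and no deny rule matches."""
    if deny_all:
        return False
    if any(rule_matches(r, request_url) for r in deny):
        return False
    return allow_all or any(rule_matches(r, request_url) for r in allow)


# Constructed check using url rules taken from the ACLs on this page.
ALLOW = ["//example.com/shop", "example.com/a"]
DENY = ["intranet.example.com:8080"]
if __name__ == "__main__":
    for url in ("http://example.com/a/b", "http://example.com/ab",
                "https://example.com/shop/cart", "http://example.com/",
                "http://intranet.example.com:8080/"):
        print(url, is_allowed(url, ALLOW, DENY))
```

Running a model like this over a list of representative URLs before deploying an acl.xml shows whether a rule is broader than intended, for example when allow-all="true" leaves only the deny rules in effect.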