The request system built into FIT handles the loading of external resources from remote systems via HTTP and HTTPS. This has some implications regarding security, since data is transmitted to and from those remote systems. One of the most basic functions of FIT is rewriting URLs, i.e. the modification of links so that clients will load them via the FIT Server. This is achieved by encoding source URLs in FIT URLs. As a consequence, the source URLs can be manipulated by clients. Therefore FIT projects should not allow requests to sources that are unknown or not trustworthy.
FIT uses Access Control Lists (ACLs) to regulate access to remote systems. All outgoing HTTP requests are checked against the ACLs of the site. Requests are allowed exactly if the source is permitted by an
allow rule and not forbidden by a
<acl allow-all="false" deny-all="false"> <allow pattern="|^blog\.example\.com$|" /> <allow url="//example.com/shop" /> <deny url="intranet.example.com:8080"/> <deny pattern="#^192\.168\.#"/> </acl>
aclelement disables the evaluation of
allowrules, while all
denyrules are still applied.
aclelement denies all requests to remote sources, i.e. no
denyrules are processed.
Valid URLs (
url attribute) contain at least the host plus, optionally, port and path, but no query string. The port may be specified explicitly. If no port is defined, the canonical port for the protocol (80 for
http, 443 for
https) is implied. Setting no protocol, (i.e. the host is preceded only by
//) is equivalent to specifying both port 80 and 443.
The regular expressions in the
pattern attributes are checked against the host and the port, but not the path.
Note, that all regular expression checks and all hostname checks are always performed case-insensitively.
While rewriting URLs, FIT uses ACLs to decide whether a URL is to be rewritten to the current FIT site or if it will be left pointing away from FIT.
Aside from the
acl.xml for each individual site, there is a system wide ACL in
/opt/sevenval/fit14/conf/acl.xml. The system administrator can use this system ACL to enforce additional access restrictions.
If you configure an HTTP proxy server for your source, the proxy must be allowed by the ACL, too.
Given the ACLs as specified above you’ll get the following results:
^at the beginning of the pattern.
If a URL contains a path, the last part is treated as a directory, not a string prefix. Example:
<acl> <allow url="example.com/a"/> </acl>