Pen 0.11.0 - access lists, configuration news and more

From: Ulric Eriksson
Date: Tue Sep 23 2003 - 00:16:10 CEST

Brief summary:

This release introduces access lists which can be used to control
which clients can connect where. There is a maximum of 10 lists,
numbered 0 to 9. By default all lists are empty and permit all
traffic. Rules are added using the penctl interface or more
conveniently using a configuration file (see below).

An access list can be used like this:

no acl 1
acl 1 permit
acl 1 permit
control_acl 1

This allows localhost and anyone on the network to access
the control interface. Others are denied access.

Or like this:

no acl 2
acl 2 permit
acl 2 deny
client_acl 2

This allows clients on the network to access the load balancer,
but no other clients on the 10 network. Others are permitted access.

Get it? The default for clients that "fall through" the list is the
opposite of the last rule.

Another example:

no acl 3
acl 3 permit
no acl 4
acl 4 deny
server 0 acl 3
server 1 acl 4

Here, everyone coming from the same network as ye olde gets to see
server 0, while everyone else sees server 1. Why would anybody do that?
Beats me.

Now, this is way too verbose to put on the command line and a bit
inconvenient to do even with penctl, so a new command line option (yes!
another one) was added to name a configuration file. So instead of this:

       /usr/local/bin/pen -u pen -j $PENHOME \
               -w /penstats.html -p / \
               -C localhost:10000 -l alphabob:10000 \
               siag:www siag-eth0-0:www alphabob:www

you can use this:

        /usr/local/bin/pen -u pen -j $PENHOME \
                -w /penstats.html -p / \
                -C localhost:10000 -l alphabob:10000 \
                siag:www -F /pen.cfg

where /home/pen/pen.cfg looks like this:

no acl 1
acl 1 permit
control_acl 1
server 0 address siag-eth0-0 port 80
server 1 address alphabob port 80

Another benefit from putting the configuration in a file is that it is
automatically reread every time a HUP signal is received. This is somewhat
more secure than using penctl to update the configuration if IP-based
access control isn't practical (for example, if there are untrusted

The full story on Pen is, as always, at


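The access-list semantics described in the announcement above (empty list permits all, unmatched clients get the opposite of the last rule), modelled as an added example that is not Pen's own code. The (action, CIDR) tuples are a hypothetical representation rather than Pen's rule syntax, every address is constructed, and first-match-wins is an assumption inferred from the second example in the post.

```python
import ipaddress

def implicit_default(acl):
    """Action applied to clients that match no rule in the list."""
    if not acl:
        return "permit"                      # an empty list permits all traffic
    # Fall-through is the opposite of the last rule in the list.
    return "deny" if acl[-1][0] == "permit" else "permit"

def evaluate(acl, client):
    """Return 'permit' or 'deny' for client under acl, a list of (action, cidr)."""
    addr = ipaddress.ip_address(client)
    for action, cidr in acl:                 # assumption: first matching rule wins
        if addr in ipaddress.ip_network(cidr):
            return action
    return implicit_default(acl)

def open_by_default(acls):
    """List numbers whose fall-through is permit: review these before
    binding one to control_acl, since unmatched clients get in."""
    return sorted(n for n, acl in acls.items() if implicit_default(acl) == "permit")

# Constructed lists shaped like the examples in the post (addresses are made up).
ACLS = {
    0: [],                                                       # default: empty
    1: [("permit", "127.0.0.1/32"), ("permit", "192.0.2.0/24")],  # control_acl style
    2: [("permit", "10.1.1.0/24"), ("deny", "10.0.0.0/8")],       # client_acl style
    3: [("permit", "198.51.100.0/24")],                           # server 0
    4: [("deny", "198.51.100.0/24")],                             # server 1
}

if __name__ == "__main__":
    checks = [(1, "203.0.113.9"), (2, "10.1.1.5"), (2, "10.9.9.9"), (2, "203.0.113.9")]
    for n, client in checks:
        print(f"acl {n}: {client} -> {evaluate(ACLS[n], client)}")
    print("lists that permit unmatched clients:", open_by_default(ACLS))
```

A list that ends in a deny rule admits every client it does not mention, so a list intended for the control interface should end in a permit rule.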