Brief summary:
This release introduces access lists which can be used to control
which clients can connect where. There is a maximum of 10 lists,
numbered 0 to 9. By default all lists are empty and permit all
traffic. Rules are added using the penctl interface or more
conveniently using a configuration file (see below).
An access list can be used like this:
no acl 1
acl 1 permit 127.0.0.1
acl 1 permit 10.0.4.0 255.255.255.0
control_acl 1
This allows localhost and anyone on the 10.0.4.0 network to access
the control interface. Others are denied access.
Or like this:
no acl 2
acl 2 permit 10.0.4.0 255.255.255.0
acl 2 deny 10.0.0.0 255.0.0.0
client_acl 2
This allows clients on the 10.0.4.0 network to access the load balancer,
but no other clients on the 10 network. Others are permitted access.
Get it? The default for clients that "fall through" the list is the
opposite of the last rule.
Another example:
no acl 3
acl 3 permit 217.151.192.0 255.255.255.0
no acl 4
acl 4 deny 217.151.192.0 255.255.255.0
server 0 acl 3
server 1 acl 4
Here, everyone coming from the same network as ye olde siag.nu gets to see
server 0, while everyone else sees server 1. Why would anybody do that?
Beats me.
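To make the fall-through rule concrete, here is an added example (not part of Pen itself) that parses the four acl lists above and evaluates a client address against them the way the text describes: first matching rule wins, an empty list permits everything, and a client that matches nothing gets the opposite of the last rule. The parser and the sample addresses are assumptions for illustration.

```python
import ipaddress

# The acl lines from the announcement, constructed as one string.
ACL_CONFIG = """
no acl 1
acl 1 permit 127.0.0.1
acl 1 permit 10.0.4.0 255.255.255.0
no acl 2
acl 2 permit 10.0.4.0 255.255.255.0
acl 2 deny 10.0.0.0 255.0.0.0
no acl 3
acl 3 permit 217.151.192.0 255.255.255.0
no acl 4
acl 4 deny 217.151.192.0 255.255.255.0
"""


def parse_acls(text):
    """Build {list_number: [(is_permit, network), ...]} from acl lines."""
    acls = {n: [] for n in range(10)}          # lists 0-9, empty by default
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["no", "acl"]:         # "no acl N" clears list N
            acls[int(words[2])] = []
        elif words[0] == "acl":
            num, action = int(words[1]), words[2]
            # A bare address (no mask) is a single host.
            mask = words[4] if len(words) > 4 else "255.255.255.255"
            net = ipaddress.ip_network(f"{words[3]}/{mask}", strict=False)
            acls[num].append((action == "permit", net))
    return acls


def acl_permits(rules, client_ip):
    """Return True if the client may connect according to this list."""
    if not rules:                              # empty list permits all traffic
        return True
    addr = ipaddress.ip_address(client_ip)
    for is_permit, net in rules:               # first matching rule decides
        if addr in net:
            return is_permit
    return not rules[-1][0]                    # fall through: opposite of last rule
```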
Now, this is way too verbose to put on the command line and a bit
inconvenient to do even with penctl, so a new command line option (yes!
another one) was added to name a configuration file. So instead of this:
/usr/local/bin/pen -u pen -j $PENHOME \
-w /penstats.html -p /pen.pid \
-C localhost:10000 -l alphabob:10000 \
siag:www siag-eth0-0:www alphabob:www
you can use this:
/usr/local/bin/pen -u pen -j $PENHOME \
-w /penstats.html -p /pen.pid \
-C localhost:10000 -l alphabob:10000 \
siag:www -F /pen.cfg
where /home/pen/pen.cfg looks like this:
no acl 1
acl 1 permit 127.0.0.1
control_acl 1
server 0 address siag-eth0-0 port 80
server 1 address alphabob port 80
Another benefit from putting the configuration in a file is that it is
automatically reread every time a HUP signal is received. This is somewhat
more secure than using penctl to update the configuration when IP-based
access control isn't practical (for example, when there are untrusted
users).
The full story on Pen is, as always, at http://siag.nu/pen/.
Ulric
This archive was generated by hypermail 2.1.2 : Tue Sep 23 2003 - 00:16:43 CEST