Quid Pro Quo offers two methods of security: password protection based on "realms" and denial of connections based on the network address of the client. To deny access to your entire site, you should use the Allow/Deny feature of Quid Pro Quo. This allows you to specify a domain name, IP address, or a range of addresses that will be turned away when they try to access your site. This section describes the Allow/Deny capabilities of Quid Pro Quo. To learn how to use realms, see the section Creating and Using Realms.

The Configure Allow/Deny Dialog

To configure your site's Allow/Deny access control, choose "Configure Server..." from the Control menu. In the configure dialog, select the Allow/Deny icon. This will bring up a list of sites that are currently subject to access control. When Quid Pro Quo is first installed, this list is empty. To add an address to this list, click on the "New" button. This brings up a dialog box that allows you to enter an address and choose whether to allow or deny users connecting from that address. If no addresses are entered in the Allow/Deny list, Quid Pro Quo will allow all clients to connect. However, if you specify even a single address to allow, Quid Pro Quo will deny all clients except those specifically allowed to connect. For instance, if your list contains only:

Allow 192.160.31.16

all clients will be denied access to your site, except for the machine with the IP address 192.160.31.16. If your list is:

Deny 192.160.31.16

all clients will be allowed to access your site, with the exception of 192.160.31.16. Quid Pro Quo also works with domain names. To specify a range of addresses to allow or deny, you can enter a regular expression (modeled after the UNIX command grep) as the address. The entry:

Allow .*.edu

will deny all clients except those with addresses in the .edu domain. The .* notation tells Quid Pro Quo to match everything leading up to the .edu. Similarly, the entry

Allow 192.160.31..*

allows only those clients whose IP address begins with 192.160.31. Note that the asterisk character (*) is preceded by a period. In a regular expression, the period tells Quid Pro Quo to match any single character, while the asterisk tells it to match any number of occurrences of the preceding character. Entering an address without any qualifying characters forces Quid Pro Quo to match the exact address you specify. Regular expressions allow for powerful pattern matching in your addresses, but typically you will only use Quid Pro Quo's basic pattern matching capabilities.
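The following is an added example, not code from Quid Pro Quo or its author, that models the Allow/Deny semantics described above so you can check a rule list against sample client addresses before deploying it. It assumes (as the manual states) that an entry without pattern characters is matched literally; it further assumes, since the manual does not say, that an entry containing grep-style metacharacters (*, [, ], ^, $) is treated as a regular expression, that a Deny entry wins when both an Allow and a Deny match the same client, and that a pattern must cover the whole client address (the anchor flag lets you compare this with grep's substring-style search). The rule lists and client addresses are constructed for the example, except for the four entries quoted in the text.

```python
import re

# Characters that mark an entry as a regular expression rather than a literal
# address (assumption; the manual only says plain addresses match exactly).
REGEX_MARKERS = "*[]^$"

# Constructed rule lists, one per case discussed in the text.
ONLY_ONE_HOST = ["Allow 192.160.31.16"]
BLOCK_ONE_HOST = ["Deny 192.160.31.16"]
EDU_ONLY = ["Allow .*.edu"]
ONE_SUBNET = ["Allow 192.160.31..*"]


def compile_rules(entries, anchor=True):
    """Turn entries such as "Allow 192.160.31..*" into (action, regex) pairs.

    anchor=True requires the pattern to match the entire client address;
    anchor=False reproduces grep's behaviour of matching anywhere inside it.
    """
    rules = []
    for entry in entries:
        action, pattern = entry.split(None, 1)
        action = action.capitalize()
        if action not in ("Allow", "Deny"):
            raise ValueError(f"rule must start with Allow or Deny: {entry!r}")
        if any(ch in pattern for ch in REGEX_MARKERS):
            regex = pattern                      # grep-style expression as given
        else:
            regex = re.escape(pattern)           # plain address: exact match only
        if anchor:
            regex = rf"\A(?:{regex})\Z"
        rules.append((action, re.compile(regex)))
    return rules


def is_allowed(address, rules):
    """Apply the manual's semantics to one client address.

    - empty list: every client is allowed
    - Deny entries turn away matching clients (assumed to beat Allow)
    - once any Allow entry exists, only clients matching an Allow get in
    """
    if not rules:
        return True
    for action, regex in rules:
        if action == "Deny" and regex.search(address):
            return False
    allow_rules = [regex for action, regex in rules if action == "Allow"]
    if allow_rules:
        return any(regex.search(address) for regex in allow_rules)
    return True


def check(entries, addresses, anchor=True):
    """Return {address: allowed?} for a rule list, handy for auditing a config."""
    rules = compile_rules(entries, anchor=anchor)
    return {addr: is_allowed(addr, rules) for addr in addresses}


if __name__ == "__main__":
    clients = ["192.160.31.16", "192.160.31.7", "10.0.0.1",
               "www.example.edu", "host.edu.example.com"]
    for name, entries in [("empty list", []), ("only one host", ONLY_ONE_HOST),
                          ("block one host", BLOCK_ONE_HOST), ("edu only", EDU_ONLY),
                          ("one subnet", ONE_SUBNET)]:
        print(name, check(entries, clients))
    # Same .edu rule evaluated the grep way (substring match) for comparison.
    print("edu only, unanchored", check(EDU_ONLY, clients, anchor=False))
```

Running the script shows the cases from the text: an empty list admits everyone, a single Allow entry turns the list into a default-deny list, and a single Deny entry leaves it default-allow. The final line is the practical caveat: with grep's substring matching, `.*.edu` also accepts `host.edu.example.com`, because `.edu` appears in the middle of the name, whereas anchoring the pattern to the whole address rejects it. Remember too that the unescaped period before `edu` matches any character, so write `\.edu` if you want the dot itself.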

The security offered by the Allow/Deny feature of Quid Pro Quo should not be considered very strong. Quid Pro Quo can only deny access based on the apparent address of the client. Someone wanting access to your system can work around this restriction relatively easily. Using a technique called IP spoofing, an intruder fakes the IP address of the computer they are using, fooling others on the network into believing they are using an allowable address. Quid Pro Quo (like all web servers) is susceptible to this kind of attack, as is any server that relies on the client address as a means of providing access security. You should use the Allow/Deny feature to provide basic access control, such as limiting the amount of traffic on your site by allowing only .edu clients to connect. Do not rely on Allow/Deny to protect sensitive documents.


Send questions and comments to me, Chris Hawk
