diff --git a/admin_manual/enterprise_firewall/file_firewall.rst b/admin_manual/enterprise_firewall/file_firewall.rst index 4875268b3..6274eb4e5 100644 --- a/admin_manual/enterprise_firewall/file_firewall.rst +++ b/admin_manual/enterprise_firewall/file_firewall.rst @@ -11,12 +11,11 @@ expressions. Each rule consists of one or more conditions. A request matches a rule if all conditions evaluate to true. If a request matches at least one of the -defined rules, the request is blocked. +defined rules, the request is blocked and the file content can not be read or +written. -Administrators are excluded from the firewall when they -access the instance via the WebUI, to allow admins to modify the rules. -Otherwise they could potentially be locked out. Public share links and syncing -via WebDAV are subject to firewall rules for all users all the time. +.. note:: + As of ownCloud 9.0, the File Firewall app cannot lock out administrators from the Web interface when rules are misconfigured. Figure 1 shows an empty firewall configuration panel. Set your logging level to **Failures Only** for debugging, and create a new ruleset by clicking the **Add @@ -52,7 +51,7 @@ User Agent The User-Agent of the request (matches|does not match) the given string. User Device - A shortcut for matching all known (``android``|``ios``|``desktop``) sync clients by + A shortcut for matching all known (``android`` | ``ios`` | ``desktop``) sync clients by their User Agent string. Request Time @@ -80,6 +79,10 @@ File Mimetype Upload When a file is uploaded the mimetype (is|is not|begins with|does not begin with|ends with|does not end with) the given string. +System File Tag + One of the parent folders or the file itself (is|is not) tagged with a System + tag. + Regular Expression The File Firewall supports regular expressions, allowing you to create custom rules using the following conditions: 
@@ -107,54 +110,21 @@ and a single typo will break all of your rules. Controlling Access to Folders ----------------------------- -These examples show how to use regular expressions to control access to folders. -It is quite important to note that WebDAV and WebUI require two different URL -matches in 8.2, and are therefore split into 2 rules. +The easiest way to block access to a folder, starting with ownCloud 9.0, is to use a +system tag. A new rule type was added which allows you to block access to +files and folders, where at least one of the parents has a given tag. Now you +just need to add the tag to the folder or file, and then block the tag with the +File Firewall. -This example blocks access to any folder with "Secure" in the name. +This example blocks access to any folder with the tag "Confidential". -Block Web UI:: +Block by System Tag:: - Request Type: Other - Request IP: 127.0.0.1/24 - Regex: Request URL: apps\/files\/ - Regex: Request URL: dir\=(.*)\%2FSecure(\%2F(.*)|$|&(.*)) - -Block WebDAV:: + System file tag: is "Confidential" + Subnet IPv4: is not "255.255.255.0/24" - Request Type: WebDAV - Request IP: 127.0.0.1/24 - Regex: Request URL: remote\.php\/webdav(\/(.*))*\/Secure(\/(.*)|$) - -This example blocks only the root folder named Secure. - -Block Web UI:: - - Request Type: Other - Request IP: 127.0.0.1/24 - Regex: Request URL: apps\/files\/ - Regex: Request URL: dir\=(\%2F)+Secure(\%2F(.*)|$|&(.*)) - -Block Webdav:: - - Request Type: WebDAV - Request IP: 127.0.0.1/24 - Regex: Request URL: remote\.php\/webdav(\/)+Secure(\/(.*)|$) - -Blocking multiple folders isn't much more complicated. These examples block the folders named Secure and Secret. 
- -Block Web UI:: - - Request Type: Other - Request IP: 127.0.0.1/24 - Regex: Request URL: apps\/files\/ - Regex: Request URL: dir\=(.*)\%2F(Secure|Secret)(\%2F(.*)|$|&(.*)) - -Block Webdav:: - - Request Type: WebDAV - Request IP: 127.0.0.1/24 - Regex: Request URL: remote\.php\/webdav(\/(.*))*\/(Secure|Secret)(\/(.*)|$) +.. figure:: images/firewall-3.png + :alt: Protecting files tagged with "Confidential" from outside access Custom Configuration for Branded Clients ---------------------------------------- diff --git a/admin_manual/enterprise_firewall/images/firewall-3.png b/admin_manual/enterprise_firewall/images/firewall-3.png new file mode 100644 index 000000000..742a9dda9 Binary files /dev/null and b/admin_manual/enterprise_firewall/images/firewall-3.png differ
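Review bot: in the `@@ -11,12 +11,11 @@` hunk the replacement `.. note::` inverts the meaning of the paragraph it removes and drops a security-relevant fact. The old text said administrators are exempt from the rules only when they use the Web UI (so they can always repair a bad ruleset), and that public share links and WebDAV syncing are subject to the rules for all users, administrators included; the new wording "cannot lock out administrators from the Web interface when rules are misconfigured" reads as a limitation of the app, and the statement that admin WebDAV/sync traffic is still filtered is gone, which a reader could take to mean admins bypass the firewall everywhere. Suggest: ".. note:: Administrators are never blocked from the Web interface, so a misconfigured ruleset cannot lock them out. Public share links and WebDAV sync are subject to the rules for all users, including administrators." Also, in the same hunk, "can not be read or written" should be "cannot be read or written".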
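Review bot: in the `@@ -80,6 +79,10 @@` hunk the new "System File Tag" condition does not say what the tag is compared against, unlike every other entry in the list ("the given string"). Suggest "One of the parent folders or the file itself (is|is not) tagged with the given system tag." and lowercase "system tag" so the term matches the "System file tag" label used in the example rule later on the page.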
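Review bot: in the `@@ -107,54 +110,21 @@` hunk the example rule `Subnet IPv4: is not "255.255.255.0/24"` uses a netmask where a network prefix is expected, and with "is not" the condition is true for essentially every client, so together with `System file tag: is "Confidential"` the rule blocks all access to tagged files rather than only access from outside the office network, which is what the figure's alt text ("from outside access") promises. Use a real internal prefix (the removed examples used `127.0.0.1/24`; the RFC 5737 documentation prefix `192.0.2.0/24` is another safe placeholder) and state the AND semantics in the prose: because every condition must hold, the request is blocked only when the file is tagged Confidential and the client is outside that subnet. Two smaller points in the same hunk: the intro says the rule type matches "where at least one of the parents has a given tag", but the condition description says it also matches the tagged file itself, so say "the file itself or one of its parent folders"; and the new `.. figure::` has only an `:alt:` while the page refers to figures by number ("Figure 1 shows..."), so give it a caption line.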