[Rspamd-Users] read and write access for web interface

Casper Gielen cgielen+rspamd at uvt.nl
Mon Sep 2 09:41:34 UTC 2019 

Op 31-08-2019 om 19:10 schreef Kai Schaetzl:
> I have a short question about the read access for the web interface.
> Background: I would like a client to not be able to change the 
> configuration, but I would like them to be able to submit mails for spam 
> learning.
> Is this possible with read access or does this disallow *any* submission?

Hi Kai,
I was wondering the same just a few days ago, and came up with a
possible solution.
My solution uses Apache to protect certain URLs.
Carefull, this has not been tested properly yet.
I would love to hear if it fits the bill.

Notes.
1. We use CAS for authentication, you probably use something else.
2. I don't know the difference between "scan" and "check".
3. "History" seems to be required for all other pages, but it reveals
   a lot of private information that my not be appropriate to share
   with regular users.
4. The exact groups and permissions probably need to be improved and
   adjusted to your environment.
5. "LocationMatch" is slightly more complicated that required, a normal
   "Location" would probably suffice.    I do it this way because this
server also acts as a proxy to other
   rspamd instances. This way all rspamd instances are matched.
   (ie https://mail.example.com/server3/#scan)
6. THIS HAS NOT BEEN TESTED.

  Define admins       "user1 user2"
  Define servicedesk  "user3 user4"
  Define bosses       "user8"


  # 0. Require all users to be logged in.
  #    Replace with your own authentication method.
  #    Regular users can only see "status"
  <Location />
          AuthType CAS
          CASScope /
          Require valid-user
  </Location>

  # 1. Monitoring & stats (read only)
  <LocationMatch /*/(scan|check|graph|pie|stat|counters|history)>
	  Require user ${admins} ${servicedesk} ${bosses}
  </LocationMatch>

  # 2. Spam/Ham training
  <LocationMatch /*/(learnspam|learnham)>
	  Require user ${admins} ${servicedesk}	
  </LocationMatch>

  # 3. Advanced command's that may change the configuration.
  <LocationMatch
/*/(historyreset|saveactions|savesymbols|savemap|statreset)>
          Require user ${admins}
  </LocationMatch>



-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 231 | http://www.uvt.nl





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <https://lists.rspamd.com/pipermail/users/attachments/20190902/c9c0193e/attachment.bin>

More information about the Users mailing list