|
Key
This line was removed.
This word was removed. This word was added.
This line was added.
|
Comment:
Changes (1)
View page history... *Back to [[Book|Administrator's Configuration File Reference#cfr]] [[Topic|Administrator's Configuration File Reference#chap7]]* h2. {{PathCheck}} The {{PathCheck}} directive checks the local file system path that is returned after the {{NameTrans}} step to verify that the client is allowed to access the specified resource. For more information, see [{{PathCheck}}|Flow of Control in obj.conf#path]. The following {{PathCheck}}-class functions are described in detail in this section: * [#{{check-acl}}] * [#{{check-request-limits}}] * [#{{deny-existence}}] * [#{{find-compressed}}] * [#{{find-index}}] * [#{{find-index-j2ee}}] * [#{{find-links}}] * [#{{find-pathinfo}}] * [#{{get-client-cert}}] * [#{{nt-uri-clean}}] * [#{{ntcgicheck}}] * [#{{pcheck-dav}}] * [#{{require-auth}}] * [#{{set-virtual-index}}] * [#{{ssl-check}}] * [#{{ssl-logout}}] * [#{{unix-uri-clean}}] In addition, the following common SAFs are valid for the PathCheck directive: * [{{match-browser}}|Common SAFs across Multiple Directives#saf2] * [{{restart}}|Common SAFs across Multiple Directives#saf6] * [{{set-variable}}|Common SAFs across Multiple Directives#saf8] h3. {{check-acl}} {anchor:path1} The {{check-acl}} function specifies an access control list (ACL) to use to check whether the client is allowed to access the requested resource. An ACL contains information about who is or is not allowed to access a resource, and under what conditions access is allowed. Regardless of the order of {{PathCheck}} directives in the object, {{check-acl}} functions are executed first. They perform user authentication if required by the specified ACL, and also update the access control state. Because the server caches the ACLs returned by the {{check-acl}} function, do not use {{check-acl}} inside a {{Client}}, {{If}}, {{ElseIf}}, or {{Else}} container. h4. Parameters The following table describes parameters for the {{check-acl}} function. Table 7-16 {{check-acl}} Parameters ||Parameter ||Description || |{{acl}} |Name of an access control list. | |{{path}} |(Optional) Wildcard pattern that specifies the path for which the ACL should be applied. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="check-acl" acl="*HRonly*" {code} h3. {{check-request-limits}} {anchor:path2} The {{check-request-limits}} function monitors incoming requests matching a given attribute (for example, client IP address) and computes an average requests per second on a configurable time interval. When requests that match the monitored attribute exceed a threshold that you configure, subsequent matching requests are not serviced until the request rate drops. Use this function to detect possible denial-of-service attacks. You must specify either {{max-rps}} or {{max-connections}}, otherwise {{check-request-limits}} does nothing. If you do not enter an attribute or attributes to monitor, the function monitors all requests. By default, the function keeps entries on requests for 300 seconds (five minutes) before purging them. To adjust this time, use the {{init-request-limits}} SAF in {{magnus.conf}}. For more information, see [{{init-request-limits}}|Init SAFs#magi55]. h4. Parameters The following table describes parameters for the {{check-request-limits}} function. Table 7-17 {{check-request-limits}} Parameters ||Parameter ||Description || |{{max-rps}} |(Optional) Threshold for matching requests per second. If this threshold is exceeded subsequent connections matching the criteria are not serviced. Because an acceptable threshold value can vary widely between sites, there is no default value for this parameter. | |{{max-connections}} |(Optional) Maximum number of concurrent matching connections. If the server receives a request that matches the criteria while the number of matching requests currently being processed meets or exceeds this number, the request is denied. Note that this number is the current requests at any time, and is independent of the {{interval}}. parameter. As soon as the number of concurrent requests falls below this limit, new matching requests are processed.Because an acceptable value can vary widely between sites, there is no default value for this parameter. | |{{interval}} |(Optional) In seconds, the time interval during which average requests per second is computed. The {{max-rps}} limit is not applied until the next request rate computation. Because potential attackers can have unlimited requests serviced during this interval, balance the length of this interval against the performance cost of recomputing the maximum requests per second. The default is 30 seconds. | |{{continue}} |(Optional) Determines what condition must be met in order for a blocked request type to become available again for servicing. Valid values are: * {{silence}} – Refused requests must fall to zero in a subsequent interval for service to resume. * {{threshold}} – Refused requests must fall below the {{max-rps}} value for service to resume. \\ The default value is {{threshold}}. | |{{error}} |(Optional) The HTTP status code to use for blocked requests. The default value is {{503}} (the {{Service Unavailable}} error). | |{{monitor}} |(Optional) A request attribute to monitor. Request rates are tracked in a bucket named by the value of this parameter. If the {{monitor}} parameter is not specified, the matching requests are tracked in an unnamed (anonymous) bucket. Note that these buckets are different from the buckets you specify with the standard {{obj.conf}} {{bucket}} parameter. Although the value of the {{monitor}} parameter can be a fixed string, it is most useful when you use predefined variables, for example, {{monitor="$ip"}}. You can also specify multiple variables, separated by a colon. For example, {{monitor="$ip:$uri"}}. For a list of predefined variables, see [Predefined Variables|Variables#appA2]. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example The following example limits a client IP to a maximum request rate of 10 requests per second in the default interval of 30 seconds: {code} PathCheck fn="check-request-limit" monitor="$ip" max-rps="10" {code} The following example limits a client IP to a maximum request rate of 10 requests per second when accessing any Perl CGIs. Other types of requests are unlimited: {code} <If path = "*.pl"> PathCheck fn="check-request-limits" monitor="$ip" max-rps="10" </If> {code} For more information on using the {{If}} tag, see [If, ElseIf, and Else|Objects in obj.conf#conf62]. The following example limits requests globally for Perl CGIs to 10 requests per second. No specific {{monitor}} parameter is specified: {code} <If path = "*.pl"> PathCheck fn="check-request-limits" max-rps="10" </If> {code} The following example limits a client IP from generating more than 10 Perl CGI requests per second, or 5 JSP requests per second. To track the Perl and JSP totals separately, the specified {{monitor}} parameters contain both a fixed string identifier and the client IP variable: {code} <If path = "*.pl"> PathCheck fn="check-request-limits" max-rps="10" monitor="perl:$ip" </If> <If path = "*.jsp"> PathCheck fn="check-request-limits" max-rps="5" monitor="jsp:$ip" </If> {code} The following example limits any one client IP to no more than 5 connections at a given time: {code} PathCheck fn="check-request-limits" max-connections="2" monitor="$ip" {code} h3. {{deny-existence}} {anchor:path3} The {{deny-existence}} function sends a {{404 Not Found}} message when a client tries to access a specified path. h4. Parameters The following table describes parameters for the {{deny-existence}} function. Table 7-18 {{deny-existence}} Parameters ||Parameter ||Description || |{{path}} |(Optional) Wildcard pattern of the file system path to hide. If the path does not match, the function does nothing and returns {{REQ_NOACTION}}. If the path is not provided, it is assumed to match. | |{{bong-file}} |(Optional) Specifies a file to send rather than responding with the {{404 Not Found}} message. The value is a full file system path. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="deny-existence" path="/usr/sun/server7/docs/private" PathCheck fn="deny-existence" bong-file="/svr/msg/go-away.html" {code} h3. {{find-compressed}} {anchor:path4} The {{find-compressed}} function checks if a compressed version of the requested file is available. If the following conditions are met, {{find-compressed}} changes the {{path}} to point to the compressed file: * A compressed version is available. * The compressed version is as recent as the non-compressed version. * The client supports compression. \\ Not all clients support compression. The {{find-compressed}} function allows you to use a single URL for both the compressed and non-compressed versions of a file. The version of the file that is selected is based on the individual client's capabilities. \\ A compressed version of a file must have the same file name as the non-compressed version but with a {{.gz}} suffix. For example, the compressed version of a file named {{/httpd/docs/index.html}} would be named {{/httpd/docs/index.html.gz}}. To compress files, you can use the freely available {{gzip}} program. \\ Because compressed files are sent as is to the client, you should not compress files such as SHTML pages, CGI programs, or pages created with JavaServer Pages (JSP) technology that need to be interpreted by the server. To compress the dynamic content generated by these types of files, use the {{http-compression}} filter. \\ The {{find-compressed}} function does nothing if the HTTP method is not {{GET}} or {{HEAD}}. h4. Parameters The following table describes parameters for the {{find-compressed}} function. Table 7-19 {{find-compressed}} Parameters ||Parameter ||Description || |{{check-age}} |(Optional) Specifies whether to check if the compressed version is older than the non-compressed version. The values can be {{yes}} or {{no}}. * If set to {{yes}}, the compressed version will not be selected if it is older than the non-compressed version. * If set to {{no}}, the compressed version is always selected, even if it is older than the non-compressed version. \\ By default, the value is set to {{yes}}. | |{{vary}} |(Optional) Specifies whether to insert a {{Vary: Accept-Encoding}} header. The values can be {{yes}} or {{no}}. * If set to {{yes}}, a {{Vary: Accept-Encoding}} header is always inserted when a compressed version of a file is selected. * If set to {{no}}, a {{Vary: Accept-Encoding}} header is never inserted. By default, the value is set to {{yes}}. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} <Object name="default"> NameTrans fn="assign-name" from="*.html" name="find-compressed" ... </Object> <Object name="find-compressed"> PathCheck fn="find-compressed" </Object> {code} h4. See Also [{{http-compression}}|Output#out2] h3. {{find-index}} {anchor:path5} The {{find-index}} function investigates whether the requested path is a directory. If yes, the function searches for an index file in the directory, and then changes the path to point to the index file. If an index file is not found, the server generates a directory listing. If the {{obj.conf}} file has a {{NameTrans}} directive that calls {{home-page}} and the requested directory is the root directory, the server returns the home page to the client instead of the index page. The {{find-index}} function does nothing if there is a query string, if the HTTP method is not {{GET}}, or if the path is that of a valid file. h4. Parameters The following table describes parameters for the {{find-index}} function. Table 7-20 {{find-index}} Parameters ||Parameter ||Description || |{{index-names}} |Comma-separated list of index file names to look for. Use spaces only if they are part of a file name. Do not include spaces before or after the commas. This list is case-sensitive if the file system is case-sensitive. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="find-index" index-names="index.html,home.html" {code} |
h4. See Also |
| * [{{find-index-j2ee}}|PathCheck#path56] |
| * [{{home-page}}|NameTrans#name3] * [{{index-common}}|Service#serv6] |
... * [{{index-simple}}|Service#serv7] h3. {{find-index-j2ee}} {anchor:path6} The {{find-index-j2ee}} function implements {{welcome-file-list}} processing for requests that map to directories in a Java web application. When configuring the server to host Servlet or JSP-technology-based web applications, position the {{find-index-j2ee}} SAF above the {{find-index}} SAF in {{obj.conf}}. This position ensures that {{web.xml}} welcome-file-list ordering takes precedence over the default index file order configured for the {{find-index}} SAF. h4. Parameters The following table describes parameter for the {{find-index-j2ee}} function. Table 7-21 {{find-index-j2ee}} Parameter ||Parameter ||Description || |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="find-index-j2ee" {code} h4. See Also * [#{{find-index}}] * [{{ntrans-j2ee}}|NameTrans#name6] * [{{service-j2ee}}|Service#serv21] * [{{error-j2ee}}|Error#err1] * [{{type-j2ee}}|ObjectType#obj37] h3. {{find-links}} {anchor:path7} (UNIX only) The {{find-links}} function searches the current path for symbolic or hard links to other directories or file systems. If any are found, an error is returned. This function is normally used for directories that are not trusted (such as user home directories). It prevents someone from pointing to information that should not be made public. h4. Parameters The following table describes parameters for the {{find-links}} function. Table 7-22 {{find-links}} Parameters ||Parameter ||Description || |{{disable}} |Character string of links to disable: * {{h}} indicates hard link * {{s}} indicates soft link * {{o}} allows symbolic links only if the target of the link is owned by the user that the server runs as | |{{dir}} |(Optional) Directory to begin checking. If you specify an absolute path, any request to that path and its subdirectories is checked for symbolic links. If you specify a partial path, any request containing that partial path is checked for symbolic links. For example, if you use {{/user/}} and a request comes in for {{some/user/directory}}, then that directory is checked for symbolic links. If you do not specify a {{dir}}, all directories are checked. | |{{checkFileExistence}} |(Optional) Checks linked file for existence and aborts the request with the {{403 Forbidden}} error if the check fails. Controls whether the server checks if the target of the link exists. If set to {{Y}}, the server aborts the request with a {{403 Forbidden}} error if the target of a link does not exist. The default is {{N}}, meaning the server does not check whether the target exists. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="find-links" disable="sh" dir="/foreign-dir" PathCheck fn="find-links" disable="so" dir="public_html" {code} h4. See Also [{{unix-home}}|NameTrans#name11] h3. {{find-pathinfo}} {anchor:path8} The {{find-pathinfo}} function finds any extra path information after the file name in the URL and stores it for use in the CGI environment variable {{PATH_INFO}}. h4. Parameters The following table describes parameters for the {{find-pathinfo}} function. Table 7-23 {{find-pathinfo}} Parameter ||Parameter ||Description || |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="find-pathinfo" PathCheck fn="find-pathinfo" find-pathinfo-forward="" {code} h3. {{get-client-cert}} {anchor:path9} The {{get-client-cert}} function gets the authenticated client certificate from the SSL3 session. It can apply to all HTTP methods, or only to those that match a specified pattern. It only works when SSL is enabled on the server. If the certificate is present or obtained from the SSL3 session, the function returns {{REQ_NOACTION}} and allows the request to proceed. Otherwise, it returns {{REQ_ABORTED}} and sets the protocol status to {{403 forbidden}}, causing the request to fail. h4. Parameters The following table describes parameters for the {{get-client-cert}} function. Table 7-24 {{get-client-cert}} Parameters ||Parameter ||Description || |{{dorequest}} |(Optional) Controls whether to actually get the certificate, or just test for its presence. * {{1}} tells the function to redo the SSL3 handshake to get a client certificate, if the server does not already have the client certificate. This typically causes the client to present a dialog box to the user to select a client certificate. The server might already have the client certificate if it was requested on the initial handshake, or if a cached SSL session has been resumed. * {{0}} tells the function not to redo the SSL3 handshake if the server does not already have the client certificate. If a certificate is obtained from the client and verified successfully by the server, the ASCII base 64 encoding of the DER-encoded X.509 certificate is placed in the parameter {{auth-cert}} in the {{Request->vars}} pblock, and the function returns {{REQ_PROCEED}}, allowing the request to proceed. \\ The default value is {{0}}. | |{{require}} |(Optional) Controls whether failure to get a client certificate will abort the HTTP request. * {{1}} tells the function to abort the HTTP request if the client certificate is not present after {{dorequest}} is handled. In this case, the HTTP status is set to {{PROTOCOL_FORBIDDEN}}, and the function returns {{REQ_ABORTED}}. * {{0}} tells the function to return {{REQ_NOACTION}} if the client certificate is not present after {{dorequest}} is handled. \\ The default value is {{1}}. | |{{method}} |(Optional) Specifies a wildcard pattern for the HTTP methods for which the function will be applied. If {{method}} is absent, the function is applied to all requests. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} # Get the client certificate from the session. # If a certificate is not already associated with the session, request one. # The request fails if the client does not present a #valid certificate. PathCheck fn="get-client-cert" dorequest="1" {code} h3. {{nt-uri-clean}} {anchor:path10} (Windows only) The {{nt-uri-clean}} function denies access to any resource whose physical path contains {{\.\, \..}}\ or \ \ (these are potential security problems). h4. Parameters The following table describes parameters for the {{nt-uri-clean}} function. Table 7-25 {{nt-uri-clean}} Parameters ||Parameter ||Description || |{{tildeok}} |(Optional) If present, allows tilde (~) characters in URIs. This is a potential security risk on the Windows platform, where {{longfi~1.htm}} might reference {{longfilename.htm}} but does not go through the proper ACL checking. If present, “{{//}}” sequences are allowed. | |{{dotdirok}} |(Optional) If present, {{/./}} sequences are allowed. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="nt-uri-clean" {code} h4. See Also [#{{unix-uri-clean}}] h3. {{ntcgicheck}} {anchor:path11} (Windows only) The {{ntcgicheck}} function specifies the file name extension to be added to any file name that does not have an extension, or to be substituted for any file name that has the extension {{.cgi}}. h4. Parameters The following table describes parameters for the {{ntcgicheck}} function. Table 7-26 {{ntcgicheck}} Parameters ||Parameter ||Description || |{{extension}} |The replacement file extension. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="ntcgicheck" extension="pl" {code} h4. See Also * [{{send-cgi}}|Service#serv14] * [{{send-wincgi}}|Service#serv18] * [{{send-shellcgi}}|Service#serv17] h3. {{pcheck-dav}} {anchor:path12} The {{pcheck-dav}} function inserts a DAV-specific service function as the first service function, if the following are true: * The {{Translate:f}} header is present * DAV is enabled for the request URI * A corresponding source URI for the request URI exists During the {{Service}} stage, this inserted service function restarts the request if necessary; otherwise, {{REQ_NOACTION}} is returned. h4. Parameters The following table describes parameters for the {{pcheck-dav}} function. Table 7-27 {{pcheck-dav}} Parameter ||Parameter ||Description || |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. See Also * [{{ntrans-dav}}|NameTrans#name5] * [{{service-dav}}|Service#serv19] h3. {{require-auth}} {anchor:path13} The {{require-auth}} function allows access to resources only if the user or group is authorized. Before this function is called, an authorization function (such as {{basic-auth}}) must be called in the {{AuthTrans}} directive. If a user is authorized in the {{AuthTrans}} directive and the {{auth-user}} parameter is provided, the name of the user must match with the {{auth-user}} wildcard value. Also, if the {{auth-group}} parameter is provided, the authorized user must belong to an authorized group, which must match the {{auth-user}} wildcard value. h4. Parameters The following table describes parameters for the {{require-auth}} function. Table 7-28 {{require-auth}} Parameters ||Parameter ||Description || |{{path}} |(Optional) Wildcard local file system path on which this function should operate. If no path is provided, the function applies to all paths. | |{{auth-type}} |Type of HTTP authorization used. Currently, {{basic}} is the only authorization type defined. | |{{realm}} |String sent to the browser indicating the secure area (or realm) for which user name and password are requested. | |{{auth-user}} |(Optional) Specifies a wildcard list of users who are allowed access. If this parameter is not provided, any user authorized by the authorization function is given access. | |{{auth-group}} |(Optional) Specifies a wildcard list of groups that are allowed access. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="require-auth" auth-type="basic" realm="Marketing Plans" auth-group="mktg" auth-user="(jdoe|johnd|janed)" {code} h4. See Also * [{{basic-auth}}|AuthTrans#auth1] * [{{basic-ncsa}}|AuthTrans#auth2] h3. {{set-virtual-index}} {anchor:path14} The {{set-virtual-index}} function specifies a virtual index for a directory, which determines the URL forwarding. The index can refer to a LiveWire application, a Servlet in its own namespace, a Sun Java System Application Server, and so on. {{REQ_NOACTION}} is returned if none of the URIs listed in the {{from}} parameter match the current URI. {{REQ_ABORTED}} is returned if the file specified by the {{virtual-index}} parameter is missing, or if the current URI is not found. {{REQ_RESTART}} is returned if the current URI matches any one of the URIs mentioned in the {{from}} parameter, or if the {{from}} parameter is not specified. h4. Parameters The following table describes parameters for the {{set-virtual-index}} function. Table 7-29 {{set-virtual-index}} Parameters ||Parameter ||Description || |{{virtual-index}} |URI of the content generator that acts as an index for the URI that the user enters. | |{{from}} |(Optional) Comma-separated list of URIs for which this {{virtual-index}} is applicable. If {{from}} is not specified, the {{virtual-index}} always applies. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} # MyLWApp is a LiveWire application PathCheck fn="set-virtual-index" virtual-index="MyLWApp" {code} h3. {{ssl-check}} {anchor:path15} The {{ssl-check}} function is used along with a {{Client}} tag to limit access of certain directories to non-exportable browsers. If a restriction is selected that is not consistent with the current cipher settings, this function displays a warning that ciphers with larger secret keysizes must be enabled. The function returns {{REQ_NOACTION}} if SSL is not enabled, or if the {{secret-keysize}} parameter is not specified. If the secret keysize for the current session is less than the specified {{secret-keysize}} and the {{bong-file}} parameter is not specified, the function returns {{REQ_ABORTED}} with a status of {{PROTOCOL_FORBIDDEN}}. If the {{bong-file}} is specified, the function returns {{REQ_PROCEED}}, and the {{path}} variable is set to the {{bong-file}} name. Also, when a keysize restriction is not met, the SSL session cache entry for the current session is invalidated so that a full SSL handshake will occur the next time the same client connects to the server. Requests that use {{ssl-check}} are not cacheable in the accelerator file cache if {{ssl-check}} returns something other than {{REQ_NOACTION}}. h4. Parameters The following table describes parameters for the {{ssl-check}} function. Table 7-30 {{ssl-check}} Parameters ||Parameter ||Description || |{{secret-keysize}} |(Optional) Minimum number of bits required in the secret key. | |{{bong-file}} |(Optional) Name of a file (not a URI) to be served if the restriction is not met. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h3. {{ssl-logout}} {anchor:path16} The {{ssl-logout}} function invalidates the current SSL session in the server's SSL session cache. This does not affect the current request, but the next time that the client connects, a new SSL session is created. If SSL is enabled, this function returns {{REQ_PROCEED}} after invalidating the session cache entry. If SSL is not enabled, it returns {{REQ_NOACTION}}. h4. Parameters The following table describes parameters for the {{ssl-logout}} function. Table 7-31 {{ssl-logout}} Parameter ||Parameter ||Description || |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h3. {{unix-uri-clean}} {anchor:path17} (UNIX only) The {{unix-uri-clean}} function denies access to any resource whose physical path contains {{/./}} or {{/../}} or {{//}} (these are potential security problems). h4. Parameters The following table describes parameters for the {{unix-uri-clean}} function. Table 7-32 {{unix-uri-clean}} Parameters ||Parameter ||Description || |{{dotdirok}} |If present, {{/./}} sequences are allowed. | |{{bucket}} |(Optional) Common to all {{obj.conf}} functions. Adds a bucket to monitor performance. For more information, see [The {{bucket}} Parameter|The bucket Parameter#b1]. | h4. Example {code} PathCheck fn="unix-uri-clean" {code} h4. See Also [#{{nt-uri-clean}}] |