Topic: WWW

[NOTE: The WWW interface to listmanager was not complete at the time of
 writing of this file.  The information contained here may not be current.]

Listmanager has a WWW interface to allow queries and a limited set of
its functions to be accessed using web browsers.  This includes subscribing
and unsubscribing, getting help, requesting new lists, and setting list or
member options.

In its default state, only query-type (i.e. read-only) requests are
permitted, but it is possible for list owners to enable certain updates to
their lists via this method.  There are two methods by which this
restriction is controlled.

The first is the "allow-web-subs" list flag which permits people to
use the WWW interface to subscribe to or unsubscribe from your list.
It is strongly recommended that you also use the "sub-confirm" list flag
if you enable this, but it is not required.  Doing so prevents (or at least
inhibits) malicious users from subscribing others without the permission of
that third party.

The second method is the use of a WWW ACL (access control list), set by the
"set webacl" command.  This establishes a list of places from which list
owners and members may connect to configure their list or membership options.
The format of the WWW ACL is slightly different than a regular ACL in that
no userid is used to authenticate, only an IP address or domain name.
For example, a WWW ACL of:

	*.hookup.net

would allow WWW-based list configurations to take place from any "hookup.net"
address.  On the other hand,

	!*.pbi.net

would allow configuration requests via the WWW from anywhere except any
"pbi.net" address.  Also, as with regular ACLs, the WWW ACL's first entry
has a special meaning; see the "ACLs" help file for more information.

Note that the web server invoking listmanager may not be able to translate
the client's IP address to a name, due to DNS difficulties or a variety
of other reasons.  In that case, you may need to expressly permit or restrict
IP blocks as well as domain names.

Matching is permitted on userid as well.  If you want to block all requests
from clients running an "ident" server (see RFC1913) that identify themselves
as root, you could use an entry like this:

	!root@*

Listmanager will substitute the keyword "UNKNOWN" in either the userid or
host field (or both) if the corresponding data could not be obtained from
the web server calling it.  You could therefore block all web requests from
clients that aren't running "ident" at all using an entry like this:

	!UNKNOWN@*
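
The sketch below is an added example, not listmanager's own code.  It shows
why a name-only WWW ACL behaves differently when the web server cannot
resolve the client's address.  Assumed here: the function names, a
first-match evaluation order with the default taken from the first entry,
the "192.0.2.*" style for IP blocks, and all sample addresses; the real
rules are in the "ACLs" help file.

```python
from fnmatch import fnmatchcase

def split_entry(entry):
    """Split an entry such as '!root@*' into (allow, user_pattern, host_pattern)."""
    allow = not entry.startswith("!")
    body = entry if allow else entry[1:]
    user, sep, host = body.rpartition("@")
    return allow, (user if sep else "*"), host.lower()

def web_acl_allows(acl, userid, host):
    """Decide whether a web request from userid@host may change list settings."""
    if not acl:
        return False  # no WWW ACL set: only read-only queries (the documented default)
    # Data the web server could not supply becomes the keyword UNKNOWN.
    userid = userid or "UNKNOWN"
    host = (host or "UNKNOWN").lower()
    for entry in acl:
        allow, user_pat, host_pat = split_entry(entry)
        if fnmatchcase(userid, user_pat) and fnmatchcase(host, host_pat):
            return allow  # ASSUMPTION: the first matching entry decides
    # ASSUMPTION: with no match, an allow-list denies and a deny-list allows.
    return not split_entry(acl[0])[0]

if __name__ == "__main__":
    # Constructed requests: (userid, host as reported by the web server).
    named = ("alice", "dial7.hookup.net")
    unresolved = ("alice", "192.0.2.10")        # reverse DNS lookup failed
    blocked = ("bob", "ppp3.pbi.net")
    blocked_unresolved = ("bob", "198.51.100.7")  # reverse DNS lookup failed
    for acl in (["*.hookup.net"], ["*.hookup.net", "192.0.2.*"],
                ["!*.pbi.net"], ["!*.pbi.net", "!198.51.100.*"]):
        for req in (named, unresolved, blocked, blocked_unresolved):
            verdict = "allow" if web_acl_allows(acl, *req) else "deny"
            print(acl, req, "->", verdict)
```

With a name-only allow entry, an unresolved client is locked out; with a
name-only deny entry, an unresolved client gets through, which is the case
to close by listing the IP block as well.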

See also: ACLs allow-web-subs no select set show
