Restricted Access Webpages
Introduction
It is often desirable to restrict access to certain information on the World Wide Web. Class-related web pages, Rose-Hulman specific information, and other private documents may be protected by setting passwords for web access. Rose-Hulman's web server provides two methods of access restriction: address filtering and password protection.
General Information
Before delving into the specifics of address filtering and password protection, note what the two mechanisms have in common. Protection in a directory is configured via a file called .htaccess. All files in the directory will be subject to the protections in this file. In addition, all subdirectories of this root directory will be subject to the same protections as the root, unless another .htaccess file exists in a subdirectory.
For example, consider the following directory structure:

In this example, the HTML directory and the insecure directory are both unprotected. The Secure, Dent, Vogon, and Poetry directories are all subject to the protections in the .htaccess file in the Secure directory. The Bottom directory, however, does not use the permissions of that file, since Bottom has its own .htaccess file. If Bottom had any subdirectories, they would use the permissions in Bottom's .htaccess file.
Address Filtering
Pages that need to be restricted to a given network are best protected with address filtering. For example, several internal Rose-Hulman web pages use this method of protection to restrict access to Rose-Hulman computers. Address filtering allows a page to be restricted to any range of IP addresses.
To set up address filtering, create a .htaccess file in the directory you wish to protect:
order deny,allow
deny from all
allow from 137.112.
The 137.112. tells the web server to allow connections only from machines which have IP addresses beginning with 137.112. Since all Rose-Hulman addresses fit this description, this .htaccess file will allow connections from Rose-Hulman machines only. To allow connections from other addresses, add additional "allow from" lines below the first. It is also possible to be more restrictive; for example, allow from 137.112.3. will allow only addresses beginning with 137.112.3.
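The evaluation described above, modelled as an added Python example (it is not part of the original page or of the web server's code). It assumes partial addresses match on whole octets and handles only "order deny,allow" with numeric addresses; the client addresses are constructed samples.

```python
import ipaddress

# The .htaccess shown in this section.
HTACCESS = """\
order deny,allow
deny from all
allow from 137.112.
"""

def parse_spec(spec):
    """Map 'all' to None, or a partial IPv4 address like '137.112.' to a network."""
    if spec.lower() == "all":
        return None
    octets = [o for o in spec.split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"unsupported address spec: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    # Raises ValueError for hostnames or CIDR forms, which are not modelled.
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def parse_htaccess(text):
    """Collect the order setting and the deny/allow address specs."""
    rules = {"order": None, "deny": [], "allow": []}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            rules["order"] = words[1].lower()
        elif key in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            rules[key] += [parse_spec(w) for w in words[2:]]
    return rules

def is_allowed(rules, client):
    """Apply 'order deny,allow': a matching allow line overrides any deny."""
    if rules["order"] != "deny,allow":
        raise ValueError("only 'order deny,allow' is modelled")
    ip = ipaddress.ip_address(client)
    hit = lambda nets: any(n is None or ip in n for n in nets)
    if hit(rules["allow"]):
        return True
    return not hit(rules["deny"])  # no deny match either: access is allowed

if __name__ == "__main__":
    rules = parse_htaccess(HTACCESS)
    for client in ("137.112.40.7", "137.11.2.9", "198.51.100.4"):  # constructed
        print(client, "allowed" if is_allowed(rules, client) else "denied")
```

Under this ordering a file that omits the "deny from all" line admits every client, because a request that matches neither list is allowed.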
To create this file you can use any word processor or an application on the AFS/Unix network such as EMACS, vi, or PICO. You can also create this file using a Windows-based editor and use FTP to transfer it to the appropriate directory.
Password Protection
Some pages may need to be restricted to a specific user or group of users. Password protection gives the owner of the web page the ability to limit access by usernames and passwords. Note that this method of protection requires that the user's browser support password authentication.
There are two ways to password protect web pages. First, you can require users to enter a valid Rose-Hulman username and Kerberos password. The second is to create your own database of user names and passwords.
To restrict access to users with valid usernames and Kerberos passwords, follow these steps:
- Create a .htaccess file in the directory you wish to protect that contains the following:
AuthType KerberosV5
AuthName "Rose-Hulman Kerberos Password"
Require valid-user
You can restrict a page to only certain users by changing the "Require valid-user" line to
- Require user userid [userid] ...
Only the named users can access the directory.
- Require group group-name [group-name] ...
Only users in the named groups can access the directory.
- Require valid-user
All valid users can access the directory.
To restrict access to users with usernames and passwords that you create, follow these steps:
- Change to the directory you wish to protect.
- Create a .htpasswd file. This file contains usernames and encrypted passwords which may be allowed access. This may be accomplished as follows:
  - Choose one of the following (username is the name of the user to add to the file):
    - If you have already created a .htpasswd file in this directory, enter
      /usr/local/bin/htpasswd .htpasswd username
    - If this is a new .htpasswd file, enter
      /usr/local/bin/htpasswd -c .htpasswd username
  - Enter the password for this user. (You'll need to enter it twice.)
  - Repeat the htpasswd command and password entry until all users have been added.
The .htpasswd file can actually live in any directory. Thus, you can use the same file for multiple protected directories. Be sure to use the correct path to the file.
- Create a .htaccess file containing the following:
AuthName "Name of your secure space"
AuthType Basic
AuthUserFile /full path to directory/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Any string (without double-quotes) is valid for the name of the secure space. The full path to directory depends on the webpage location and the directory that holds the .htpasswd file. Most webpages fall under one of the following paths.
/Users/classXX/username/Public/HTML/.htpasswd
/Users/groups/groupname/Public/HTML/.htpasswd
Example AuthUserFile line in the .htaccess file:
AuthUserFile /Users/class02/wellsgr/Public/HTML/.htpasswd
You can restrict a page to only certain users by changing the "Require valid-user" line to
Require user userid [userid] ...
where userid is a username from your .htpasswd file.
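A consistency check for the password-file setup described above, as an added Python example (not part of the original page). The function name lint_basic_auth, the usernames alice and bob, and the placeholder password entry are constructed for illustration; it checks that AuthUserFile is a full path to an existing file and that every name on a "Require user" line appears in that .htpasswd file.

```python
import os
import tempfile

def lint_basic_auth(htaccess_path):
    """Return a list of problems found in a Basic-auth .htaccess file."""
    directives = {}
    with open(htaccess_path) as fh:
        for line in fh:
            words = line.split(None, 1)
            if len(words) == 2 and not words[0].startswith("#"):
                directives[words[0].lower()] = words[1].strip()
    problems = []
    if directives.get("authtype", "").lower() != "basic":
        problems.append("AuthType is not Basic")
    if "authname" not in directives:
        problems.append("AuthName is missing")
    userfile = directives.get("authuserfile", "").strip('"')
    if not os.path.isabs(userfile):
        return problems + [f"AuthUserFile is not a full path: {userfile!r}"]
    if not os.path.isfile(userfile):
        return problems + [f"AuthUserFile does not exist: {userfile}"]
    with open(userfile) as fh:
        # Each .htpasswd line has the form username:encrypted-password
        known = {entry.split(":", 1)[0] for entry in fh if ":" in entry}
    require = directives.get("require", "").split()
    if not require:
        problems.append("Require line is missing")
    elif require[0].lower() == "user":
        for name in require[1:]:
            if name not in known:
                problems.append(f"Require user {name}: not in {userfile}")
    return problems

if __name__ == "__main__":
    # Constructed sample: one user in .htpasswd, two named in .htaccess.
    d = tempfile.mkdtemp()
    pw = os.path.join(d, ".htpasswd")
    with open(pw, "w") as fh:
        fh.write("alice:CONSTRUCTED-PLACEHOLDER-HASH\n")
    ht = os.path.join(d, ".htaccess")
    with open(ht, "w") as fh:
        fh.write('AuthName "Name of your secure space"\nAuthType Basic\n'
                 f"AuthUserFile {pw}\nAuthGroupFile /dev/null\n"
                 "Require user alice bob\n")
    print(lint_basic_auth(ht))
```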
