ARCHIVED: How do I limit access to my web pages?
Note: This information applies primarily to Apache and NCSA HTTPd web servers; at Indiana University, Apache runs on Pages and Webserve. It also assumes you are using a Unix-based text editor from inside your Unix account.
On this page:
- About the `.htaccess` file
- Setting up the restricted directory
- Setting up the `.htaccess` file
- Setting up the password file
About the `.htaccess` file
An easy way to control access to web pages on your site is to use `.htaccess` files. You can use these to password-protect an entire directory, but not individual files within the directory.

The `.htaccess` file, which resides inside the restricted directory, alerts the web browser to the restriction and determines whether a given username is authorized to view the directory. If the username is on the authorized list, the password supplied for that user is then checked against the password file.
The following instructions outline the setup of a simple user authentication `.htaccess` file. This process is for a typical Unix account. Depending on which Unix shell you are using and the way your local server is set up, the exact procedure may vary. This simplified process consists of three parts: setting up the directory you wish to restrict, setting up the `.htaccess` file, and setting up the password file.

Note: At IU Bloomington, your Pages web page actually resides on a particular volume of the HPNFS server. If you do not list your file paths correctly, you will not be able to set up your `.htaccess` file.
Setting up the restricted directory

To restrict access to your files, you must first move them all to a single subdirectory of your `www` directory (e.g., `www/restricted`). Once you have created this subdirectory and moved your files to it, be sure to set the permissions so that the files are executable and readable from your web browser. To set permissions for directories, in the parent directory of the directory you want to change, enter:

```
chmod 755 directoryname
```

Replace `directoryname` with the name of the directory whose permissions you want to set.

To set permissions for files, in the directory containing the files, enter:

```
chmod 644 filename
```

Replace `filename` with the name of the file whose permissions you want to set.
Setting up the `.htaccess` file

The `.htaccess` file sets up a path to the password file (`.file-password`) and tells the server which users are allowed to access the restricted directory.

To set up your `.htaccess` file, open a text editor (e.g., Emacs, vi, or Pico), and name the new file `.htaccess`. This file must be in the same directory as the password-protected pages. You must also set the permissions on this file so that it is readable from your web browser. At the command line enter:

```
chmod 644 .htaccess
```

Here is a generic example of a simple `.htaccess` file:

```
AuthUserFile /home/username/.file-password
AuthGroupFile /dev/null
AuthName "My Protected Directory"
AuthType Basic
<Limit GET POST PUT>
require user lskywalker hsolo owkenobi lorgana
</Limit>
```
On Pages accounts at IU, the path to the password file is different from the example given above. It must include the volume of the NFS server that actually serves your Pages files. A good `AuthUserFile` line for accounts on Mercury would be:

```
AuthUserFile /fs/lskywalker/.file-password
```

Replace `lskywalker` with your username.
Following is an explanation of each variable of the `.htaccess` file:

| Variable | Explanation |
|---|---|
| `AuthUserFile` | This variable references the `.htaccess` password file location. This password file should not be in a directory accessible by a web browser (that is, it should not be in your `www` directory or any subdirectory of your `www` directory). Though you can name the file anything you wish, UITS recommends a file name preceded by a period, such as `.file-password`. |
| `AuthGroupFile` | This variable should point to `/dev/null`, which tells Unix that this file does not exist. |
| `AuthName` | This variable simply refers to the title for the authentication box that pops up when your browser tries to access the contents of the restricted directory. This message can be anything you like, but recent versions of Apache require you to enclose it in quotes. If you leave it blank, the default name will be `ByPassword`. |
| `AuthType` | This variable must be set to `Basic`, since you are using Basic HTTP Authentication. |
| `Limit` | Set this variable type to `GET POST PUT`. The `GET` is used for most web page accesses. The `POST` is used almost exclusively for CGI scripts. The `PUT` is used by CGI scripts and some web editors to upload files using HTTP. This entire line must be capitalized. |
| `require user` | This line is a list of usernames for people who are authorized to view the restricted directory. In this line, enter the usernames of those users for whom you wish to grant access. Note: Don't forget to include your username in the list. Otherwise, the password screen will keep you from seeing your own files. |
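As an added example (not code from the Knowledge Base page or from IU), the following POSIX shell function writes an `.htaccess` file in exactly the shape of the generic example above and enforces the rule from the `AuthUserFile` row: it refuses to write anything when the password file would sit under the web-visible tree, and it refuses an empty user list, which would lock everyone out. The `www_root` argument, the function name and the temporary demo layout are assumptions for illustration only. The example reproduces the page's `<Limit GET POST PUT>` wrapper unchanged; one caveat worth knowing is that an Apache `<Limit>` section applies its directives only to the methods it names, so the Apache documentation advises placing `require` outside any `<Limit>` (or using `<LimitExcept>`) when the whole directory is meant to be covered.

```shell
#!/bin/sh
# Added example, not from the IU Knowledge Base page: write an .htaccess file
# in the shape of the page's generic example, and refuse to write it when the
# password file would sit inside the web-visible tree (the page requires that
# the password file not be under www or any of its subdirectories).
# Assumptions (hypothetical, for illustration only): www_root is the directory
# the web server publishes; the caller supplies the password-file path, the
# realm shown in the browser's login box, and the list of usernames.

# write_htaccess WWW_ROOT DIR PASSFILE REALM USER...
# Creates DIR (mode 755) and DIR/.htaccess (mode 644), as the page asks.
# Returns 0 on success, 1 if PASSFILE is web-accessible or no users are given.
write_htaccess() {
    www_root=$1; dir=$2; passfile=$3; realm=$4
    shift 4
    case "$passfile" in
        "$www_root"/*)
            echo "refusing: $passfile is inside $www_root and would be served" >&2
            return 1 ;;
    esac
    if [ "$#" -eq 0 ]; then
        echo "refusing: no usernames given; nobody could log in" >&2
        return 1
    fi
    mkdir -p "$dir"
    {
        echo "AuthUserFile $passfile"
        echo "AuthGroupFile /dev/null"
        echo "AuthName \"$realm\""
        echo "AuthType Basic"
        echo "<Limit GET POST PUT>"
        echo "require user $*"
        echo "</Limit>"
    } > "$dir/.htaccess"
    chmod 755 "$dir"
    chmod 644 "$dir/.htaccess"
}

# Demo on a constructed temporary layout, not a real account.
demo=$(mktemp -d)
write_htaccess "$demo/www" "$demo/www/restricted" "$demo/.file-password" \
    "My Protected Directory" lskywalker hsolo owkenobi lorgana \
    && cat "$demo/www/restricted/.htaccess"
# This second layout is rejected: the password file would be under www.
if ! write_htaccess "$demo/www" "$demo/www/restricted" "$demo/www/.file-password" \
    "My Protected Directory" lskywalker; then
    echo "second layout rejected, as intended"
fi
```

Run it once to see the generated file, then point `www_root` at your real `www` directory and the password-file argument at the path your server requires (on IU Pages, the `/fs/...` form shown above).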
Setting up the password file

Once you have finished editing your `.htaccess` file, you can create a password file. This file is a plain text file with passwords encrypted using the one-way encryption `crypt()` call. On many Unix systems, the task of setting up the password file is automated with the `htpasswd` command.
Note: Your password for web pages should not be the same as the password you use to access your central web and email accounts. Although your password file will be encrypted, it is still very easy to crack passwords using commonly available cracking programs. For this reason, your password should never be a real word or any other password that could be easily guessed; see Your IU passphrase.
To set up your password file with `htpasswd`:

- Enter `cd` to exit the subdirectory where you set up your `.htaccess` file, and then enter:

  ```
  htpasswd -c ~/.file-password username
  ```

  Replace `username` with your username. When you run this command, `htpasswd` will automatically generate the `.file-password` file and will prompt you for a password.
- The `htpasswd` program will then ask you to confirm your password. If you set up the password correctly, the password and username will be in your password file.
- To add additional users to the password file, run `htpasswd` without the `-c` flag. For example, to add the username `hsolo` to the password file, you would enter:

  ```
  htpasswd ~/.file-password hsolo
  ```

  When prompted, enter the password for `hsolo`.
- Finally, to make your files world readable, enter the following command for each password file:

  ```
  chmod 644 filename
  ```

  Replace `filename` with the name of your password file (e.g., `.file-password`), and enter the password for your new user when prompted.
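Once both files exist, the mistakes that most often leave a directory open or lock its owner out are a misspelled `AuthUserFile` path, a password file placed under `www`, a name in `require user` that was never added with `htpasswd`, and wrong modes. The following added example (not part of the Knowledge Base page and not an IU tool) is a POSIX shell check for exactly those conditions; `www_root`, the function name, the temporary demo layout and the placeholder hashes in the demo's password file are assumptions for illustration only, and a real password file is produced by `htpasswd` as described above.

```shell
#!/bin/sh
# Added example, not from the IU Knowledge Base page: check a finished setup
# against what the page asks for before relying on it. It reads AuthUserFile
# and "require user" out of .htaccess, confirms the password file exists, is
# outside the web-visible tree and has an entry for every required user, and
# confirms the 644/755 modes the page specifies.
# Assumptions (hypothetical, for illustration only): www_root is the directory
# the web server publishes, and the password file uses the "user:hash" lines
# that htpasswd writes.

# check_protection WWW_ROOT DIR
# Prints one line per problem found; the return value is the problem count,
# so 0 means the layout matches the page's instructions.
check_protection() {
    www_root=$1; dir=$2; problems=0
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "missing $ht: the directory is not protected at all"
        return 1
    fi
    passfile=$(awk '$1 == "AuthUserFile" { print $2; exit }' "$ht")
    if [ -z "$passfile" ]; then
        echo "no AuthUserFile directive in $ht"
        problems=$((problems + 1))
    elif [ ! -f "$passfile" ]; then
        echo "AuthUserFile $passfile does not exist (run htpasswd -c first)"
        problems=$((problems + 1))
    else
        case "$passfile" in
            "$www_root"/*)
                echo "password file $passfile is inside $www_root and is web-accessible"
                problems=$((problems + 1)) ;;
        esac
        if [ -z "$(find "$passfile" -perm 644)" ]; then
            echo "$passfile is not mode 644"
            problems=$((problems + 1))
        fi
        # Every name after "require user" needs a user:hash line, or that
        # person is locked out even though the list says otherwise.
        for u in $(awk '$1 == "require" && $2 == "user" { for (i = 3; i <= NF; i++) print $i }' "$ht"); do
            if ! grep -q "^$u:" "$passfile"; then
                echo "user $u is listed in require user but has no password entry"
                problems=$((problems + 1))
            fi
        done
    fi
    if [ -z "$(find "$ht" -perm 644)" ]; then
        echo "$ht is not mode 644"
        problems=$((problems + 1))
    fi
    if [ -z "$(find "$dir" -prune -perm 755)" ]; then
        echo "$dir is not mode 755"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed temporary layout, not a real account. The password
# file is hand-written here with placeholder hashes; on a real account it is
# produced by htpasswd as the page describes.
demo=$(mktemp -d)
mkdir -p "$demo/www/restricted"
chmod 755 "$demo/www/restricted"
printf '%s\n' 'lskywalker:PLACEHOLDER_HASH' 'hsolo:PLACEHOLDER_HASH' > "$demo/.file-password"
chmod 644 "$demo/.file-password"
cat > "$demo/www/restricted/.htaccess" <<EOF
AuthUserFile $demo/.file-password
AuthGroupFile /dev/null
AuthName "My Protected Directory"
AuthType Basic
<Limit GET POST PUT>
require user lskywalker hsolo owkenobi
</Limit>
EOF
chmod 644 "$demo/www/restricted/.htaccess"
check_protection "$demo/www" "$demo/www/restricted"
echo "problems found: $?"
```

In the demo, `owkenobi` is listed in `require user` but has no line in the password file, so the check reports one problem; on a real account, run `check_protection ~/www ~/www/restricted` (adjusting the paths to your server) after the `htpasswd` steps and fix anything it lists before handing out the login.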
Now, when you try to access the restricted directory from a web browser, the browser will bring up a password protection window. Enter a valid username and its password to view the restricted files. If you wish to remove the password restrictions for files in the directory, you must either move the files to another directory or remove the `.htaccess` file.

Unfortunately, there is no other simple way to restrict access to a directory or to individual files within a directory. If you want to restrict access to a directory without having to enter all of the authorized usernames, create an easily remembered username (such as `guest`) and password (such as `password`), and release it to the people whom you want to have access. Be aware that if you do this, you lose some control over who can access your files. If you wish to change access restrictions, you will have to edit your `.htaccess` and password files.
This is document abeq in the Knowledge Base.
Last modified on 2021-09-08 10:17:49.