Control web page access to Sitehost
On this page:
- Overview
- Register your site's URLs with IU Login
- Allow all IU users
- Restrict to specific IU users
- Use .htaccess for authentication
- Restrict to specific ADS groups
- Access the username variable
Overview
You can control who is able to view your web pages by using .htaccess files in your web directory and subdirectories.
By adding an ErrorDocument directive to your .htaccess file, you can provide custom error messages so that users can contact you in case of problems.
When a user tries to access one of your web pages, the web server looks for a .htaccess file in the directory where the file is stored. If there is a .htaccess file present, the user must meet the authentication requirements defined in the file in order to view the page. If there is no .htaccess file present, the web page will be displayed.
- If there is a problem with the way the .htaccess file is written, an Internal Server Error page will be displayed.
- To control access by a method other than the .htaccess file, see Connect to IU Login with the CAS protocol.
Register your site's URLs with IU Login
In order to control web page access using IU Login, you must register your website's URLs via the CAS Protocol Integration Request form. The form will ask for pre-production and production URLs. As (one of) the pre-production URLs, enter account.sitehost-test.iu.edu. For the production URLs, enter account.sitehost.iu.edu and any virtual host URLs your website uses. Once you submit the form, your URLs should be registered within five business days.
To verify registration, visit:
https://idp.login.iu.edu/idp/profile/cas/login?service=your site's url
https://idp-stg.login.iu.edu/idp/profile/cas/login?service=your site's test url
If registration is not complete, you will see an "Error - Unsupported Request" message. Otherwise, you will be successfully redirected to your site.
Use .htaccess for authentication
The authentication methods mentioned here rely on using an .htaccess file. These files interact with the web server in a specific way that can allow entire websites to require authentication (that is, IU Login), restrict access for only specific section(s) of the website, or even exclude portions of the website from requiring authentication.
Require IU Login for the entire website
Create an .htaccess file in the web directory by following the instructions below for restricting access with IU Login. This file will dictate how the server treats your content in the web directory and all subdirectories of web. This behavior can be overridden by having additional .htaccess files in subdirectories.
Require IU Login for specific sections of the website
Create an .htaccess file in only the subdirectory that should be restricted with the IU Login. For example, a .htaccess in the subdirectory intranet that has the IU Login directives would require users to log in when going to the intranet section of the website (https://example.iu.edu/intranet).
Exclude a single page from IU Login
You can use Apache's If directive to exclude a single page from IU Login:
<If "%{REQUEST_URI} == '/path/to/page'">
Require all granted
</If>
This directive should appear before any Limit directives.
For more on If directives, see the Apache HTTP Server documentation.
Exclude directories from IU Login
There might be cases where you wish to exclude one or more directories from the access restrictions of a parent folder. For example, it is common practice to exclude directories containing a website's CSS and JavaScript files.
To do so, you can override the main .htaccess file by creating an .htaccess file in the directory to exclude with the following content:
Require all granted
- Links from the excluded directory to other resources in access-restricted directories will still fail to load if the user is not logged in. The exclusion only applies to pages and files within the excluded directory.
- Authentication implemented with If statements can only be overridden by using the same If statements.
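As an added illustration (not taken from the Knowledge Base or from Sitehost), here is how the pieces above fit together in two files: a site-wide .htaccess in web that requires IU Login, with the If exception placed before the Require directive, and a subdirectory .htaccess that opens the static assets. The page name /status.html and the static directory are assumed names:

```apacheconf
# ---- web/.htaccess (added example; paths are assumptions) ----
AuthGroupFile /dev/null
AuthType CAS
AuthName "IU Network ID"

# The exception comes first: for a request to /status.html the Require
# inside <If> is what applies, so the page is served without login.
<If "%{REQUEST_URI} == '/status.html'">
    Require all granted
</If>

# Everything else under web/ and its subdirectories needs an IU account.
Require valid-user

# ---- web/static/.htaccess (added example; directory name is an assumption) ----
# Overrides the parent for the CSS and JavaScript kept here. A restricted
# page that links to these files still requires login itself; only the
# files inside static/ are open.
Require all granted
```

If you later move the Require valid-user line above the If block, the single-page exception stops working, which is the ordering rule the page states.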
Allow all IU users
If you wish to restrict access to users who have a University account, you may do so by using a predefined access control option within the web directory within your account.
To activate this option, log into your account and move to the web directory. (To restrict access to only certain subdirectories, move to the directory you wish to restrict.) Type the following command:
iu_cas
Any person with an IU username and passphrase will be able to authenticate; others will receive a "403 Forbidden" error message.
To implement this manually, create an .htaccess file with the following content:
AuthGroupFile /dev/null
AuthType CAS
AuthName "IU Network ID"
require valid-user
Restrict to specific IU users
To restrict access to certain individuals with a University account, create or modify a .htaccess file to look something like this:
AuthGroupFile /dev/null
AuthType CAS
AuthName "IU Network ID"
require user greg peter bobby sam oliver
The "AuthType" field is defined as CAS, so website visitors will be directed to the IU Login screen, and must use their IU Network usernames and passphrases to authenticate. The require user directive within the Limit tags lists the IU Network usernames allowed to access the files in this directory. In this case, the network usernames greg, peter, bobby, sam, and oliver are permitted access. Everyone else will receive an error message if they try to log in.
If your list of required users is long, make sure there are no line breaks in the list of names. If your list exceeds the number of characters that can be contained in one line, your users may receive an "Internal Server Error" message instead of a login box. The solution is to separate your list of users into several require user statements, as shown:
<RequireAny>
require user greg peter bobby sam oliver james ebenezer harold scott robert
require user kate elizabeth sarah jennifer alison susan megan erica leslie
</RequireAny>
With this type of authentication, users log in with their network usernames and passphrases, so you don't have to maintain passwords for them.
Restrict to specific ADS groups
The following shows how to use LDAP in the .htaccess file to restrict access based on ADS groups. This method also uses IU Login to initially authenticate the user.
Put the following in your .htaccess file:
AuthType CAS
AuthName "LOGIN"
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ads.iu.edu/ou=Accounts,dc=ads,dc=iu,dc=edu?cn"
AuthLDAPBindDN "cn=<user to bind to ldap>,ou=accounts,dc=ads,dc=iu,dc=edu"
AuthLDAPBindPassword "exec:<path to password script>"
#To restrict based on group membership:
Require ldap-group <ldap-group path>
#To restrict based on user:
Require ldap-user <ldap user>
<ldap-group path> is the full Distinguished Name of the LDAP group. For example, the group of all UITS employees would be: CN=IU-UITS-MANAGED-DEPT-UA-VPIT,OU=Department,OU=Groups,OU=Managed,DC=ads,DC=iu,DC=edu
- For the <user to bind to ldap>, UITS strongly recommends that you request a separate group account that will only be used for this purpose. Do not use a personal account for this purpose.
In order to secure your LDAP account password, do the following:
- Create a directory in the home directory of your account and set the permissions as follows:
mkdir /groups/<account>/.ldap
chmod 6711 .ldap
The directory permissions should look like this:
drws--s--x 2 <account> sitehost-groups 2048 Jul 26 09:47 .ldap
- Create a script in this directory with the following code. For purposes of this example, we'll call it ldap.sh.
#!/bin/sh
echo "<ldap_password>"
Note: Certain special characters will cause a passphrase to not work in this script. To test your passphrase, execute the script:
.ldap/ldap.sh
If your passphrase displays correctly, the script is fine. If there is an error, escape the problematic characters with a \. For example, to fix 123$456`789, escape the $ and ` characters like so: 123\$456\`789
- Set the following permissions on your password script:
chmod 700 ldap.sh ; setfacl -m www-data:r-x ldap.sh
The file permissions should look like this:
-rwxr-x---+ 1 <account> sitehost-groups 37 Jul 26 09:47 ldap.sh
- In this example, the relevant line in the .htaccess file would look like:
AuthLDAPBindPassword "exec:/groups/<account>/.ldap/ldap.sh"
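The escaping step above is the one that usually goes wrong by hand, so here is an added helper script (not from the Knowledge Base and not part of Sitehost) that generates the password script with the troublesome characters (backslash, double quote, dollar sign, backtick) escaped automatically, runs it, and confirms the printed passphrase matches what you intended. It also prints the ls-style mode column so you can compare it with the permissions shown above. One deliberate difference from the page: the generated script prints with printf '%s\n' instead of echo, because some /bin/sh echo implementations reinterpret backslash sequences inside the passphrase. The temporary directory and the sample passphrase are constructed for the demonstration; the www-data ACL (setfacl) is left as a step for the operator.

```shell
#!/bin/sh
# Added example: build and verify an AuthLDAPBindPassword "exec:" script.
# Not taken from the IU KB page or Sitehost; paths below are assumptions.

# escape_for_dquote PASSPHRASE
# Prints PASSPHRASE with each of \ " $ ` prefixed by a backslash, walking
# the string one character at a time so it is safe inside "..." in sh.
escape_for_dquote() {
    rest=$1
    out=''
    while [ -n "$rest" ]; do
        tail=${rest#?}            # everything after the first character
        ch=${rest%"$tail"}        # the first character itself
        rest=$tail
        case $ch in
            \\|\"|\$|\`) out="$out\\$ch" ;;
            *)           out="$out$ch" ;;
        esac
    done
    printf '%s' "$out"
}

# needs_escaping PASSPHRASE
# True (exit 0) when the passphrase contains a character the page warns
# about, so the operator knows the plain echo "<ldap_password>" form will break.
needs_escaping() {
    case $1 in
        *\\*|*\"*|*\$*|*\`*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# write_password_script PATH PASSPHRASE
# Writes the two-line script (shebang plus a print of the escaped
# passphrase) and restricts it to the owner, as the page's chmod 700 does.
write_password_script() {
    escaped=$(escape_for_dquote "$2")
    printf '%s\n' '#!/bin/sh' "printf '%s\\n' \"$escaped\"" > "$1"
    chmod 700 "$1"
}

# verify_password_script PATH EXPECTED
# Runs the generated script the way Apache would and compares its output
# with the intended passphrase ($(...) strips the trailing newline).
verify_password_script() {
    actual=$(sh "$1")
    [ "$actual" = "$2" ]
}

# perm_string PATH
# Prints the 10-character mode column of "ls -ld", the form the page shows
# (drws--s--x for the .ldap directory, -rwx------ for the script before
# the www-data ACL is added).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# demo: constructed walk-through using the page's own sample passphrase.
demo() {
    dir=$(mktemp -d)               # stands in for /groups/<account>/.ldap
    chmod 6711 "$dir"
    pass='123$456`789'             # constructed sample, from the page's example
    if needs_escaping "$pass"; then
        echo "passphrase contains characters that must be escaped"
    fi
    write_password_script "$dir/ldap.sh" "$pass"
    echo "generated script:"; cat "$dir/ldap.sh"
    echo "directory mode: $(perm_string "$dir")"
    echo "script mode:    $(perm_string "$dir/ldap.sh")"
    if verify_password_script "$dir/ldap.sh" "$pass"; then
        echo "passphrase round-trips correctly"
    else
        echo "MISMATCH: fix the escaping before pointing .htaccess at it" >&2
    fi
    rm -rf "$dir"
}

# Run "sh thisfile.sh demo" to see the walk-through.
[ "${1-}" = demo ] && demo
```

The generated file is the same shape as the page's ldap.sh, so once verify_password_script reports a match you can copy it to /groups/<account>/.ldap/ldap.sh, add the setfacl entry for www-data, and reference it from AuthLDAPBindPassword exactly as shown above.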
Access the username variable
You can access the username variable by using $_ENV['REMOTE_USER'] in PHP. This will dynamically display the username of the user currently logged into the site with their IU Account.
This is document aylu in the Knowledge Base.
Last modified on 2023-06-28 15:43:40.