Webspace Access

Restricting Access to your Webspace

/!\ Note: In the following examples "username" should be replaced with your department Unix username.

The idea behind HTML documents and the World Wide Web is disseminating ideas, yet there are times when you might want to restrict access to your pages. Two methods for restricting access are available to you. One scheme is based on specific hostnames or whole domains, and the other on username and password pairs. Both schemes rely on the file .htaccess, located in the directory containing the HTML files to be protected.

Restricting by Duke netid

If you want to restrict an area to only persons with a valid netid, use the following steps:

  • Change to the directory containing the HTML files you want to restrict access to. For example: /var/phy/web/users/username/public/restricted
  • Create the file .htaccess, using your favorite text editor like "vi" or "nano"
  • Make sure the permissions on .htaccess are world readable (Use the UNIX command chmod 644).

The contents of your .htaccess file should be something like this:

AuthType shibboleth
ShibRequireSession On
<Limit GET>
    require valid-user
</Limit>

To restrict to a specific user:

AuthType shibboleth
ShibRequireSession On
<Limit GET>
    require user jdorff@duke.edu
</Limit>

Restricting by Domain or Hostname

If you have an HTML page that you wish to restrict by a specific hostname or domain, the following steps will put in place those controls.

  • Change to the directory containing the HTML files you want to restrict access to. For example: /var/phy/web/users/username/public/restricted
  • Create the file .htaccess, using your favorite text editor like "vi" or "nano"
  • Make sure the permissions on .htaccess are world readable (Use the UNIX command chmod 644).

The contents of your .htaccess file should be something like this:

<Limit GET>
     order deny,allow
     deny from all
     # Comments go on their own line; Apache does not accept them after a directive.
     # single host name
     allow from my_pc.acpub.duke.edu
     # an entire domain
     allow from phy.duke.edu
</Limit>

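At this point, only the computer "my_pc.acpub.duke.edu" or any computer in the domain "phy.duke.edu" can access the HTML pages in this directory. Note that rules inside <Limit GET> apply only to GET and HEAD requests; other request methods are not covered by this block.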

Restricting by User List

This method requires more work to set up the .htaccess file, but provides greater flexibility to the end user: they only need to provide a valid username and password to access the HTML page, regardless of the computer they are accessing the pages from.

  • Change to the directory containing the HTML files that you need to password protect. For example: /var/phy/web/users/username/public/restrictedbyusername
  • Create the file .htaccess, using your favorite text editor.
  • Add the following lines to the .htaccess file:

AuthUserFile /var/phy/web/users/username/private/password-file
AuthGroupFile /dev/null
AuthName SysAdmin_Docs
AuthType Basic
<Limit GET>
     require user web-username
</Limit>

  • Make sure the permissions on .htaccess are world readable (Use the UNIX command chmod 644).
  • Create the password file, which will contain a list of usernames and passwords, using the following sequence (the password file location should match the path designated in the AuthUserFile line; in our case here /var/phy/web/users/<your username>/private):
  • For the first username/password pair, use the command: htpasswd -c password-file web-username. You will then be prompted twice for the password for the designated username.
  • For each subsequent username/password pair, use the command: htpasswd password-file web-username. You will need to list the additional user names on the require user line in the .htaccess file.

/!\ Note: The password file should be contained outside the directory tree of your HTML documents, to prevent persons from browsing the file.

The HTML documents are now password protected. To remove a username/password pair, simply edit the password-file file, and delete the appropriate line.
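The checks implied by the steps and the note above, as an added shell example that is not part of the original page: it verifies the .htaccess permissions, that the AuthUserFile lies outside the public web tree, and that every name on a require user line has a password entry. The function name audit_htaccess and its two arguments (the protected directory and the public web root) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a password-protected directory.
# Usage: audit_htaccess <protected-dir> <public-web-root>   (hypothetical helper)
# Prints one line per finding; the return status is the number of findings.
audit_htaccess() {
    ht="$1/.htaccess"; findings=0
    [ -f "$ht" ] || { echo "MISSING: $ht"; return 1; }

    # The page asks for chmod 644: world readable, writable by the owner only.
    if [ -z "$(find "$ht" -perm -004)" ]; then
        echo "PERMS: $ht is not world readable"; findings=$((findings + 1))
    fi
    if [ -n "$(find "$ht" \( -perm -020 -o -perm -002 \))" ]; then
        echo "PERMS: $ht is writable by group or others"; findings=$((findings + 1))
    fi

    # Directive names are case-insensitive; take the first AuthUserFile path.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    if [ -z "$pw" ] || [ ! -f "$pw" ]; then
        echo "PASSWD: AuthUserFile missing or not a file: ${pw:-<none>}"
        return $((findings + 1))
    fi

    # The password file must live outside the tree the web server publishes.
    # Both paths are resolved first so ".." and symlinks cannot hide the overlap.
    root=$(cd "$2" && pwd -P)
    pwdir=$(cd "$(dirname "$pw")" && pwd -P)
    case "$pwdir/" in
        "$root"/*) echo "EXPOSED: $pw is inside $root"; findings=$((findings + 1)) ;;
    esac

    # Every name on a "require user" line needs an entry in the password file.
    for u in $(awk 'tolower($1) == "require" && tolower($2) == "user" {
                    for (i = 3; i <= NF; i++) print $i }' "$ht"); do
        if ! awk -F: -v u="$u" '$1 == u { found = 1 } END { exit !found }' "$pw"; then
            echo "USER: $u is required but has no entry in $pw"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

For the layout used on this page, the call would be audit_htaccess /var/phy/web/users/username/public/restrictedbyusername /var/phy/web/users/username/public.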

Restricting local access

In general, files on our web server are readable by all local users via NFS. If a file or directory needs to be restricted so that local users cannot read it, we can accomplish this by changing the group of the directory to apache and restricting read access to just the owner and the apache group.