Restrict Access to Your Pages
From Campus Web Server Help
Overview
Some may want to restrict access to documents or entire sites. The Apache Auth HowTo offers the most complete information. Below are a few examples of how to restrict access to your content.
Access restriction by domain allows you to restrict part (or all) of your website to visitors from a particular Internet domain (e.g., .uga.edu). By requiring user authentication, you restrict access to part (or all) of your website to a set of users who must enter a correct name and password. Each type of access restriction is described below.
Important Notes Regarding Access Restriction Set-Up
Prerequisite Knowledge About Hidden Files and SSH
SSH Required
In the following examples, you will be instructed to create files which reside in your WWW space on www.uga.edu. You will also be instructed to run the command htpasswd to create a password file required for user authentication.
However, the htpasswd file is just a list of usernames and encrypted passwords separated by a colon, with one user per line. You may use one of many available online tools to generate a user/password pair and insert it into your htpasswd file. One such tool is provided by 4WebHelp, though we do not endorse any third-party tool or guarantee its security.
File Names Beginning with '.' (period)
The names of the files you will be instructed to create each begin with a '.' (period). Files that begin with a '.' will not show up in your list of files if you use telnet or dial-up services to connect and use the ls command to list your files. To see 'all' files, including those which begin with a '.', use the command ls -a.
If you view your files using ftp, the files which begin with a '.' will be visible.
Note Regarding Scope
All subdirectories and files are implicitly restricted using the examples below. You must explicitly exempt or include files if this behavior is not desired.
Access Restriction by Domain
To restrict access to a section of your website to a domain (computers whose addresses all end in the same thing), create the file ".htaccess" in the directory in which you want to restrict access. The file should look like this:
<Limit GET>
order deny,allow
deny from all
allow from .uga.edu
</Limit>
You can copy this file just as it is to restrict access to all of UGA within the '.uga.edu' domain. To restrict access to a different domain, change .uga.edu to something else. For example:
# Georgia Center domain at UGA
allow from .gactr.uga.edu
Access Restriction by User Authentication
Of course, the webserver supports countless ways to authenticate a user. A couple are outlined below.
Using htpasswd files
To require someone to enter a name and password to access a section of your website, you will need to create two files. The first one is called ".htaccess", and it must reside in the directory in which you want to require a name and password for access. This file should look something like this:
AuthUserFile /usr/www/login_name/.htpasswd
AuthGroupFile /dev/null
AuthName "Description of Restricted Area"
AuthType Basic
<Limit GET>
require user user1
require user user2
</Limit>
There are several items you will need to change here:
- Change AuthUserFile to the name of the password file that you will create using htpasswd (described below). The path to this file must be its actual location on the file system (not some form of URL). A good place for your password file is the directory just "above" public_html.
- Change AuthName to whatever you want as a description for the restricted files. Be sure to place quotes around the name, as shown in the example.
- Change user1 and the other users for require user to names that will actually be used. You can have several of these, or as few as one. You will use the htpasswd command to associate passwords with these users.
To place the password file in your home directory, type the command:
htpasswd -c ~/.htpasswd name_of_user
This will create a new file (the -c option) called .htpasswd in your home directory for the name you supply for name_of_user. After typing the command, press ENTER and you will be prompted for a password. Type in a new password, press ENTER, and type in the new password again when prompted. To add additional users to a password file that has already been created, use the htpasswd command without the -c option:
htpasswd ~/.htpasswd name_of_user
htpasswd Usage Examples
To create a new password file in your home directory called .htpasswd for the user tom:
htpasswd -c ~/.htpasswd tom
To add a new user mary to the same password file:
htpasswd ~/.htpasswd mary
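The two ".htaccess" files from the sections above, each shown beside a variant without the <Limit GET> wrapper; this is an added example, not part of the original help page. Apache applies directives placed inside <Limit GET> to GET and HEAD requests only, so other methods such as POST are not covered, while the same directives outside any <Limit> section apply to every method. The path and user names are the page's placeholders, and the SSLRequireSSL line is borrowed from the MyID example below and assumes your host is configured for SSL.

```apache
# Each numbered variant is a separate .htaccess file; use one per directory.

# 1a. Domain restriction as shown on this page.
#     Enforced for GET and HEAD only; POST, PUT, DELETE etc. are not checked.
<Limit GET>
order deny,allow
deny from all
allow from .uga.edu
</Limit>

# 1b. Same rule with no <Limit> section: enforced for every request method.
order deny,allow
deny from all
allow from .uga.edu

# 2a. Password protection as shown on this page.
#     Only GET and HEAD prompt for a name and password.
AuthUserFile /usr/www/login_name/.htpasswd
AuthGroupFile /dev/null
AuthName "Description of Restricted Area"
AuthType Basic
<Limit GET>
require user user1
require user user2
</Limit>

# 2b. Same users, every method requires authentication.
#     SSLRequireSSL refuses plain-HTTP requests, so the Basic credentials
#     (which are only base64-encoded, not encrypted) travel over SSL.
SSLRequireSSL
AuthUserFile /usr/www/login_name/.htpasswd
AuthGroupFile /dev/null
AuthName "Description of Restricted Area"
AuthType Basic
require user user1
require user user2
```

If a directory contains scripts or forms that accept POST, variants 1b and 2b are the ones that actually cover them.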
Using MyID
To require MyID credentials, you must use SSL. Virtual hosting clients provisioned prior to November 2008 were not configured for SSL. Call the EITS Help Desk if you would like to have your virtual host reconfigured.
To allow a list of MyIDs, simply add the following to a file named ".htaccess" in the directory that you would like to protect. The entire directory and any subdirectories will be protected.
SSLRequireSSL
ErrorDocument 403 https://www.uga.edu/yourpath
AuthType Basic
AuthName "Enter your MyID credentials"
Require user bob sue jill
Note: you must change "yourpath" to reflect the URI path of the directory you would like to protect. Virtual hosting customers should also change the domain name (from www.uga.edu). Replace the list of users with those you would like to allow.
Note for UGA Webhosting Standard Edition users: You will need to use Require ldap-user instead of Require user when authenticating individual MyID users.
To allow all MyID holders to authenticate, replace the "Require" line with the following:
Require valid-user
