Restricting access
Give your pages password protection, or restrict access by IP
addresses or domains.
Access restriction is at the directory level; you cannot restrict access
to a single file (except by putting the file in a directory of its own and
restricting access to that directory). This documentation assumes a basic
understanding of the UNIX file structure and command execution.
You can restrict access to your web pages by domain, by a username/password
combination, or by both. In every case you create a file called
.htaccess in the directory you wish to protect. Instructions
for what to put in this file follow.
Restricting by IP domains
1. Create a file called .htaccess in the directory you want to protect.
Don't forget the dot at the beginning of the name. For example, to protect
your entire web site (everything under public_html), use the following
commands:
% cd public_html
% edit .htaccess
2. Insert the following lines in your .htaccess file to restrict
the directory to the UCSC network:
<Limit GET POST>
order deny,allow
deny from all
allow from ucsc.edu
</Limit>
Save the file, then test it by trying to access the directory from a
machine that is not on the UCSC network.
Restricting by password
1. To create a password-protected directory, you first need to decide on
four items:
- The location of the htpasswd file: a file called htpasswd will be
created by a command you will run in step 4. However, you need to know
its location, or complete path, before it is created, so think of a good
location for it now. Preferably, htpasswd should be located in its own
directory, and that directory should be neither your home directory nor
your public_html directory.
For example, a user named alicet wants to put the htpasswd file in a
directory called .private in her home directory. She learns the complete
path of her home directory with the pwd command after logging in to the
unix.ucsc.edu server:
% pwd
/afs/cats.ucsc.edu/users/x/alicet
Therefore the location of the htpasswd file will be:
/afs/cats.ucsc.edu/users/x/alicet/.private/htpasswd
- AuthName: users will see a pop-up window when they first try to
access your protected pages. The pop-up contains the sentence "Enter
password for AuthName", so you need to devise a sensible AuthName.
Examples might be Development, Staff Only Area, or My Photos. If you want
spaces in the name, make sure you retain the quotation marks around it
(see step 3 below).
- Username: the public part of the login/password pair. This username
has nothing to do with your existing CruzID, and should not match any
existing CruzID.
- Password: the secret word that will be the password. This password
should be different from any other password you may be using, and it
should not match any CruzID password that you or others may be using.
2. Create a file called .htaccess in the web directory you want to
protect. Don't forget the dot at the beginning of the name. For example,
if alicet wanted to protect a directory called myphotos in her
public_html directory, she would run these commands:
% cd public_html/myphotos
% edit .htaccess
3. Type the following lines into your .htaccess file, replacing
AUTHNAME, location_of_htpasswd_file, and Username with the items you
chose in step 1 (keep the quotation marks around the AuthName):
AuthName "AUTHNAME"
AuthType Basic
AuthUserFile location_of_htpasswd_file
<Limit GET POST>
require user Username
</Limit>
Save the file and quit the text editor.
4. Finally, create the htpasswd file that contains the username and
encrypted password. Note the following before running the htpasswd
command:
- It is with this command that you name the htpasswd file. You can have
more than one username/password pair in a single htpasswd file, and one
htpasswd file can protect one or more directories. If you create more
than one htpasswd file, either locate them in different directories or
give them different names.
- Use the -c flag only to create a brand-new htpasswd file. If the file
already exists and you want to add new usernames or modify existing
passwords, do not use this flag.
- You can run the htpasswd command from any directory, as long as you
specify the complete path to the htpasswd file.
- If you are doing this from unix.ucsc.edu, you may need to type the
full pathname (that is, /usr/local/bin/htpasswd) to run the htpasswd
command.
Now you're ready to run the command that creates the htpasswd file in
the location you chose in step 1:
% htpasswd -c location_of_htpasswd_file Username
htpasswd responds by prompting for the password twice. The password does
not appear while you are typing it. htpasswd encrypts the password and
adds the username and encrypted password to the htpasswd file. After
running htpasswd, you can view the htpasswd file with more or a text
editor; we don't recommend changing it by hand, however.
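An added example, not code from this page or from Apache, showing what the htpasswd file holds and how the server checks a login: this Python re-implements the $apr1$ MD5 scheme that htpasswd -m writes, parses a constructed htpasswd file with two users, and verifies a submitted username/password the way a "require user" check does. The usernames, passwords and salts are made up for the example.

```python
import hashlib
import hmac

APR1_MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):  # Apache's to64(): six-bit chars, least significant first
    return bytes(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_crypt(password, salt):
    """Apache's $apr1$ MD5-crypt scheme, the format written by 'htpasswd -m'."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + APR1_MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for off in range(0, len(pw), 16):  # mix in the alternate digest
        ctx.update(alt[:min(16, len(pw) - off)])
    n = len(pw)
    while n:  # per-bit quirk inherited from md5-crypt
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds that slow down password guessing
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)])
    return (APR1_MAGIC + salt + b"$" + out + _to64(final[11], 2)).decode()

def parse_htpasswd(text):
    # One 'user:hash' entry per line; blank lines and comments are skipped
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, stored = line.strip().partition(":")
            entries[user] = stored
    return entries

def check_password(entries, user, password):
    stored = entries.get(user, "")
    if not stored.startswith("$apr1$"):
        return False  # unknown user, or a scheme this checker does not handle
    # Re-hash with the stored salt and compare in constant time
    return hmac.compare_digest(apr1_crypt(password, stored.split("$")[2]), stored)

# Constructed sample file with two users; the salts are made up for this example
SAMPLE_HTPASSWD = "alicet:%s\nphotos:%s\n" % (
    apr1_crypt("correct-horse", "r31....."), apr1_crypt("staple", "Xq7bF2mZ"))
```

Entries written by older htpasswd builds in the crypt() format are a different scheme; this checker deliberately rejects anything that does not start with $apr1$ rather than guessing.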
Important note: the following two steps apply only to the www2 web
server, which runs with wwwadmin authentication. The people web server
runs unauthenticated, so there you will need to keep the directories
where your .htaccess and htpasswd files are located readable by
system:anyuser (with the lack of AFS protection that this entails).
5. Restrict AFS access permissions: the first four steps protect your
files from web-based intrusion, but you also need to protect your files
from people who have shell access to the ITS UNIX timeshare computers.
UCSC account files are protected by AFS permissions, and you need to
protect the directory containing your restricted pages so that it is
accessible only by the web server. Otherwise, anyone with a UCSC account
could read your protected pages via ssh.
% cd /path/to/protected/directory
% fs sa . wwwadmin read
% fs sa . system:anyuser none
% fs sa . system:authuser none
You may also want to check what other permissions you have granted in
that directory, with:
% fs la .
6. Grant AFS access permission: you also need to grant the web server
read permission on the directory containing your htpasswd file, and turn
it off for everyone else:
% cd directory_containing_htpasswd_file
% fs sa . wwwadmin read
% fs sa . system:anyuser none
% fs sa . system:authuser none
For more details on htaccess, check the Mosaic user
authentication tutorial.