Restricting Access

Give your pages password protection, or restrict access by IP addresses or domains.

Access restriction is at the directory level; you cannot restrict access to a single file (except by putting the file in a directory of its own and restricting access to that directory). To set this up, log in (using an ssh client) to the server unix.ucsc.edu. This documentation assumes a basic understanding of the UNIX file structure and command execution.

You can restrict access to your web pages by domain, by a name/password combination, or by both. In every case you create a file called .htaccess in the directory you wish to protect. Instructions for what to put in this file follow. One caveat applies to every example below: the <Limit GET POST> wrapper applies the enclosed rules only to GET and POST requests (Apache treats HEAD like GET). A request that uses any other HTTP method is not restricted at all. If the directory must be closed to every kind of request, leave out the <Limit GET POST> and </Limit> lines; rules placed outside a <Limit> block apply to all methods.


Restricting by IP domains

This applies to all Apache web servers managed by ITS, including all units on www2 and individuals using the people.ucsc.edu service.

  1. Create a file called .htaccess in the directory you want to protect. Don't forget the dot at the beginning of the name. For example, to protect your entire website, put the file at the top of your public_html directory:

    % cd public_html
    % edit .htaccess
  2. Insert the following lines in your .htaccess file to restrict the directory to the UCSC network:

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from ucsc.edu
    </Limit>

Write the file, then test it: request a page in the directory from a machine that is not on the UCSC network, and you should get a 403 Forbidden error. Note that allow from ucsc.edu matches on the client's host name, so Apache reverse-resolves the client's address on every request (and checks that the name resolves back to the address). A client on the UCSC network whose address has no matching DNS name is therefore refused. If that is a problem, allow by numeric address range instead of by name.


Restricting by password

Password protection here uses HTTP Basic authentication: the browser sends the user name and password with every request to the protected directory, only base64-encoded, not encrypted, so over a plain http connection anyone on the network path can read them. Treat the user/password pair as a low-value shared secret and never reuse a real password for it. There are some subtle variations that depend on the web server you are using; please follow the appropriate section below: www2, people, or wcms.


Instructions for units on www2

  1. To create a password-protected directory, you need to know 4 items:
    1. The location of the .htpasswd file: A file called .htpasswd will be created by a command you will run in Step #4. However, you need to know its location, or complete path, before it is created. The recommended location of the .htpasswd file is in /afs/cats.ucsc.edu/www/unit/prod/private where unit is the short name of your unit, therefore the location of the .htpasswd file will be:
      /afs/cats.ucsc.edu/www/unit/prod/private/.htpasswd 
      This is the location that we will use in the examples below.
    2. Prompt: Users will see a pop-up window when they first try to access your protected pages. The pop-up contains the sentence Enter password for Prompt (the exact text varies from browser to browser). You need to devise a sensible prompt. Examples might be Development, or Staff Only Area, or Project XYZ. If you want to put spaces in the prompt, make sure you retain the quotation marks (see below).
    3. User: The public part of the login/password pair. This user has nothing to do with your existing CruzID, and should not match any existing CruzID.
    4. Password: The secret word that will be the password. It should be different from any other password you use, and it must not match any CruzID password, yours or anyone else's.

      You will share this user/password with others who are allowed access to your restricted directory.
  2. Create a file called .htaccess in the web directory you want to protect. Don't forget the dot at the beginning of the name. For example, if you wanted to protect a directory called staffonly in your public_html directory, you would run these commands:

    % cd /afs/cats.ucsc.edu/www/unit/prod/public_html/staffonly
    % edit .htaccess
     
  3. Type the following lines in your .htaccess file, replacing Prompt, unit, and User with the items you chose in step #1:

    AuthName    "Prompt"
    AuthType    Basic
    AuthUserFile    /afs/cats.ucsc.edu/www/unit/prod/private/.htpasswd

    <Limit GET POST>
    require user User
    </Limit>

    Write the file and quit the text editor.

  4. Finally, you will create the .htpasswd file that contains the user and the hashed password. Please note the following before running the htpasswd command:

    * It is with this command that you name the .htpasswd file. You can have more than one user/password in a single .htpasswd file protecting one or more directories. If you create more than one .htpasswd, either locate them in different directories, or give them different names.

    * Use the -c flag only to create a brand new .htpasswd file; it overwrites an existing file, so if the file already exists and you want to add users or change passwords, do not use this flag.

    * You can run the htpasswd command from any directory, if you specify the complete path to the .htpasswd file.

    Now you're ready to run the command that will create the .htpasswd file. The command creates a .htpasswd file in the location devised in Step #1.

            % cd /afs/cats.ucsc.edu/www/unit/prod/private
            % htpasswd -c .htpasswd User

    htpasswd responds by prompting for a password twice. The password does not appear while you are typing it. htpasswd stores a one-way hash of the password, never the password itself, in the .htpasswd file. After running htpasswd, you can view the .htpasswd file with more or a text editor, but do not edit it by hand; to add a user or change a password, run htpasswd again without -c.

      
  5. Restrict AFS access permissions: The first four steps protect your files from web-based access, but you also need to protect them from anyone with access to an AFS client, such as the ITS UNIX timeshare computers. Files on www2 are protected by AFS permissions, and you need to set the permissions on the directory containing your restricted pages so that it is readable only by the web server; otherwise anyone with an AFS client could read your protected pages via ssh, whatever .htaccess says. Type:

            % cd /afs/cats.ucsc.edu/www/unit/prod/public_html/staffonly
            % fs sa . wwwadmin read
            % fs sa . system:anyuser none
            % fs sa . system:authuser none

          You may also want to check what other permissions you may have granted in that directory (and remove those, if needed), with:

            % fs la .

  6. Grant AFS access permission: You also need to grant the web server read permission on the directory containing your .htpasswd file, and turn it off for everyone else:

            % cd /afs/cats.ucsc.edu/www/unit/prod/private
            % fs sa . wwwadmin read
            % fs sa . system:anyuser none
            % fs sa . system:authuser none

Instructions for individuals on people

  1. To create a password-protected directory, you need to know 4 items:
    1. The location of the .htpasswd file: A file called .htpasswd is created by a command you run in Step #4. However, you need to know its location, or complete path, before it is created. The recommended location of the .htpasswd file is in a private directory within your home directory; it should not be directly in your home directory, nor should it be in your public_html directory.

      Find out the location of your home directory with the command:   

      % pwd

      It will look something like this:

      /afs/cats.ucsc.edu/users/x/mycruzid

      where x is an arbitrary letter and mycruzid is your CruzID; therefore the recommended location for the .htpasswd file is in:
      /afs/cats.ucsc.edu/users/x/mycruzid/private/.htpasswd
    2. Prompt: Users will see a pop-up window when they first try to access your protected pages. The pop-up contains the sentence Enter password for Prompt (the exact text varies from browser to browser). You need to devise a sensible prompt. Examples might be My Class Project or My Photos. If you want to put spaces in the prompt, make sure you retain the quotation marks (see below).
    3. User: The public part of the login/password pair. This user has nothing to do with your existing CruzID, and should not match any existing CruzID.
    4. Password: The secret word that will be the password. It should be different from any other password you use, and it must not match any CruzID password, yours or anyone else's.

      You will share this user/password with others who are allowed access to your restricted directory.
  2. Create a file called .htaccess in the web directory you want to protect. Don't forget the dot at the beginning of the name. For example, if you wanted to protect a directory called myphotos in your public_html directory, you would run these commands

    % cd ~/public_html/myphotos
    % edit .htaccess
  3. Type the following lines in your .htaccess file, replacing Prompt and User with the items you chose in step #1 and adjusting the path to match your home directory:

    AuthName    "Prompt"
    AuthType    Basic
    AuthUserFile    /afs/cats.ucsc.edu/users/x/mycruzid/private/.htpasswd

    <Limit GET POST>
    require user User
    </Limit>

    Write the file and quit the text editor.
  4. Finally, you will create the .htpasswd file that contains the user and the hashed password. Please note the following before running the htpasswd command:

    * It is with this command that you name the .htpasswd file. You can have more than one user/password in a single .htpasswd file protecting one or more directories. If you create more than one .htpasswd, either locate them in different directories, or give them different names.

    * Use the -c flag only to create a brand new .htpasswd file; it overwrites an existing file, so if the file already exists and you want to add users or change passwords, do not use this flag.

    * You can run the htpasswd command from any directory, if you specify the complete path to the .htpasswd file.

    Now you're ready to run the command that will create the .htpasswd file. The command creates a .htpasswd file in the location devised in Step #1.

    % cd ~mycruzid/private
    % htpasswd -c .htpasswd User

    htpasswd responds by prompting for a password twice. The password does not appear while you are typing it. htpasswd stores a one-way hash of the password, never the password itself, in the .htpasswd file. After running htpasswd, you can view the .htpasswd file with more or a text editor, but do not edit it by hand; to add a user or change a password, run htpasswd again without -c.
  5. Restrict AFS access permissions: The first four steps protect your files from web-based access, but you also need to protect them from anyone with access to an AFS client, such as the ITS UNIX timeshare computers. Files on people are protected by AFS permissions, and you need to set the permissions on the directory containing your restricted pages so that it is readable only by the web server; otherwise anyone with an AFS client could read your protected pages via ssh, whatever .htaccess says. Type:

    % cd ~mycruzid/public_html/myphotos
    % fs sa . www3prod read
    % fs sa . system:anyuser none
    % fs sa . system:authuser none

    You may also want to check what other permissions you may have granted in that directory (and remove those, if needed), with:

    % fs la .
  6. Grant AFS access permission: You also need to grant the web server read permission on the directory containing your .htpasswd file, and turn it off for everyone else:

    % cd ~mycruzid/private
    % fs sa . www3prod read
    % fs sa . system:anyuser none
    % fs sa . system:authuser none
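
After steps 5 and 6 (on www2 with wwwadmin, on people with www3prod) the result is visible in the output of fs la. The script below is an added example and is not part of this ITS page or of the ITS service: it reads fs la output, piped in or saved to a file, and reports any surviving entry for system:anyuser or system:authuser, any rights beyond rl for the web server's principal, a missing entry for that principal, and every other principal that still has rights. The function name and messages are this example's own; it assumes the usual fs la layout (a header line, "Normal rights:", one "principal rights" line each, and an optional "Negative rights:" section), and the ACL it runs on in the demo is constructed here, not captured from a real directory.

```shell
#!/bin/sh
# afs_acl_audit.sh: check 'fs la' output for a restricted web directory or a
# .htpasswd directory after steps 5 and 6. Added example, not ITS code; the
# function name and messages are this example's own, and it assumes the usual
# fs la layout (header line, "Normal rights:", one "principal rights" line
# each, optional "Negative rights:" section).
#
#   fs la . | audit_afs_acl wwwadmin     # www2
#   fs la . | audit_afs_acl www3prod     # people

# audit_afs_acl PRINCIPAL   (reads fs la output on stdin)
# Prints WARN/NOTE lines; returns 1 if any WARN was raised, else 0.
audit_afs_acl() {
    principal=$1
    rc=0
    seen=0
    section=normal
    while IFS=' ' read -r who rights; do
        case $who in
            ''|Access)  continue ;;                 # blank, or "Access list for . is"
            Normal)     section=normal;   continue ;;
            Negative)   section=negative; continue ;;
        esac
        # Negative rights only take access away, so they cannot widen exposure.
        [ "$section" = normal ] || continue
        case $who in
            system:anyuser|system:authuser)
                # 'fs sa . X none' deletes the entry, so any surviving entry
                # exposes the files to every AFS client (authuser: to every
                # authenticated user), regardless of what .htaccess says.
                echo "WARN: $who has '$rights'; run: fs sa . $who none"
                rc=1 ;;
            "$principal")
                seen=1
                # 'read' grants exactly rl. Any of w, i, d, k, a would let the
                # web server change the tree, which nothing on the page needs.
                case $rights in
                    *[widka]*) echo "WARN: $principal has '$rights'; read (rl) is enough"; rc=1 ;;
                esac
                case $rights in
                    *r*l*|*l*r*) ;;
                    *) echo "WARN: $principal has '$rights'; it needs both r and l"; rc=1 ;;
                esac ;;
            *)
                # Everything else is what step 5 asks you to review by hand.
                echo "NOTE: $who has '$rights'; remove it unless it should see these files" ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "WARN: $principal has no entry; the web server cannot read this directory"
        rc=1
    fi
    return $rc
}

# Stand-alone demo on a constructed ACL (not a capture from a real directory).
sample='Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  wwwadmin rlw
  mycruzid rlidwka
'
printf '%s' "$sample" | audit_afs_acl wwwadmin || echo "-> fix the WARN lines above, then rerun fs la ."
```

Run it right after the fs sa commands with fs la . | audit_afs_acl wwwadmin (or www3prod on people); a clean directory prints only NOTE lines for your own CruzID and system:administrators and exits 0.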

Instructions for units on wcms

  1. To create a password-protected directory, you need to know 4 items:
    1. The location of the .htpasswd file: In WCMS, the location of the .htpasswd is always /opt/app/home/wcmsuser/publish/unit/private where unit is the short name of your unit, therefore the location of the .htpasswd file will be:

      /opt/app/home/wcmsuser/publish/unit/private/.htpasswd

      This is the location that we use in the examples below.
    2. Prompt: Users will see a pop-up window when they first try to access your protected pages. The pop-up contains the sentence Enter password for Prompt (the exact text varies from browser to browser). You need to devise a sensible prompt. Examples might be Development, or Staff Only Area, or Project XYZ. If you want to put spaces in the prompt, make sure you retain the quotation marks (see below).
    3. User: The public part of the login/password pair. This user has nothing to do with your existing CruzID, and should not match any existing CruzID.
    4. Password: The secret word that will be the password. This password should be different from any other password you may be using, and it should not match any CruzID password, you or others may be using.

      You will share this user/password with others who are allowed access to your restricted directory.
  2. Create a file called .htaccess in the web directory you want to protect in Cascade (i.e., log in to http://wcms.ucsc.edu/). Don't forget the dot at the beginning of the name. For example, to protect a directory called staffonly, create the file staffonly/.htaccess and give it the contents shown in the next step.
  3. Type the following lines in your .htaccess file. Change the Prompt, the unit, and the User with the items you set up in step #1.

    AuthName    "Prompt"
    AuthType    Basic
    AuthUserFile    /opt/app/home/wcmsuser/publish/unit/private/.htpasswd

    <Limit GET POST>
    require user User
    </Limit>  
  4. At this time, please file an ITR ticket with the Support Center to create the .htpasswd file. We need to know:
    1. The unit name.
    2. The username.
    3. The password that you plan to use (but do not put the password in the ticket itself; the technician will contact you for it when it is needed).

    We will contact you when the work is completed.
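
Every .htaccess on this page, from the network example near the top to the three password examples, can be checked the same way before it goes live. The script below is an added example and is not part of this ITS page or of the ITS service: it reads a .htaccess on standard input and flags rules wrapped in <Limit>, a password file placed under public_html, an incomplete AuthName/AuthType/AuthUserFile trio, and host-name-based allow rules, and it prints a hardened version with the rules outside any <Limit> block. The function names and messages are this example's own; the Satisfy directive it emits is the Apache 2.2-era syntax matching the order/deny/allow lines used on this page; and the .htaccess text it audits in the demo is reproduced from the www2 example above, not taken from a live server.

```shell
#!/bin/sh
# htaccess_audit.sh: check a .htaccess written as on this page for settings
# that silently weaken it, and print a hardened version. Added example, not
# ITS code; the function names and messages are this example's own.
#
#   audit_htaccess < public_html/staffonly/.htaccess
#   hardened_htaccess "Staff Only Area" /afs/.../private/.htpasswd User > .htaccess

# _has ERE: true if any line of $content matches, case-insensitively.
_has() { printf '%s\n' "$content" | grep -Eqi "$1"; }

# audit_htaccess  (reads the file text on stdin)
# Prints WARN/NOTE lines; returns 1 if any WARN was raised, else 0.
audit_htaccess() {
    content=$(cat)
    rc=0

    # <Limit GET POST> (or <LimitExcept>) scopes the enclosed rules to a
    # method list. Apache applies nothing to methods outside that list, so
    # PUT, DELETE, OPTIONS, TRACE or a made-up verb reach the content
    # unchecked. Rules outside any <Limit> block apply to every method.
    if _has '^[[:space:]]*<Limit'; then
        echo "WARN: rules are inside <Limit>/<LimitExcept>; methods outside that scope are unrestricted"
        rc=1
    fi

    # The password file belongs outside the served tree; under public_html
    # only the server's rule that hides .ht* files keeps it from being fetched.
    if _has '^[[:space:]]*AuthUserFile[[:space:]]+.*/public_html/'; then
        echo "WARN: AuthUserFile is inside public_html"
        rc=1
    fi

    # 'require' with an incomplete AuthName/AuthType/AuthUserFile trio makes
    # Apache fail the request (500) instead of prompting for a password.
    if _has '^[[:space:]]*require[[:space:]]'; then
        for d in AuthName AuthType AuthUserFile; do
            _has "^[[:space:]]*$d[[:space:]]" ||
                { echo "WARN: require present but $d is missing"; rc=1; }
        done
    fi

    # 'allow from <host name>' makes Apache reverse-resolve each client
    # address (and confirm it forward); a campus client with no matching PTR
    # record is refused. A numeric address or prefix does not depend on DNS.
    if printf '%s\n' "$content" |
            grep -Ei '^[[:space:]]*allow[[:space:]]+from[[:space:]]+[a-z]' |
            grep -Eqiv 'from[[:space:]]+all[[:space:]]*$'; then
        echo "NOTE: allow from uses a host name; access depends on reverse DNS"
    fi

    return $rc
}

# hardened_htaccess PROMPT AUTHUSERFILE USER [DOMAIN]
# Same effect as the page's password example, but with no <Limit> wrapper so
# every method is covered. With DOMAIN the network rule is added as well;
# Satisfy All (Apache 2.2 syntax, like order/deny/allow) means the client
# must be on the network AND log in; Satisfy Any would accept either.
hardened_htaccess() {
    printf 'AuthName    "%s"\nAuthType    Basic\nAuthUserFile    %s\nRequire user %s\n' "$1" "$2" "$3"
    if [ -n "${4:-}" ]; then
        printf 'Order deny,allow\nDeny from all\nAllow from %s\nSatisfy All\n' "$4"
    fi
}

# Stand-alone demo: the www2 example from this page (reproduced here) and the
# hardened form that would replace it.
page_example='AuthName    "Prompt"
AuthType    Basic
AuthUserFile    /afs/cats.ucsc.edu/www/unit/prod/private/.htpasswd

<Limit GET POST>
require user User
</Limit>'
echo "== page example"
printf '%s\n' "$page_example" | audit_htaccess || echo "   -> do not ship as is"
echo "== hardened"
hardened_htaccess "Prompt" /afs/cats.ucsc.edu/www/unit/prod/private/.htpasswd User ucsc.edu |
    audit_htaccess && echo "   -> no WARN"
```

The NOTE for host-name rules is informational and does not fail the audit, since the page's own network rule uses one; the WARN lines do, because each of them leaves something reachable that the .htaccess was meant to close.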