Indiana University
University Information Technology Services
How do I limit access to my World Wide Web pages?

Note: This information applies primarily to Apache and NCSA HTTPd web servers; at Indiana University, Apache runs on Mypage and Webserve. It also assumes you are using a Unix-based text editor from inside your Unix account.

Note: At Indiana University South Bend, the Mypage service is different from the Mypage service mentioned in this document. For more information, see IUSB's Web Publishing: Mypage page.

An easy way to control access to web pages on your site is to use .htaccess files. These can be used to password-protect an entire directory, but not individual files within the directory.

The .htaccess file, which resides inside the restricted directory, tells the web server that the directory is restricted. When a browser requests a page there, the server challenges it for a username and password, checks whether that username is one of those authorized to view the directory and, if it is, checks the supplied password against the password file.

For detailed information about using .htaccess files, including advanced options not covered in this document, visit NCSA's .htaccess tutorial.

The following instructions outline the setup of a simple user authentication .htaccess file. This process is for a typical Unix account. Depending on which Unix shell you are using and the way your local server is set up, the exact procedure may vary. This simplified process consists of three parts: setting up the directory you wish to restrict, setting up the .htaccess file, and setting up the password file.

Note: At IU Bloomington, your Mypage web page actually resides on a particular volume of the HPNFS server. If you do not list your file paths correctly, you will not be able to set up your .htaccess file.

Setting up the restricted directory

To restrict access to your files, you must first move them all to a single subdirectory of your www directory (e.g., www/restricted). Once you have created this subdirectory and moved your files to it, be sure to set the permissions so that the web server can read the files and enter the directory (directories need the execute bit for that). To set permissions for directories, in the parent directory of the directory you want to change, enter:

chmod 755 directoryname

Replace directoryname with the name of the directory whose permissions you want to set.

To set permissions for files, in the directory containing the files, enter:

chmod 644 filename

Replace filename with the name of the file whose permissions you want to set.

Setting up the .htaccess file

To set up your .htaccess file, open a text editor (e.g., Emacs, vi, or Pico), and name the new file .htaccess. This file must be in the same directory as the password-protected pages. You must also set the permissions on this file so that the web server can read it. At the command line enter:

chmod 644 .htaccess

Here is a generic example of a simple .htaccess file:

AuthUserFile /home/username/.file-password
AuthGroupFile /dev/null
AuthName "My Protected Directory"
AuthType Basic
<Limit GET POST PUT>
require user lskywalker hsolo owkenobi lorgana
</Limit>

On Mypage accounts at IU, the path to the password file is different from the example given above. It must include the volume of the NFS server that actually serves your Mypage files. A good AuthUserFile line for accounts on Mercury would be:

AuthUserFile /fs/lskywalker/.file-password

Replace lskywalker with your username.

What does this mean?

The .htaccess file gives the web server the path to the password file (.file-password) and tells it which users are allowed to access the directory.

The first variable, AuthUserFile, gives the location of the password file that .htaccess uses. This password file should not be in a directory accessible by a web browser (that is, it should not be in your www directory or any subdirectory of your www directory). Though you can name the file anything you wish, UITS recommends a file name preceded by a period, such as .file-password.

Because, in this example, you are not using group files, the second variable (AuthGroupFile) should point to:

/dev/null

The special file /dev/null is always empty, so pointing AuthGroupFile at it gives Apache an empty group file.

The AuthName variable simply refers to the title for the authentication box that pops up when your browser tries to access the contents of the restricted directory. This message can be anything you like, but recent versions of Apache require you to enclose it in quotes. (The quote requirement is a recent change on Mypage and the IU central web servers.) If you leave it blank, the default name will be ByPassword.

The AuthType variable must be set to Basic, since you are using Basic HTTP Authentication.

Set the Limit type to GET POST PUT. GET is used for most web page accesses. POST is used almost exclusively for CGI scripts. PUT is used by CGI scripts and some web editors to upload files using HTTP. In recent versions of Apache, this whole line must be in uppercase (capitals). On Mypage and the IU central web servers, the uppercase requirement is a recent change. Because a require directive inside <Limit> applies only to the methods listed there, current Apache documentation recommends placing require outside any <Limit> block (or using <LimitExcept>) so that every request method is covered.

The require user line is simply a list of usernames for people who are authorized to view the restricted directory. In this line, enter the usernames of those users for whom you wish to grant access.

Note: Don't forget to include your username in the list. Otherwise, the password screen will keep you from seeing your own files.

Setting up the password file

Once you have finished editing your .htaccess file, you can create a password file. This file is a plain text file in which each password is stored as a hash produced by the one-way crypt() function. On many Unix systems, the task of setting up the password file is automated with the htpasswd command.

Note: Your password for web pages should not be the same as the password that you use to access your central web and email accounts. Although the passwords in the file are stored as hashes rather than in clear text, weak passwords are still very easy to crack using commonly available cracking programs. For this reason, your password should never be a real word or any other password that could be easily guessed. For more information, see Passwords and passphrases.

To set up your password file with htpasswd, follow these steps:

  1. Enter cd (with no arguments) to leave the subdirectory where you set up your .htaccess file and return to your home directory, then enter:

     htpasswd -c ~/.file-password lskywalker

    Replace lskywalker with your username. When you run this command, htpasswd will automatically create the .file-password file and will prompt you for a password.

  2. The htpasswd program will prompt you to enter a password and will prompt you again to confirm your password. If you set up the password correctly, the password and username will be in your password file.

  3. To add additional users to the password file, run htpasswd without the -c flag. For example, to add the username hsolo to the password file, you would enter:

     htpasswd ~/.file-password hsolo

    When prompted, enter the password for hsolo.

  4. Finally, to make your files world readable, enter the following command for each password file:

     chmod 644 filename

    Replace filename with the name of your password file (e.g., .file-password), and enter the password for your new user when prompted.

Now, when you try to access the restricted directory from a web browser, the browser will bring up a password protection window. Enter a valid username and its password to view the restricted files. If you wish to remove the password restrictions for files in the directory, you must either move the files to another directory or remove the .htaccess file.
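As an added example (not part of this UITS document), the following Python sketches what the server does with the two files set up above when a browser answers the password prompt: it reads the require user line from .htaccess, decodes the Basic Authorization header, and checks the offered password against an htpasswd-style file. The .htaccess text, usernames and passwords are constructed for the example, and the password file uses Apache's {SHA} entry format (what htpasswd -s writes) instead of the crypt() format described above, because that format can be reproduced with Python's standard library alone.

```python
import base64
import hashlib
import hmac

# Constructed .htaccess mirroring the page's example (no group file, Basic auth).
HTACCESS = """AuthUserFile /home/username/.file-password
AuthGroupFile /dev/null
AuthName "My Protected Directory"
AuthType Basic
<Limit GET POST PUT>
require user lskywalker hsolo owkenobi
</Limit>
"""

def sha_entry(user, password):
    """One password-file line in Apache's {SHA} format (what 'htpasswd -s' writes)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed password file: two users, hashed as htpasswd would store them.
PASSWD_FILE = sha_entry("lskywalker", "correct horse") + "\n" + sha_entry("hsolo", "kessel-run-12") + "\n"

def allowed_users(htaccess):
    """Usernames named on the 'require user' line of .htaccess."""
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0].lower() == "require" and parts[1] == "user":
            return set(parts[2:])
    return set()

def basic_header(user, password):
    """The Authorization header value a browser sends after the password prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize(auth_header, htaccess=HTACCESS, passwd_text=PASSWD_FILE):
    """Decode the Basic credentials, check the 'require user' list, then compare hashes."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    if user not in allowed_users(htaccess):
        return False  # not listed in .htaccess: rejected before any hash check
    stored = dict(l.split(":", 1) for l in passwd_text.splitlines() if ":" in l)
    if user not in stored:
        return False  # listed in .htaccess but missing from the password file
    offered = sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored[user], offered)
```

Note that a user named in .htaccess but absent from the password file (owkenobi here) is refused just like one with a wrong password, which is why the page tells you to add every authorized user with htpasswd.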

Unfortunately, there is no other simple way to restrict access to a directory or to individual files within a directory. If you want to restrict access to a directory without having to enter all of the authorized usernames, create an easily remembered username (such as guest) and password (such as password), and release it to the people whom you want to have access. Be aware that if you do this, you lose some control over who can access your files. If you wish to change access restrictions, you will have to edit your .htaccess file and your password files.

This is document abeq in domain all.
Last modified on June 24, 2008.