Indiana University

IU Webmaster

Controlling Web Page Access

Table of Contents

Introduction
Using IU network ID authentication with a Virtual Host Address
Predefined Access Control: restricts access to those with an IU Network ID and password
Building Your Own Access Control: create a customized .htaccess file to allow access

Introduction
You can control who is able to view your web pages by using .htaccess files in your www or wwws directories and subdirectories. When using .htaccess controls that require IU network ID authentication, you must use the secure server.

By adding an Error Document Directive to your .htaccess file you can provide custom error messages so that users can get in touch with you in case of problems.

When a user tries to access one of your web pages, the web server looks for a .htaccess file in the directory where the file is stored. If there is a .htaccess file present, the user must meet the authentication requirements defined in the file in order to view the page. If there is no .htaccess file present, the web page will be displayed.

The .htaccess file can require that the user meet IP address or domain name specifications, or the user might have to authenticate by entering a username and password (such as an IU network ID/passphrase, or a username and password that you have set up for them).

Note: If there is a problem with the way that the .htaccess file is written, an Internal Server Error page will be displayed.

Using IU network ID authentication with a Virtual Host Address

If you choose to restrict access in a way that requires IU network ID authentication as described in this document, you must store the web content on the secure server (wwws directory). However, doing so means you cannot use your virtual host address. Instead, you will have to use your default web account address. (For example: https://www.indiana.edu/~account).

If you do not want to use your default web address, you can purchase an SSL certificate which will permit you to use your virtual host address for content on the secure server (wwws directory). For more information on purchasing an SSL certificate, see: Secure WWW Server

Another option to permit you to restrict access based on IU network IDs while retaining use of your virtual host address is to programmatically use CAS authentication for the web content in the www directory. See this Knowledge Base document: Information about integrating CAS with a web site


Predefined Access Control
If you wish to restrict access to anyone who has an IU Network ID/passphrase, you may do so by using a predefined access control option available on Webserve. For security reasons, you may only use this in the wwws directory within your account.

To activate this option, log in to your account on Webserve and change to the wwws directory (if you wish to restrict access only to certain subdirectories, change to the directory you wish to restrict). Type the following command:

iu_auth

Any person with an IU network ID will be able to authenticate while others will receive a 403 Forbidden error message. There is no way to limit access to particular campuses using iu_auth.

Building Your Own Access Control
If your needs go beyond the option described above, you may want to build your own .htaccess file. The access control methods to consider are:

  • Access based on specific IU network IDs
  • Access based on a username/password combination that you define
  • Access based on membership in a user group that you define
  • Access by specific Internet domains or addresses that you specify
  • Access based on IU network ID or user defined username and password

Each of these options requires you to create an .htaccess file and to place it in the directory that is to have the access control applied to it.

The .htaccess file must be group and world readable. After you have set up the .htaccess file and put it in place in your account, to set the proper permissions type:

chmod 744 .htaccess 

A valid .htaccess file contains the following fields that you must define:

AuthUserFile: The full path to your password file if you are using one, or IUauth if you are requiring IU network ID authentication. Otherwise, use /dev/null.
AuthGroupFile: If you are using access based on membership in a group you define, this is the full path to your group file. Otherwise, use /dev/null.
AuthName: The text that will appear in the authentication box when the user is asked to provide a username and password. The text must be placed within quotation marks.
AuthType: Always set to Basic.
<Limit GET POST> ... </Limit>: A description of the desired access control goes between these two Limit tags. Descriptions use keywords such as order, deny, allow and require, coupled with usernames, domains, and IP numbers.

Using this information, you can see that the following sample .htaccess file restricts access to the usernames and passwords contained in a file called .htpasswd that is stored in the /ip/myaccount/etc/ directory.

AuthUserFile	/ip/myaccount/etc/.htpasswd
AuthGroupFile	/dev/null
AuthType 	Basic
AuthName 	"A Sample Page"

<Limit GET POST>
require valid-user
</Limit>

Now that you understand the basic elements of a .htaccess file, you can begin creating .htaccess files using the access control methods described in the following sections:

  1. Specific IU Network IDs and Passwords
  2. Username/Password Combinations You Define
  3. User Groups You Define
  4. Specific Internet Domains or Addresses
  5. IU Network IDs as well as Usernames/Passwords you've assigned
  6. Either a username/password or an Internet address, or requiring both

Specific IU Network IDs and Passwords

For security reasons, you may only use this in the wwws directory within your account.

To restrict access to certain IU Network IDs, create an .htaccess file that looks something like this:

AuthUserFile	IUauth
AuthGroupFile	/dev/null
AuthType 	Basic
AuthName 	"IU Network ID"

<Limit GET POST>
require user greg peter bobby sam oliver
</Limit>

The AuthUserFile field is defined as IUauth, so web site visitors must use their IU network username/passphrase to authenticate. The require user directive within the Limit tags lists the IU network IDs allowed to access the file(s). In this case, the Network IDs: greg, peter, bobby, sam, and oliver are permitted access. Everyone else will receive an error message if they try to log in.

Note: if your list of required users is long, make sure there are no line breaks within the list of names. Also, if your list exceeds the number of characters that fit on one line, your users may receive an Internal Server Error message instead of a login box. The solution is to split your list of users across several require user statements:

<Limit GET POST>
require user greg peter bobby sam oliver james ebenezer harold scott robert 
require user kate elizabeth sarah jennifer alison susan megan erica leslie 
</Limit>

The AuthName field contains the text that will be displayed in the login box when someone tries to access your Web pages. Make sure this text is within quotation marks, as shown in the example.

With this type of authentication, users log in with their network usernames and passphrases so you don't have to maintain passwords for them.
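The required fields listed above, the wwws requirement for IUauth, the note about over-long require user lines, and the advice in the next section to keep password and group files out of www and wwws can all be checked before the file is put in place. The checker below is an added example, not part of the IU documentation; it assumes Python 3 and an 8192-byte server configuration line buffer (max_line), which you should adjust if your server differs.

```python
from pathlib import PurePosixPath

REQUIRED = ("AuthUserFile", "AuthGroupFile", "AuthType", "AuthName")

def parse_htaccess(text):
    """Split an .htaccess file into {directive: value} for the lines outside
    <Limit> ... </Limit> and a list of the raw lines inside it."""
    directives, limit_lines, in_limit = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<limit"):
            in_limit = True
        elif line.lower().startswith("</limit"):
            in_limit = False
        elif in_limit:
            limit_lines.append(line)
        else:
            parts = line.split(None, 1)          # directive, then its value
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives, limit_lines

def check_htaccess(text, htaccess_dir, max_line=8192):
    """Return the list of problems found (empty when the file passes).
    htaccess_dir is the directory the file lives in; max_line is the assumed
    longest configuration line the server reads (8192 bytes assumed here)."""
    directives, limit_lines = parse_htaccess(text)
    problems = [f"missing {name}" for name in REQUIRED if name not in directives]
    if directives.get("AuthType") != "Basic":
        problems.append("AuthType must be Basic")
    auth_name = directives.get("AuthName", "")
    if len(auth_name) < 2 or auth_name[0] != '"' or auth_name[-1] != '"':
        problems.append("AuthName text must be enclosed in quotation marks")
    if directives.get("AuthUserFile") == "IUauth" \
            and "wwws" not in PurePosixPath(htaccess_dir).parts:
        problems.append("IUauth works only on the secure server (wwws directory)")
    for key in ("AuthUserFile", "AuthGroupFile"):
        value = directives.get(key, "/dev/null")
        if value.startswith("/") and value != "/dev/null" \
                and {"www", "wwws"} & set(PurePosixPath(value).parts):
            problems.append(f"{key} should not live inside www or wwws")
    for line in limit_lines:
        if line.lower().startswith("require user") and len(line) > max_line:
            problems.append("require user line too long: split it into several require user lines")
    return problems

# Constructed samples: the page's first .htaccess example, and a variant that
# switches to IUauth and drops the quotation marks around the AuthName text.
GOOD = ('AuthUserFile\t/ip/myaccount/etc/.htpasswd\nAuthGroupFile\t/dev/null\n'
        'AuthType \tBasic\nAuthName \t"A Sample Page"\n\n<Limit GET POST>\n'
        'require valid-user\n</Limit>\n')
BAD = GOOD.replace("/ip/myaccount/etc/.htpasswd", "IUauth").replace('"A Sample Page"', "A Sample Page")
```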

Using Username/Password Combinations You Define

If the people you want to see your pages don't have an IU network ID, you'll have to create a file that contains usernames and passwords that they can use to log in. So, to set up this type of protection, you must: create an .htaccess file and create a password file.

Create the .htaccess file

The .htaccess file that you create should look something like this:

AuthUserFile    /ip/alice/etc/.htpasswd
AuthGroupFile   /dev/null
AuthType        Basic
AuthName        "My Protected Web Site"

<Limit GET POST>
require valid-user
</Limit>

The AuthUserFile field contains the complete path to the password file that you will create in the next step. The password file should not be in your www or wwws directory; the example above shows a password file named .htpasswd in an etc directory in the user alice's home directory.

The require valid-user directive within the Limit tags means that only users who are listed in your password file can successfully log in to see these pages.

The AuthName field contains the text (which must be within quotation marks) that will be displayed in the login box when someone tries to access your Web pages.

Create the password file

Once you have your .htaccess file ready, it's time to create the password file. For explanation purposes, we'll assume you are going to name your password file .htpasswd and that it will be stored in a directory named etc in your home directory (i.e., /ip/account_name/etc/.htpasswd).

The password file is initially created, and later added to, using the htpasswd command. Here's how it works:

  1. Log into Webserve and type the following command (replace account_name with your web account name and replace username with the username of the first person you want to give access to):

    htpasswd -c /ip/account_name/etc/.htpasswd username 
    

    When prompted for a password, supply a password for this user and type it again for verification.

    Note: If you have more than one .htpasswd file, we recommend that you place a suffix on the end of the password filename to distinguish it from other password files you are using. For example, in the case where an .htpasswd file contains student usernames and passwords for a given class, you might make the suffix the course code or the course code combined with the section number as in: .htpasswd_c202 and .htpasswd_c202_3444 respectively.

  2. To add more usernames to the password file, use the htpasswd command without the -c flag. For example:
    htpasswd /ip/account_name/etc/.htpasswd username2 
    htpasswd /ip/account_name/etc/.htpasswd username3 
    htpasswd /ip/account_name/etc/.htpasswd username4
    

    With each addition, you will be prompted for a password for the user. When you enter the password (and type it again for verification), the username and an encrypted version of the password will be stored in your password file.

Using User Groups You Define
If you want to allow and deny access based on groups that you define, you will need to create another file with group names and corresponding member lists. So, to set up protection based on groups, you must: create an .htaccess file, create a groups file, and create a password file (unless you are going to use IU Network IDs).

Create the .htaccess file

The .htaccess file that you create should look something like this if you want users to authenticate using their IU Network IDs:

AuthUserFile    IUauth
AuthGroupFile   /ip/alice/etc/.htgroup
AuthType        Basic
AuthName        "My Protected Web Site"

<Limit GET POST>
require group my_bunch
</Limit>

It will look like this (note the change to the AuthUserFile field) if you want users to authenticate with usernames and passwords that you've set up for them.

AuthUserFile    /ip/alice/etc/.htpasswd
AuthGroupFile   /ip/alice/etc/.htgroup
AuthType        Basic
AuthName        "My Protected Web Site"

<Limit GET POST>
require group my_bunch
</Limit>

The AuthGroupFile field contains the complete path to the group file you will create in the next step. If you want users to log in using their IU Network IDs, the AuthUserFile field should contain IUauth; if you want users to log in using a username and password that you've set up for them, this field should contain the complete path to the password file that you will create below. The group file and the password file (if you create your own instead of using IU Network IDs) should not be in your www or wwws directory; the example above shows a group file named .htgroup and a password file named .htpasswd, both in an etc directory in the user alice's home directory. If you use IUauth you must place the .htaccess file on the secure server (the wwws directory of your account).

The require group my_bunch directive within the Limit tags means that users who are listed as members of the my_bunch group in the .htgroup file will be granted access if they successfully authenticate using their username and password defined in the AuthUserFile (either your password file or their IU Network ID).

The AuthName field contains the text that will be displayed in the login box when someone tries to access your Web pages. Note: this text must appear within quotation marks.

Create the groups file

Once you have your .htaccess file ready, it's time to create the groups file. For explanation purposes, we'll assume you are going to name your groups file .htgroup and that it will be stored in a directory named etc in your home directory (i.e., /ip/username/etc/.htgroup).

Use a text editor to create the .htgroup file. Each line of the group file contains a group name followed by a colon, followed by the member usernames separated by spaces. For example:

my_bunch: mike carol marsha jan cindy greg peter bobby
group_2: ward june wally theodore

This sample group file defines two groups: my_bunch and group_2. The first contains eight users and the second contains four. Looking back to our .htaccess file, you can see that it limits access to the my_bunch group. Because AuthUserFile is defined as a path name (rather than IUauth), the users in this group must log in using the password that is defined for them in the .htpasswd file. If AuthUserFile were set to IUauth, these users would have to log in using their IU Network passphrases.

Create the password file

If you choose to use your own password file instead of using IU Network IDs, you'll have to create the password file now. For explanation purposes, we'll assume you are going to name your password file .htpasswd and that it will be stored in a directory named etc in your home directory (i.e., /ip/username/etc/.htpasswd).

The password file is initially created, and later added to, using the htpasswd program. Here's how it works:

  1. Log into Webserve and type the following command (replace account_name with your web account name and replace username with the username of the first person to whom you want to give access):
    htpasswd -c /ip/account_name/etc/.htpasswd username
    
    When prompted for a password, supply a password for this user.

    Note: If you have more than one .htpasswd file, we recommend that you place a suffix on the end of the password filename to distinguish it from other password files you are using. For example, in the case where an .htpasswd file contains student usernames and passwords for a given class, you might make the suffix the course code or the course code combined with the section number as in: .htpasswd_c202 and .htpasswd_c202_3444 respectively.

  2. To add more usernames to the password file, you use the htpasswd command without the -c flag from your Webserve account. For example:
    htpasswd /ip/account_name/etc/.htpasswd username2
    htpasswd /ip/account_name/etc/.htpasswd username3
    htpasswd /ip/account_name/etc/.htpasswd username4
    
    With each addition, you will be prompted for a password for the user. When you enter the password (and type it again for verification), the username and an encrypted version of the password will be stored in your password file.

Using Internet Domains or Addresses
If you want to allow and deny access based on IP numbers or hostnames, you will need to make some additions to the .htaccess file. Your .htaccess file should look something like this:

AuthUserFile 	/dev/null
AuthGroupFile 	/dev/null
AuthType 	Basic
AuthName 	"ExampleAllowFrom"

<Limit GET POST>
order deny,allow
deny from all
allow from .indiana.edu
allow from .iupui.edu
allow from idsnews.com
</Limit>

Since no password or group files are being used, the AuthUserFile and AuthGroupFile fields are set to /dev/null.

Here's an explanation of the commands within the Limit tags:

order deny,allow: Process all "deny" entries below, then process the "allow" entries.
deny from all: First, deny access from all Internet addresses . . .
allow from .indiana.edu: . . . then allow access from computers that are part of the indiana.edu domain . . .
allow from .iupui.edu: . . . likewise allow access from computers that are part of the iupui.edu domain . . .
allow from idsnews.com: . . . and also allow access from hosts in the idsnews.com domain.

Using IU Network IDs as well as Usernames/Passwords you've assigned

In 2011, upgrades on Webserve will make the option of combining these two types of authentication no longer possible. If you need to restrict content using IU network IDs as well as usernames/passwords you've assigned, you should create two directories with the same content. In one directory, you can restrict the content to IU network IDs and in the other directory you can restrict content to usernames/passwords you've defined.

Using Either a Username/Password or an Internet Address, or Requiring Both

If you'd like to enable your users to gain access based on either their Internet address or a username and password, you can use the satisfy any parameter within your .htaccess file. In this example, the user will be granted access if they either pass the Internet host address restriction or enter a valid username and password.

Users from the specified Internet address (such as an IU campus domain like .indiana.edu or .iupui.edu) will be able to access the site without being prompted for their username and password, making the authentication process less obtrusive. If the user is not at a computer possessing the allowed Internet address -- for example, if the user comes in from home through an Internet Service Provider -- s/he can still get in if s/he passes the "require user" test.

If you'd like to restrict access to a particular area by both username/password and client host address, you can use the satisfy all directive. In this case the default behavior ("all") requires that the user passes the address access restriction and also enters a valid username and password.

You can use either IU Network IDs and passwords (using IUauth, as shown here) or you can define your own usernames and passwords, as discussed in the section on Using Username/Password Combinations You Define.

AuthUserFile  IUauth
AuthGroupFile /dev/null
AuthType      Basic
AuthName      "IU Network ID"

<Limit GET POST>
order deny,allow
deny from all
allow from .indiana.edu
require user greg peter bobby sam oliver
satisfy any
</Limit>

This example will allow anyone from a computer with an address in the .indiana.edu domain to access the Web pages in the .htaccess-protected directory.

In this example, if the Internet address of the user's computer is not within the .indiana.edu domain, he or she can still access the page by logging in with his or her IU Network ID and password and passing the "require user" test.

Note that many machines at IU (someone connecting from a dorm room, for example) will not be registered in the Domain Name System (DNS) as part of the .indiana.edu domain, so you may need to specify additional allowable domains or IP numbers in order to grant access to these users without requiring them to log in with their Network ID and password.
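The host rules of the previous section, the require group rule from the groups section and the satisfy logic described here can be modelled end to end. The evaluator below is an added example, not code from the IU documentation or from Apache; its host matching is a simplified assumption of Apache's partial-domain matching, and it assumes order deny,allow, the only order the page uses.

```python
def parse_htgroup(text):
    """Parse a .htgroup file: each line is 'group: member member ...'."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups

def host_matches(pattern, host):
    """Simplified model (an assumption, not Apache's code) of 'allow/deny from'
    matching: 'all' matches every host, '.indiana.edu' matches any name ending
    in that suffix, 'idsnews.com' matches that host or any host beneath it."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern or host.endswith("." + pattern)

def access_decision(limit_lines, remote_host, user, groups):
    """Decide whether one request passes the lines between <Limit> and </Limit>.
    remote_host: the client's DNS name; user: the authenticated username, or
    None when no valid login was supplied; groups: the dict from parse_htgroup.
    Assumes 'order deny,allow', the only order the page uses (Apache's default)."""
    deny, allow, requires, satisfy = [], [], [], "all"
    for line in limit_lines:
        words = line.split()
        key = words[0].lower()
        if key == "deny":               # "deny from X Y ..."
            deny += words[2:]
        elif key == "allow":            # "allow from X Y ..."
            allow += words[2:]
        elif key == "require":          # "require user|group|valid-user ..."
            requires.append(words[1:])
        elif key == "satisfy":
            satisfy = words[1].lower()
    # order deny,allow: a host passes unless a deny entry matches it, and a
    # matching allow entry overrides the deny; with no deny entry nobody is denied.
    denied = any(host_matches(p, remote_host) for p in deny)
    allowed = any(host_matches(p, remote_host) for p in allow)
    host_ok = not denied or allowed
    # Several require lines are alternatives: satisfying any one is enough.
    user_ok = False
    for rule in requires:
        kind, names = rule[0].lower(), rule[1:]
        if kind == "valid-user":
            user_ok |= user is not None
        elif kind == "user":
            user_ok |= user in names
        elif kind == "group":
            user_ok |= any(user in groups.get(g, set()) for g in names)
    return (host_ok or user_ok) if satisfy == "any" else (host_ok and user_ok)

# Constructed inputs: the page's sample group file, and its satisfy example with
# "deny from all" added so that only .indiana.edu hosts pass the address test.
SAMPLE_GROUPS = parse_htgroup("my_bunch: mike carol marsha jan cindy greg peter bobby\n"
                              "group_2: ward june wally theodore\n")
SATISFY_ANY = ["order deny,allow", "deny from all", "allow from .indiana.edu",
               "require user greg peter bobby sam oliver", "satisfy any"]
```

Running the model with only allow entries shows why the explicit deny from all matters: under order deny,allow a block with no deny entry lets every host pass the address test, so satisfy any would admit everyone without a login. Keep in mind as well that directives inside <Limit GET POST> govern only the listed methods, which is why Apache's own documentation advises placing access controls outside <Limit> unless a per-method restriction is really intended.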
