ARCHIVED: How do I limit access to my web pages?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Note: This information applies primarily to Apache and NCSA HTTPd web servers; at Indiana University, Apache runs on Pages and Webserve. It also assumes you are using a Unix-based text editor from inside your Unix account.

About the .htaccess file

An easy way to control access to web pages on your site is to use .htaccess files. You can use these to password-protect an entire directory, but not individual files within the directory.

The .htaccess file, which resides inside the restricted directory, tells the web server that the directory is restricted. The server then makes the browser prompt for a username and password, checks whether the given username is on the authorized list, and, if it is, verifies the password against the password file.

The following instructions outline the setup of a simple user authentication .htaccess file. This process is for a typical Unix account. Depending on which Unix shell you are using and the way your local server is set up, the exact procedure may vary. This simplified process consists of three parts: setting up the directory you wish to restrict, setting up the .htaccess file, and setting up the password file.

Note: At IU Bloomington, your Pages web page actually resides on a particular volume of the HPNFS server. If you do not list your file paths correctly, you will not be able to set up your .htaccess file.

Setting up the restricted directory

To restrict access to your files, you must first move them all to a single subdirectory of your www directory (e.g., www/restricted). Once you have created this subdirectory and moved your files to it, be sure to set the permissions so that the web server can enter the directory and read the files. To set permissions for directories, in the parent directory of the directory you want to change, enter:

  chmod 755 directoryname

Replace directoryname with the name of the directory whose permissions you want to set.

To set permissions for files, in the directory containing the files, enter:

  chmod 644 filename

Replace filename with the name of the file whose permissions you want to set.

Setting up the .htaccess file

The .htaccess file sets up a path to the password file (.file-password) and tells the web server which users are allowed to access the restricted directory.

To set up your .htaccess file, open a text editor (e.g., Emacs, vi, or Pico), and name the new file .htaccess. This file must be in the same directory as the password-protected pages. You must also set the permissions on this file so that it is readable from your web browser. At the command line enter:

  chmod 644 .htaccess

Here is a generic example of a simple .htaccess file:

  AuthUserFile /home/username/.file-password
  AuthGroupFile /dev/null
  AuthName "My Protected Directory"
  AuthType Basic
  
  <Limit GET POST PUT>
  require user lskywalker hsolo owkenobi lorgana
  </Limit>

On Pages accounts at IU, the path to the password file is different from the example given above. It must include the volume of the NFS server that actually serves your Pages files. A good AuthUserFile line for accounts on Mercury would be:

  AuthUserFile /fs/lskywalker/.file-password

Replace lskywalker with your username.

Following is an explanation of each variable of the .htaccess file:

AuthUserFile
  This variable references the location of the password file. This password file should not be in a directory accessible by a web browser (that is, it should not be in your www directory or any subdirectory of your www directory). Though you can name the file anything you wish, UITS recommends a file name preceded by a period, such as .file-password.
AuthGroupFile
  This variable should point to /dev/null, which tells the server that no group file is used.
AuthName
  This variable is the title for the authentication box that pops up when your browser tries to access the contents of the restricted directory. This message can be anything you like, but recent versions of Apache require you to enclose it in quotes. If you leave it blank, the default name will be ByPassword.
AuthType
  This variable must be set to Basic, since you are using Basic HTTP Authentication.
Limit
  Set this to GET POST PUT. GET is used for most web page accesses. POST is used almost exclusively for CGI scripts. PUT is used by CGI scripts and some web editors to upload files using HTTP. The method names are case-sensitive and must be uppercase.
require user
  This line lists the usernames of the people who are authorized to view the restricted directory. Enter the usernames of those users to whom you wish to grant access.

Note: Don't forget to include your username in the list. Otherwise, the password screen will keep you from seeing your own files.

Setting up the password file

Once you have finished editing your .htaccess file, you can create a password file. This file is a plain text file in which each password is stored as a one-way hash produced by the crypt() call, not as clear text. On many Unix systems, the task of setting up the password file is automated with the htpasswd command.

Note: Your password for web pages should not be the same as the password you use to access your central web and email accounts. Although the passwords in the file are hashed rather than stored in clear text, it is still very easy to crack passwords using commonly available cracking programs. For this reason, your password should never be a real word or any other password that could be easily guessed; see Your IU passphrase.

To set up your password file with htpasswd:

  1. Enter cd (with no arguments) to leave the subdirectory where you set up your .htaccess file and return to your home directory, and then enter:
      htpasswd -c ~/.file-password username

    Replace username with your username. When you run this command, htpasswd will automatically generate the .file-password file and will prompt you for a password.

  2. The htpasswd program will then ask you to confirm your password. If you set up the password correctly, the password and username will be in your password file.
  3. To add additional users to the password file, run htpasswd without the -c flag. For example, to add the username hsolo to the password file, you would enter:
      htpasswd ~/.file-password hsolo

    When prompted, enter the password for hsolo.

  4. Finally, to make the password file readable by the web server (world readable), enter the following command for each password file:
      chmod 644 filename

    Replace filename with the name of your password file (e.g., .file-password).
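
To show what the server actually does with the two files set up above, here is an added Python model (not from this page, and not Apache's own code) that renders the .htaccess text from the generic example, writes a password file in the {SHA} format that htpasswd -s produces (the default crypt() entries the page describes are not handled here), and checks a Basic Authorization header against the require user list and the stored hash. All paths, usernames and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from pathlib import Path

def htaccess_text(password_file, users, realm="My Protected Directory"):
    """Render a .htaccess matching the page's generic example for the given users."""
    return (
        f"AuthUserFile {password_file}\n"
        "AuthGroupFile /dev/null\n"
        f'AuthName "{realm}"\n'
        "AuthType Basic\n\n"
        "<Limit GET POST PUT>\n"
        f"require user {' '.join(users)}\n"
        "</Limit>\n"
    )

def sha_entry(user, password):
    """One password-file line in the format `htpasswd -s` writes: user:{SHA}b64(sha1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def write_password_file(path, credentials):
    """Write the password file (keep it outside www/) with mode 644, as the page instructs."""
    Path(path).write_text("".join(sha_entry(u, p) + "\n" for u, p in credentials.items()))
    os.chmod(path, 0o644)

def check_basic_auth(authorization, password_file, allowed_users):
    """Decide a request the way the server would: Basic scheme, user present in the
    'require user' list, and the presented password matching that user's stored hash."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:            # malformed base64 or non-UTF-8 credentials
        return False
    if user not in allowed_users:  # valid credentials are not enough without a listing
        return False
    expected = sha_entry(user, password).split(":", 1)[1]
    for line in Path(password_file).read_text().splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            # constant-time comparison; other hash formats (e.g. crypt()) simply fail closed
            return hmac.compare_digest(stored.encode(), expected.encode())
    return False                   # listed in require user but absent from the password file
```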

Now, when you try to access the restricted directory from a web browser, the browser will bring up a password protection window. Enter a valid username and password to view the restricted files. If you wish to remove the password restrictions for files in the directory, you must either move the files to another directory or remove the .htaccess file.

Unfortunately, there is no other simple way to restrict access to a directory or to individual files within a directory. If you want to restrict access to a directory without having to enter all of the authorized usernames, create an easily remembered username (such as guest) with a password that still follows the guidance above, and release it to the people whom you want to have access. Be aware that if you do this, you lose some control over who can access your files. If you wish to change access restrictions, you will have to edit your .htaccess and password files.

This is document abeq in the Knowledge Base.
Last modified on 2021-09-08 10:17:49.