Limiting access to webspace

Helpdesk.cs.uu.nl

Sometimes you want to make content available, but not to the whole world, Google and your competitors.

Restrictions using username/password

With the Apache server, one can limit access to a directory by user authentication.

Suppose we have a directory /users/www/DDD.
Note that DDD is a relative pathname (relative to /users/www/).
Create a file /users/www/DDD/.htaccess containing:

AuthUserFile /users/www/staff/DDD/.htpasswd
AuthGroupFile /dev/null
AuthName "Authorisation realm"
AuthType Basic
Require valid-user
Common pitfall: the filesystem on the webserver looks different from that on a standard Unix staff system, and the .htaccess file is interpreted from the view of the webserver. Note that the AuthUserFile filename includes 'staff' for staff webspace and 'wwwshare' for shared space.

To help users with systems which make it hard to create files with a . at the beginning, the configuration of the staff webserver has been modified to also use /users/www/DDD/htaccess.txt and you can use password files named htpasswd.txt. For the rest, everything works the same.

Examples :

The AuthName directive sets the name of the authorization realm for the content. The name .htpasswd is chosen because the webserver will refuse to serve this file to clients.
Create the file .htpasswd containing lines like:
user1:xxdcd3McfVAxg
user2:bz5S97b0axNOY
Usernames may be chosen freely; passwords are encrypted in Unix crypt style. For encrypting passwords, the genpw(1) command is available on all Linux hosts. Usage:
  Usage: genpw passwd salt
  argument salt : must be two letters or digits
  example       : genpw secret bz
  output        : bz5S97b0axNOY
The normal user database is only available for user authentication on our secure webserver.

Restrictions based on IP address

It is also possible to simply deny access to outside visitors, for example visitors outside our staffnet. Create the same file /users/www/DDD/.htaccess containing:
Order Allow,Deny
Allow from 131.211.80.0/23
Or for both staff and student networks (Apache does not accept a comment on the same line as a directive, so each comment goes on its own line):
Order Allow,Deny
# staff fixed network
Allow from 131.211.80.0/23
# students fixed network
Allow from 131.211.82.0/23
# staff vpn clients
Allow from 131.211.113.0/25
# student vpn clients
Allow from 131.211.112.128/25
# beta faculty computer labs
Allow from 131.211.150.0/23
Allow from 131.211.62.0/23

Restrictions on IP address OR username/password

The combination (allow internal users and ask external users for a username and password) is also possible: give both sets of rules and tell the Apache access system to satisfy any of them. Create the same file /users/www/DDD/.htaccess containing:
Order Allow,Deny
Allow from 131.211.80.0/23

AuthUserFile /users/www/staff/DDD/.htpasswd
AuthGroupFile /dev/null
AuthName "Authorisation realm"
AuthType Basic
Require valid-user

Satisfy Any
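
To check which addresses such a rule set lets in without a password, the decision can be modelled in a few lines of Python. This is an added example, not part of the helpdesk page or of Apache; the names parse and decide are hypothetical. It assumes only "Order Allow,Deny" with no Deny lines and Allow arguments written as full addresses or CIDR networks, and it reports any other Allow argument, which is how the words of a same-line "# comment" show up.

```python
import ipaddress

# Constructed sample: the "IP address OR username/password" rules from this page.
HTACCESS = """\
Order Allow,Deny
Allow from 131.211.80.0/23
AuthUserFile /users/www/staff/DDD/.htpasswd
AuthGroupFile /dev/null
AuthName "Authorisation realm"
AuthType Basic
Require valid-user
Satisfy Any
"""

def parse(text):
    """Collect the directives that drive the access decision."""
    rules = {"host_limited": False, "allow": [], "require_user": False,
             "satisfy_any": False, "warnings": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or whole-line comment
        key, args = words[0].lower(), words[1:]
        if key == "order":                # assumption: always "Order Allow,Deny"
            rules["host_limited"] = True
        elif key == "allow" and args and args[0].lower() == "from":
            for arg in args[1:]:
                try:
                    rules["allow"].append(ipaddress.ip_network(arg, strict=False))
                except ValueError:        # e.g. words of a trailing "# comment"
                    rules["warnings"].append(f"line {lineno}: not a network: {arg!r}")
        elif key == "require":
            rules["require_user"] = True
        elif key == "satisfy":
            rules["satisfy_any"] = bool(args) and args[0].lower() == "any"
    return rules

def decide(rules, client_ip, valid_login=False):
    """Return 'allow', 'deny' or 'ask-password' for one request."""
    ip = ipaddress.ip_address(client_ip)
    host_ok = not rules["host_limited"] or any(ip in n for n in rules["allow"])
    if not rules["require_user"]:
        return "allow" if host_ok else "deny"
    if rules["satisfy_any"]:              # either test is enough
        return "allow" if host_ok or valid_login else "ask-password"
    if not host_ok:                       # default Satisfy All: both tests needed
        return "deny"
    return "allow" if valid_login else "ask-password"

if __name__ == "__main__":
    r = parse(HTACCESS)
    for addr in ("131.211.81.200", "131.211.82.1", "192.0.2.1"):
        print(addr, decide(r, addr))
```

Removing the "Satisfy Any" line from the sample shows the default behaviour: outside addresses are then denied outright and inside addresses are still asked for a password.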

Keeping other users from peeking into your files

Sometimes you want the webserver to be able to read your (source) files, but not your fellow staff members. On the Unix command-line, go to the web source directory of the content you need this for, and change the group read access to none:
$ cd /users/www/mysecretproject
$ chmod 705 .

Related pages

Accounts and passwords
BSCW shared workspace server
E-mail
Filesystems
General servers
SSL certificates
Security
Staff account migration ; mail-client configuration and moving mail
Staff account migration to soliscom accounts
Students account migration to soliscom accounts
Webspace

Page source last updated: Tue Nov 30 09:37:28 2010
$Id: webspace-limit.help,v 1.8 2010/11/30 08:37:24 koos Exp $
