= Restricting access to web pages =

If you have web pages which you think should only be seen by people within Imperial College, or even just particular groups of users within the Department, this can be done via the web server's .htaccess mechanism:

== General instructions ==

 * Create a new directory within your public_html directory, e.g. ~+`mkdir public_html/secure`+~
 * Make this readable and executable by all in the usual way: ~+`chmod a+rx public_html/secure`+~
 * Create a file in this directory called ~+`.htaccess`+~ ('''Note:''' There is a dot at the beginning of the name of this file!), readable by all (so: ~+`chmod a+r .htaccess`+~) containing the lines:

{{{
SSLRequireSSL
AuthType KerberosV5
}}}

Your web-page will only be accessible as {{{https://www.doc.ic.ac.uk/~yourusername}}} after the above change. {{{http://www.doc.ic.ac.uk/~yourusername}}} will not work.

== Restricting access to Imperial staff and students only ==

Append the following lines to the ~+`.htaccess`+~ file you just created:

{{{
AuthName "Imperial only"
Require valid-user
}}}

This means that to gain access to the pages you put in this directory, the user will be prompted for a Kerberos (i.e. college or legacy DoC Linux) login and password before they can gain access.

On current DoC Linux systems, if you already have a Kerberos ticket (which you most likely will if you are using X) then Firefox will use that automatically instead of prompting you. Rest assured that secure authentication still occurs.

== Restricting access to a particular set of users ==

Pages can also be set to only be accessible to particular users, or to a Departmental Unix user group, by appending one or both of the following ~+`require`+~ lines to ~+`.htaccess`+~ instead of the above:

{{{
require user user1 user2 user3
require group groupname1 groupname2
}}}

To restrict access to staff only, use the following line instead:

{{{
require group doc-staff
}}}

== Restricting access based on IP address ==

CSG no longer recommend restricting access based on IP address (for example, allowing access to particular web pages if the visitor is on a DoC workstation). However, if you have a particular need for this, please [[contact|contact us]] and we will provide you with an ~+`.htaccess`+~ recipe.

== Web-specific passwords ==

Up to now, all the secure authentication has been using Kerberos logins. Frankly, we recommend this as it makes sense within DoC and Imperial. However, you can also protect files with separate, web-specific passwords that you set yourself. This might be useful to share secure access with people outside of Imperial, because -- of course -- you should never tell anyone a real DoC password!

To do this, the ~+`.htaccess`+~ file should contain something like:

{{{
AuthType basic
AuthName "Password Protected Area"
AuthUserFile /homes/your-username/protected/list
require user username
}}}

The ~+`AuthUserFile`+~ is a list of names and encrypted passwords. It should be stored '''outside''' your ~+`public_html`+~ directory, and be publicly readable.

To make a password file, use the ~+`htpasswd`+~ program:

{{{
shell1% htpasswd --help
Usage: htpasswd [-c] passwordfile username
}}}

The ~+`-c`+~ flag creates a new file. The program will prompt you for the password twice and will add it to the file (or create the file if you use ~+`-c`+~).

You can link to the files using both http and https.
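
The script below is an added example, not part of the original page or CSG's own tooling: it audits one protected directory against the steps above (permissions, ~+`SSLRequireSSL`+~, ~+`AuthType`+~, a ~+`require`+~ line, and the location of the ~+`AuthUserFile`+~). The names `check_htaccess`, `note`, `has` and `mode` are hypothetical, and the default location of public_html is an assumption. It also reports a missing ~+`SSLRequireSSL`+~ in the web-specific password case, which the sample above omits, because Basic passwords are only base64-encoded on the wire.

```shell
#!/bin/sh
# Added example (hypothetical helper, not CSG tooling): audit one protected
# directory against the steps on this page. Prints each finding and returns
# the number of findings (0 = nothing to fix).
# e.g.  check_htaccess ~/public_html/secure ~/public_html

check_htaccess() {
    dir=$1; webroot=${2:-$HOME/public_html}; f=$dir/.htaccess; n=0
    note() { echo "FINDING: $*"; n=$((n + 1)); }
    has()  { grep -Eiq "^[[:space:]]*$1" "$f"; }  # directive names ignore case
    mode() { ls -ld "$1" | cut -c1-10; }          # e.g. drwxr-xr-x

    [ -f "$f" ] || { note "$f does not exist"; return "$n"; }

    # The web server needs a+rx on the directory and a+r on .htaccess.
    case $(mode "$dir") in dr?xr?xr?x) ;; *) note "$dir is not a+rx" ;; esac
    case $(mode "$f")   in -r??r??r??) ;; *) note "$f is not a+r" ;; esac

    # Without SSLRequireSSL the login can also happen over plain http.
    has 'SSLRequireSSL([[:space:]]|$)' || note "SSLRequireSSL missing"
    has 'AuthType[[:space:]]+[^[:space:]]' || note "AuthType missing"
    # AuthType only picks the mechanism; a require line says who gets in.
    has 'Require[[:space:]]+(valid-user|user[[:space:]]|group[[:space:]])' ||
        note "no require valid-user/user/group line"

    # Basic auth: password file must exist, be a+r, and sit outside public_html.
    if has 'AuthType[[:space:]]+basic'; then
        pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$f")
        if [ -z "$pw" ]; then
            note "AuthType basic without AuthUserFile"
        elif [ ! -f "$pw" ]; then
            note "AuthUserFile $pw does not exist"
        else
            # Resolve directory symlinks before comparing the two paths.
            real=$(cd "$(dirname "$pw")" && pwd -P)/$(basename "$pw")
            root=$(cd "$webroot" 2>/dev/null && pwd -P) || root=$webroot
            case $real in "$root"/*) note "$pw is inside public_html" ;; esac
            case $(mode "$pw") in -r??r??r??) ;; *) note "$pw is not a+r" ;; esac
        fi
    fi
    return "$n"
}
```

Source the file and call `check_htaccess` on each protected directory; a return value of 0 means every check passed.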