DoC Computing Support Group


Restricting access to web pages

If you have web pages that should only be seen by people within Imperial College, or only by particular groups of users within the Department, you can restrict them via the web server's .htaccess mechanism:

General instructions

  • Create a new directory within your public_html directory, e.g. mkdir public_html/secure

  • Make this readable and executable by all in the usual way: chmod a+rx public_html/secure

  • Create a file in this directory called .htaccess (Note: There is a dot at the beginning of the name of this file!), readable by all (so: chmod a+r .htaccess) containing the lines:

SSLRequireSSL
AuthType KerberosV5

After this change your web page will only be accessible as https://www.doc.ic.ac.uk/~yourusername; http://www.doc.ic.ac.uk/~yourusername will no longer work.

Restricting access to Imperial staff and students only

Append the following lines to the .htaccess file you just created:

AuthName "Imperial only"
Require valid-user

This means that to gain access to the pages you put in this directory, the user will be prompted for a Kerberos (i.e. college or legacy DoC Linux) login and password before they can gain access. On current DoC Linux systems, if you already have a Kerberos ticket (which you most likely will if you are using X) then Firefox will use that automatically instead of prompting you. Rest assured that secure authentication still occurs.

Restricting access to a particular set of users

Pages can also be restricted to particular users, or to a Departmental Unix user group, by appending one or both of the following require lines to .htaccess instead of the Require valid-user line above (the RequireAny container means a visitor who matches either line is allowed in):

<RequireAny>
  require user user1 user2 user3
  require group groupname1 groupname2
</RequireAny>

To restrict access to staff only, use the following line instead:

require group doc-staff

Restricting access based on IP address

CSG no longer recommend restricting access based on IP address (for example, allowing access to particular web pages if the visitor is on a DoC workstation). However, if you have a particular need for this, please contact us and we will provide you with an .htaccess recipe.

Web-specific passwords

Up to now, all the secure authentication has been using Kerberos logins. Frankly, we recommend this as it makes sense within DoC and Imperial.

However, you can also protect files with separate, web-specific passwords that you set yourself. This might be useful for sharing secure access with people outside Imperial, because -- of course -- you should never tell anyone a real DoC password!

To do this, the .htaccess file should contain something like:

AuthType basic
AuthName "Password Protected Area"
AuthUserFile /homes/your-username/protected/list
require user username

The AuthUserFile is a list of names and encrypted passwords. It should be stored outside your public_html directory (so it cannot be fetched through the web server), and be publicly readable so that the web server can read it. To make a password file, use the htpasswd program:

        shell1% htpasswd --help
        Usage: htpasswd [-c] passwordfile username

The -c flag creates a new file.

The program will prompt you for the password twice and will add it to the file (or create the file if you use -c).

You can link to the files using both http and https. Note that with AuthType basic the browser sends the password base64-encoded rather than encrypted, so if the password itself needs protecting in transit keep the SSLRequireSSL line from the general instructions, which forces https.
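As an added illustration (not a CSG tool), the following Python checker reads a .htaccess file such as the ones above and flags the pitfalls this guide warns about: a missing AuthType or Require line, AuthType basic without SSLRequireSSL, and an AuthUserFile placed inside public_html. The two sample configurations at the bottom are constructed for the demonstration.

```python
"""Lint a .htaccess file for the pitfalls described in the CSG guide."""


def parse_htaccess(text):
    """Return (directive, argument) pairs with the directive lower-cased.

    Blank lines, comments and container tags such as <RequireAny> are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *rest = line.split(None, 1)
        entries.append((name.lower(), rest[0].strip() if rest else ""))
    return entries


def check_htaccess(text):
    """Return a list of warnings; an empty list means no known pitfall was found."""
    entries = parse_htaccess(text)
    names = {name for name, _ in entries}
    auth_type = next((a.lower() for n, a in entries if n == "authtype"), None)
    user_file = next((a for n, a in entries if n == "authuserfile"), None)
    warnings = []

    if auth_type is None:
        warnings.append("no AuthType: nothing in this directory is protected")
    elif "authname" not in names:
        warnings.append("AuthName missing: no realm for the login prompt")
    if "require" not in names:
        warnings.append("no Require line: no user or group is granted access")
    if auth_type == "basic":
        if "sslrequiressl" not in names:
            warnings.append("AuthType basic without SSLRequireSSL: "
                            "password travels base64-encoded over plain http")
        if user_file is None:
            warnings.append("AuthType basic without AuthUserFile: no password list")
        elif "/public_html/" in user_file:
            warnings.append("AuthUserFile inside public_html: password file is web-accessible")
    return warnings


# Constructed samples: the Kerberos recipe from the guide, and a weak Basic-auth one.
KERBEROS_OK = 'SSLRequireSSL\nAuthType KerberosV5\nAuthName "Imperial only"\nRequire valid-user\n'
BASIC_WEAK = ('AuthType basic\nAuthName "Password Protected Area"\n'
              'AuthUserFile /homes/someone/public_html/list\nrequire user someone\n')

if __name__ == "__main__":
    for label, cfg in (("kerberos", KERBEROS_OK), ("basic", BASIC_WEAK)):
        print(label, check_htaccess(cfg) or ["ok"])
```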

guides/web/security (last edited 2016-04-30 18:56:58 by ldk)