How to restrict access to a page

From OCF Help

Revision as of 05:04, 14 May 2007 by Dwc (Talk | contribs)

Because OCF's web servers run on Unix, you can restrict access to your files by setting appropriate file permissions (try man chmod on a Unix shell). However, the web server reads every file as one system user, so file permissions can only hide a page from all browser visitors at once, including yourself; they cannot let some visitors in and keep others out. Unless that is what you want, this is not the way to go.

There are many ways to control who can do what (read; comment, in the case of blogs; or even edit, in the case of a wiki like this one). It can be done at various levels: the system level (Unix file permissions), the web server, or a particular web application.

Using .htaccess

.htaccess files provide the simplest and most general method of restricting access. Follow the directions below to set up access control using usernames and passwords:

  1. Create an .htaccess file in the directory you want to protect. Note that if you place an .htaccess file in one directory it applies to all the subdirectories as well. For example, if you place .htaccess in ~/public_html/area51/ then the same .htaccess applies to ~/public_html/area51/national_security/.
  2. Place the following content in .htaccess (as a text file):
    AuthUserFile /your/web/directory/.htpasswd
    AuthGroupFile /dev/null
    AuthName EnterPassword
    AuthType Basic
    Require user myuser
    

    Be sure to change /your/web/directory/.htpasswd so that it exactly matches your password file name and path. For example, if your username is foobar, and you created .htpasswd in the root of your web directory, it would be something like:

    AuthUserFile /services/http/users/f/foobar/.htpasswd
    

    You should make sure to set correct permissions on this file. You can do so with the following two commands:

    chmod 600 /your/web/directory/.htpasswd
    setfacl -m u:http:4,m:4 /your/web/directory/.htpasswd
    

    These commands allow you to read and write the file and allow the web server to read it. If you are not familiar with these two commands, it would help to learn about file permissions. Don't forget to replace /your/web/directory/.htpasswd with the correct filename. The path needs to be a full path for this to work. To find out the full path of the directory you are in, you can try typing

    pwd

    AuthName is what appears in the username-password dialog, so you may change it to whatever you wish. The last line Require user is for the name of the user who has access to the directory (and it can be any name you want, as long as it's a name in the .htpasswd file, but as a rule of thumb, using only alphanumeric characters is recommended). If you need to have a list of users with access to the directory, change it to Require valid-user with nothing after that.

  3. Create the password file you specified in .htaccess. The format of the file is:
    myuser:[password hash]
    moreuser:[password hash]
    

    where myuser and moreuser are the names of the users. If you specified Require valid-user in .htaccess, all the users in this list will have access to the directory. The password hash is a one-way hash computed from the password you (or the user) have chosen; the password itself is never stored. It is not necessary to create this file by hand; you can generate the file with the htpasswd command.

    To create a new .htpasswd file for authentication:

    conquest [3] htpasswd -c /your/web/directory/.htpasswd myuser
    New password:
    Re-type new password:
    Adding password for user myuser
    

    To add another user to this file, use the same command without the -c switch. To remove a user, edit this file by hand to remove the line starting with the username of the user you want to remove.

That's it! Your website (or a portion of it) is now protected from strangers' prying eyes. Just to be sure, check if it works by opening a page under the directory with a web browser.

Using digest authentication

Unfortunately, simple password protection is not entirely secure. While it does prevent unwanted users from seeing your web pages, Basic authentication sends the password in plain text (only base64-encoded) with every request, and a malicious hacker might be able to sniff it. In order to protect your passwords from hackers, you should use digest authentication. Note that digest authentication protects only the password itself: the pages you serve still travel unencrypted unless they are accessed over HTTPS. In order to set up digest authentication, follow these steps:

  1. Create an .htaccess file in the directory you want to protect. Note that if you place an .htaccess file in one directory it applies to all the subdirectories as well. For example, if you place .htaccess in ~/public_html/area51/ then the same .htaccess applies to ~/public_html/area51/national_security/.
  2. Place the following content in the .htaccess (as a text file)
    AuthDigestFile /your/web/directory/.htpasswd
    AuthGroupFile /dev/null
    AuthDigestDomain /~username/area51/
    AuthName SecretArea
    AuthType Digest
    Require user myuser
    

    The AuthDigestDomain should be the URL to the protected area(s), excluding the server part. Be sure to change /your/web/directory/.htpasswd so that it exactly matches your password file name and path. For example, if your username is foobar and you are trying to protect http://www.ocf.berkeley.edu/~foobar/fortknox/, it would be something like:

    AuthDigestFile /services/http/users/f/foobar/.htpasswd
    AuthDigestDomain /~foobar/fortknox/
    

    You should make sure to set correct permissions on this file. You can do so with the following two commands:

    chmod 600 /your/web/directory/.htpasswd
    setfacl -m u:http:4,m:4 /your/web/directory/.htpasswd
    

    These commands allow you to read and write the file and allow the web server to read it. If you are not familiar with these two commands, it would help to learn about file permissions. Don't forget to replace /your/web/directory/.htpasswd with the correct filename. The path needs to be a full path for this to work. To find out the full path of the directory you are in, you can try typing

    pwd

    AuthName is what appears in the username-password dialog, so you may change it to whatever you wish. Note, however, that with digest authentication AuthName is also the realm stored in the password file, so the two must match exactly. The last line Require user is for the name of the user who has access to the directory (and it can be any name you want, as long as it's a name in the .htpasswd file, but as a rule of thumb, using only alphabet characters, 8 characters or less, is recommended). If you need to have a list of users with access to the directory, change it to Require valid-user with nothing after that.

  3. Create the password file you specified in .htaccess. The format of the file is as follows (but do not create this file by hand):
    myuser:[realm]:[password hash]
    moreuser:[realm]:[password hash]
    

    where myuser and moreuser are the names of the users and realm is the AuthName you specified (in the example above it is SecretArea). If you specified Require valid-user in .htaccess, all the users in this list will have access to the directory. The password hash is a one-way hash derived from the realm and the password you (or the user) have chosen, which is why the realm given to htdigest must match the AuthName in .htaccess. This file is created and maintained with the htdigest command.

    To create a new .htpasswd file for digest authentication:

    conquest [3] htdigest -c /your/web/directory/.htpasswd SecretArea myuser
    Adding password for myuser in realm SecretArea.
    New password:
    Re-type new password:
    

    To add another user to this file, use the same command without the -c switch. To remove a user, edit this file by hand to remove the line starting with the username of the user you want to remove.

That's it! Your website (or a portion of it) is now protected from strangers' prying eyes, and the password no longer crosses the network in plain text. Just to be sure, check if it works by opening a page under the directory with a web browser.
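The most common reason a digest setup from the steps above rejects every login is a realm in the .htpasswd file that does not match AuthName in .htaccess. The following added example (not part of the original wiki page or of Apache's tools) builds .htdigest-format entries the way htdigest does and checks a .htaccess against the password file for that mismatch, for a wrong AuthType, and for Require user names that have no entry; the sample files are constructed here, reusing the foobar paths from the page.

```python
import hashlib

# Constructed sample .htaccess for this example (paths mirror the page's foobar example).
HTACCESS = """AuthDigestFile /services/http/users/f/foobar/.htpasswd
AuthGroupFile /dev/null
AuthDigestDomain /~foobar/fortknox/
AuthName SecretArea
AuthType Digest
Require user myuser
"""

def digest_entry(user, realm, password):
    """One .htdigest line in the form htdigest writes: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def parse_htaccess(text):
    """Map directive name -> value for the one-value-per-directive form used on the page."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip().strip('"')
    return directives

def parse_htdigest(text):
    """Map user -> set of realms that user has an entry for (hashes are not needed here)."""
    realms = {}
    for line in text.splitlines():
        if line.count(":") == 2:
            user, realm, _ha1 = line.split(":")
            realms.setdefault(user, set()).add(realm)
    return realms

def check_config(htaccess_text, htdigest_text):
    """Return a list of problems that would make the digest setup reject every login."""
    d = parse_htaccess(htaccess_text)
    realms = parse_htdigest(htdigest_text)
    problems = []
    if d.get("AuthType") != "Digest":
        problems.append("AuthType must be Digest when using AuthDigestFile")
    realm = d.get("AuthName", "")
    req = d.get("Require", "").split()
    if req[:1] == ["user"]:
        wanted = req[1:]                      # Require user a b c: each name must exist
    else:                                     # Require valid-user: anyone in this realm
        wanted = [u for u, r in realms.items() if realm in r]
        if not wanted:
            problems.append(f"no user has an entry for realm {realm!r}")
    for user in wanted:
        if realm not in realms.get(user, set()):
            problems.append(f"user {user!r} has no entry for realm {realm!r}")
    return problems
```

Run check_config on the real files after editing them by hand (for example after removing a user), since a stray realm or a deleted Require user name fails only at login time.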