Wednesday April 23 2014
information technology central services at the university of michigan


Restrict Access to Web Pages Using .htaccess

By default, documents you make available via the U-M Web Servers www.umich.edu and www-personal.umich.edu are readable by anyone with access to the World Wide Web, which means that many, many people can view your pages. They are also accessible via AFS, a global file system in use here at the University of Michigan.

In some cases, you may want to restrict access to your pages. The options available currently are:

  1. You may restrict access to users within a certain internet domain. For example, you can specify that only users whose domain names end in umich.edu may access your pages. You may also specify that only users on certain IP subnets may access your pages.

    You should be aware that restricting access based on internet domain or IP address is not bulletproof, and should not be relied upon for sensitive data.
  2. You can restrict access based on a username/password pair. Note that this username and password are completely separate from U-M's uniqname/Kerberos database, and must be maintained by you. The usernames and passwords are sent as plain text (not encrypted) over the network, and are therefore susceptible to network eavesdroppers.

    This method is not very secure, though it is documented here. It should not be used for very sensitive data. It should work, however, and the htpasswd command, which is used to manage the password files, is available on the ITD login servers. (For more information, try the 'man htpasswd' command).

This document assumes that you are familiar with World Wide Web concepts, and that you know enough UNIX to log onto the ITD login service and create, navigate around, and list your directories. If you don't know how to do these things, please review the ITD Online Documentation or attend ITD Workshops on these subjects.

Directions for Restricting Access

  1. Access control may only be specified on a per-directory basis, so you will need to first create a directory underneath your Public/html directory in IFS to hold your access-controlled documents. Copy your documents to this directory.
  2. You should reset your AFS Access Control Lists (ACLs) for the newly-created directory. By default, any directories created underneath ~/Public/html inherit ACLs which allow any AFS client to read your files.

    To reset your ACLs, issue the following command within the directory you are setting up:
    fs sa . umweb:servers read system:anyuser none
    This command makes it so that only "umweb:servers" may read your files. The www.umich.edu web server authenticates as user "umweb:servers" so it can read files in directories permitted in this fashion. Permitting your web directories in this fashion prevents access to pages from most users, but allows the web servers to provide access control.
  3. Every directory protected this way should have an index.html file that is given out when a request is made for a list of files in the directory. Without that file, a request for the directory will list all of the files in the directory.
  4. Create a file named .htaccess within your directory (note the leading period). This file is consulted by the Web server to determine whether or not to allow access.

Note: This file can NOT be created with an editor (like SimpleText) on a Macintosh. You will have to create this file by connecting to a Unix machine and editing the file with vi, emacs, or pico. This is because of the way that the IFS Translators deal with files that start with a period.

Restricting access by domain

Below is an example of an .htaccess file which allows anyone on the U-M campus, or anyone connecting via a Michnet dial-in line, to access documents in the directory:

AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .umich.edu
allow from .mich.net
</Limit>

In the case of the example .htaccess file (above) which restricts access to umich.edu and mich.net addresses, only hosts which have a valid domain name registered in the Domain Name System (DNS) will be allowed access. If you wish to also allow access to U-M hosts without a DNS entry, you can include the following lines in the .htaccess file (in addition to the existing lines in the example):

allow from 141.211
allow from 141.212
allow from 141.213
allow from 141.214
allow from 141.215
allow from 141.216

These numbers are the network numbers for, respectively, the U-M Ann Arbor central campus ring, the U-M North Campus ring, the U-M EECS dept, the Medical Center, and the Dearborn and Flint campuses.

These additional lines must be after the order directive and before the </Limit> tag.
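The decision the web server makes from the order/deny/allow lines above is easy to get wrong, so here is a small evaluator (an added example, not code from this page or from Apache) that reproduces the host-access semantics of the classic Apache access module for a parsed <Limit> block. It assumes that a domain pattern such as .umich.edu can only match when the client's address already resolved to a name through reverse DNS (the caveat about hosts without a DNS entry), and that a partial address such as 141.211 is a prefix of whole octets. The .htaccess text and the client addresses are constructed for the demonstration; the evaluator also handles "order allow,deny" and CIDR patterns, which the page does not show.

```python
"""Evaluate the 'order' / 'allow from' / 'deny from' rules of an .htaccess file.

Added example (not from the original page or from Apache): reproduces the
host-access decision of the classic Apache mod_access module so you can check
which clients a given <Limit> block admits.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed .htaccess text modelled on the page's example, plus two of the
# network-number lines the page suggests adding for hosts without DNS entries.
SAMPLE_HTACCESS = """\
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .umich.edu
allow from .mich.net
allow from 141.211
allow from 141.212
</Limit>
"""


@dataclass
class AccessRules:
    order: str = "deny,allow"          # Apache's default when no 'order' line is given
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


def parse_limit_block(text: str) -> AccessRules:
    """Collect order/allow/deny directives found inside <Limit ...> ... </Limit>."""
    rules = AccessRules()
    in_limit = False
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"<limit\b", line, re.IGNORECASE):
            in_limit = True
            continue
        if line.lower() == "</limit>":
            in_limit = False
            continue
        if not in_limit or not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order":
            rules.order = "".join(parts[1:]).lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            getattr(rules, directive).extend(parts[2:])
    return rules


def _matches(pattern: str, ip: str, host: Optional[str]) -> bool:
    """Test one 'from' argument (all, CIDR, partial IP, or domain suffix) against a client."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                                   # CIDR, e.g. 141.211.0.0/16
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if re.fullmatch(r"[0-9.]+", pattern):                # whole or partial dotted quad
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    if host is None:                                     # no reverse-DNS name: a domain cannot match
        return False
    name = host.lower().rstrip(".")
    suffix = pattern if pattern.startswith(".") else "." + pattern
    return name == pattern.lstrip(".") or name.endswith(suffix)


def is_allowed(rules: AccessRules, ip: str, host: Optional[str] = None) -> bool:
    """Apply the mod_access decision procedure to one client (address, optional PTR name)."""
    allowed = any(_matches(p, ip, host) for p in rules.allow)
    denied = any(_matches(p, ip, host) for p in rules.deny)
    if rules.order == "deny,allow":
        # Deny rules first, then Allow; an Allow match overrides a Deny match,
        # and a client matching neither list is admitted.
        return allowed or not denied
    if rules.order in ("allow,deny", "mutual-failure"):
        # Allow rules first (one must match), then Deny; a Deny match wins,
        # and a client matching neither list is refused.
        return allowed and not denied
    raise ValueError(f"unsupported order: {rules.order}")


if __name__ == "__main__":
    rules = parse_limit_block(SAMPLE_HTACCESS)
    for ip, host in [("141.211.5.6", None), ("192.0.2.10", "pc.umich.edu"),
                     ("192.0.2.10", None), ("192.0.2.10", "umich.edu.example.org")]:
        verdict = "allow" if is_allowed(rules, ip, host) else "deny"
        print(f"{ip:14} {host or '(no PTR record)':24} -> {verdict}")
```

Note what the last two sample clients show: a campus machine whose address has no reverse DNS entry is refused unless one of the numeric network lines covers it, and a name that merely contains "umich.edu" in the middle does not match, because the suffix check is anchored at the end of the name.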

Restricting Access by User/Password Pair

Restricting access based on username/password pairs works in a very similar manner to restricting access by IP address.

Here is an example .htaccess file which allows user "pumpkin" to access documents in the directory ~umweb/Public/html/how-to/htacccess.sample:

AuthUserFile /afs/umich.edu/group/itd/umweb/Private/htpasswords
AuthGroupFile /dev/null
AuthName UMWebSample
AuthType Basic

<Limit GET>
require user pumpkin
</Limit>
  • The first line is the password file to use for authentication. Note that the password file should be in another directory from the .htaccess file. This is so that someone can't look at your password file and attempt to crack the passwords in it. It would probably be best to not have the password file in your Public/html directory anywhere, but rather put it in another directory that the web servers can access.
  • The second line is the group file. In this case, it's set to a null file, because we aren't restricting access by group. In most cases, this file will not be needed, and if it is, it will be kept with the password file.
  • The third line gives the Realm name for which protection is provided. It should be set to something descriptive for the protected pages. This name can't use spaces.
  • The fourth line specifies basic HTTPd authentication.
  • Between the <Limit GET> and </Limit> lines, there can be any number of require lines. Each can require a user, or a group of users specified in the group file.

You should next create a password file, in the location that you specified for the AuthUserFile value. You can do this with the htpasswd command on the login.itd.umich.edu servers:

htpasswd -c htpasswords pumpkin

The "-c" on that line tells htpasswd to create the file, and the command should be run in the directory specified for the password file.

You can add users to the password file with the command:

htpasswd htpasswords newuser

Note: You should NOT use your Kerberos password here. This is because of the inherent insecurity of this method of authentication, and the fact that anyone can "sniff" your password off the network. If you use your Kerberos password, someone could seriously abuse your computing account, files, mail, etc.
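To make the warning above concrete, here is an added example (not code from this page, and not Apache's own implementation) that shows both halves of Basic authentication as the .htaccess/htpasswd setup uses it: what a browser actually puts in the Authorization header for the page's sample user "pumpkin" with password "pie", and how a server checks that header against an htpasswd file and a "require user" list, issuing the realm challenge from AuthName when credentials are missing or wrong. The header is only base64-encoded, which is why the page calls the scheme plain text. One assumption: the password lines use htpasswd's {SHA} format (its -s option) rather than the crypt(3) format of the page's era, so the check runs with only the Python standard library; the second user "squash" and the password file contents are constructed for the demonstration.

```python
"""Basic authentication as used by the page's .htaccess/htpasswd setup.

Added example, not from the original page or from Apache. Shows what the
client sends, what a server does with it, and why the page treats the
credentials as plain text on the network.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

REALM = "UMWebSample"          # the page's AuthName value


def build_basic_authorization(user: str, password: str) -> str:
    """What the client sends: 'Basic ' + base64(user:password). Encoding only, no secrecy."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Recover user and password from an Authorization header, exactly as the
    server does; the page's warning is that anyone who can read the request
    on the wire can do the same, since base64 is not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def make_htpasswd_line(user: str, password: str) -> str:
    """One line in 'htpasswd -s' format: user:{SHA}base64(sha1(password)).
    Assumption of this example; the page's htpasswd of the time used crypt(3)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash field, ignoring blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


def check_password(stored: str, password: str) -> bool:
    """Verify a {SHA} entry with a constant-time comparison."""
    if not stored.startswith("{SHA}"):
        return False                      # other htpasswd formats are outside this example
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authorize(headers: Dict[str, str], htpasswd_text: str,
              required_users: List[str]) -> Tuple[int, Dict[str, str]]:
    """Server side of 'AuthType Basic' + 'require user ...': returns (status, response headers)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = decode_basic_authorization(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge                       # no usable credentials: ask for them
    user, password = creds
    stored = load_htpasswd(htpasswd_text).get(user)
    if stored is None or not check_password(stored, password):
        return 401, challenge                       # unknown user or wrong password
    if user not in required_users:
        return 403, {}                              # valid login, but not in the require list
    return 200, {}


# Constructed password file with two users, as 'htpasswd -s' would write it.
SAMPLE_HTPASSWD = (make_htpasswd_line("pumpkin", "pie") + "\n"
                   + make_htpasswd_line("squash", "soup") + "\n")

if __name__ == "__main__":
    header = build_basic_authorization("pumpkin", "pie")
    print("client sends:           ", header)
    print("readable on the wire as:", decode_basic_authorization(header))
    print("server decision:        ", authorize({"Authorization": header}, SAMPLE_HTPASSWD, ["pumpkin"]))
```

The password file stores only a digest, so a reader of that file does not get the password outright (which is why the page keeps it out of Public/html), but the request itself carries the password in the clear on every access; that, not the file, is what the note about Kerberos passwords is guarding against.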

Sample Restricting Access

Here is an example of a page restricted to the username pumpkin, with password pie.

Further documentation can be found in the Apache .htaccess files documentation.