Restrict Access to Web Pages
home / how-to / htaccess
Restrict Access to Web Pages Using .htaccess
By default, documents you make available via the U-M Web
Servers www.umich.edu and www-personal.umich.edu are readable
by anyone with access to the World Wide Web, which means that
many, many people can view your pages. They are also
accessible via AFS, a global file system in use here at the
University of Michigan.
In some cases, you may want to restrict access to your
pages. The options available currently are:
You may restrict access to users within
a certain internet domain. For example, you can
specify that only users whose domain names end in
umich.edu may access your pages. You may also
specify that only users on certain IP subnets may
access your pages.
You should be aware that restricting access
based on internet domain or IP address is not
bulletproof, and should not be relied upon for
You can restrict access based on a
username/password pair. Note that this username and
password are completely separate from the U-M's
uniqname/kerberos database, and must be maintained by you.
The usernames and password are sent as plain text (not
encrypted) over the network, and are therefore susceptible
to network eavesdroppers.
This method is not very secure, though it is
documented here. It should not be used for very
sensitive data. It should work, however, and the
htpasswd command, which is used to manage the password
files, is available on the ITS login servers. (For more
information, try the 'man htpasswd' command).
This document assumes that you are familiar with World
Wide Web concepts, and that you know enough UNIX to log
onto the ITS login service and create, navigate around,
and list your directories. If you don't know how to do
these things, please review the
Directions for Restricting Access
Access control may only be specified on a
per-directory basis, so you will need to
first create a directory underneath your
Public/html directory in IFS to hold your
access-controlled documents. Copy your
documents to this directory.
You should reset your AFS Access
Control Lists (ACLs) for the newly-created directory.
By default, any directories created underneath
~/Public/html inherit ACLs which allow any AFS client to
read your files.
To reset your ACLs, issue the following
command within the directory you are setting up:
fs sa . umweb:servers read system:anyuser none
This command makes it so that only
"umweb:servers" may read your files. The
www.umich.edu web server authenticates as user
"umweb:servers" so it can read files in directories
permitted in this fashion. Permitting your web
directories in this fashion prevents access to
pages from most users, but allows the web
servers to provide access control.
Every directory protected this way should have
an index.html file that is given out when a
request is made for a list of files in the
directory. Without that file, a request for
the directory will list all of the files in the
Create a file named .htaccess within your directory (note
the leading period). This file is consulted by the Web
server to determine whether or not to allow access.
Note: This file can NOT be created with an
editor (like SimpleText) on a Macintosh. You
will have to create this file by connecting to
a unix machine and editting the file with vi,
emacs, or pico. This is because of the way
that the IFS Translators deal with files that
start with a period.
Restricting access by domain
Below is an example, of an .htaccess file which allows
anyone on the U-M campus, or anyone connecting via a
Michnet dial-in line to access documents in the directory:
deny from all
allow from .umich.edu
allow from .mich.net
In the case of the example .htaccess file (above) which
restricts access to umich.edu and mich.net addresses,
only hosts which have a valid domain name
registered in the Domain Name System (DNS) will be
allowed access. If you wish to also allow access to
U-M hosts without a DNS entry, you can include the
following lines in the .htaccess file (in addition to
the existing lines in the example):
allow from 141.211
allow from 141.212
allow from 141.213
allow from 141.214
allow from 141.215
allow from 141.216
These numbers are the network numbers for,
respectively, the U-M Ann Arbor central campus ring,
the U-M North Campus ring, the U-M EECS dept, the
Medical Center, and the Dearborn and Flint campuses.
These additional lines must be after the order
directive and before the
Restricting Access by User/Password Pair
Restricting access based on username and password
pairs operate in a very similar manner to IP
Here is an example .htaccess file which allows user
"pumpkin" to access documents in the directory ~umweb/Public/html/how-to/htacccess.sample:
require user pumpkin
- The first line is the password file to use for
authentication. Note that the password file should be in
another directory from the .htaccess file. This is so that
someone can't look at your password file and attempt to crack
the passwords in it. It would probably be best to not have
the password file in your Public/html directory anywhere, but
rather put it in another directory that the web servers can
- The second line is the group file. In this case, it's set to a
null file, because we aren't restricting access by group. In most
cases, this file will be not be needed, and if it is, it will be kept
with the password file.
- The third line gives the Realm name for which protection is
provided. It should be set to something descriptive for the protected
pages. This name can't use spaces.
- The fourth line specifies basic HTTPd authentication.
- Between the <Limit GET> and </Limit> lines, there can be any number of
require lines. Each can require a user, or a group of users
specified in the group file.
You should next create a password file, in the
location that you specified for the AuthUserFile value. You can do this
with the htpasswd command on the login.itd.umich.edu servers:
htpasswd -c htpasswords pumpkin
The "-c" on that line tells htpasswd to create the
file, and the command should be run in the directory
specified for the password file.
You can add users to the password file with the command:
htpasswd htpasswords newuser
Note: You should NOT use your Kerberos password
here. This is because of the inherent insecurity of
this method of authentication, and the fact that anyone
can "sniff" your password off the network. If you use
your Kerberos password, someone could seriously abuse
your computing account, files, mail, etc.
Sample Restricting Access
is an example of a page restricted to the username
pumpkin, with password pie.
Further documentation can be found in the Apache
.htaccess files documentation.