
Web page access control

General Information

If you have an ICS UNIX account, you can create your own personal web page. For more information or help getting started, see Creating Your Own Web Space.

The remainder of this document assumes you have already created your own personal web space and that you are familiar with where to locate your web documents and what URLs to use to access those documents.


Access Control Features

ICS runs the Apache Web Server which allows you to control web access to part or all of your personal web space. You can control access to your web space based on the following criteria:

  • Username/password-level access authorization.
  • Rejection or acceptance of connections based on Internet address of client.
  • A combination of the above two methods.

Access control for a given directory is controlled by a file named .htaccess which resides in that directory. The web server consults this file on each access to a document located in that directory or one of its subdirectories.

Note that your web files in your public_html directory (including the .htaccess file) must be readable by the web server itself. This means that those files will also be readable by any other ICS UNIX user -- you can't use the web server access control features to prevent local users from reading your web files directly through the network filesystem.


By-Password Authentication

With by-password authentication, web access to your documents is allowed only to users with an authorized username and password.

Important Note: There is no correspondence between usernames and passwords on specific UNIX systems (i.e., your UNIX login name and password) and usernames and passwords in the authentication schemes we're discussing for use in the Web. As illustrated in the examples, Web-based authentication uses similar but wholly distinct password files; it is not necessary to have an actual account on a given UNIX system in order to be validated for access to files which are served from that system and protected with by-password authentication.

So let's suppose you want to restrict files in your public_html/turkey directory to username pumpkin and password pie. Here's what to do:

  1. Create a file called .htaccess in directory public_html/turkey that looks like this:


    AuthUserFile /home/yourname/.htpasswd
    AuthGroupFile /dev/null
    AuthName ExampleByPassword
    AuthType Basic
    
    <Limit GET>
    require user pumpkin
    </Limit>
      

    Note that the password file (.htpasswd) will be in your home directory, not the directory where your web pages are located. This keeps it outside the document tree, so the web server never serves it to web clients.

    Also note that in this case there is no group file, so we specify /dev/null (the standard UNIX way to say "this file doesn't exist").

    AuthName is called the authorization realm for this directory. Its value can be anything you want. This authorization realm value is displayed by users' web browsers so that they know which username and password to send.

    AuthType should always currently be Basic.

    Note also that the <Limit GET> section restricts only GET requests (Apache treats HEAD as GET); other methods such as POST are left unprotected. For ordinary static pages it is safer to put the require line directly in the .htaccess file, outside any <Limit> section, so that it applies to every request method.

  2. Create the password file /home/yourname/.htpasswd.

    The easiest way to do this is to use the htpasswd program. (If you haven't already loaded the apache module, you'll have to load it first to access htpasswd.) The -c flag creates the file, overwriting it if it already exists, so use it only the first time. Do this:


    % module load apache
    % htpasswd -c /home/yourname/.htpasswd pumpkin
        

    Type the password -- pie -- twice as instructed.

    Check the resulting file to get a warm feeling of self-satisfaction. It holds a one-way hash of the password, not the password itself; the exact form depends on your version of htpasswd (the traditional crypt() form is shown here, and newer versions offer stronger hashes such as bcrypt via the -B flag). It should look something like this:


    pumpkin:y1ia3tjWkhCK2
        

That's all. Now try to access a file in http://www.ics.uci.edu/~yourname/turkey -- your web browser should demand a username and password, and not give you access to the file if you don't enter pumpkin and pie. If you are using a web browser that doesn't handle authentication (which is unlikely, but possible), you will not be able to access the document at all.


How Secure Is It?

The password is passed over the network base64-encoded, not encrypted. Anyone watching packet traffic on the network will not see the password in the clear, but base64 is a reversible encoding rather than a cipher, so anyone who catches the right network packet can decode it instantly. Only an encrypted connection (HTTPS) prevents this.

Your web browser will keep track of any authorization realm names, usernames and passwords that it asks you for. Then, the next time you access a restricted web page in the same authorization realm on the same server, your web browser does not have to ask you again for a username and password; it just gives the web server the ones you gave it earlier.

Since your web browser will resend these usernames and passwords automatically, and since they cross the network in a form anyone can decode, you should not use the same username and password for web-based authentication that you use to login to your computer account.
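As an added illustration of the point above (example code written for this page, not part of the original tutorial or of Apache), here is what a Basic authentication exchange looks like from both ends: the Authorization header a browser builds for the pumpkin/pie login, the decoding that anyone who captures that packet can do, and the check the server performs against the password file. The .htpasswd contents are constructed for the example and use the {SHA} format that htpasswd -s writes (the crypt() entry shown earlier, and the $apr1$ and bcrypt forms, are not implemented here); all function names are the example's own.

```python
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Return the {SHA} field that `htpasswd -s` writes: base64(sha1(password)).
    This is one of several formats an .htpasswd file may hold; the crypt(),
    $apr1$ and bcrypt forms are not implemented in this example."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed sample .htpasswd contents for this example (generated here so the
# code runs offline; a real file would be written by the htpasswd program).
HTPASSWD_TEXT = "\n".join([
    "pumpkin:" + sha_entry("pie"),
    "peanuts:" + sha_entry("salted"),
])


def authorization_value(user: str, password: str) -> str:
    """What the browser puts in the Authorization header for Basic auth:
    the literal 'user:password', base64-encoded, with no secrecy at all."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_authorization(value: str):
    """Recover (user, password) from an Authorization header value, exactly as
    anyone who captured the packet could. Returns None for anything that is
    not a well-formed Basic credential."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8 (binascii.Error is a ValueError)
        return None
    # Split at the first colon only: the user-id may not contain one, but the
    # password may.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def load_htpasswd(text: str) -> dict:
    """Parse 'user:hash' lines into a dict, ignoring blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        user, sep, stored = line.strip().partition(":")
        if sep and user:
            entries[user] = stored
    return entries


def verify_password(user: str, password: str, entries: dict) -> bool:
    """Server side: hash the offered password and compare it to the stored
    {SHA} entry in constant time."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash format this example does not handle
    return hmac.compare_digest(sha_entry(password).encode(), stored.encode())


def authenticate(value: str, entries: dict):
    """Server side: turn an Authorization header value into a username, or None."""
    creds = decode_authorization(value)
    if creds is None:
        return None
    user, password = creds
    return user if verify_password(user, password, entries) else None


if __name__ == "__main__":
    entries = load_htpasswd(HTPASSWD_TEXT)
    sent = authorization_value("pumpkin", "pie")
    print("browser sends:    Authorization:", sent)
    print("sniffer recovers:", decode_authorization(sent))
    print("server accepts:  ", authenticate(sent, entries))
```

Running the script prints the header the browser sends, the username and password recovered from it by simple decoding, and the server's decision. The comparison uses hmac.compare_digest so that a wrong guess does not leak timing information; the hashing of the stored password is the only part of the exchange that Basic authentication leaves to the server to get right.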


Multiple Usernames/Passwords

If you want to give access to a directory to more than one username/password pair, follow the same steps as for a single username/password with the following additions:

  1. Add additional users to your .htpasswd file.

    Use the htpasswd command without the -c flag to add additional users (with -c it would recreate the file and throw away pumpkin's entry); e.g.:


    % htpasswd /home/yourname/.htpasswd peanuts
    % htpasswd /home/yourname/.htpasswd almonds
    % htpasswd /home/yourname/.htpasswd walnuts
      

  2. Create a group file.

    Call it /home/yourname/.htgroup and have it look something like this:


    my-users: pumpkin peanuts almonds walnuts
        

    ... where pumpkin, peanuts, almonds, and walnuts are the usernames.

  3. Then modify the .htaccess file in the directory to look like this:


    AuthUserFile /home/yourname/.htpasswd
    AuthGroupFile /home/yourname/.htgroup
    AuthName ExampleByPassword
    AuthType Basic
    
    <Limit GET>
    require group my-users
    </Limit>
            

    Note that AuthGroupFile now points to your group file and that group my-users (rather than individual user pumpkin) is now required for access.

That's it. Now any user in group my-users can use his/her individual username and password to gain access to directory turkey.


Internet Address Authentication

With internet address authentication, web access to your documents is allowed or denied according to the internet address (and reverse DNS name) of the host the web browser is running on. Note that this is access control by client address rather than authentication of a person: anyone who can make requests from a permitted host, including other users of a shared machine or a proxy, gets in.

Let's suppose you want to restrict files in your public_html/local directory to clients running on machines inside domain ics.uci.edu.

  • Create a file called .htaccess in directory public_html/local that looks like this:


    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName ExampleAllowFromICS
    AuthType Basic
    
    <Limit GET>
    order deny,allow
    deny from all
    allow from .ics.uci.edu
    </Limit>
      

That's all. Now try to access a file in http://www.ics.uci.edu/~yourname/local -- if your web browser is running on a client in the ics.uci.edu domain, you should be able to access the page. Clients not in the ics.uci.edu domain will receive an error when they try to access the page.

Two caveats. Matching on a domain name requires the web server to look up the client's address in reverse DNS (Apache confirms the result with a forward lookup), so a client whose address has no valid reverse mapping will not match a domain-name rule even if it really is inside the domain; matching on an address range is more reliable. Also, order, allow and deny are the Apache 1.x/2.2 syntax; Apache 2.4 accepts them only through mod_access_compat and otherwise uses Require host and Require ip instead.


Internet Address Authentication -- Exclusion

Let's suppose you want to restrict files in your public_html/remote directory to clients running on machines not inside the ics.uci.edu domain.

  • Create a file called .htaccess in directory public_html/remote that looks like this:


    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName ExampleDenyFromICS
    AuthType Basic
    
    <Limit GET>
    order allow,deny
    allow from all
    deny from .ics.uci.edu
    </Limit>
      

That's all. Now try to access a file in http://www.ics.uci.edu/~yourname/remote -- if your web browser is running on a client in the ics.uci.edu domain, you should receive an error when you try to access the page. Clients not in the ics.uci.edu domain should be able to access the page.
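The outcome of these two configurations depends on how Order, Allow and Deny interact, which is easy to get wrong. The following added example (written for this page, not part of the original tutorial or of Apache) models those semantics in Python, runs the two .htaccess fragments above against constructed clients, and goes a little beyond the page: it also handles address ranges in CIDR form and partial dotted prefixes, and shows the common mistake of writing only an allow line under the default Order Deny,Allow, which lets everyone in. The client addresses are RFC 5737 documentation addresses, a hostname of None stands for a client whose reverse DNS lookup the server could not verify, and all function names are the example's own.

```python
import ipaddress


def host_matches(rule: str, hostname) -> bool:
    """(Partial) domain-name match as used by Allow/Deny: the rule must match
    the whole name or whole trailing components, so 'uci.edu' matches
    'lab.uci.edu' but not 'notuci.edu', and '.ics.uci.edu' matches hosts
    below that domain but not the bare name. A hostname of None means the
    server could not verify the client's reverse DNS name, in which case no
    hostname rule can match."""
    if hostname is None:
        return False
    rule, hostname = rule.lower(), hostname.lower().rstrip(".")
    if len(hostname) < len(rule) or not hostname.endswith(rule):
        return False
    if len(hostname) == len(rule):
        return True
    return rule.startswith(".") or hostname[-len(rule) - 1] == "."


def ip_matches(rule: str, ip: str) -> bool:
    """Full address, CIDR or netmask form (192.0.2.0/24), or a partial dotted
    prefix such as 192.0.2, which must match whole octets."""
    if "/" in rule or ":" in rule:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
        except ValueError:
            return False
    return ip == rule or ip.startswith(rule + ".")


def rule_matches(rule: str, client: dict) -> bool:
    """Apply one 'allow from'/'deny from' argument to a client."""
    if rule == "all":
        return True
    if "/" in rule or ":" in rule or all(c.isdigit() or c == "." for c in rule):
        return ip_matches(rule, client["ip"])
    return host_matches(rule, client.get("hostname"))


def parse_policy(text: str) -> dict:
    """Pick the order / allow from / deny from lines out of an .htaccess
    fragment (other directives are ignored). Apache's default is Order Deny,Allow."""
    policy = {"order": "deny,allow", "allow": [], "deny": []}
    for line in text.splitlines():
        words = line.strip().split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "order" and len(words) == 2:
            policy["order"] = words[1].lower()
        elif keyword in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            policy[keyword].extend(w.lower() for w in words[2:])
    return policy


def access_allowed(policy: dict, client: dict) -> bool:
    """Decide access the way Order Deny,Allow and Order Allow,Deny do."""
    allowed = any(rule_matches(r, client) for r in policy["allow"])
    denied = any(rule_matches(r, client) for r in policy["deny"])
    if policy["order"] == "deny,allow":
        # Deny rules are applied first and Allow rules override them;
        # a client matching neither list is allowed.
        return allowed or not denied
    if policy["order"] in ("allow,deny", "mutual-failure"):
        # Allow rules are applied first and Deny rules override them;
        # a client matching neither list is denied.
        return allowed and not denied
    raise ValueError("unknown Order value: " + policy["order"])


# The two .htaccess fragments from the tutorial.
ICS_ONLY = """
order deny,allow
deny from all
allow from .ics.uci.edu
"""

NOT_ICS = """
order allow,deny
allow from all
deny from .ics.uci.edu
"""

# Constructed clients (RFC 5737 documentation addresses); hostname is None
# when the reverse DNS lookup failed or could not be confirmed.
INSIDE = {"ip": "192.0.2.10", "hostname": "lab.ics.uci.edu"}
OUTSIDE = {"ip": "198.51.100.7", "hostname": "www.example.com"}
NO_RDNS = {"ip": "192.0.2.11", "hostname": None}
LOOKALIKE = {"ip": "198.51.100.8", "hostname": "ics.uci.edu.example.com"}

if __name__ == "__main__":
    clients = (("inside", INSIDE), ("outside", OUTSIDE),
               ("no rDNS", NO_RDNS), ("lookalike", LOOKALIKE))
    for name, text in (("ICS_ONLY", ICS_ONLY), ("NOT_ICS", NOT_ICS)):
        policy = parse_policy(text)
        for label, client in clients:
            verdict = "allow" if access_allowed(policy, client) else "deny"
            print(f"{name:8} {label:9} -> {verdict}")
```

The NO_RDNS client is the instructive case: it is inside the address block but is denied by the ICS-only policy and admitted by the exclusion policy, because a domain-name rule can only ever match a client whose reverse name the server could verify. The LOOKALIKE client shows why the match is made on whole domain components rather than on a string suffix.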


Acknowledgements

This tutorial is based heavily on work done by Ari Luotonen at CERN and Rob McCool at NCSA.


For More Information