Restricting Access to Web Pages

Note: the methods described here are still available and still work, but University policy requires the use of the Central Authentication Service (CAS) protocol for authentication of members of the campus community. See our page on CAS for more information.

.htaccess/.htpasswd

This tutorial covers web-based user authentication using htaccess. Web-based authentication denies web access to visitors who do not give a valid username and password. This feature allows people to restrict access to certain directories.

The following is an example use of the .htaccess file. Let's assume that it resides at /u/username/public_html/restricted/.htaccess

# Where the web server finds the username/password file (see the note below on why
# the public_html part of the path is omitted)
AuthUserFile /u/username/restricted/.htpasswd
AuthGroupFile /dev/null
# Realm name shown in the browser's login prompt; quote it if it contains spaces
AuthName Test
AuthType Basic

# <Limit> applies the requirement only to the listed methods (GET also covers HEAD);
# methods that are not listed stay unrestricted
<Limit GET POST>
require valid-user
</Limit>

## If we're doing auth, require SSL
## (Basic auth sends the password base64-encoded, not encrypted)
## Note: in a .htaccess context mod_rewrite runs after the authentication phase,
## so the first 401 challenge can still go out over plain HTTP; SSLRequireSSL in
## this file refuses non-HTTPS requests outright.
RewriteEngine   On
RewriteCond     %{HTTPS} off
RewriteRule     (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting <http://www.cs.princeton.edu/~username/restricted> would be presented with an authentication request similar to the one at the left.

The .htaccess file also affects directories recursively below it. Therefore, requesting <http://www.cs.princeton.edu/~username/restricted/stillsecure/> would yield the same authentication request unless ~username/restricted/stillsecure had a .htaccess file of its own.

The first line, starting with AuthUserFile, tells the web server where to find your username/password file. We'll create that file in a minute. For now, change the AuthUserFile line as necessary for your use. Note that the path specified for the .htpasswd file differs from what you might expect. Because of the security configuration of the web server that handles home directory web spaces, the "public_html" or "htdocs" portion of the path is omitted: your web directory is mounted as though it were your home directory.

Notice that the AuthName in the example, "Test," is used in the authentication request. This is an arbitrary string which you can use to identify the site for users, for example "Restricted Documents". Note that any string you use that contains spaces must have double quotes around it.

Using your favorite text editor, create a file similar to the example, replacing AuthUserFile and AuthName with values for your situation. Be sure to name the file .htaccess.

Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll create the .htpasswd file named in the AuthUserFile line above.

To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /u/username/public_html/restricted. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory. (Note: for further information on htpasswd, check out the man page.)

Type htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then ask you to type it again to confirm it. You will not see the password as you enter it:

soak:/u/username/public_html/restricted%
htpasswd -c .htpasswd username
Adding password for username.
New password:
password
Re-type new password:
password

To add more users in the future, use the same command without the -c switch: htpasswd .htpasswd bob will add username "bob" to your .htpasswd file.

To delete users, open the .htpasswd file in a text editor and delete the appropriate lines:

username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
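The page edits .htpasswd by hand. The following is an added example (not part of the original page or of the htpasswd tool) that does the same bookkeeping programmatically: it parses the file, names the hash scheme of each entry from the shape of the stored hash, flags the schemes worth re-hashing, and removes a user. The first two sample entries are the page's own example lines; the other three hashes are constructed placeholders in the right format only and do not correspond to any real password.

```python
"""Audit and edit an Apache .htpasswd file (added example, not from the page).

Every line is ``user:hash``.  The shape of the hash tells you which scheme
htpasswd used.  Legacy crypt(3) entries (13 characters, no prefix, like the
two on the page) are DES-based and use only the first 8 bytes of the password,
so an audit should flag them for re-hashing.
"""
import re

# Constructed sample file.  The first two lines are the page's own example
# entries; the remaining hashes are placeholders in the right *format* only.
SAMPLE_LINES = [
    "username:v3l0KWx6v8mQM",
    "bob:x4DtaLTqsElC2",
    "alice:$apr1$aBcDeFgH$" + "x" * 22,      # htpasswd -m style (MD5, $apr1$)
    "carol:{SHA}" + "A" * 27 + "=",          # htpasswd -s style (unsalted SHA-1)
    "dave:$2y$05$" + "A" * 53,               # htpasswd -B style (bcrypt)
]
SAMPLE_HTPASSWD = "\n".join(SAMPLE_LINES) + "\n"

# Schemes an audit should report: DES crypt, unsalted SHA-1, and anything
# that is not a recognised hash at all.
WEAK_SCHEMES = {"crypt", "sha1", "plain-or-unknown"}


def classify_hash(h: str) -> str:
    """Name the htpasswd hash scheme from the stored hash string alone."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if re.fullmatch(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", h):
        return "bcrypt"
    if h.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./A-Za-z0-9]{13}", h):
        return "crypt"
    return "plain-or-unknown"


def parse_htpasswd(text: str) -> list[tuple[str, str]]:
    """Return (user, hash) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected user:hash, got {raw!r}")
        entries.append((user, h))
    return entries


def audit(text: str) -> dict:
    """Map each user to its scheme and list the users whose scheme is weak."""
    schemes = {user: classify_hash(h) for user, h in parse_htpasswd(text)}
    weak = [u for u, s in schemes.items() if s in WEAK_SCHEMES]
    return {"schemes": schemes, "weak": weak}


def remove_user(text: str, user: str) -> str:
    """Drop one user's line: the programmatic form of the hand edit on the page."""
    kept = [raw for raw in text.splitlines()
            if raw.strip().partition(":")[0] != user]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    report = audit(SAMPLE_HTPASSWD)
    for user, scheme in report["schemes"].items():
        print(f"{user:10s} {scheme}")
    print("weak entries:", ", ".join(report["weak"]))
    print(remove_user(SAMPLE_HTPASSWD, "bob"), end="")
```

Run against a real file, the audit lists the two page-style crypt entries as weak; re-running htpasswd for those users (without -c, which would truncate the file) replaces the hash in place. The htpasswd program itself can also delete a user with its -D switch, which avoids editing the file by hand.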

Restricting Access By IP

In order to restrict access by IP address (with or without a password), you need the following lines in your .htaccess file:

<Limit GET POST>
order deny,allow
deny from all
allow from 128.112.
allow from 140.180.
allow from 192.168.
allow from 172.16.
</Limit>

The first two "allow" lines cover the campus (including some of the subnets in CS), and the last two "allow" lines cover subnets in the department that are internal only. Note, too, that a subnet is specified here by giving only its leading octets (the first two, in this example). You can use a full IP address instead if you only wish specific machines to have access.

The IP address ranges (that OIT sees) for the CS department are:

  1. 128.112.4.0/22
  2. 128.112.92.0/22
  3. 128.112.136.0/22
  4. 128.112.152.0/22
  5. 128.112.168.0/22
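To see exactly which clients the block above admits, here is an added example (not part of the original page or of Apache) that evaluates Apache 2.2-style Order/Deny/Allow rules for an IPv4 client. It supports "all", CIDR networks and Apache's partial-address form (leading octets only), and it also checks that every CS range listed above falls inside the 128.112. prefix the page's rule allows. The rule text and the CIDR list are the page's own; the client addresses used in the checks are constructed.

```python
"""Evaluate Apache 2.2-style host access rules (added example, not from the page).

Semantics implemented:
  Order deny,allow  - Deny rules first; an Allow match overrides; unmatched
                      requests are permitted (Apache's default order).
  Order allow,deny  - the client must match an Allow and no Deny; unmatched
                      requests are rejected.
A partial address such as '128.112.' means 'leading octets match', i.e. the
network 128.112.0.0/16.
"""
import ipaddress

# The page's own <Limit> block, reproduced as rule lines.
PAGE_RULES = """
order deny,allow
deny from all
allow from 128.112.
allow from 140.180.
allow from 192.168.
allow from 172.16.
"""

# CS department ranges exactly as listed on the page.
CS_RANGES = ["128.112.4.0/22", "128.112.92.0/22", "128.112.136.0/22",
             "128.112.152.0/22", "128.112.168.0/22"]


def partial_to_network(partial: str) -> ipaddress.IPv4Network:
    """Turn an Apache partial address such as '128.112.' into 128.112.0.0/16."""
    octets = [o for o in partial.strip().split(".") if o != ""]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad partial address: {partial!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(padded)}/{8 * len(octets)}")


def host_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Does one Allow/Deny argument match the client address?"""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:                       # CIDR form, e.g. 128.112.4.0/22
        return ip in ipaddress.IPv4Network(spec, strict=False)
    return ip in partial_to_network(spec)  # full or partial dotted address


def parse_rules(text: str):
    """Split rule text into (order, allow_specs, deny_specs)."""
    order = ("deny", "allow")             # Apache's default when Order is absent
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        directive = directive.lower()
        if directive == "order":
            order = tuple(p.strip().lower() for p in rest.split(","))
        elif directive in ("allow", "deny"):
            specs = rest.split()
            if specs and specs[0].lower() == "from":
                specs = specs[1:]
            (allow if directive == "allow" else deny).extend(specs)
    return order, allow, deny


def evaluate_access(text: str, client: str) -> bool:
    """True if the client address would be admitted by the rule text."""
    ip = ipaddress.IPv4Address(client)
    order, allow, deny = parse_rules(text)
    allowed = any(host_matches(s, ip) for s in allow)
    denied = any(host_matches(s, ip) for s in deny)
    if order == ("deny", "allow"):
        return allowed or not denied
    if order == ("allow", "deny"):
        return allowed and not denied
    raise ValueError(f"unsupported Order {order!r}")


def ranges_covered(cidrs, partial: str) -> dict:
    """For each CIDR, is it entirely inside the network the partial address allows?"""
    net = partial_to_network(partial)
    return {c: ipaddress.IPv4Network(c).subnet_of(net) for c in cidrs}


if __name__ == "__main__":
    for client in ["128.112.5.1", "192.168.1.10", "172.17.0.1", "8.8.8.8"]:
        print(f"{client:15s} {'allowed' if evaluate_access(PAGE_RULES, client) else 'denied'}")
    print(ranges_covered(CS_RANGES, "128.112."))
```

Two things the evaluation makes visible: "allow from 128.112." admits the whole 128.112.0.0/16 (all of campus), of which the five CS /22 ranges are a small part, so list the /22s instead if only the department should get in; and "allow from 172.16." matches only 172.16.0.0/16, not the wider 172.16.0.0/12 private block. Address-based rules also only mean what they appear to mean when the server sees the real client address, not that of a proxy in front of it.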
