Controlling Access to Web Pages

All about .htaccess files

There are various methods of restricting access to your web pages depending on the web server your host is running. This document provides instructions for www.its.caltech.edu, which is running the Apache webserver. If your documents are on a different server, you will need to find out from your server administrator how that server is configured to restrict web documents.

IMSS allows users to change access permissions on a directory by directory basis with files called .htaccess. This document provides tips on configuring .htaccess files to control access to your web documents.

When you create a .htaccess file, all of the files within that directory, as well as any subdirectories, are protected by that .htaccess file. Any .htaccess files above that directory are also used.

You can control access to specific files or specific types of files by using wildcards or filenames in the opening <Files> tag of the .htaccess file. Use multiple <Files> tags in a single .htaccess file to restrict files with different access controls.

Restricting Access to Caltech Addresses

Here is a .htaccess file that restricts access to the Caltech network:

<Files *>
Order allow,deny
Allow from 131.215
Allow from caltech.edu
</Files>

This ensures that access to the files in this directory is restricted to clients whose host names end in caltech.edu, such as its.caltech.edu, ugcs.caltech.edu, or anything.caltech.edu. You must also specify the IP address range 131.215 if you want all computers on the Caltech network to have access to your files, because some computers on the network do not have a caltech.edu name.

You can specify an exact machine name which would restrict access only from that machine. For example, the following .htaccess file would permit only the machine example.caltech.edu to have access:

<Files *>
Order allow,deny
Allow from example.caltech.edu
</Files>

You can also restrict it to a number of machines, as the following illustrates.

<Files *>
Order allow,deny
Allow from example.caltech.edu
Allow from example2.caltech.edu
Allow from example3.caltech.edu
</Files>

This gives access to the pages from the machines named example, example2, and example3.

Restricting Access to JPL and Caltech Addresses

This is done exactly the same way as restricting the files to Caltech addresses. The only difference is adding an Allow line for JPL addresses.

<Files *>
Order allow,deny
Allow from caltech.edu
Allow from 131.215
Allow from jpl.nasa.gov
Allow from 137.78
Allow from 137.79
Allow from 128.149
Allow from 192.107.192
</Files>

Controlling Access to Specific Users

To limit the access of your web files to a limited number of people, you need to assign a username and password to each user. The username and password pairs must be stored in a file in your access.caltech Unix account. To create the file in your account, you must log in to your account via telnet or ssh. If you have forgotten your password for your account, please call the IMSS Help Desk at x3500 to have it reset. If you need any help with telnet or ssh, you can also contact the Help Desk at x3500.

Once you have logged into your account, you will first need to generate encrypted passwords for each user. Choose a good password for each user that will be easy to remember. For help in choosing passwords, read the Password Security Tips page.

Once you have chosen passwords, do the following:

perl -e 'print crypt("password", "ww"), "\n";'

where 'password' is the text password, and 'ww' is the salt, a value that randomizes the encryption; any two alphanumeric characters will do. Do not use punctuation marks in your password, as they will not work with this command. The program will return a string of 13 characters.

Create a file using whichever UNIX text editor you know (pico, vi, emacs). For each person you plan to give access to your files, put a line of the form username:encrypted-string, where the encrypted string is the one you got from the encryption command. For example:

jennifer:wwljpxhGKT7yQ
jane:ww50TmJN01Jgg

This gives me 2 users with their encrypted passwords.

Once you've created your password file, you need to create an appropriate .htaccess file. Here's an example that allows all the users defined in your password file access to this directory.

<Files *>
AuthType Basic
AuthName "Name for Authentication purposes"
AuthUserFile /home/anybody/public_html/.passwordfile
Require valid-user
</Files>

In the above example, you replace "Name for Authentication purposes" with any string that describes what you are authenticating for. Make sure to put it in quotes. You would also replace /home/anybody/public_html/.passwordfile with the absolute path where your password file is stored. You can figure this out by typing pwd in the directory where your password file is located. This plus the name of your file is what you would put after AuthUserFile.

An Important Reminder

Note that these access restricting measures provide no guarantee that your sensitive information will remain completely secure.

In order for the web server to be able to read and serve your documents, one of the following must be true:

  • The document must be world-readable.
  • The document must be group-readable, and have group www.

This must also be true for .htaccess files and the associated password files.

The usual state of affairs is that you will choose the first option and make your files world-readable. However, this leaves them open to direct reading by people who log in to an interactive Unix server, even if they are prevented from access over the web via an .htaccess file.

To prevent this sort of direct reading, do the following:

  1. Log on to one of the interactive Unix servers (the ones you reach by connecting to its.caltech.edu). The chgrp_www program in the next step must be run from one of those machines; it will not work if run elsewhere.
  2. Use the chgrp_www command to change the group of the files or directories you want to protect to www, like so:

    chgrp_www file1 file2 file3 ...

    substituting the names of your files/directories appropriately. You can use wildcards (like *) as usual with this command.

  3. Change the permissions on your files or directories so they are readable and writable by their owner, readable by their group, and not readable by anyone else:

    chmod u+rw,g+r-w,o-rw file1 file2 file3 ...
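The check a practitioner would want before and after steps 2 and 3: an added example (not from the IMSS page) that lists files under a web directory still readable by "other", including .htaccess and password files, and applies the mode change from step 3. chgrp_www is Caltech-specific, so the group change is left to that tool; the directory tree and file names here are constructed.

```python
import os
import stat
import tempfile
from typing import List, Tuple

def world_readable(root: str) -> List[str]:
    """Return paths (relative to root) of regular files with the o+r bit set.
    Dot-files such as .htaccess and .passfile are included deliberately."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)

def lock_down(paths: List[str]) -> None:
    """Equivalent of 'chmod u+rw,g+r-w,o-rw': keep the owner's rw, give the
    group read only, strip read and write from others. Execute bits are
    left untouched, as the page's chmod command leaves them."""
    for p in paths:
        mode = os.stat(p).st_mode
        mode |= stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
        mode &= ~(stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH)
        os.chmod(p, stat.S_IMODE(mode))

def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed public_html tree with two world-readable control
    files, audit it, fix it, and audit again. Returns (before, after)."""
    root = tempfile.mkdtemp(prefix="public_html_")
    layout = ((".htaccess", 0o644), (".passfile", 0o644), ("index.html", 0o640))
    for rel, mode in layout:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    before = world_readable(root)
    lock_down([os.path.join(root, rel) for rel in before])
    after = world_readable(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```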

An Example

For instance, if I wanted to have two pages, each restricted to different users, in a privateclub directory of webpages in my UNIX account, I could create the following files in my /home/anybody/public_html/privateclub directory:

.htaccess
.passfile

I would begin by generating the encrypted passwords for my users. Let's assume that Richard needs access to my science.html page, that Janet needs access to my engineering.html page, and that I need access to both pages.

Richard wants his password to be "GeeKsRuL", Janet wants her password to be "EeMCsqed", and I want my password to be "WebbPagZ".

I run the following perl commands, choosing different randomizing values each time:

{inky:1} perl -e 'print crypt("GeeKsRuL", "fk"), "\n";'
fkV3fieoIPCpM
{inky:2} perl -e 'print crypt("EeMCsqed", "NZ"), "\n";'
NZGKjhbWkVgaY
{inky:3} perl -e 'print crypt("WebbPagZ", "Qe"), "\n";'
QeJxtLAevosdk

I could then use pico to create my .passfile password storage file. The contents of the .passfile password storage file should then look like:

richard:fkV3fieoIPCpM
janet:NZGKjhbWkVgaY
adele:QeJxtLAevosdk

I then use pico to create my .htaccess file. The contents of that file would then look like:

<Files engineering.html>
AuthType Basic
AuthName "Anybody's Engineering Page"
AuthUserFile /home/anybody/public_html/privateclub/.passfile
Require user janet adele
</Files>
<Files science.html>
AuthType Basic
AuthName "Anybody's Science Page"
AuthUserFile /home/anybody/public_html/privateclub/.passfile
Require user adele richard
</Files>

Example of How .htaccess Files Interact

It is important to understand exactly which directories and files are protected and which are not. Let's use this arrangement of files as an example.

  • top.html
  • important.html
  • cit-only (Directory):
    • .htaccess [says: allow from caltech.edu and allow from 131.215]
    • private.html
    • sensitive.html
    • stuff (Directory):
      • party.html
  • blorf-only (Directory):
    • .htaccess [says: allow from blorf.caltech.edu]
    • accounts.html
    • everyone (Directory):
      • .htaccess [says: allow from all]
      • announcement.html

The files top.html and important.html are accessible by anyone, at Caltech or elsewhere.

The file cit-only/.htaccess specifies that only Caltech computers may access the files in and under this directory. Therefore, private.html, sensitive.html, and party.html can only be seen by Caltech users.

The file blorf-only/.htaccess specifies that only the machine blorf.caltech.edu may access the files in and under this directory. Therefore, accounts.html can only be seen by the person(s) using blorf.caltech.edu.

However, notice that the directory blorf-only/everyone has its own .htaccess file. The lower-level file overrides the previous one, so only the specifications in blorf-only/everyone/.htaccess apply to the file announcement.html. Since the lower-level .htaccess says "allow from all", any computer on the Internet may view the file announcement.html.
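To make the host-based rules from the Caltech-addresses section and the override behaviour just described concrete, here is an added example (not from the IMSS page) that models how "Order allow,deny" with only "Allow from" lines is evaluated for the directory layout above. It assumes the .htaccess contents shown in the tree; the client IP addresses and host names are constructed, and domain entries are matched against the name Apache would obtain by reverse DNS.

```python
from typing import Dict, List, Optional

# Constructed: directory -> Allow entries of the .htaccess in that directory.
# "all" stands for "allow from all".
HTACCESS: Dict[str, List[str]] = {
    "cit-only": ["caltech.edu", "131.215"],
    "blorf-only": ["blorf.caltech.edu"],
    "blorf-only/everyone": ["all"],
}

def allow_matches(entry: str, ip: str, host: Optional[str]) -> bool:
    """One 'Allow from' argument: 'all', a partial IP (octet boundary), or a
    domain suffix matched on a dot boundary against the reverse-DNS name."""
    if entry == "all":
        return True
    if entry[0].isdigit():
        # "131.215" matches 131.215.x.x but not 131.2150.x.x
        return ip == entry or ip.startswith(entry + ".")
    if host is None:
        return False  # no reverse-DNS name, so a domain rule cannot match
    return host == entry or host.endswith("." + entry)

def effective_allow(path: str) -> List[str]:
    """Walk from the top directory down to the file's directory; the deepest
    .htaccess wins, as blorf-only/everyone shows. No .htaccess at all means
    the file is open to everyone."""
    dirs = path.split("/")[:-1]
    rules = ["all"]
    for depth in range(1, len(dirs) + 1):
        d = "/".join(dirs[:depth])
        if d in HTACCESS:
            rules = HTACCESS[d]
    return rules

def can_access(path: str, ip: str, host: Optional[str] = None) -> bool:
    """Order allow,deny with only Allow lines: granted iff some Allow matches."""
    return any(allow_matches(e, ip, host) for e in effective_allow(path))

if __name__ == "__main__":
    for p, ip, host in (("top.html", "203.0.113.5", None),
                        ("cit-only/stuff/party.html", "131.215.4.7", None),
                        ("blorf-only/accounts.html", "131.215.1.1", "example.caltech.edu"),
                        ("blorf-only/everyone/announcement.html", "203.0.113.5", None)):
        print(p, ip, host, "->", "allowed" if can_access(p, ip, host) else "denied")
```

Note that accounts.html is denied even to a 131.215 address, because blorf-only/.htaccess lists only the blorf.caltech.edu name and nothing from cit-only applies there.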

This should be enough information to use access control in the most common ways. Further documentation about htaccess files can be found on the Apache documentation pages. If you need help with your htaccess file, please contact us at http://help.caltech.edu (request type IMSS-->Desktop Support -->Other).