Please Note: This FAQ entry describes a mechanism to limit
access to web pages via the web server. If you also want to
prevent access by people with local CS accounts, you MUST take
extra steps to prevent access via the local filesystem. Please
see the corresponding FAQ entry for more information.
Let's say you want to require a user to know a password to access a web page
but you don't want to use the UITS Network ID and password as described in
that FAQ entry. You might want to do this if the people
who need access are not affiliated with IU or if you want to create a single
password to be used by several people to access the pages.
As an example, let's say I want to allow access to users jane and joe, with
passwords janepw and joepw, respectively. First, you must create a password
file for the access. This file contains one line per user of the form:
username:encrypted_password
The easiest way to create this password file is using the htpasswd command.
To create the password file /u/robh/passwords/project1 and add the user jane,
you would run:
htpasswd -c /u/robh/passwords/project1 jane
You will be prompted for the password. If you want to add additional users,
you just rerun the htpasswd command without the -c (create) flag. For example,
to add an entry for joe:
htpasswd /u/robh/passwords/project1 joe
Alternatively, you could use the cryptit command to generate an encrypted password. Using
the current example:
% cryptit janepw
Encypted version of janepw = XDLQPSf.S0z4E
% cryptit joepw
Encypted version of joepw = XD7FW.bG2qz6s
So, we would create a password file with the following contents:
jane:XDLQPSf.S0z4E
joe:XD7FW.bG2qz6s
You can call this file anything you want. For this example, let's
call it /u/robh/passwords/project1.
Next, create a .htaccess file in
the directory you want to protect that contains:
AuthUserFile /u/robh/passwords/project1
AuthGroupFile /dev/null
AuthName "Project 1 Authentication"
AuthType Basic
<Limit GET POST PUT>
require user jane joe
</Limit>
The path you need to use for the password file used in the
above AuthUserFile line depends on what accounts you
have. If you have a CS Sharkestra account and that's where your
password file lives, you can just use /u/username. If you
only have a Burrow account, you will have to use
/nfs/nfs1/u/username.
Note that the
mechanism shown here will result in cleartext passwords being transferred
across the network if you use http:// URLs. To prevent this from happening,
create a file called .htaccess_nonssl in the same directory as the
.htaccess file and put the following line in that file:
deny from all
This will require you to use secure URLs of the form
https:// in order to access the pages.
If you want to redirect http access to https instead
of denying it, you can use the following in the .htaccess_nonssl:
Redirect permanent / https://www.cs.indiana.edu/
If you are using the cgi server (via cgi-pub) instead of the web server
then you will have to
do the redirect slightly differently:
Redirect permanent /~username https://www.cs.indiana.edu/cgi-pub/username
Also note that your password and .htaccess files must be readable
by the www user. This generally means that the files must
be world readable. If you need to limit access to these files so
they are accessible by the web server but not by users with local CS accounts,
please see the associated FAQ.
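The steps above (password file, .htaccess, and the readability requirement for the www user) as an added shell example; this is not part of the original FAQ. It writes the .htaccess shown above for a given password file and user list, then checks that the AuthUserFile exists, is world readable, has well-formed user:hash lines, and contains an entry for every required user. The demo uses the FAQ's example hashes in a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original FAQ. Assumes a POSIX shell,
# awk, grep, ls and mktemp; no Apache or htpasswd is needed to run it.

# Emit the .htaccess body for password file $1 and users $2, $3, ...
make_htaccess() {
    pwfile=$1; shift
    printf 'AuthUserFile %s\n' "$pwfile"
    printf 'AuthGroupFile /dev/null\n'
    printf 'AuthName "Project 1 Authentication"\n'
    printf 'AuthType Basic\n'
    printf '<Limit GET POST PUT>\n'
    printf 'require user %s\n' "$*"
    printf '</Limit>\n'
}

# Check an .htaccess ($1): returns 0 if its AuthUserFile exists, is readable
# by others (the www user needs that), has only user:hash lines, and holds an
# entry for every user named on the "require user" line; otherwise returns 1.
check_htaccess() {
    htaccess=$1
    pwfile=$(awk '$1 == "AuthUserFile" { print $2 }' "$htaccess")
    [ -n "$pwfile" ] || { echo "no AuthUserFile line"; return 1; }
    [ -f "$pwfile" ] || { echo "password file $pwfile missing"; return 1; }
    # column 8 of "ls -l" is the read bit for "other"
    [ "$(ls -l "$pwfile" | cut -c8)" = r ] ||
        { echo "$pwfile is not world readable"; return 1; }
    grep -Eqv '^[^:]+:[^:]+$' "$pwfile" &&
        { echo "malformed line in $pwfile"; return 1; }
    users=$(awk '$1 == "require" && $2 == "user" {
                    for (i = 3; i <= NF; i++) print $i }' "$htaccess")
    for u in $users; do
        grep -q "^$u:" "$pwfile" || { echo "no entry for $u in $pwfile"; return 1; }
    done
    return 0
}

# Demonstration with the FAQ's example users and hashes (constructed dir).
demo() {
    dir=$(mktemp -d)
    printf 'jane:XDLQPSf.S0z4E\njoe:XD7FW.bG2qz6s\n' > "$dir/project1"
    chmod 644 "$dir/project1"                 # readable by the www user
    make_htaccess "$dir/project1" jane joe > "$dir/.htaccess"
    printf 'deny from all\n' > "$dir/.htaccess_nonssl"   # https only
    check_htaccess "$dir/.htaccess"
}
```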