Please Note: This FAQ entry describes a mechanism to limit
access to web pages via the web server. If you also want to
prevent access by people with local CS accounts, you MUST take
extra steps to prevent access via the local filesystem. Please
see the corresponding FAQ entry for more information.
The CS department's central web and cgi servers (www.cs.indiana.edu
and cgi.cs.indiana.edu) allow authentication against the standard
UITS Network ID using kerberos. When using kerberos authentication,
you must use the secure https instead of unencrypted http. So, you must
use URLs of the form https://www.cs.indiana.edu/ instead of
http://www.cs.indiana.edu/.
These servers are set up with a search order for access control
files. The non-secure (http) server uses .htaccess_nonssl, then .htaccess. The
secure (https) server uses .htaccess_ssl, then .htaccess. Whichever file is
found first is used. To provide directory control and ONLY
allow access via the more secure encrypted server, use a .htaccess_nonssl
file which denies all connections, and a .htaccess file which allows
connections only via authentication. The example files follow:
.htaccess_nonssl
deny from all
.htaccess
AuthType KerberosV5
AuthName "UITS Network ID"
KrbAuthRealm IU.EDU
<LIMIT GET POST PUT>
require user dvader dvader@IU.EDU
</LIMIT>
If you want to automatically redirect users of non-secure http URLs
to the https URLs instead of denying them access, you can use the following
.htaccess_nonssl instead:
.htaccess_nonssl (web server)
Redirect permanent / https://www.cs.indiana.edu/
If you are using the cgi server (via cgi-pub) instead of the web server
then you will have to
do the redirect slightly differently:
.htaccess_nonssl (cgi server)
Redirect permanent /~username https://www.cs.indiana.edu/cgi-pub/username
Note that there are currently slightly different versions of Apache running on
www.cs.indiana.edu and cgi.cs.indiana.edu. The older version on www.cs only
requires the username in the require user line above. The newer version
on cgi.cs requires the username and Kerberos realm in the form
username@IU.EDU. By using both forms in the above require user
line, this will work on both servers. However, you are only required to
include the form needed for the server you are using.
The above example would only allow connections from a person with the
UITS Network ID of dvader. You could add multiple require lines as needed
to grant access to multiple users.
require user dvader dvader@IU.EDU
require user lskywalk lskywalk@IU.EDU
require user pleia pleia@IU.EDU
If you wish to allow anyone with a valid UITS
login, then instead replace the require line with the following:
require valid-user
If you have a large number of usernames, or different groupings of
people to allow and deny access to different directories, then a group
file may be of use. Create the group file outside of any directory
which is serviceable via the web, i.e., NOT in your .hyplan directory. I
recommend a "dot" file in your home directory such as
~/.www-groups. Here is the syntax for the group file:
.www-groups
managers: dvader dvader@IU.EDU yoda yoda@IU.EDU obone obone@IU.EDU
workers: hsolo hsolo@IU.EDU lskywalk lskywalk@IU.EDU
extras: ewok ewok@IU.EDU
To use the group file, reference it in your .htaccess as follows:
.htaccess
AuthType KerberosV5
AuthUserFile /dev/null
AuthGroupFile /u/username/.www-groups
AuthName "UITS Network ID"
KrbAuthRealm IU.EDU
<LIMIT POST GET PUT>
require group managers workers
</LIMIT>
The above example would only allow the managers and workers list to
access this particular directory. As with all web documents, these
files must be readable by the web server, i.e. chmod 644. This also
allows anyone with a CS department account to view the files via the
file system. If this is a concern then see the
corresponding FAQ entry or
contact systems staff.
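To show how the require user, require group and require valid-user lines above are evaluated against the ~/.www-groups file, here is an added Python model; it is not the department's server code or Apache itself, and the group file contents, realm and method list are copied from the examples above. It also models two details a practitioner should check: the username versus username@IU.EDU difference between the two servers, and the fact that a <LIMIT GET POST PUT> block only applies the require line to the listed methods (HEAD counts as GET).

```python
from typing import Dict, Optional, Set

# Constructed copy of the ~/.www-groups file shown above.
GROUP_FILE = """\
managers: dvader dvader@IU.EDU yoda yoda@IU.EDU obone obone@IU.EDU
workers: hsolo hsolo@IU.EDU lskywalk lskywalk@IU.EDU
extras: ewok ewok@IU.EDU
"""

REALM = "IU.EDU"                          # KrbAuthRealm from the .htaccess above
LIMITED_METHODS = {"GET", "POST", "PUT"}  # the <LIMIT GET POST PUT> block


def parse_groups(text: str) -> Dict[str, Set[str]]:
    """Parse 'name: member member ...' lines into a group -> members map."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def principal_forms(principal: str) -> Set[str]:
    """Spellings a server may present: the old www.cs form 'dvader' and the
    newer cgi.cs form 'dvader@IU.EDU'. A principal from another realm is
    never rewritten, so it cannot match a local username."""
    user, _, realm = principal.partition("@")
    if realm and realm != REALM:
        return {principal}
    return {user, f"{user}@{REALM}"}


def allowed(method: str, principal: Optional[str], require: str,
            groups: Dict[str, Set[str]]) -> bool:
    """Decide one request against a require line inside the <LIMIT> block."""
    m = method.upper()
    m = "GET" if m == "HEAD" else m      # Apache: a Limit on GET also covers HEAD
    if m not in LIMITED_METHODS:
        return True  # outside the <LIMIT> block the require line is never consulted
    if not principal:
        return False  # no Kerberos authentication presented
    words = require.split()
    if words[:2] == ["require", "valid-user"]:
        return True
    forms = principal_forms(principal)
    if words[:2] == ["require", "user"]:
        return bool(forms & set(words[2:]))
    if words[:2] == ["require", "group"]:
        return any(forms & groups.get(g, set()) for g in words[2:])
    return False  # unknown directive: deny
```

Because only the methods named in the LIMIT block are checked, a method such as OPTIONS reaches the directory without any require line being consulted; that is the behaviour to keep in mind when choosing the method list.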
There are also some predefined access groups available for several departmental
groups, such as faculty, staff, AIs, etc. Please see the
Access Groups Section of the
Web Page Support Document for more information.