Indiana University Bloomington

School of Informatics and Computing

CSG FAQ

Q: How do I limit access to my web pages by user?

Please Note: This FAQ entry describes a mechanism to limit access to web pages via the web server. It does nothing about the files themselves: anyone with a local CS account can still read them through the local filesystem, so if you also want to prevent that you MUST take extra steps. Please see the corresponding FAQ entry for more information.

The CS department's central web and cgi servers (www.cs.indiana.edu and cgi.cs.indiana.edu) allow authentication against the standard UITS Network ID using Kerberos. Kerberos authentication is only offered over the encrypted https server, never over unencrypted http, so you must use URLs of the form https://www.cs.indiana.edu/ instead of http://www.cs.indiana.edu/.

These servers are set up with a search order for access control files. The non-secure (http) server looks for .htaccess_nonssl, then .htaccess. The secure (https) server looks for .htaccess_ssl, then .htaccess. Whichever file is found first is used. To protect a directory and ONLY allow access via the encrypted server, use a .htaccess_nonssl file that denies all connections and a .htaccess file that allows connections only after authentication. The example files follow:

.htaccess_nonssl
deny from all

.htaccess
AuthType KerberosV5
AuthName "UITS Network ID"
<LIMIT GET POST PUT>
require user dvader@ADS.IU.EDU
</LIMIT>

Note that .htaccess files must be readable by the web server, which is most easily accomplished by making the files world readable (chmod 644). Also note that a require line inside <LIMIT GET POST PUT> applies only to those methods (Apache treats HEAD as GET here); any other request method is not covered. If you are unsure which methods your pages or scripts will see, put the require line outside the <LIMIT> block so that it applies to every method.

If you want to automatically redirect users of non-secure http URLs to the https URLs instead of denying them access, you can use the following .htaccess_nonssl instead:

.htaccess_nonssl (web server)
Redirect permanent / https://www.cs.indiana.edu/

If you are using the cgi server (via cgi-pub) instead of the web server, the redirect is slightly different (replace username with your own login):

.htaccess_nonssl (cgi server)
Redirect permanent /~username https://www.cs.indiana.edu/cgi-pub/username

The .htaccess example above would only allow connections from the person with the UITS Network ID dvader. To grant access to several users, add one require line per user:

require user dvader@ADS.IU.EDU
require user lskywalk@ADS.IU.EDU
require user pleia@ADS.IU.EDU

If you wish to allow anyone with a valid UITS Network ID, replace the require line(s) with the following:

require valid-user

If you have a large number of usernames, or different groupings of people to allow and deny access to different directories, then a group file may be of use. Create the group file outside of any directory that is served via the web, i.e. NOT in your .hyplan directory. I recommend a "dot" file in your home directory such as ~/.www-groups. Here is the syntax for the group file (one "group: member" line per entry; a group name may be repeated on several lines):

.www-groups
managers: dvader@ADS.IU.EDU
managers: yoda@ADS.IU.EDU
managers: obone@ADS.IU.EDU
workers: hsolo@ADS.IU.EDU
workers: lskywalk@ADS.IU.EDU
extras: ewok@ADS.IU.EDU

To use the group file, reference it in your .htaccess as follows (replace username with your own login):

.htaccess
AuthType KerberosV5
AuthUserFile /dev/null
AuthGroupFile /u/username/.www-groups
AuthName "UITS Network ID"
<LIMIT POST GET PUT>
require group managers workers
</LIMIT>

The above example would only allow members of the managers and workers groups to access this particular directory. As with all web documents, these files (including the group file) must be readable by the web server, i.e. chmod 644. This also allows anyone with a CS department account to view the files via the file system. If this is a concern then see the corresponding FAQ entry or contact systems staff.

There are also many predefined access groups available for use. This includes all of the normal unix groups defined in /etc/group as well as several departmental groups, such as faculty, staff, AIs, etc. Please see the Access Groups Section of the Web Page Support Document for more information.

If you are using PHP, the authenticated principal is available as:

$_SERVER["REMOTE_USER"]

It is only set when the request actually went through a directory whose .htaccess required authentication. The value includes the Kerberos realm (e.g. dvader@ADS.IU.EDU); you can reduce it to just the username in PHP with something like:

    <?php print preg_replace("/(.*)@.*/", "$1", $_SERVER["REMOTE_USER"]); ?>

Keep in mind that this pattern only discards the realm, it does not check it: the realm names the Kerberos authority that vouched for the user, so dropping it is safe only when the server accepts a single realm, as it does here with ADS.IU.EDU. A value with no "@" at all does not match the pattern and is returned unchanged.
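As an added example (not code from this FAQ or from the CS systems staff), here is a PHP page that performs its own fail-closed checks on top of the .htaccess protection described above: it confirms the request arrived over https, that REMOTE_USER is set and carries the expected realm rather than blindly stripping whatever follows the "@", and, for scripts that need to know which group a user belongs to (the web server consults ~/.www-groups only for the require group decision, so a script has no other way to tell a manager from a worker), it parses the same group file format shown in the group file section. The realm ADS.IU.EDU, the group file path /u/username/.www-groups and the group names are reused from the FAQ's examples; that the secure server sets $_SERVER['HTTPS'] is an assumption about the local setup.

```php
<?php
// Added example, not part of the CS FAQ. Defense-in-depth checks for a PHP
// page that already sits behind the Kerberos .htaccess protection.
// Assumptions (not stated on the page): the only realm the server accepts is
// ADS.IU.EDU, the group file is /u/username/.www-groups in the
// "group: member" format shown in the FAQ, and the secure server sets
// $_SERVER['HTTPS'].

define('ALLOWED_REALM', 'ADS.IU.EDU');             // assumption
define('GROUP_FILE', '/u/username/.www-groups');   // assumption, same path as the FAQ example

// Return the bare username if $principal is "user@ALLOWED_REALM", otherwise
// null. Unlike preg_replace("/(.*)@.*/", "$1", ...), this refuses principals
// that carry no realm or a realm other than the one the server is expected to
// accept. Realm names are compared exactly (Kerberos realms are case-sensitive).
function local_username($principal, $realm = ALLOWED_REALM) {
    $at = strrpos($principal, '@');
    if ($at === false) {
        return null;                               // no realm at all
    }
    $user  = substr($principal, 0, $at);
    $given = substr($principal, $at + 1);
    if ($user === '' || $given !== $realm) {
        return null;                               // empty user or wrong realm
    }
    return $user;
}

// Parse a group file in the ~/.www-groups format: "group: member member ...",
// where the same group name may appear on several lines. Blank lines and lines
// starting with "#" are ignored. Returns array(group => array(member, ...)).
function parse_group_file($path) {
    $groups = array();
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $groups;                            // missing or unreadable file => no groups
    }
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;                              // malformed line, ignore it
        }
        $name = trim($parts[0]);
        foreach (preg_split('/\s+/', trim($parts[1])) as $member) {
            if ($member !== '') {
                $groups[$name][] = $member;
            }
        }
    }
    return $groups;
}

// Exact, case-sensitive membership test on the full principal.
function in_group($groups, $principal, $group) {
    return isset($groups[$group]) && in_array($principal, $groups[$group], true);
}

// Fail closed: every condition must hold, otherwise return null.
// Returns the bare username when the request is over https, REMOTE_USER is a
// principal in the allowed realm, and that principal is in one of $allowed_groups.
function require_access(array $server, array $allowed_groups, $group_file = GROUP_FILE) {
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
    $principal = isset($server['REMOTE_USER']) ? $server['REMOTE_USER'] : '';
    $user = local_username($principal);
    if (!$https || $user === null) {
        return null;
    }
    $groups = parse_group_file($group_file);
    foreach ($allowed_groups as $g) {
        if (in_group($groups, $principal, $g)) {
            return $user;
        }
    }
    return null;
}

$user = require_access($_SERVER, array('managers', 'workers'));
if ($user === null) {
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}
print "Hello, " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
?>
```

The script checks the same conditions the web server enforces; it does not replace the .htaccess files, which remain the primary control. Its value is that a script copied into a directory whose .htaccess was forgotten or relaxed still refuses to run, and that the group file is parsed once, outside the web tree, with the same file the server uses.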
