RESTRICTING ACCESS TO WEB PAGES
It is possible to restrict access to your web pages. The most
straightforward methods restrict access to an entire subdirectory and
the pages it contains by client address or by password. Generally you
will set up a special protected subdirectory or subdirectories within
one of your existing assigned web directories. These instructions are
for the simplest kind of restrictions. Much more elaborate schemes are
available. Consult the Apache documentation for details.
THESE ACCESS RESTRICTIONS DO NOT PROVIDE FOOLPROOF SECURITY. THEY CAN BE
CIRCUMVENTED BY A DETERMINED INTRUDER. WWW.UKY.EDU IS NOT A SECURE
SERVER AND SHOULD NOT BE USED FOR CONFIDENTIAL OR SENSITIVE INFORMATION.
Restricting Access By Client Address
This is useful, for example, for limiting access to a group of pages to
only University of Kentucky users. Create a file called .htaccess within
your directory to be protected. It will contain lines like this:
Deny from all
Allow from 128.163
Allow from uky.edu
The Deny line disables all access and the following Allow lines restore
access to clients on the University of Kentucky's campus. There are some
points to keep in mind, though. This would exclude users connecting
through Internet service providers, which many students and employees
use, and some on-campus users with special network addresses. Another
consideration is that anyone with a userid on a University system that
provides a web browser could log on to that system from anywhere on the
Internet, would appear to the web server as a Lexington campus user,
and would therefore have access to your protected pages in this example.
That may or may not be what you intend. Users of the campus
wireless network, which may include people who aren't UK students or
employees, will be in the 10.20 subnet. Most medical and UK Healthcare
users will be in the 172.24 subnet.
There are services on campus that access web pages and make them
available to browsers in other forms. Our Google Search Appliance
will index and cache your pages from UK servers unless it is instructed
not to, and the cached copy is available to everyone, without restrictions.
You may need to exclude these servers from your pages if you need to
restrict access to campus users. For example:
Order Allow,Deny
Allow from uky.edu
Allow from 128.163
Deny from diogenes.uky.edu
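To show how Apache evaluates the two snippets above (the default Order of Deny,Allow in the first, and the explicit Order Allow,Deny in the second), here is a small simulator of the Allow from / Deny from / Order rules. This is an added example, not code from the original page or from Apache; it assumes the client's IP address and its reverse-DNS name are handed in directly, where the real server would resolve the name itself.

```python
# Added example (not from the original page): a simulator of the Apache 2.2
# "Order" / "Allow from" / "Deny from" evaluation used by the two .htaccess
# snippets above. Assumption: the client IP and its reverse-DNS hostname are
# supplied by the caller instead of being resolved by the server.

def _host_matches(pattern, client_ip, client_host):
    """One Allow/Deny argument: 'all', a partial dotted IP, or a domain suffix."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern[0].isdigit():
        # Partial IP addresses match on octet boundaries: 128.163 matches 128.163.x.x
        want = pattern.split(".")
        return client_ip.split(".")[:len(want)] == want
    if client_host is None:
        return False
    host = client_host.lower()
    # Domain names match whole components: uky.edu matches a.uky.edu, not notuky.edu
    return host == pattern or host.endswith("." + pattern)

def parse_htaccess(text):
    """Return (order, allow_list, deny_list); Apache's default Order is Deny,Allow."""
    order, allows, denies = "deny,allow", [], []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(words[2:])
    return order, allows, denies

def is_allowed(htaccess, client_ip, client_host=None):
    """Decide access for one client under the given .htaccess text."""
    order, allows, denies = parse_htaccess(htaccess)
    allowed = any(_host_matches(p, client_ip, client_host) for p in allows)
    denied = any(_host_matches(p, client_ip, client_host) for p in denies)
    if order == "allow,deny":
        # Allow,Deny: must match an Allow, and must not match any Deny
        return allowed and not denied
    # Deny,Allow: denied only when a Deny matches and no Allow rescues it
    return allowed or not denied

# The two snippets from the page, reproduced here as constructed test input
CAMPUS_ONLY = "Deny from all\nAllow from 128.163\nAllow from uky.edu\n"
NO_INDEXER = "Order Allow,Deny\nAllow from uky.edu\nAllow from 128.163\nDeny from diogenes.uky.edu\n"
```

Note that a Deny,Allow configuration without a "Deny from all" line permits every client the rules do not mention, which is why the first snippet starts by denying everyone.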
Restricting Access By Password
This method requires that users enter a name and password that you have
defined before accessing your protected pages. It uses basic HTTP
authentication, which does not encrypt the userid or password, so they
are vulnerable to unauthorized viewing if they are intercepted on the
network during transmission.
Create a file called .htaccess within your directory to be protected. It will
contain lines like this:
AuthType Basic
AuthName "your identifying name goes here"
AuthUserFile /www/htdocs/.../password.web
Require valid-user
The AuthName string will be displayed by most clients as a part of
their prompt for a name and password. The AuthUserFile line contains the
full path to your password.web file. The Require line contains a list of
names that will be allowed to access the pages in your protected
subdirectory. You will define these names yourself - they have no
connection with the system userids on the web server or any other
system. Specifying "valid-user" on the Require line allows access to all
names defined in your password.web file.
Next you must build your password file, which will define the names and
their associated passwords. First use SSH to connect to www.uky.edu and
change directory to the subdirectory identified in the AuthUserFile
line as the location of your password file:
cd /www/htdocs/...
Next use the htpasswd command to create the password file and define the
names:
~www/bin/htpasswd -c password.web name1
~www/bin/htpasswd password.web name2
~www/bin/htpasswd password.web name3
...
(The -c option causes a new password file to be created.) Each time you
will be prompted to enter the password to be associated with the name.
Note that names and passwords are restricted to eight characters and
some browsers cannot correctly handle special characters in either.
Deleting names requires editing the password file with a text editor
or some other means.
For some applications it may be possible to reduce the amount of work
involved by giving the same name and password to groups, like all of
the students in a particular class. If this level of control is
appropriate it significantly reduces the number of names you will need
to define.
After you have created your names and passwords you must distribute
them to the individuals who will use them, using a method as secure as
is appropriate for your application. Remember that these names and
passwords have no intrinsic relationship with the userids and
passwords on the web server system or any other system. They are solely
for controlling access to your pages. There is no mechanism for the
users to change their own passwords.
The first time a browser attempts to access one of your protected
pages the user will be prompted for a name and password. If a
name listed in your .htaccess file and defined in your password.web
file is entered with the correct password, access to the pages in the
protected directory is granted.
Once a valid name and password have been entered through a web browser,
that browser will remain authorized for access even if the user walks
away from the machine running it. This is a security exposure that would
allow anyone who subsequently uses the browser to access your pages.
Generally, if the user quits the browser the authorization will be
lost. You may want to recommend this on your pages.
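The check described in this section (decode the Basic credential the browser sends, look the name up in password.web, compare the password, then apply the Require line) as an added example, not code from the original page or from Apache. It assumes the password file uses the {SHA} entry format that "htpasswd -s" writes, so the sample file can be built and verified with the Python standard library alone; the user names and passwords are constructed.

```python
# Added example (not from the original page): how a server checks an HTTP Basic
# credential against a password.web file and the Require line. Assumption: the
# file uses the {SHA} format written by "htpasswd -s" rather than crypt().
import base64
import hashlib
import hmac

# Constructed sample password file, as "htpasswd -s password.web name1" would write it
PASSWORD_WEB = "\n".join(
    f"{name}:{{SHA}}" + base64.b64encode(hashlib.sha1(pw.encode()).digest()).decode()
    for name, pw in [("name1", "s3cretpw"), ("name2", "pass2")]
) + "\n"

def load_password_file(text):
    """Parse 'name:{SHA}base64digest' lines into a dict of name -> raw SHA-1 digest."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            name, field = line.split(":", 1)
            if field.startswith("{SHA}"):
                users[name] = base64.b64decode(field[5:])
    return users

def parse_basic_header(header):
    """Decode 'Basic <token>' to (name, password); the token is base64, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    name, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return name, password

def authorize(header, password_file_text, require="valid-user"):
    """Apply the Require line: 'valid-user' or 'user name1 name2 ...'."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    name, password = creds
    users = load_password_file(password_file_text)
    # Constant-time compare; an unknown name compares against b"" and fails
    if not hmac.compare_digest(hashlib.sha1(password.encode()).digest(), users.get(name, b"")):
        return False
    words = require.split()
    if words == ["valid-user"]:
        return True
    return words[0] == "user" and name in words[1:]

def basic_header(name, password):
    """Build the Authorization value a browser sends after the password prompt."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()
```

Because parse_basic_header recovers the name and password from the header with nothing more than a base64 decode, anyone who can read the request on the network sees them in clear, which is the exposure the section above describes.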
Restricting Access With Link Blue Authentication
It is also possible to restrict access to web pages using Link Blue
login authentication. Details can be found here.
These notes reflect the Apache server. The old instructions for the
CERN server are still available for reference purposes.
This page was last updated on 2011-06-01.
Please direct questions and comments regarding this page to webmaster@www.uky.edu.