WWW Access Control

You can implement access control on all or part of your Web site so that:

Warning

Basic Authentication alone does not provide the security and privacy to adequately protect truly confidential or personal information.

Basic Authentication is analogous to simply "closing a door" to parts of your Web site. It will prevent the casual or polite users from "opening the door", but will not prevent someone mildly determined to walking in.

Two issues that contribute to the lack of security and privacy are:

Implementing Access Control

To implement access control, you must create a file name '.htaccess' that contains with the proper configuration instructions. You may also need to create a ".htpasswd" file using the utility "htpasswd" and a ".htgroup" file.
Filename Description
.htaccess This file contains the instructions the WWW Server needs in order to implement access control. The directives contained within this file will apply to all the files and subdirectories at or below the level of the .htaccess file.

For example, /home/j/h/jharvard/public_html/private/.htaccess will apply to all files contained within the ~jharvard/public_html/private directory (and its subdirectories), but would not be applied to the file ~jharvard/public_html/index.html.

This file needs to be readable by the Web Server.

See below for sample configurations of .htaccess

.htpasswd This file contains usernames and encrypted passwords (username:enc_passwd). It is created and managed with the utility, "htpasswd", which can be run from the command line on fas.harvard.edu and ice.fas.harvard.edu.

This file should not lie within your public_html. It should reside at the root level of your home directory (for example, /home/j/h/jharvard/.htpasswd

This file needs to be readable by the Web Server.

.htgroup This file contains group definitions (group_name:member1, member2, ...).

This file should not lie within your public_html. It should reside at the root level of your home directory (for example, /home/j/h/jharvard/.htgroup

This file needs to be readable by the Web Server.

Examples

For the examples given, the user "web" is used. You should substitute your username and home directory appropriately.

The following .htpasswd and .htgroup files are used:
Filename Description
/home/w/e/web/.htpasswd The .htpasswd was generated by using the utility "htpasswd" 

ice% htpasswd
Usage: htpasswd [-c] passwordfile username 
The -c flag creates a new file. 

ice% htpasswd -c /home/w/e/web/.htpasswd guest
Adding password for guest 
New password: *****
Re-type password: *****
Password for "guest" is "guest". Entries for guest2, guest3, and guest4 are created without the "-c" flag, since the .htpasswd file already exists.
Contents of file: 
guest:79WeSn3vYGsKQ
guest2:PR4APgA.4CKO.
guest3:5DbCMPbSDstj2
guest4:htPnr8jT4bI5E
.htgroup Contents of file: 
VIP: guest, guest4

Example 1

Any valid user in .htpasswd is allowed access

The"AuthName" is the description that is displayed by the browser in the Basic Authentication dialog box.

Contents of sample .htaccess file: 
AuthName "Basic Authentication Tutorial 1"
AuthType Basic
AuthUserFile /home/w/e/web/.htpasswd
require valid-user
Demonstration of Example 1
You may login as any of the following users (username:password):
guest:guest
guest2:guest2
guest3:guest3
guest4:guest4

Example 2

Only certain users in .htpasswd are allowed access

Contents of sample .htaccess file: 

AuthName "Basic Authentication Tutorial 2"
AuthType Basic
AuthUserFile /home/w/e/web/.htpasswd
require user guest2, guest3
Demonstration of Example 2
Only guest2 and guest3 are authorized:
guest2:guest2
guest3:guest3

Unauthorized:
guest:guest
guest4:guest4

Example 3

Only members of a particular group are allowed access

Contents of .htaccess file: 

AuthName "Basic Authentication Tutorial 3"
AuthType Basic
AuthUserFile /home/w/e/web/.htpasswd
AuthGroupFile /home/w/e/web/.htgroup
require group VIP
Demonstration of Example 3
Only members of the group "VIP" (as defined by /home/w/e/web/.htgroup) are authorized (guest and guest4):
guest:guest
guest4:guest4

Unauthorized:
guest2:guest2
guest3:guest3

Example 4

Only certain computers are allowed access

Contents of sample .htaccess file: 

order deny,allow
deny from all
allow from 140.247, 128.103, .harvard.edu
Demonstration of Example 4
Computers that are on the Harvard network (computers with hostnames ending in .harvard.edu or with IP addreses beginning with 128.103 or 140.247) will have access, others will be denied.

Example 5

Only certain computers are deniedaccess

Contents of sample .htaccess file: 

order allow,deny
allow from all
deny from .fas.harvard.edu
Demonstration of Example 5
Connections from within the domain 'fas.harvard.edu' will be denied.

Example 6

Certain computers are allowed in; others must provide a username and password

Contents of sample .htaccess file: 

order deny,allow
deny from all
allow from .yale.edu

AuthType Basic
AuthUserFile /home/w/e/web/.htpasswd
AuthName "Basic Authentication Tutorial 6"
require valid-user

satisfy any
Demonstration of Example 6
Connection from within ".yale.edu" will be allowed; others must provide a valid username and password.

Example 7

Only certain computers are allowed in and users must provide a valid username and password.

Contents of sample .htaccess file: 

order deny,allow
deny from all
allow from .harvard.edu

AuthType Basic
AuthUserFile /home/w/e/web/.htpasswd
AuthName "Basic Authentication Tutorial 7"
require valid-user

satisfy all
Demonstration of Example 7
Only connections from within ".harvard.edu" will be allowed and users must provide a valid username and password (satifsy all).

Relevant information can also be found in the Stronghold and Apache documentation:

LastModified: 04/20/04
URL:http:// cscie12.dce.harvard.edu /apache/access/index2.html
Copyright © The President and Fellows of Harvard College