NOTE: This page has been updated and moved into the new FAQ area.
Old info
So you have one or more web pages that you want to publish via the web but you don't want to make them available to everyone? A solution is to use the htaccess password mechanism that is part of the Apache Web Server. This Apache feature allows you to publish static web pages to validated users via a web browser prompt for a username and password.
For added security, you can force users to access your pages using an SSL (Secure Socket Layer) connection. This means transmitted data is encrypted, so passwords and webpages cannot be read in cleartext over the internet.
Questions:
- How do I secure a Page?
- How do I restrict access to SSL connections (https)?
- How do I redirect non-secure connections to the secure address?
- Can I restrict access to a group (e.g. members of comp9316)?
- Can I restrict access by both CSE password and UniPass?
- So my pages are completely secure now?
- Can I use htaccess for securing CGI scripts?
- Are there any alternatives?
- For more information
How do I secure a Page?
Let's say you want to restrict access to the directory called "/home/me/public_html/secret/" to just a small group of people. Then you need to create two files:
- /home/me/public_html/secret/.htaccess - which details the access restrictions for that directory
- .htpasswd - has the username and password details. It doesn't need to be in the same directory
The .htaccess file looks like this:

    AuthUserFile /home/me/public_html/.htpasswd
    AuthName "Access to Private Web Pages"
    AuthType Basic
    require valid-user

Note that the .htaccess file needs to be readable by the webserver for it to work. You should set its permissions to 644 (ie. chmod 644 .htaccess).
You need to create the .htpasswd file, which just contains a username and crypt'd password separated by a ':' on each line, eg:

    me:tz373OcXNjQF.n
    someoneelse:aSJeo1t2DvYyg

This can be created on any CSE linux machine, like this:

    htpasswd -c /home/me/public_html/.htpasswd me

which will then prompt you for the password for "me" and add the entry to the .htpasswd file. The -c flag creates the file (overwriting one that already exists), so leave it off when adding further users to an existing file. Run "man htpasswd" for more details.
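To show what the webserver actually does with the .htaccess and .htpasswd files above, here is an added Python example (not code from the original page or from CSE). It decodes the Authorization header a browser sends after the username/password prompt and checks it against .htpasswd entries. The users and passwords in it are constructed sample data; it verifies {SHA} entries (the form written by htpasswd -s) with hashlib, and crypt-style entries like the page's "me:tz373OcXNjQF.n" through Python's crypt module where that module still exists (it was removed in Python 3.13).

```python
"""Added example, not code from the original page: the credential check
behind 'AuthType Basic' + 'AuthUserFile' + 'require valid-user'.

Assumptions: SAMPLE_HTPASSWD is constructed data; {SHA} hashes are checked
with hashlib, traditional crypt() hashes with the stdlib crypt module when
it is available.
"""
import base64
import hashlib
import hmac

try:
    import crypt  # Unix only, deprecated, removed in Python 3.13
except ImportError:
    crypt = None


def parse_htpasswd(text):
    """Map user -> stored hash from .htpasswd text, one 'user:hash' per line.

    Only the first ':' separates the fields, so a hash containing ':' survives.
    Blank lines and '#' comments are skipped; anything else malformed is an error.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user or not hashed:
            raise ValueError("line %d: expected 'user:hash'" % lineno)
        users[user] = hashed
    return users


def sha_entry(password):
    """Hash in the {SHA} form: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(stored, password):
    """True if the password matches the stored hash (constant-time compare)."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password), stored)
    if crypt is not None:
        # crypt() reuses the salt embedded in the stored hash.
        result = crypt.crypt(password, stored)
        return result is not None and hmac.compare_digest(result, stored)
    raise ValueError("cannot verify this hash format without the crypt module")


def basic_header(user, password):
    """Build the Authorization header a browser sends after the password prompt."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header):
    """Recover (user, password) from an Authorization header value.

    Base64 is encoding, not encryption: whoever can see the request reads
    the password, which is why the page recommends SSLRequireSSL.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic auth header")
    decoded = base64.b64decode(token).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def authorize(header, htpasswd_text):
    """What 'require valid-user' amounts to: a known user with a matching hash."""
    user, password = parse_basic_header(header)
    stored = parse_htpasswd(htpasswd_text).get(user)
    return stored is not None and check_password(stored, password)


# Constructed sample .htpasswd: same layout as the page's, made-up passwords.
SAMPLE_HTPASSWD = "\n".join([
    "me:" + sha_entry("correct horse"),
    "someoneelse:" + sha_entry("battery staple"),
]) + "\n"

if __name__ == "__main__":
    print(authorize(basic_header("me", "correct horse"), SAMPLE_HTPASSWD))  # True
    print(parse_basic_header(basic_header("me", "correct horse")))
```

parse_basic_header() recovers the plain password from any request it is given, which is the whole point of the SSL sections below: without https, the same recovery is available to anything on the network path between browser and server.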
How do I restrict access to SSL connections (https)?
By adding the SSLRequireSSL directive to your .htaccess file, the page is only allowed access through an SSL connection (ie having https at the start of the URL). However, to give a meaningful message when not using SSL, you can add a section like this to your .htaccess:

    SSLRequireSSL
    # no non-ssl access
    order allow,deny
How do I redirect non-secure connections to the secure address?
The .htaccess example above denies access if the connection is not made using SSL. Alternatively, you can tell apache to redirect people to the secure page automatically, by using the following snippet for the non-ssl access instead:

    # no non-ssl access
    Redirect permanent / https://www.cse.unsw.edu.au/

The Redirect directive will automatically append parts beyond / so they are redirected to the correct page. For example, if the web page: http://www.cse.unsw.edu.au/~foo/bar.html is protected from non-secure access with the above, apache will redirect the browser to: https://www.cse.unsw.edu.au/~foo/bar.html (https instead of http).
Can I restrict access to a group (e.g. members of comp9316)?
By using yp authentication, you can restrict access to web pages to certain CSE groups. Here's an example .htaccess to restrict access just to members of comp9316:

    AuthType Basic
    AuthName "Restricted Directory"
    AuthYP On
    require group @COMP9316
    order allow,deny
    allow from .unsw.edu.au

There is no need for the .htpasswd file here because all the password information is retrieved via YP. However, it is important to note that Web passwords are transmitted over the network in clear text, which might result in the user's CSE password being intercepted. That's why the example here is restricted to just machines in the unsw.edu.au domain. An even better idea is to force the use of SSL as shown above, which encrypts the entire communication including passwords. Under certain conditions (the user belonging to a large number of groups), the authorisation system may incorrectly reject valid group members. If this happens, ask SS to consider raising the netgroup priority for the group in question.
Can I restrict access by both CSE password and UniPass?
Yes, the following .htaccess file allows authentication by both CSE users (using YP) and UNSW users (using UniPass/RADIUS):

    AuthName "CSE and Unipass Authentication Example"
    AuthType Basic
    # stuff to turn on UniPass authentication
    AuthRadiusAuthoritative Off
    AuthUseUnipass On
    # stuff to turn on YP authentication
    AuthYP On
    AuthYPAuthoritative Off
    SSLRequireSSL
    # ie, anyone with a valid CSE account
    require group @REASON
    # list of valid UniPass usernames
    require user s1234567 s2345678
    RedirectMatch /(.*)$ https://www.cse.unsw.edu.au/$1

Apache only treats '#' as a comment at the start of a line, not partway through a directive, so the explanatory comments sit on their own lines above the require directives they describe rather than after them.
So my pages are completely secure now?
No, they're not quite. They are restricted by htaccess when retrieved via the web, but because the files are world readable so the web server can serve them, they are also readable by anyone with a CSE account by browsing the file system. In order to prevent people from browsing them this way you need to use the priv webonly script. The priv webonly program will make your "secret" directory group-owned by w3serv (the web server account) and remove world access permissions. This means only you and w3serv can access those files in the secret dir.

    $ priv webonly ~/public_html/secretdir

Note that priv webonly on its own doesn't restrict access through the web server - you must use it in conjunction with a .htaccess file.
Can I use htaccess for securing CGI scripts?
Yes. It works just like for normal URLs, except that if you are using a Redirect, you need to redirect to cgi.cse.unsw.edu.au instead of www.cse.unsw.edu.au. Any file references (e.g. for AuthUserFile) will also need to be CGI-compatible. In other words, /home/username/public_html/ needs to be referenced as /web/username.
You should also keep in mind that files accessed by your CGI script are not controlled by .htaccess.
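To make the filesystem-side exposure from the "completely secure now?" section concrete, here is an added Python example (not the CSE priv webonly script and not code from the original page) that audits a protected directory for the problems described there: a .htaccess the web server cannot read, a world-readable .htpasswd, and world-readable pages inside the secret directory. demo() builds a constructed sample tree in a temporary directory; fix_world_access() is a stand-in that only strips world permission bits, because the change of group owner to w3serv that priv webonly performs needs privileges an ordinary user script does not have.

```python
"""Added example, not the CSE 'priv webonly' script and not code from the
original page: audit the filesystem side of an htaccess-protected directory.

Assumptions: the caller passes the secret directory and the AuthUserFile
path; demo() creates constructed sample files. fix_world_access() only
removes 'other' bits; the real priv webonly also chgrps to w3serv so the
web server keeps access through the group.
"""
import os
import shutil
import stat
import tempfile


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_secret_dir(secret_dir, htpasswd_path):
    """Return (path, problem) pairs; an empty list means nothing was found."""
    findings = []
    htaccess = os.path.join(secret_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        findings.append((htaccess, "missing .htaccess: no web-side restriction"))
    elif not _mode(htaccess) & (stat.S_IRGRP | stat.S_IROTH):
        # Apache reads it as the w3serv account; mode 600 silently disables it.
        findings.append((htaccess, "not readable by the web server (want 644)"))
    if not os.path.isfile(htpasswd_path):
        findings.append((htpasswd_path, "AuthUserFile does not exist"))
    elif _mode(htpasswd_path) & stat.S_IROTH:
        # Every local account can copy the hashes; group w3serv with 640 is enough.
        findings.append((htpasswd_path, "world-readable password file"))
    for root, _dirs, files in os.walk(secret_dir):
        for name in files:
            if name == ".htaccess":
                continue
            path = os.path.join(root, name)
            if _mode(path) & stat.S_IROTH:
                findings.append((path, "world-readable: any local account can read it"))
    return findings


def fix_world_access(secret_dir, htpasswd_path):
    """Strip 'other' bits from the tree and the password file (no chgrp here)."""
    targets = [secret_dir, htpasswd_path]
    for root, dirs, files in os.walk(secret_dir):
        targets.extend(os.path.join(root, n) for n in dirs + files)
    for path in targets:
        os.chmod(path, _mode(path) & ~stat.S_IRWXO)


def demo():
    """Build a constructed sample tree, audit it, apply the fix, audit again."""
    tmp = tempfile.mkdtemp(prefix="htaccess-audit-")
    try:
        public_html = os.path.join(tmp, "public_html")
        secret = os.path.join(public_html, "secret")
        os.makedirs(secret)
        htpasswd = os.path.join(public_html, ".htpasswd")
        sample_files = {
            htpasswd: ("me:{SHA}constructed-placeholder\n", 0o644),
            os.path.join(secret, ".htaccess"): ("require valid-user\n", 0o644),
            os.path.join(secret, "report.html"): ("<p>private</p>\n", 0o644),
        }
        for path, (content, mode) in sample_files.items():
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        os.chmod(secret, 0o755)
        before = audit_secret_dir(secret, htpasswd)
        fix_world_access(secret, htpasswd)
        after = audit_secret_dir(secret, htpasswd)
        return before, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print("before:", problem, "-", path)
    print("after:", after)  # [] once world bits are gone
```

The audit passes for a 640 .htpasswd and .htaccess only because on a real CSE account those files would be group-owned by w3serv; on the temporary tree demo() builds there is no such group, so the stand-in fix shows the permission logic rather than a deployable end state.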