Difference between revisions of "How To Password Protect Personal Web Content"
Latest revision as of 15:09, 28 September 2017
You already know How To Publish Personal Web Content, but you want to restrict web surfers' access to certain pages. This can be accomplished by requiring users to authenticate with the web server to access these password-protected pages.
The HTTP protocol has the ability to prompt a user for a username and password. You can require users to enter the username/password of their departmental account or check the username/password against your own password file.
Unfortunately, the HTTP authentication mechanism transmits this information unencrypted. Therefore you must enforce the use of HTTPS (HTTP+SSL) to protect the username/password between the web surfer's browser and the departmental web server, as instructed below.
Directory Layout
First you need to set up an area in your document tree that you wish to make private. These instructions follow the convention that the ~/etc/www/priv/ directory is the one containing the password-protected content, but it could be any directory within the ~/etc/www/ document tree.
File or Directory | Minimum Filesystem Permissions | Comment |
---|---|---|
~/ | rwx--x--x (chmod a+x) | Your home directory |
~/etc/ | rwx--x--x (chmod a+x) | Your etc directory |
~/etc/www/ | rwx--x--x (chmod a+x) | Your document root |
~/etc/www/index.html | rw-r--r-- (chmod a+r) | Your public home page |
~/etc/www/public.html | rw-r--r-- (chmod a+r) | Another public document |
~/etc/www/priv/ | rwx--x--x (chmod a+x) | Directory for password-protected files |
~/etc/www/priv/protected.html | rw-r--r-- (chmod a+r) | A password-protected document |
~/etc/www/priv/.htaccess | rw-r--r-- (chmod a+r) | Apache config file |
~/etc/www/priv/.htpasswd | rw-r--r-- (chmod a+r) | Apache file for AuthUserFile |
~/etc/www/priv/.htgroup | rw-r--r-- (chmod a+r) | Apache file for AuthGroupFile |
All of these files need to have world-readable filesystem permissions (chmod a+r) and all of these directories need to be marked world-executable (chmod a+x) to allow the webserver to access them.
The key to getting this setup to work is the .htaccess file in the priv directory. There are three basic variations for this file:
Variation 1: Authenticate Departmental Users Only
Place an .htaccess file with the following contents in the directory you wish to protect:
# Force the use of SSL...
SSLRequireSSL
# ... and redirect non-SSL requests to the corresponding HTTPS URL
ErrorDocument 403 /cgi-bin/ssl-redirect
# Use HTTP Basic Authentication
AuthType Basic
# Validate usernames/passwords against the ECE account database
AuthBasicProvider ece
# The AuthName is incorporated in the username/password prompt
AuthName "ECE Account"
# Allow any authenticated user
Require valid-user
You can restrict access to specific ECE users and groups by changing the Require valid-user line. For more information, see The All-Important Require Directive below.
Variation 2: Authenticate Non-Departmental Users Only
With this .htaccess configuration, only users listed in your .htpasswd file may access the private pages. To create and manage your .htpasswd file, use the htpasswd command, which is available on the ssh.ece.ubc.ca machines.
SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect
AuthType Basic
AuthBasicProvider file
AuthUserFile path to home directory/etc/www/priv/.htpasswd
AuthName "my private page"
Require valid-user
The AuthBasicProvider file line may be omitted.
Please ensure that the value you use for path to home directory is identical to that reported by the command getent passwd username. It must be a full path (starting with /ubc/ece/home/...); ~username will not work.
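The directory layout, the Variation 2 .htaccess and the absolute-path rule above can be set up and checked with a small script. The following is an added example, not code from the wiki page or from the ECE department: it assumes the functions take an explicit home-directory root (so they can be run on a scratch directory), derives the real home from getent passwd as the page instructs, and leaves .htpasswd empty for you to populate with htpasswd.

```shell
#!/bin/sh
# Added example (not from the original wiki page): build the password-protected
# layout from the table above, write a Variation 2 .htaccess with an absolute
# AuthUserFile path, and verify the permissions the web server needs.
# Assumption: the "home" root is passed in explicitly so the functions can be
# exercised on a scratch directory; use "$(account_home)" for the real thing.

# Home directory as the passwd database reports it (the page says ~user is
# not usable in AuthUserFile). Falls back to $HOME where getent is missing.
account_home() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$(id -un)" | cut -d: -f6
    else
        printf '%s\n' "$HOME"
    fi
}

# Create <home>/etc/www/priv with the permissions from the layout table:
# directories a+x (searchable), files a+r (readable) for the web server.
setup_layout() {
    home="$1"
    priv="$home/etc/www/priv"
    mkdir -p "$priv"
    for d in "$home" "$home/etc" "$home/etc/www" "$priv"; do
        chmod a+x "$d"
    done
    # Empty placeholder; fill it with: htpasswd -c "$priv/.htpasswd" <user>
    : > "$priv/.htpasswd"
    cat > "$priv/.htaccess" <<EOF
SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect
AuthType Basic
AuthBasicProvider file
AuthUserFile $priv/.htpasswd
AuthName "my private page"
Require valid-user
EOF
    chmod a+r "$priv/.htaccess" "$priv/.htpasswd"
}

# Print "r" if others can read the path, "x" if they can search/execute it,
# "rx" for both, "-" for neither. Parsed from ls -l, which is portable across
# GNU and BSD userlands (stat's format flags are not).
other_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    r=$(printf '%s\n' "$mode" | cut -c8)
    x=$(printf '%s\n' "$mode" | cut -c10)
    out=""
    [ "$r" = "r" ] && out="${out}r"
    case "$x" in x|t) out="${out}x" ;; esac
    printf '%s\n' "${out:--}"
}

# Every directory on the path must be world-searchable and every file in priv
# world-readable, exactly as the table requires. Prints offenders; returns 1.
check_layout() {
    home="$1"
    priv="$home/etc/www/priv"
    bad=0
    for d in "$home" "$home/etc" "$home/etc/www" "$priv"; do
        case "$(other_perms "$d")" in
            *x*) ;;
            *) printf 'missing a+x: %s\n' "$d"; bad=1 ;;
        esac
    done
    for f in "$priv"/.htaccess "$priv"/.htpasswd "$priv"/*.html; do
        [ -e "$f" ] || continue        # no *.html yet is fine
        case "$(other_perms "$f")" in
            *r*) ;;
            *) printf 'missing a+r: %s\n' "$f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Sanity-check a .htaccess: SSL must be forced, and AuthUserFile must be an
# absolute path to an existing file (the page notes ~username will not work).
check_htaccess() {
    f="$1"
    grep -q '^SSLRequireSSL' "$f" || { echo "SSLRequireSSL missing in $f"; return 1; }
    pw=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$f")
    case "$pw" in
        /*) [ -f "$pw" ] || { echo "AuthUserFile does not exist: $pw"; return 1; } ;;
        *)  echo "AuthUserFile is not an absolute path: $pw"; return 1 ;;
    esac
    return 0
}

# Usage on the real account:
#   setup_layout "$(account_home)" && check_layout "$(account_home)"
```

Because the layout makes .htpasswd world-readable, any account on the same host can read the password hashes it contains, so pick the strongest hash your htpasswd build offers (for example -B for bcrypt) and do not reuse a password from elsewhere in that file. Run check_layout again after adding pages to priv: a freshly copied file that is not a+r will produce a permission error from the web server rather than a password prompt.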
Variation 3: Authenticate Non-Departmental and Departmental Users
With this .htaccess configuration, the webserver will authenticate the user against both your .htpasswd file and the ECE account database.
SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect
AuthType Basic
AuthBasicProvider file ece
AuthName "ECE or Other Account"
AuthUserFile path to home directory/etc/www/priv/.htpasswd
Require valid-user
The All-Important Require Directive
The Require directive is the means by which you can restrict access to your password-protected personal web content to a specific set of users. The following table of examples should help to understand how the directive can be used.
To restrict access to... | ... use this Require directive |
---|---|
any authenticated user | Require valid-user |
specific users (e.g., lucaf and robr) | Require user lucaf robr |
specific groups (e.g., robotics) | <IfVersion < 2.4> Require group robotics </IfVersion> <IfVersion >= 2.4> Require unix-group robotics </IfVersion> |
For more information on the Require directives, please see http://httpd.apache.org/docs/2.2/mod/core.html#require and http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require .