Difference between revisions of "How To Password Protect Personal Web Content"
m (Removed superfluous backslashes) |
m (Minor clarifications and typesetting changes.) |
||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
You already know [[How To Publish Personal Web Content]], but you want to | You already know [[How To Publish Personal Web Content]], but you want to | ||
restrict web surfers' access to certain pages. This can be accomplished by | restrict web surfers' access to certain pages. This can be accomplished by | ||
Line 32: | Line 29: | ||
==Directory Layout== | ==Directory Layout== | ||
First you need to set up an area in your document tree that you wish to make | First you need to set up an area in your document tree that you wish to make | ||
− | private. These instructions follow the convention that the | + | private. These instructions follow the convention that the <tt>~/etc/www/priv/</tt> |
directory is the one containing the password-protected content, but it could be | directory is the one containing the password-protected content, but it could be | ||
− | any directory within the | + | any directory within the <tt>~/etc/www/</tt> document tree. |
− | + | {| | |
− | + | |- | |
− | + | ! File or Directory | |
− | + | ! Minimum Filesystem Permissions | |
− | + | ! Comment | |
− | + | |- | |
− | + | | <tt>~/</tt> | |
− | + | | <tt>rwx--x--x</tt> (<tt>chmod a+x</tt>) | |
− | + | | Your home directory | |
− | + | |- | |
− | + | | <tt>~/etc/</tt> | |
− | + | | <tt>rwx--x--x</tt> (<tt>chmod a+x</tt>) | |
− | + | | Your <tt>etc</tt> directory | |
− | + | |- | |
− | + | | <tt>~/etc/www/</tt> | |
− | + | | <tt>rwx--x--x</tt> (<tt>chmod a+x</tt>) | |
− | + | | Your document root | |
− | + | |- | |
− | + | | <tt>~/etc/www/index.html</tt> | |
− | + | | <tt>rw-r--r--</tt> (<tt>chmod a+r</tt>) | |
− | + | | Your public home page | |
− | + | |- | |
− | + | | <tt>~/etc/www/public.html</tt> | |
− | + | | <tt>rw-r--r--</tt> (<tt>chmod a+r</tt>) | |
− | + | | Another public document | |
− | + | |- | |
− | + | | <tt>~/etc/www/priv/</tt> | |
− | + | | <tt>rwx--x--x</tt> (<tt>chmod a+x</tt>) | |
− | + | | Directory for password-protected files | |
− | + | |- | |
− | + | | <tt>~/etc/www/priv/''protected''.html</tt> | |
− | + | | <tt>rw-r--r--</tt> (<tt>chmod a+r</tt>) | |
− | + | | A password-protected document | |
− | + | |- | |
− | + | | <tt>~/etc/www/priv/.htaccess</tt> | |
− | + | | <tt>rw-r--r--</tt> (<tt>chmod a+r</tt>) | |
− | + | | Apache config file | |
− | + | |- | |
− | + | | <tt>~/etc/www/priv/.htpasswd</tt> | |
− | + | | <tt>rw-r--r--</tt> (<tt>chmod a+r</tt>) | |
− | + | | Apache file for <tt>AuthUserFile</tt> | |
− | + | |- | |
− | + | | <tt>~/etc/www/priv/.htgroup</tt> | |
− | + | | <tt>rw-r--r--</tt> (<tt>chmod a+r</tt>) | |
− | + | | Apache file for <tt>AuthGroupFile</tt> | |
− | + | |} | |
All of these files need to have world-readable filesystem | All of these files need to have world-readable filesystem | ||
− | permissions ( | + | permissions (<tt>chmod a+r</tt>) and all of these directories need to be marked |
− | world-executable ( | + | world-executable (<tt>chmod a+x</tt>) to allow the webserver to access them. |
− | The key to getting this setup to work is the | + | The key to getting this setup to work is the <tt>.htaccess</tt> file in the <tt>priv</tt> |
directory. There are three basic variations for this file: | directory. There are three basic variations for this file: | ||
==Variation 1: Authenticate Departmental Users Only== | ==Variation 1: Authenticate Departmental Users Only== | ||
− | + | Place an <tt>.htaccess</tt> file with the following contents in the directory you wish to protect: | |
− | < | + | <tt> |
− | # Force the use of SSL... | + | # Force the use of SSL...<br>SSLRequireSSL |
− | SSLRequireSSL | + | # ... and redirect non-SSL requests to the corresponding HTTPS URL<br>ErrorDocument 403 /cgi-bin/ssl-redirect |
− | # ... and redirect non-SSL requests to the corresponding HTTPS URL | ||
− | ErrorDocument 403 /cgi-bin/ssl-redirect | ||
− | # Use HTTP Basic Authentication | + | # Use HTTP Basic Authentication<br>AuthType Basic |
− | AuthType Basic | + | # Validate usernames/passwords against the ECE account database<br>AuthBasicProvider ece |
− | # Validate usernames/passwords against the ECE account database | + | # The AuthName is incorporated in the username/password prompt<br>AuthName "ECE Account" |
− | AuthBasicProvider ece | + | # Allow any authenticated user<br>Require valid-user |
− | # The AuthName is incorporated in the username/password prompt | + | </tt> |
− | AuthName "ECE Account" | ||
− | # Allow any authenticated user | ||
− | Require valid-user | ||
− | </ | ||
You can restrict access to specific ECE users and groups by changing the | You can restrict access to specific ECE users and groups by changing the | ||
− | + | <tt>Require valid-user</tt> line. For more information, see | |
− | [[#The All-Important Require Directive|The All-Important | + | [[#The All-Important Require Directive|The All-Important <tt>Require</tt> Directive]] below. |
==Variation 2: Authenticate Non-Departmental Users Only== | ==Variation 2: Authenticate Non-Departmental Users Only== | ||
− | With this | + | With this <tt>.htaccess</tt> configuration, only users listed in your <tt>.htpasswd</tt> |
− | file may access the private pages. To create and manage your | + | file may access the private pages. To create and manage your <tt>.htpasswd</tt> |
− | file, use the | + | file, use the <tt>htpasswd</tt> command, which is available on the [[How To Use SSH |<tt>ssh.ece.ubc.ca</tt>]] machines. |
− | < | + | <tt> |
− | SSLRequireSSL | + | SSLRequireSSL<br> |
− | ErrorDocument 403 /cgi-bin/ssl-redirect | + | ErrorDocument 403 /cgi-bin/ssl-redirect<br> |
+ | <br> | ||
+ | AuthType Basic<br> | ||
+ | AuthBasicProvider file<br> | ||
+ | AuthUserFile ''path to home directory''/etc/www/priv/.htpasswd<br> | ||
+ | AuthName "my private page"<br> | ||
+ | Require valid-user<br> | ||
+ | </tt> | ||
− | + | The <tt>AuthBasicProvider file</tt> line may be omitted. | |
− | AuthBasicProvider file | ||
− | |||
− | |||
− | |||
− | |||
− | + | Please ensure that value for <tt>''path to home directory''</tt> that you use is | |
− | + | identical to that reported by the command <tt>getent passwd ''username''</tt>. | |
− | Please ensure that value for '' | + | It must be a full path (starting with <tt>/ubc/ece/home/...</tt>; <tt>~''username''</tt> will not work. |
− | identical to that reported by the command | ||
− | It must be a full path (starting with | ||
− | |||
==Variation 3: Authenticate Non-Departmental and Departmental Users== | ==Variation 3: Authenticate Non-Departmental and Departmental Users== | ||
− | With this | + | With this <tt>.htaccess</tt> configuration, the webserver will authenticate |
− | the user against both your | + | the user against both your <tt>.htpasswd</tt> file and the ECE account database. |
− | |||
− | |||
− | |||
− | |||
− | AuthType Basic | + | <tt> |
− | AuthBasicProvider file ece | + | SSLRequireSSL<br> |
− | AuthName "ECE or Other Account" | + | ErrorDocument 403 /cgi-bin/ssl-redirect<br> |
− | AuthUserFile | + | <br> |
− | Require valid-user | + | AuthType Basic<br> |
− | </ | + | AuthBasicProvider file ece<br> |
+ | AuthName "ECE or Other Account"<br> | ||
+ | AuthUserFile ''path to home directory''/etc/www/priv/.htpasswd<br> | ||
+ | Require valid-user<br> | ||
+ | </tt> | ||
− | ==The All-Important | + | ==The All-Important <tt>Require</tt> Directive== |
− | The | + | The <tt>Require</tt> directive is the means by which you can restrict access to your |
password-protected personal web content to a specific set of users. The | password-protected personal web content to a specific set of users. The | ||
following table of examples should help to understand how the directive can be | following table of examples should help to understand how the directive can be | ||
Line 161: | Line 151: | ||
− | {| | + | {| |
− | + | |- | |
− | + | ! To restrict access to... | |
− | + | ! ... use this <tt>Require</tt> directive | |
− | + | |- | |
− | + | | any authenticated user | |
− | + | | <tt>Require valid-user</tt> | |
− | + | |- | |
− | + | | specific users (e.g., <tt>lucaf</tt> and <tt>robr</tt>) | |
− | + | | <tt>Require user lucaf robr</tt> | |
− | + | |- | |
− | + | | specific groups (e.g., <tt>robotics</tt>) | |
− | + | | <tt>Require group robotics</tt> | |
− | + | |} | |
− | For more information on the | + | For more information on the <tt>Require</tt> directives, please see |
http://httpd.apache.org/docs/2.2/mod/core.html#require . | http://httpd.apache.org/docs/2.2/mod/core.html#require . | ||
Revision as of 09:52, 7 September 2011
You already know How To Publish Personal Web Content, but you want to restrict web surfers' access to certain pages. This can be accomplished by requiring users to authenticate with the web server to access these password-protected pages.
The HTTP protocol has the ability to prompt a user for a username and password. You can require users to enter the username/password of their departmental account or check the username/password against your own password file.
Unfortunately, the HTTP authentication mechanism transmits this information unencrypted. Therefore you must enforce the use of HTTPS (HTTP+SSL) to protect the username/password between the web surfer's browser and the departmental web server, as instructed below.
Contents
Syntax Changes in Apache 2.2
In version 2.2 of the Apache webserver, the syntax for configuring password protection changed. Although the new syntax is more logical and flexible, it is not backwards-compatible.
Currently, ECE course websites, research group websites, and personal websites are running on Apache 2.2. (Personal websites were upgraded March 27, 2008. If you encounter Internal Server Errors when accessing password-protected content in your personal website, you will need to update your configuration.)
Directory Layout
First you need to set up an area in your document tree that you wish to make private. These instructions follow the convention that the ~/etc/www/priv/ directory is the one containing the password-protected content, but it could be any directory within the ~/etc/www/ document tree.
File or Directory | Minimum Filesystem Permissions | Comment |
---|---|---|
~/ | rwx--x--x (chmod a+x) | Your home directory |
~/etc/ | rwx--x--x (chmod a+x) | Your etc directory |
~/etc/www/ | rwx--x--x (chmod a+x) | Your document root |
~/etc/www/index.html | rw-r--r-- (chmod a+r) | Your public home page |
~/etc/www/public.html | rw-r--r-- (chmod a+r) | Another public document |
~/etc/www/priv/ | rwx--x--x (chmod a+x) | Directory for password-protected files |
~/etc/www/priv/protected.html | rw-r--r-- (chmod a+r) | A password-protected document |
~/etc/www/priv/.htaccess | rw-r--r-- (chmod a+r) | Apache config file |
~/etc/www/priv/.htpasswd | rw-r--r-- (chmod a+r) | Apache file for AuthUserFile |
~/etc/www/priv/.htgroup | rw-r--r-- (chmod a+r) | Apache file for AuthGroupFile |
All of these files need to have world-readable filesystem permissions (chmod a+r) and all of these directories need to be marked world-executable (chmod a+x) to allow the webserver to access them.
The key to getting this setup to work is the .htaccess file in the priv directory. There are three basic variations for this file:
Variation 1: Authenticate Departmental Users Only
Place an .htaccess file with the following contents in the directory you wish to protect:
# Force the use of SSL...
SSLRequireSSL # ... and redirect non-SSL requests to the corresponding HTTPS URL
ErrorDocument 403 /cgi-bin/ssl-redirect
# Use HTTP Basic Authentication
AuthType Basic # Validate usernames/passwords against the ECE account database
AuthBasicProvider ece # The AuthName is incorporated in the username/password prompt
AuthName "ECE Account" # Allow any authenticated user
Require valid-user
You can restrict access to specific ECE users and groups by changing the Require valid-user line. For more information, see The All-Important Require Directive below.
Variation 2: Authenticate Non-Departmental Users Only
With this .htaccess configuration, only users listed in your .htpasswd file may access the private pages. To create and manage your .htpasswd file, use the htpasswd command, which is available on the ssh.ece.ubc.ca machines.
SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect
AuthType Basic
AuthBasicProvider file
AuthUserFile path to home directory/etc/www/priv/.htpasswd
AuthName "my private page"
Require valid-user
The AuthBasicProvider file line may be omitted.
Please ensure that value for path to home directory that you use is identical to that reported by the command getent passwd username. It must be a full path (starting with /ubc/ece/home/...; ~username will not work.
Variation 3: Authenticate Non-Departmental and Departmental Users
With this .htaccess configuration, the webserver will authenticate the user against both your .htpasswd file and the ECE account database.
SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect
AuthType Basic
AuthBasicProvider file ece
AuthName "ECE or Other Account"
AuthUserFile path to home directory/etc/www/priv/.htpasswd
Require valid-user
The All-Important Require Directive
The Require directive is the means by which you can restrict access to your password-protected personal web content to a specific set of users. The following table of examples should help to understand how the directive can be used.
To restrict access to... | ... use this Require directive |
---|---|
any authenticated user | Require valid-user |
specific users (e.g., lucaf and robr) | Require user lucaf robr |
specific groups (e.g., robotics) | Require group robotics |
For more information on the Require directives, please see http://httpd.apache.org/docs/2.2/mod/core.html#require .