Difference between revisions of "How To Password Protect Personal Web Content"

From ECE Information Technology Services
Jump to navigationJump to search
m (Minor clarifications and typesetting changes.)
(Updated instructions for Apache 2.4 compatibility)
Line 163: Line 163:
 
         |-
 
         |-
 
         |  specific groups (e.g., <tt>robotics</tt>)
 
         |  specific groups (e.g., <tt>robotics</tt>)
         |  <tt>Require group robotics</tt>
+
         |  <tt><IfVersion < 2.4><br>&nbsp;&nbsp;&nbsp;&nbsp;Require group robotics<br></IfVersion><br><IfVersion >= 2.4><br>&nbsp;&nbsp;&nbsp;&nbsp;Require unix-group robotics<br></IfVersion></tt>
        |}
+
|}
  
 
For more information on the <tt>Require</tt> directives, please see
 
For more information on the <tt>Require</tt> directives, please see
 
http://httpd.apache.org/docs/2.2/mod/core.html#require .
 
http://httpd.apache.org/docs/2.2/mod/core.html#require .
 
  
 
==See Also==  
 
==See Also==  
 
* [[How To Password-Protect Web Content (Instructions for Apache 2.0 or Earlier)]]
 
* [[How To Password-Protect Web Content (Instructions for Apache 2.0 or Earlier)]]
 
* [http://httpd.apache.org/docs/2.2/howto/auth.html Apache Documentation]
 
* [http://httpd.apache.org/docs/2.2/howto/auth.html Apache Documentation]

Revision as of 14:57, 25 September 2017

You already know How To Publish Personal Web Content, but you want to restrict web surfers' access to certain pages. This can be accomplished by requiring users to authenticate with the web server to access these password-protected pages.

The HTTP protocol has the ability to prompt a user for a username and password. You can require users to enter the username/password of their departmental account or check the username/password against your own password file.

Unfortunately, the HTTP authentication mechanism transmits this information unencrypted. Therefore you must enforce the use of HTTPS (HTTP+SSL) to protect the username/password between the web surfer's browser and the departmental web server, as instructed below.


Syntax Changes in Apache 2.2

In version 2.2 of the Apache webserver, the syntax for configuring password protection changed. Although the new syntax is more logical and flexible, it is not backwards-compatible.

Currently, ECE course websites, research group websites, and personal websites are running on Apache 2.2. (Personal websites were upgraded March 27, 2008. If you encounter Internal Server Errors when accessing password-protected content in your personal website, you will need to update your configuration.)


Directory Layout

First you need to set up an area in your document tree that you wish to make private. These instructions follow the convention that the ~/etc/www/priv/ directory is the one containing the password-protected content, but it could be any directory within the ~/etc/www/ document tree.

File or Directory Minimum Filesystem Permissions Comment
~/ rwx--x--x (chmod a+x) Your home directory
~/etc/ rwx--x--x (chmod a+x) Your etc directory
~/etc/www/ rwx--x--x (chmod a+x) Your document root
~/etc/www/index.html rw-r--r-- (chmod a+r) Your public home page
~/etc/www/public.html rw-r--r-- (chmod a+r) Another public document
~/etc/www/priv/ rwx--x--x (chmod a+x) Directory for password-protected files
~/etc/www/priv/protected.html rw-r--r-- (chmod a+r) A password-protected document
~/etc/www/priv/.htaccess rw-r--r-- (chmod a+r) Apache config file
~/etc/www/priv/.htpasswd rw-r--r-- (chmod a+r) Apache file for AuthUserFile
~/etc/www/priv/.htgroup rw-r--r-- (chmod a+r) Apache file for AuthGroupFile

All of these files need to have world-readable filesystem permissions (chmod a+r) and all of these directories need to be marked world-executable (chmod a+x) to allow the webserver to access them.

The key to getting this setup to work is the .htaccess file in the priv directory. There are three basic variations for this file:

Variation 1: Authenticate Departmental Users Only

Place an .htaccess file with the following contents in the directory you wish to protect:

# Force the use of SSL...
SSLRequireSSL # ... and redirect non-SSL requests to the corresponding HTTPS URL
ErrorDocument 403 /cgi-bin/ssl-redirect
# Use HTTP Basic Authentication
AuthType Basic # Validate usernames/passwords against the ECE account database
AuthBasicProvider ece # The AuthName is incorporated in the username/password prompt
AuthName "ECE Account" # Allow any authenticated user
Require valid-user

You can restrict access to specific ECE users and groups by changing the Require valid-user line. For more information, see The All-Important Require Directive below.

Variation 2: Authenticate Non-Departmental Users Only

With this .htaccess configuration, only users listed in your .htpasswd file may access the private pages. To create and manage your .htpasswd file, use the htpasswd command, which is available on the ssh.ece.ubc.ca machines.

SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect

AuthType Basic
AuthBasicProvider file
AuthUserFile path to home directory/etc/www/priv/.htpasswd
AuthName "my private page"
Require valid-user

The AuthBasicProvider file line may be omitted.

Please ensure that value for path to home directory that you use is identical to that reported by the command getent passwd username. It must be a full path (starting with /ubc/ece/home/...; ~username will not work.


Variation 3: Authenticate Non-Departmental and Departmental Users

With this .htaccess configuration, the webserver will authenticate the user against both your .htpasswd file and the ECE account database.

SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect

AuthType Basic
AuthBasicProvider file ece
AuthName "ECE or Other Account"
AuthUserFile path to home directory/etc/www/priv/.htpasswd
Require valid-user


The All-Important Require Directive

The Require directive is the means by which you can restrict access to your password-protected personal web content to a specific set of users. The following table of examples should help to understand how the directive can be used.


To restrict access to... ... use this Require directive
any authenticated user Require valid-user
specific users (e.g., lucaf and robr) Require user lucaf robr
specific groups (e.g., robotics) <IfVersion < 2.4>
    Require group robotics
</IfVersion>
<IfVersion >= 2.4>
    Require unix-group robotics
</IfVersion>

For more information on the Require directives, please see http://httpd.apache.org/docs/2.2/mod/core.html#require .

See Also