Difference between revisions of "How To Password Protect Personal Web Content"

From ECE Information Technology Services
Edit summaries: m (Removed superfluous backslashes); (More Apache 2.4 updates). 2 intermediate revisions by the same user not shown.

Originally written by: Derek Poon
Originally written on: 2008-Mar-28
Latest revision as of 16:09, 28 September 2017

You already know How To Publish Personal Web Content, but you want to restrict web surfers' access to certain pages. This can be accomplished by requiring users to authenticate with the web server to access these password-protected pages.

The HTTP protocol has the ability to prompt a user for a username and password. You can require users to enter the username/password of their departmental account or check the username/password against your own password file.

Unfortunately, HTTP Basic authentication sends the username and password base64-encoded, not encrypted, in every request to the protected area, so anyone who can observe the traffic can recover them. Therefore you must enforce the use of HTTPS (HTTP+SSL) to protect the username/password between the web surfer's browser and the departmental web server, as instructed below.

Directory Layout

First you need to set up an area in your document tree that you wish to make private. These instructions follow the convention that the ~/etc/www/priv/ directory is the one containing the password-protected content, but it could be any directory within the ~/etc/www/ document tree.

File or Directory                Minimum Filesystem Permissions   Comment
~/                               rwx--x--x (chmod a+x)            Your home directory
~/etc/                           rwx--x--x (chmod a+x)            Your etc directory
~/etc/www/                       rwx--x--x (chmod a+x)            Your document root
~/etc/www/index.html             rw-r--r-- (chmod a+r)            Your public home page
~/etc/www/public.html            rw-r--r-- (chmod a+r)            Another public document
~/etc/www/priv/                  rwx--x--x (chmod a+x)            Directory for password-protected files
~/etc/www/priv/protected.html    rw-r--r-- (chmod a+r)            A password-protected document
~/etc/www/priv/.htaccess         rw-r--r-- (chmod a+r)            Apache config file
~/etc/www/priv/.htpasswd         rw-r--r-- (chmod a+r)            Apache file for AuthUserFile
~/etc/www/priv/.htgroup          rw-r--r-- (chmod a+r)            Apache file for AuthGroupFile

All of these files need to have world-readable filesystem permissions (chmod a+r) and all of these directories need to be marked world-executable (chmod a+x) to allow the webserver, which runs as a different user from you, to access them. Execute permission without read permission on a directory lets the server traverse it to a file whose name it already knows but not list its contents, which is why a+x rather than a+rx is the minimum. The same permissions also let every other user with a shell account on the server read your .htaccess and .htpasswd files. The .htpasswd file therefore holds only password hashes, and you should never reuse your departmental password, or any other important password, in it. Apache's stock configuration refuses to serve files whose names begin with .ht over the web, but that does nothing against local users.
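
The permission rules above, as an added example that is not part of the original page: a Python script that builds the same layout under a throwaway directory with exactly the modes from the table, then checks, from the home directory down, that an unrelated user such as the web server can reach a given file. The temporary directory stands in for your real home directory and the file names are the page's; nothing here talks to the departmental server.

```python
import os
import stat
import tempfile

# Constructed layout mirroring the page's table, relative to the home directory:
# directories the web server must traverse (need o+x) and files it must read (need o+r).
DIRS = ["", "etc", "etc/www", "etc/www/priv"]
FILES = [
    "etc/www/index.html", "etc/www/public.html",
    "etc/www/priv/protected.html", "etc/www/priv/.htaccess",
    "etc/www/priv/.htpasswd", "etc/www/priv/.htgroup",
]
DIR_MODE = 0o711   # rwx--x--x: the server can traverse, but not list, the directory
FILE_MODE = 0o644  # rw-r--r--: the server can read the file


def build_layout(home):
    """Create the ~/etc/www/priv tree under `home` with the minimum permissions."""
    for d in DIRS:
        path = os.path.join(home, d)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, DIR_MODE)
    for f in FILES:
        path = os.path.join(home, f)
        with open(path, "w") as fh:
            fh.write("# placeholder written by build_layout\n")
        os.chmod(path, FILE_MODE)
    return home


def check_web_access(home, target):
    """Return the problems that stop the web server (an 'other' user as far as
    the filesystem is concerned) from reaching `target` under `home`: every
    directory on the path needs o+x and the file itself needs o+r.
    An empty list means the server can read the file."""
    nodes = [home]
    rel = os.path.relpath(target, home)
    if rel != ".":
        cur = home
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            nodes.append(cur)
    problems = []
    for node in nodes:
        mode = os.stat(node).st_mode
        if stat.S_ISDIR(mode):
            if not mode & stat.S_IXOTH:
                problems.append(f"{node}: directory lacks o+x (fix: chmod a+x)")
        elif not mode & stat.S_IROTH:
            problems.append(f"{node}: file lacks o+r (fix: chmod a+r)")
    return problems


def demo():
    """Round trip in a temporary directory: a correct layout passes, and the
    most common mistake (a priv/ directory that is private to you) is reported."""
    home = build_layout(tempfile.mkdtemp())
    protected = os.path.join(home, "etc/www/priv/protected.html")
    ok = check_web_access(home, protected)          # no problems
    os.chmod(os.path.join(home, "etc/www/priv"), 0o700)
    broken = check_web_access(home, protected)      # one problem, on priv/
    return ok, broken


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

On the real server, call check_web_access with the home directory reported by getent passwd and the file a visitor cannot reach; the check starts at your home directory because the directories above it belong to the administrators.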

The key to getting this setup to work is the .htaccess file in the priv directory. There are three basic variations for this file:

Variation 1: Authenticate Departmental Users Only

Place an .htaccess file with the following contents in the directory you wish to protect. Each # comment must be on its own line, because Apache does not accept a comment after a directive on the same line. The ece provider is supplied by the departmental web server; a stock Apache installation does not have it.

# Force the use of SSL...
SSLRequireSSL
# ... and redirect non-SSL requests to the corresponding HTTPS URL
ErrorDocument 403 /cgi-bin/ssl-redirect

# Use HTTP Basic Authentication
AuthType Basic
# Validate usernames/passwords against the ECE account database
AuthBasicProvider ece
# The AuthName is incorporated in the username/password prompt
AuthName "ECE Account"
# Allow any authenticated user
Require valid-user

You can restrict access to specific ECE users and groups by changing the Require valid-user line. For more information, see The All-Important Require Directive below.

Variation 2: Authenticate Non-Departmental Users Only

With this .htaccess configuration, only users listed in your .htpasswd file may access the private pages. To create and manage your .htpasswd file, use the htpasswd command, which is available on the ssh.ece.ubc.ca machines. Use its -c option only when creating the file for the first user: -c recreates the file, so running it again discards every other user. Avoid the -b option, which takes the password on the command line where other users can see it in the process list and where your shell saves it in its history; let htpasswd prompt for the password instead. Because the file must be world-readable, use passwords in it that are not used anywhere else.

SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect

AuthType Basic
AuthBasicProvider file
AuthUserFile <path to home directory>/etc/www/priv/.htpasswd
AuthName "my private page"
Require valid-user

The AuthBasicProvider file line may be omitted.

Please ensure that the value you use for <path to home directory> is identical to that reported by the command getent passwd username. It must be a full path (starting with /ubc/ece/home/...); ~username will not work, because Apache does not expand ~ in file paths and treats a non-absolute AuthUserFile as relative to its ServerRoot.
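
What the .htpasswd file that AuthUserFile points at actually contains, as an added example that is neither the page's nor the Apache project's code: a small Python stand-in for htpasswd that writes entries in the $apr1$ (Apache MD5) format that htpasswd -m produces, adds a user without clobbering the others, and verifies a password against a stored entry the way the file provider does. The usernames, passwords and the temporary file are constructed for the demonstration; on the server use htpasswd itself.

```python
import hashlib
import os
import secrets
import tempfile

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password, salt):
    """Apache's $apr1$ variant of MD5-crypt, the format `htpasswd -m` writes.
    Its 1000 rounds of MD5 are far too cheap to slow a modern password
    cracker, which is why a world-readable .htpasswd must hold no reused password."""
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                          # the historical "one byte per bit of len(pw)" quirk
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    triples = [(f[0], f[6], f[12]), (f[1], f[7], f[13]), (f[2], f[8], f[14]),
               (f[3], f[9], f[15]), (f[4], f[10], f[5])]
    out = ""
    for a, b, c in triples:           # crypt-style base64, low 6 bits first
        v = (a << 16) | (b << 8) | c
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = f[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$apr1$" + salt.decode() + "$" + out


def read_entries(path):
    """Parse the user:hash lines of an .htpasswd file into a dict (missing file: empty)."""
    entries = {}
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                line = line.rstrip("\n")
                if line and not line.startswith("#") and ":" in line:
                    user, _, digest = line.partition(":")
                    entries[user] = digest
    return entries


def set_password(path, user, password):
    """Add or replace one user, keeping every other entry. This is what
    `htpasswd FILE USER` does; `htpasswd -c` would recreate the file instead."""
    if ":" in user or "\n" in user:
        raise ValueError("illegal character in username")
    entries = read_entries(path)
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    entries[user] = apr1_md5(password, salt)
    with open(path, "w") as fh:
        for name, digest in entries.items():
            fh.write(f"{name}:{digest}\n")
    os.chmod(path, 0o644)             # rw-r--r--: the web server must be able to read it


def verify(path, user, password):
    """Check a password the way the file provider does: recompute with the stored salt."""
    digest = read_entries(path).get(user)
    if digest is None or not digest.startswith("$apr1$"):
        return False
    salt = digest.split("$")[2]
    return secrets.compare_digest(apr1_md5(password, salt), digest)


def demo():
    """Constructed round trip in a temporary file with made-up users and passwords."""
    path = os.path.join(tempfile.mkdtemp(), ".htpasswd")
    set_password(path, "alice", "correct horse")
    set_password(path, "bob", "battery staple")   # second call must not clobber alice
    return (verify(path, "alice", "correct horse"),
            verify(path, "alice", "wrong password"),
            sorted(read_entries(path)))


if __name__ == "__main__":
    print(demo())   # (True, False, ['alice', 'bob'])
```

In practice run htpasswd -c ~/etc/www/priv/.htpasswd firstuser once and htpasswd ~/etc/www/priv/.htpasswd nextuser for each further user; the htpasswd shipped with Apache 2.4 also offers -B for bcrypt hashes, which are far costlier to crack than $apr1$ and are the better choice for a file that every local user can read.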


Variation 3: Authenticate Non-Departmental and Departmental Users

With this .htaccess configuration, the webserver will authenticate the user against both your .htpasswd file and the ECE account database. The providers are consulted in the order listed, and the first one that knows the username decides: a username that exists in your .htpasswd file is checked against that file only, so an entry there with the same name as an ECE account shadows the departmental password for this directory, and only usernames the file does not contain are passed on to the ece provider.

SSLRequireSSL
ErrorDocument 403 /cgi-bin/ssl-redirect

AuthType Basic
AuthBasicProvider file ece
AuthName "ECE or Other Account"
AuthUserFile <path to home directory>/etc/www/priv/.htpasswd
Require valid-user


The All-Important Require Directive

The Require directive is the means by which you can restrict access to your password-protected personal web content to a specific set of users. The following examples should help you understand how the directive can be used.


To restrict access to...                 ... use this Require directive
any authenticated user                   Require valid-user
specific users (e.g., lucaf and robr)    Require user lucaf robr
specific groups (e.g., robotics)         <IfVersion < 2.4>
                                             Require group robotics
                                         </IfVersion>
                                         <IfVersion >= 2.4>
                                             Require unix-group robotics
                                         </IfVersion>

For more information on the Require directive, please see http://httpd.apache.org/docs/2.2/mod/core.html#require (Apache 2.2) and http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require (Apache 2.4).

See Also

Apache 2.2 Documentation: http://httpd.apache.org/docs/2.2/howto/auth.html
Apache 2.4 Documentation: http://httpd.apache.org/docs/2.4/howto/auth.html