How To Password Protect Personal Web Content
You already know How To Publish Personal Web Content, but you want to restrict web surfers' access to certain pages. This can be accomplished by requiring users to authenticate with the web server to access these password-protected pages.
The HTTP protocol has the ability to prompt a user for a username and password. You can require users to enter the username/password of their departmental account or check the username/password against your own password file.
Unfortunately, the HTTP authentication mechanism transmits this information unencrypted. Therefore you must enforce the use of HTTPS (HTTP+SSL) to protect the username/password between the web surfer's browser and the departmental web server, as instructed below.
Syntax Changes in Apache 2.2
In version 2.2 of the Apache webserver, the syntax for configuring password protection changed. Although the new syntax is more logical and flexible, it is not backwards-compatible.
Currently, ECE course websites, research group websites, and personal websites are running on Apache 2.2. (Personal websites were upgraded March 27, 2008. If you encounter Internal Server Errors when accessing password-protected content in your personal website, you will need to update your configuration.)
First you need to set up an area in your document tree that you wish to make private. These instructions follow the convention that the ~/etc/www/priv/ directory is the one containing the password-protected content, but it could be any directory within the ~/etc/www/ document tree.
|File or Directory||Minimum Filesystem Permissions||Comment|
|~/||rwx--x--x (chmod a+x)||Your home directory|
|~/etc/||rwx--x--x (chmod a+x)||Your etc directory|
|~/etc/www/||rwx--x--x (chmod a+x)||Your document root|
|~/etc/www/index.html||rw-r--r-- (chmod a+r)||Your public home page|
|~/etc/www/public.html||rw-r--r-- (chmod a+r)||Another public document|
|~/etc/www/priv/||rwx--x--x (chmod a+x)||Directory for password-protected files|
|~/etc/www/priv/protected.html||rw-r--r-- (chmod a+r)||A password-protected document|
|~/etc/www/priv/.htaccess||rw-r--r-- (chmod a+r)||Apache config file|
|~/etc/www/priv/.htpasswd||rw-r--r-- (chmod a+r)||Apache file for \AuthUserFile|
|~/etc/www/priv/.htgroup||rw-r--r-- (chmod a+r)||Apache file for \AuthGroupFile|
All of these files need to have world-readable filesystem permissions (chmod a+r) and all of these directories need to be marked world-executable (chmod a+x) to allow the webserver to access them.
The key to getting this setup to work is the .htaccess file in the priv directory. There are three basic variations for this file:
Variation 1: Authenticate Departmental Users Only
Use the following .htaccess file:
# Force the use of SSL... SSLRequireSSL # ... and redirect non-SSL requests to the corresponding HTTPS URL ErrorDocument 403 /cgi-bin/ssl-redirect # Use HTTP Basic Authentication AuthType Basic # Validate usernames/passwords against the ECE account database AuthBasicProvider ece # The AuthName is incorporated in the username/password prompt AuthName "ECE Account" # Allow any authenticated user Require valid-user
You can restrict access to specific ECE users and groups by changing the Require valid-user line. For more information, see The All-Important Require Directive below.
Variation 2: Authenticate Non-Departmental Users Only
With this .htaccess configuration, only users listed in your .htpasswd file may access the private pages. To create and manage your .htpasswd file, use the htpasswd utility.
SSLRequireSSL ErrorDocument 403 /cgi-bin/ssl-redirect AuthType Basic AuthBasicProvider file AuthUserFile <path to home directory>/etc/www/priv/.htpasswd AuthName "my private page" Require valid-user
The AuthBasicProvider file line may be omitted.
Please ensure that value for <path to home directory> that you use is identical to that reported by the command getent passwd username. It must be a full path (starting with /ubc/ece/home/... or /usr/home/...); ~username will not work.
Variation 3: Authenticate Non-Departmental and Departmental Users
With this .htaccess configuration, the webserver will authenticate the user against both your .htpasswd file and the ECE account database.
SSLRequireSSL ErrorDocument 403 /cgi-bin/ssl-redirect AuthType Basic AuthBasicProvider file ece AuthName "ECE or Other Account" AuthUserFile <path to home directory>/etc/www/priv/.htpasswd Require valid-user
The All-Important Require Directive
The Require directive is the means by which you can restrict access to your password-protected personal web content to a specific set of users. The following table of examples should help to understand how the directive can be used.
|To restrict access to...||... use this Require directive|
|any authenticated user||Require valid-user|
|specific users (e.g., lucaf and robr)||Require user lucaf robr|
|specific groups (e.g., robotics)||Require group robotics|
For more information on the Require directives, please see http://httpd.apache.org/docs/2.2/mod/core.html#require .