Limiting Access to WWW Pages
Information on access control for the NCSA HTTPd server software is available from NCSA. Further information is also available from the W3 Consortium . Access to WWW pages can be restricted in two ways:
1. University of Reading only
If you need to restrict access to any of your pages to Reading users, you should use the method described in this section. We describe how to use a simple script to create a link to a centrally maintained file which limits access to the pages.
Since many University of Reading users (students and staff) access pages from off-campus, the method of restricting access as described in section 3 below (by IP number or domain name) will not allow access to these users as they will not be logged onto a computer with a University of Reading address.
To make life easier, we've produced a number of .htaccess files that restrict access to:
- users with Reading usernames only
- computers on the Reading network (i.e. with a IP address located on campus
- Reading users connecting from a computer on campus
- either a Reading computer OR a Reading user
- staff at the University of Reading only
The intention is that, rather than writing your own .htaccess files, you create links to these master ones that are maintained centrally by IT Services. There is a script to do this, called "htacc", that you should run from the directory to which you wish to restrict access. In a tlenet window,typing "htacc" on its own will list the options:
main% htaccUsage: [-r] [<name>]
Specify an access control file name from the list below:
password rdg rdg-and-password rdg-or-password staff
Or, use the '-r' option to remove an existing '.htaccess' file.
For example, to restrict access to all the HTM files in a directory (and all directories below unless another .htaccess file overrides this one) to Reading users wherever they happen to be, use:
main% htacc rdg-or-password
Those using a computer on the Reading network will get straight through to the Web pages. Reading users using computers that are not on the
Reading network will be able to get to the pages once they've entered their Reading username & password.
To remove the access restriction, use:
main% htacc -r
If you restrict access to users whom you wish to provide with your own password, you should use your own .htaccess file as described in the next section.
2. By Password
Information Providers can set up a password file of their own to restrict access. Usernames can be created by anyone with Unix access to the directory where the password file is kept. To create a password file, e.g. in a subdirectory where you want access restricted, run the command
htpasswd -c filename username
where filename is the name of the password file to be created (use an obscure name) and username is a username you make up (not a system username). You are prompted to create a password. The -c option is for creating the file initially; subsequent modifications should be done using
htpasswd filename username
After the password file has been created, create a .htaccess file in the directory to be restricted containing the following:
AuthUserFile full_path_to_password_filename
AuthGroupFile /dev/null
AuthName "Comment that will appear on Authentication window"
AuthType Basic
<Limit GET>
require user username
</Limit>
full_path_to_password_filename and username should be substituted appropriately: i.e. the path is of the form:
/export/www/WebPages/AcaDepts/your_department_code/protected_directory/filename
To find the exact path change to the directory containing the .htaccess file and type
pwd
at the main% prompt.
Global read permissions should be set for both the password file and the .htaccess file using:
chmod a+r filename