Limiting access to your web pages

May 30, 2012 by Sara Nagreen

Occasionally, you might find the need to restrict access to part or all of your website. This can be done in one of three ways: limiting access by computer address, requiring passwords and/or login IDs before your page is accessible, or a combination of the two. There are CGI scripts for password protection (particularly if you want to restrict access to a single document), as well as JavaScript password routines (although we have found big security holes in a few of them). If you don't want to deal with programming, however, you can use .htaccess and .htpasswd. These are two files you create to designate the area (or "realm") you wish to protect, and/or to assign login IDs and passwords for individual students (or one global login ID and password which you could give to all of your students).

To limit by computer address.

1. Log in to your server account by SSH. You will be at the command prompt in your /home directory.

  • PC users: If you don't have an SSH client, you can get one from http://shelf.doit.wisc.edu/securecrt/. You'll need to log in with your netID and fill out a form to download it.
    • Using Secure CRT to connect to your server:
      After it is installed, create a new session. (File, Connect, New Session [third icon from the left]).
      • Name: you can type anything you want.
      • Change the protocol to SSH2.
      • The host name is the name of your server. Examples: german.lss.wisc.edu, frit.lss.wisc.edu, ling.wisc.edu
      • Port should continue to be 22
      • Enter your username. This is whatever your server administrator has told you is your username.
      • Click OK.
    • To connect, just double click on the named session you created. You will be prompted to accept a certificate if this is the first time you connect, and you'll have to type in the password that your server administrator has created for you.
  • Mac OS X users: You have a built-in SSH client. It is called Terminal. You can find it in Applications, Utilities, Terminal. Open it and type this to connect: "ssh <your username>@<servername>". Example: Let's say I have a username of Harold on the IMP server. I might type "ssh harold@imp.lss.wisc.edu" to connect. You will be prompted for your password and may be asked to accept the certificate for that server.

2. Change into the directory you want to restrict.

  • If this is your entire website, you would type cd public_html.
  • If you want to protect a subset of your website, create a directory (mkdir <name of new directory>) under public_html for the documents you want to be protected and then change directory (cd) over to that directory (cd <name of new directory>).
    • For example, if I wanted to limit access to a testing page called test1.html, I would first create a directory to put it in.
      mkdir public_html/tests
      and then move into that directory for the next step:
      cd public_html/tests

3. Create the .htaccess file by typing nano .htaccess. This will open a text editor called "nano" and a new file called ".htaccess". The dot in front of the file name means it will be hidden, which makes it a tad more secure. (Actually, you could call the file anything you wish, .htaccess is simply a convention.)

4. Type the following lines as they appear below, including the spaces and case:

<Limit GET POST PUT>
order deny,allow
deny from all
allow from 144.92. 128.104. 146.151.
</Limit>

Note that there is no space after "deny," in line 2, and there is a space between 144.92. and 128.104. and 146.151. (Be sure to include the trailing dots after these numbers.) The numbers we allowed access from are the UW IP numbers. This will allow access to only UW faculty, staff, or students.

To limit access to just a few computers, type in the IP numbers of those particular computers instead in line 4, for example:

allow from 144.92.165.9 144.92.115.122

(Don't use commas between the numbers, just spaces.)

5. Hit Ctrl-x and then y and then hit <Enter> to exit nano and save the file.

6. Set permissions on your .htaccess file by typing at the prompt chmod 644 .htaccess

To Limit by user and/or password

1. Log onto your <server> account by SSH.

  • PC users: If you don't have an SSH client, you can get one from http://shelf.doit.wisc.edu/securecrt/. You'll need to log in with your netID and fill out a form to download it.
    • Using Secure CRT to connect to your server:
      After it is installed, create a new session.
      (File, Connect, New Session [third icon from the left]).
      • Name: you can type anything you want.
      • Change the protocol to SSH2.
      • The host name is the name of your server. Examples: german.lss.wisc.edu, frit.lss.wisc.edu, ling.wisc.edu
      • Port should continue to be 22
      • Enter your username. This is whatever your server administrator has told you is your username.
      • Click OK.
    • To connect, just double click on the named session you created. You will be prompted to accept a certificate if this is the first time you connect, and you'll have to type in the password that your server administrator has created for you.
  • Mac OS X users: You have a built-in SSH client. It is called Terminal. You can find it in Applications, Utilities, Terminal. Open it and type this to connect: "ssh <your username>@<servername>". Example: Let's say I have a username of Harold on the IMP server. I might type "ssh harold@imp.lss.wisc.edu" to connect. You will be prompted for your password and may be asked to accept the certificate for that server.

2. Create the password file.

  • Type htpasswd -c .htpasswd username (where username is the login name you want someone to use and .htpasswd is the name of the password file to be created)
  • You will be prompted to create a password. For security and legal reasons you should avoid using student ID numbers for IDs or passwords.
  • The -c option is for creating the file initially; subsequent modifications should be done using htpasswd .htpasswd username.

3. Determine the full directory path by typing pwd <Enter> (you will need to type this into the file you create next, so you might want to jot it down).

4. Change into the directory you want to restrict.

  • If this is your entire website, you would type cd public_html.
  • If you want to protect a subdirectory under that, create the subdirectory (mkdir <name of new directory>) and then change directory (cd <name of new directory>) over to it. For example, if I wanted to limit access to a testing page called test1.html, I would first create a directory to put it in (mkdir public_html/tests) and move into that directory for the next step (cd public_html/tests).

5. Create an .htaccess file in the directory to be protected by typing nano .htaccess This will open a text editor called "nano" and a new file called ".htaccess." The dot in front of the file name means it will be hidden, which makes it a tad more secure. (Actually, you could call the file anything you wish, .htaccess is simply a convention.)

6. Type the following lines as they appear below, including spaces and case.

AuthUserFile full-path-to-the-.htpasswd-file/.htpasswd
AuthName name-of-the-protected-directory
AuthGroupFile /dev/null
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>

Full-path-to-the-.htpasswd-file, and name-of-the-protected-directory should be substituted appropriately.

Name-of-the-protected-directory can be substituted with anything you want really (it's what will show up in the title bar of the dialog box asking people for their login ID and password). By convention it is just the directory name.

There should be no space between the path in line 1 and /.htpasswd (or whatever you have called your password file).

"valid-user" is a command that will reference any username listed in the .htpasswd file.

You could, if you wish, restrict it to only one or several names in that file by listing the usernames themselves instead of valid-user (with a space between each) such as: require user karen bruno

7. Hit Ctrl-x and then y and <Enter> to exit nano and save the file.

8. Set permissions on your .htaccess file by typing at the prompt chmod 644 .htaccess

Limiting by address OR user

You can limit access to someone either on the Madison campus OR limit by requiring a valid login ID and password by making use of the "satisfy" directive. This would be useful in situations where you generally want to limit access to campus, but you also want access to your website when you are out of town.

1. Follow the directions above (in "To Limit by User") to create your .htpasswd file.
2. Follow the directions above (in "To limit by computer address") to create your .htaccess file, but substitute the following lines for the <Limit>...</Limit> lines:

order deny,allow
deny from all
allow from 144.92. 128.104. 146.151.
require valid-user
satisfy any

3. Note: there is no space between deny, and allow in the first line.
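
How these five lines combine for a given visitor, as an added example that is not part of the original guide: a simplified shell model (not Apache's own code) that matches the address against the allowed prefixes as written above and then applies "satisfy any" or the default "satisfy all". The function names and the off-campus address 198.51.100.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example: a simplified model of the directives in this section.
# It mirrors "order deny,allow", "deny from all", "allow from <prefixes>",
# "require valid-user" and "satisfy any|all"; it is not Apache's implementation.

ALLOWED_PREFIXES="144.92. 128.104. 146.151."   # campus prefixes from the guide

# host_allowed IP -> success when IP starts with one of the allowed prefixes.
host_allowed() {
    for prefix in $ALLOWED_PREFIXES; do
        case "$1" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1   # nothing matched, so "deny from all" stands
}

# decide IP LOGIN SATISFY -> prints "allow" or "deny"
#   LOGIN   : "valid" when the visitor gave a login found in .htpasswd
#   SATISFY : "any" (address OR login) or "all" (address AND login, the default)
decide() {
    ip=$1; login=$2; satisfy=$3
    host_ok=no; user_ok=no
    host_allowed "$ip" && host_ok=yes
    [ "$login" = "valid" ] && user_ok=yes
    case "$satisfy" in
        any) if [ "$host_ok" = yes ] || [ "$user_ok" = yes ]; then echo allow; else echo deny; fi ;;
        all) if [ "$host_ok" = yes ] && [ "$user_ok" = yes ]; then echo allow; else echo deny; fi ;;
        *)   echo "unknown satisfy value: $satisfy" >&2; return 2 ;;
    esac
}

# Constructed visitors: on campus without a login, off campus with and without one.
for visitor in "144.92.165.9 none" "198.51.100.7 valid" "198.51.100.7 none"; do
    set -- $visitor
    printf '%-14s login=%-5s any=%-5s all=%s\n' "$1" "$2" \
        "$(decide "$1" "$2" any)" "$(decide "$1" "$2" all)"
done
```

The "all" column shows what happens if the "satisfy any" line is left out: a campus address alone is no longer enough, and a valid login from off campus is refused.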

Troubleshooting .htaccess

  • Note that the word "htpasswd" is not "htpassword"
  • There is a space between AuthUserFile and the full path name, but no space between the path and /filename
  • There is a space between "htpasswd" and "-c"
  • Remember that the command to add names to the .htpasswd file is htpasswd .htpasswd username (with no "-c"). If you want to delete names from the file, you can bring the file into the pico editor and delete the line with the user's name.
  • Be sure you use "valid-user" in the .htaccess file or that the usernames you list appear exactly the same as they appear in the .htpasswd file.
  • Check your capitalization in your .htaccess file. It should be <Limit> not <limit>.
  • Make sure your .htaccess file resides in the directory in which you have placed the documents you want to protect.
  • Be sure to set permissions on your .htaccess file using chmod 644 .htaccess
  • Be sure to set permissions on your .htpasswd file using chmod 644 .htpasswd

How safe is it?

The Basic authentication scheme (the one used here) transmits passwords across the Internet unencrypted, so they could be, in theory, intercepted. For this reason (and others) it is not good practice to use student IDs as login IDs or passwords.

That being said, the username and password are as secure as any username/password system, in that end-users should not tell others their password, or write it down, or make it easily guessable. .htpasswd is a plain text file, and even though the passwords in it are encrypted, they are not completely safe against decryption, so the file should reside in your /home directory - not in your /home/public_html directory where it would be accessible to other users on the system.
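
An added example, not part of the original guide: a shell function that checks one protected directory against the troubleshooting list and the advice above about keeping .htpasswd out of public_html. The function names and the sample site it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit one protected directory against the
# guide's checklist. Prints a "WARN:" line per problem; exit status 0 means clean.
mode_is_644() {   # true when the file is rw-r--r--, which is what "chmod 644" sets
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ]
}
warn() { echo "WARN: $*"; problems=$((problems + 1)); }

audit_htaccess() {
    dir=$1; acl="$dir/.htaccess"; problems=0
    [ -f "$acl" ] || { warn "no .htaccess in $dir"; return 1; }
    mode_is_644 "$acl" || warn ".htaccess is not mode 644"
    if grep -q '<limit' "$acl"; then warn "write <Limit>, not <limit>"; fi
    # The password file must be given as a full path and live outside the web tree.
    pwfile=$(awk '$1 == "AuthUserFile" { print $2; exit }' "$acl")
    if [ -n "$pwfile" ]; then
        case "$pwfile" in /*) ;; *) warn "AuthUserFile is not a full path" ;; esac
        case "$pwfile" in */public_html/*) warn "password file is inside public_html" ;; esac
        if [ -f "$pwfile" ]; then
            mode_is_644 "$pwfile" || warn "password file is not mode 644"
            # Names after "require user" must match logins in the password file exactly.
            for name in $(awk '$1 == "require" && $2 == "user" { for (i = 3; i <= NF; i++) print $i }' "$acl"); do
                awk -F: -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$pwfile" ||
                    warn "user '$name' is not in the password file"
            done
        else
            warn "AuthUserFile $pwfile does not exist"
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample with three deliberate problems: .htaccess is mode 600, the
# password file sits under public_html, and "bruno" has no entry in it.
make_sample() {
    site="$1/public_html/tests"; mkdir -p "$site"
    printf 'karen:CONSTRUCTED-HASH\n' > "$site/.htpasswd"
    printf '%s\n' "AuthUserFile $site/.htpasswd" 'AuthName tests' 'AuthType Basic' \
        '<Limit GET POST PUT>' 'require user karen bruno' '</Limit>' > "$site/.htaccess"
    chmod 644 "$site/.htpasswd"; chmod 600 "$site/.htaccess"
}

root=$(mktemp -d); make_sample "$root"
audit_htaccess "$root/public_html/tests" || echo "problems found: $problems"
rm -rf "$root"
```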

Additionally, if you want to use the new Web Initial Sign On (WebISO) system, you can have your students sign on to your website using their netID. This isn't something you can do yourself, but if you want to discuss this as an option for your class website, please contact Bruno Browning at bruno@lss.wisc.edu.

Lastly, if security needs to be really tight, we can set your website to use Secure Sockets Layer. In this technique, we can set your website so that users authenticate securely with a certificate which they are prompted to accept. You may have seen this when accessing secure sites such as online shopping sites or your bank. If you are interested in discussing this, please contact Bruno Browning at bruno@lss.wisc.edu.

More info on .htaccess

For more information on how to set up user authentication, see the NCSA Tutorial at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html or Apache Week's special article at http://www.apacheweek.com/features/userauth

Created by Karen Tusack (karen@lss.wisc.edu)
Updated by Sara Ziemendorf.

Date Last Modified: October 19, 2004
