Limiting Access to a Web Page

The Internet is a wonderful way to disseminate information broadly, but every now and then it is a bit too broad. This document will discuss how to limit access to a web page on the SSCC's web server.

Please note that this process requires you to log into one of the SSCC's Linux servers. If you're not familiar with Linux, please contact the SSCC Help Desk and we'll be happy to do it for you.

Security is actually set for directories, not individual web pages. Of course you could set up a separate directory for each page if you so desired. When the web server receives a request to view a web page, the server will first see if there is a file called .htaccess in the same directory. If there is, this file determines what kind of access the server will give.

Setting up a Single Username and Password

In many cases it will be enough to have a single user name and password that many people can share. For example, you could give an entire class one user name and password to access the course web site.

Creating the .htaccess File

The first step is to create the .htaccess file. It must contain the following text:

AuthUserFile {full path name to page(s) to be protected}/.htpasswd
AuthName "{description of the protected pages}"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

You can download a template of this .htaccess file (if your browser opens it rather than saving it when you click on the link, right-click instead and select Save Target As or Save Link As). Place this template in the directory you want to protect and then rename it .htaccess. Open it in your favorite editor and replace everything in curly brackets {} with what applies to your site. For example, if I wanted to protect the pages for an Econ 101 class that were in a directory called econ101 in my web site, the .htaccess file would look like this:

AuthUserFile /home/r/rdimond/PUBLIC_web/econ101/.htpasswd
AuthName "Econ 101 web site"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

(Note that if you copy this example you need to change /home/r/rdimond to /home/{first letter of your username}/{your username}.)

As another example, if I wanted to protect the pages for a Soc 101 class that were in a directory called soc101 in Sociology's web site, the .htaccess file would look like this:

AuthUserFile /usr/global/web/soc/class/soc101/.htpasswd
AuthName "Soc 101 web site"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

Setting the Username and Password

Once the .htaccess file is created, you need to set the username and password. Log in to Linux (if you haven't already) and make sure the current directory is the one you want to protect. Then type

/usr/bin/htpasswd -c .htpasswd username

where username should be replaced by the username you want to give the users of the web page. You will be prompted to enter and confirm a password. This will create a file called .htpasswd. The .htaccess file tells the server to allow people to view the pages in this directory only if they enter a username and password combination that appears in .htpasswd.

Note that if you open .htpasswd, it lists the valid usernames, but the passwords are encrypted, so you cannot read them back. If you forget the password you chose, you will have to create it again.
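To make the two files concrete, here is an added example in Python (not SSCC code, and not how the web server itself is written) that models what "AuthType Basic" with "require valid-user" does with a .htpasswd file: the first request gets a 401 challenge whose realm is the AuthName, the browser then sends an Authorization header, and the server re-hashes the supplied password and compares it with the stored entry. It assumes .htpasswd entries in the {SHA} format that "htpasswd -s" writes; the username econ101 and the password "password" in the sample file are constructed for the example.

```python
"""Model of the Basic-authentication check behind an .htaccess 'require valid-user' rule.
Added illustration only; it is not the Apache implementation or SSCC's tooling."""
import base64
import hashlib
import hmac

# Constructed sample .htpasswd, as 'htpasswd -s' (SHA-1 format) would write it.
# The entry for user "econ101" holds the hash of the constructed password "password".
SAMPLE_HTPASSWD = """\
econ101:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
# comment lines and blank lines are ignored

"""


def parse_htpasswd(text):
    """Return {username: stored_hash} from the contents of a .htpasswd file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def sha1_htpasswd_hash(password):
    """The '{SHA}' encoding used by htpasswd -s: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_credentials(user, password, entries):
    """True only if the user exists and the password re-hashes to the stored value.
    Only {SHA} entries are understood here; any other format is rejected."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    # constant-time comparison so a mismatch does not leak where the strings differ
    return hmac.compare_digest(stored, sha1_htpasswd_hash(password))


def build_authorization_header(user, password):
    """What the browser sends after the user fills in the password dialog.
    Note the credentials are only base64-encoded, not encrypted."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization_header(value):
    """Server side of the same header; returns (user, password) or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle_request(headers, htpasswd_text, auth_name):
    """Decide the way 'AuthType Basic' + 'require valid-user' would.
    Returns (status, response_header); a 401 carries the challenge built from AuthName."""
    challenge = f'WWW-Authenticate: Basic realm="{auth_name}"'
    entries = parse_htpasswd(htpasswd_text)
    creds = parse_authorization_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    user, password = creds
    if check_credentials(user, password, entries):
        return 200, ""
    return 401, challenge


if __name__ == "__main__":
    # First request: no credentials, so the server replies with the challenge.
    print(handle_request({}, SAMPLE_HTPASSWD, "Econ 101 web site"))
    # Second request: the browser re-sends with the Authorization header.
    hdr = build_authorization_header("econ101", "password")
    print(hdr, parse_authorization_header(hdr))
    print(handle_request({"Authorization": hdr}, SAMPLE_HTPASSWD, "Econ 101 web site"))
```

Two points the model makes visible: anyone who can read the Authorization header on the wire can decode it back to the username and password with nothing more than base64, which is the "sent in plain text" caveat below; and the check here applies to every request, whereas the .htaccess shown on this page only enforces it for the methods named in the <Limit GET POST> block, so putting "require valid-user" outside any <Limit> block protects the directory regardless of request method.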

Creating Multiple Usernames

If you want more than one username, there is a simple program that automates the entire process. Of course the price of automation is lack of flexibility; in particular you cannot choose the usernames and passwords. In the directory you want protected simply type

mkhtpass n

where n is the number of separate usernames you desire. The program will then prompt you to enter a description of the site. It will create the .htaccess and .htpasswd files, along with a file called password.txt. This contains the usernames and passwords in plain text (so you will want to delete it or move it to a non-public location). Note that the usernames are simply numbers: 00001, 00002 etc., and the passwords are completely random.

Limiting Access by Domain

One easy way to limit access is by domain. For example, you could allow access only to those who are currently in the wisc.edu domain. Thus anyone using a University computer or dialing in to DoIT's modem pool would be able to access your web pages. Keep in mind that anyone using a different Internet Service Provider would not be able to access them, so this may not be ideal for a course web site. As before you need to have a .htaccess file, but this time it just needs to contain:

allow from wisc.edu
deny from all

No .htpasswd file is needed. You could replace wisc.edu with any other domain (even ssc.wisc.edu), but keep in mind that this kind of restriction depends on where the user is, not who they are (for example someone dialing in to DoIT's modem pool from home is not in the ssc.wisc.edu domain even if they have an SSCC account). Here is a template for this kind of access.
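The following is an added Python example (not SSCC code and not the web server's own implementation) that evaluates "Allow from" / "Deny from" rules the way the domain-based .htaccess above is interpreted, so you can see exactly who gets in. It makes the Order line explicit; the two-line file on this page omits it and relies on the server's default of deny,allow, which is what the example assumes. It also assumes the server has already reverse-resolved the client's address to a verified hostname, and all hostnames and addresses used below are constructed.

```python
"""Evaluate host-based access rules (Order / Allow from / Deny from) as used in the
domain-limiting .htaccess example. Added illustration, not the server's own code."""

# Constructed .htaccess in the same form as the page's, with the Order line made explicit
# (deny,allow is also what the server assumes when the line is omitted).
SAMPLE_HTACCESS = """\
Order deny,allow
Allow from wisc.edu
Deny from all
"""


def parse_rules(text):
    """Return (order, allow_patterns, deny_patterns) from .htaccess lines."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            target = allow if directive == "allow" else deny
            target.extend(p.lower() for p in parts[2:])
    return order, allow, deny


def matches(pattern, client_host, client_ip):
    """Test one 'from' argument against a client.
    'all' matches everyone; a dotted-number prefix matches the address octet by octet;
    a name matches the client's (reverse-resolved) hostname exactly or as whole trailing
    labels, so 'wisc.edu' matches 'lab.ssc.wisc.edu' but not 'notwisc.edu'."""
    if pattern == "all":
        return True
    if pattern.replace(".", "").isdigit():
        octets = pattern.rstrip(".").split(".")
        return client_ip.split(".")[: len(octets)] == octets
    host = client_host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern or host.endswith("." + pattern)


def is_allowed(rules, client_host, client_ip):
    """Apply the Order semantics: deny,allow lets Allow override Deny (the default);
    allow,deny admits only clients that match an Allow and no Deny."""
    order, allow, deny = rules
    in_allow = any(matches(p, client_host, client_ip) for p in allow)
    in_deny = any(matches(p, client_host, client_ip) for p in deny)
    if order == "allow,deny":
        return in_allow and not in_deny
    return not in_deny or in_allow


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HTACCESS)
    for host, ip in [("lab.ssc.wisc.edu", "128.104.1.10"),
                     ("dsl-42.isp.example", "203.0.113.7"),
                     ("notwisc.edu", "203.0.113.8")]:
        print(host, "allowed" if is_allowed(rules, host, ip) else "denied")
```

Running it shows the point the text makes about location versus identity: with "Allow from ssc.wisc.edu" a machine named dialup.doit.wisc.edu is denied no matter who is sitting at it, while any host under ssc.wisc.edu is admitted. It also shows why the order matters: the same "Allow from ..." plus "Deny from all" under "Order allow,deny" denies everyone, because "all" matches the allowed clients too.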

Caveats

The steps described here are simple and fairly effective, but not state of the art. In particular, the user names and passwords are sent in plain text, and in principle could be intercepted and read. Thus it would be wise to use a different user name and password for web pages than for your SSCC account or any other account. In addition, this would not be appropriate for highly sensitive data, which probably does not belong on the web, period.

Last Revised: 2/1/2008