Restricting Access to Webpages with .htaccess

When a computer somewhere in the world asks the webserver for a document in a particular directory, the webserver first looks in that directory and all others above it in the directory hierarchy for files called .htaccess. These files tell the webserver whether a particular computer/user is allowed to have the webpage it wants. Note that .htaccess does not protect individual pages, but whole directories and all of their subdirectories.

For things to go smoothly, the webserver must be able to read the .htaccess files, so you must allow read permissions for everyone on them. If the webserver cannot read the .htaccess in a directory, then it may refuse to give out anything in that directory to anyone.

Restricting access to certain machines

An example of such a file which restricts access to machines inside the maths domain would be

<Limit GET>
order deny,allow
deny from all
allow from .maths.ox.ac.uk
allow from .maths
</Limit>

Restricting access to certain users

Note that when making such a user-based restriction, the pages should only be accessed via a secure https connection. One can force https with suitable options in the .htaccess file, e.g.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} myrestricteddir
RewriteRule ^(.*)$ https://www2.maths.ox.ac.uk/mydir/myrestricteddir/$1 [R,L]

would ensure any access to the myrestricteddir section of the site would be redirected to use https.

Via Mathematical Institute usernames and passwords

Since this approach uses the person's Institute password, you should ensure they always access the material via an https URL so that the connection is encrypted!

To restrict access to a set of users who have Mathematical Institute accounts you just need to create a .htaccess file, within the directory that is to be restricted, with contents of the form:

Restricting to a specified list of users

AuthName "My restricted area"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.maths.ox.ac.uk/ou=people,ou=current,dc=maths,dc=ox,dc=ac,dc=uk TLS
require ldap-user list_of_usernames

where you replace list_of_usernames with a space-separated list of the usernames you wish to have access.

Note that if you simply want to restrict access to valid users on the maths system, then instead of the require ldap-user line use

AuthzLDAPAuthoritative off
require valid-user

Restricting to a specified group of users

AuthName "My restricted area"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.maths.ox.ac.uk/ou=people,ou=current,dc=maths,dc=ox,dc=ac,dc=uk TLS
require ldap-filter |(miStatus=mi-staff)(miStatus=faculty)(miStatus=postdoc)

would restrict access to people with accounts with status Support Staff, Permanent Faculty or Research Staff.

If you want to restrict access to people who are in a specific system group then an example is

AuthName "My Restricted Area"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.maths.ox.ac.uk/ou=current,dc=maths,dc=ox,dc=ac,dc=uk?uid?sub TLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=system_group_name,ou=group,ou=current,dc=maths,dc=ox,dc=ac,dc=uk

Via custom usernames and passwords

To do this you first need to create a file containing usernames and passwords for the people you want to access the pages (do not use people's normal computer account passwords!). You create and maintain this file with the htpasswd command.

The first time, you use it as follows

htpasswd -c my_htpasswd_file first_username

The -c option tells it to create the password file called my_htpasswd_file and then to add a user with username first_username. The command will then prompt you to enter the user's password, which it will encrypt and add to the file.

For all subsequent use the password file already exists so you omit the -c option, e.g.

htpasswd my_htpasswd_file another_username

You can add users as and when necessary or change their password by repeating the command above.

Having created the password file you now put a .htaccess file in the directory you wish to be password access restricted. An example .htaccess file would be

AuthName "My Password Controlled Directory"
AuthType Basic
AuthUserFile /path/to/password/file

require valid-user

The password file must be placed somewhere that the web server can read. One possibility would be somewhere in your public_html directory, but this means someone could download the password file and attempt to crack the passwords in it. Another possible location is in your home directory (or a subdirectory thereof). By default, however, home directories are initially created so only the user can access them. So if you place the password file in your home directory you need to change the permissions on your account to allow others access. You could do this with

chmod 711 ~/

This allows other users to read files but not to get a file listing. As such someone could only read a file in your account if they could first guess its name. You may wish to further set the permissions on the top level directories within your account so that no one else can access them at all. You could do this with

chmod 700 directoryname

Note by changing the permission on a directory you protect it and all its contents and subdirectories. For further info on permissions see the page on Setting File and Directory Permissions.
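The checks below are an added example, not part of the original page: a POSIX shell function that audits one protected directory against the advice above (world-readable .htaccess, password file outside the web root, traversable directories up to the home directory, https redirect alongside Basic auth). The function names, the three arguments and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit one password-protected
# directory. Arguments are caller-supplied; nothing here is site-specific.

# other_bit PATH POS: one char of the ls mode string (8 = other-read, 10 = other-execute)
other_bit() { ls -ld -- "$1" | cut -c"$2"; }

note() { findings="${findings}$1
"; }

# audit_htaccess PROTECTED_DIR WEB_ROOT HOME_DIR
# Prints "OK" and returns 0, or prints one finding per line and returns 1.
audit_htaccess() {
    ht="$1/.htaccess"; webroot=$2; home=$3; findings=""
    [ -f "$ht" ] || { echo "MISSING: $ht"; return 1; }

    # The web server has to be able to read .htaccess itself.
    [ "$(other_bit "$ht" 8)" = r ] || note "UNREADABLE: $ht"

    # First AuthUserFile argument (assumes an unquoted path without spaces).
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
    if [ -n "$pw" ] && [ ! -f "$pw" ]; then
        note "MISSING: $pw"
    elif [ -n "$pw" ]; then
        # A password file under the web root can be downloaded and cracked.
        case "$pw" in "$webroot"/*) note "EXPOSED: $pw is under $webroot" ;; esac
        [ "$(other_bit "$pw" 8)" = r ] || note "UNREADABLE: $pw"
        # Each directory from the file up to HOME_DIR needs other-execute,
        # which is what chmod 711 grants ("t" is execute plus sticky bit).
        d=$(dirname "$pw")
        while [ "$d" != / ]; do
            case "$d" in "$home"|"$home"/*) ;; *) break ;; esac
            case "$(other_bit "$d" 10)" in x|t) ;; *) note "BLOCKED: $d" ;; esac
            d=$(dirname "$d")
        done
    fi

    # Basic auth needs https; look for a redirect in this same file.
    if grep -qi '^[[:space:]]*AuthType[[:space:]][[:space:]]*Basic' "$ht" &&
       ! grep -qi '^[[:space:]]*RewriteRule.*https://' "$ht"; then
        note "PLAINTEXT: $ht uses Basic auth without an https redirect"
    fi

    [ -z "$findings" ] || { printf '%s' "$findings"; return 1; }
    echo OK
}
```

A BLOCKED finding on a directory you deliberately set to 700 means the password file has to move; a PLAINTEXT finding can be ignored if the https redirect lives in a parent directory's .htaccess.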


Other relevant help topics

See help with website security for an overview of the security issues associated with your webpages.

Last updated on 25 Mar 2022, 3:43pm.