Restricting Access to Webpages with .htaccess

You can restrict access to directories in your personal web space by creating a .htaccess file in the same directory. Whenever someone requests a file, the web server first looks in that directory and all others above it for files called .htaccess and applies the directives specified.

Prerequisite: Unix permissions

The web server must be able to read the .htaccess files, as well as any files you want it to serve, so you must allow read permission for everyone (and "execute" permission on directories). For example:

chmod 751 sample-directory/
chmod 644 sample-directory/.htaccess
chmod 644 sample-directory/index.html

  Warning: This means any user with a Maths account can access the files directly on the filesystem (if they know/guess the filename or directory listings are allowed), potentially bypassing restrictions configured in .htaccess. For sensitive files, we recommend using Nextcloud, SharePoint or OneDrive instead.

If the web server cannot read the .htaccess file in a directory, it will refuse to give anyone access to files in that directory (with the error message "Server unable to read htaccess file, denying access to be safe").
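
The following shell function audits a directory against the permission requirements above. It is an added example, not part of the original page or the Institute's own tooling; the function names are hypothetical, and it assumes the web server reads your files through the "other" permission bits, as the chmod example implies.

```shell
#!/bin/sh
# Added example. Assumption: the web server reads your files as "other".

# Print the three "other" mode characters of PATH, e.g. "r--" or "--x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Audit DIR; print findings and return 1 if any ERROR was found, else 0.
check_web_perms() {
    dir=$1
    errors=0
    bits=$(other_bits "$dir")

    case $bits in
        ??x|??t) ;;
        *) echo "ERROR: $dir: no o+x, web server cannot enter the directory"
           errors=1 ;;
    esac
    case $bits in
        r??) echo "WARN: $dir: o+r lets other local users list filenames" ;;
    esac
    case $bits in
        ?w?) echo "ERROR: $dir: o+w set, directory must not be writable by others"
             errors=1 ;;
    esac

    for f in "$dir/.htaccess" "$dir/.htpasswd"; do
        [ -f "$f" ] || continue
        bits=$(other_bits "$f")
        case $bits in
            r??) ;;
            *) echo "ERROR: $f: no o+r, web server cannot read it"
               errors=1 ;;
        esac
        case $bits in
            ?w?) echo "ERROR: $f: o+w set, other users could rewrite the access rules"
                 errors=1 ;;
        esac
    done

    if [ ! -f "$dir/.htaccess" ]; then
        echo "WARN: $dir: no .htaccess here; only rules from parent directories apply"
    fi
    return $errors
}

# Usage: check_web_perms sample-directory/
```

A directory set to 751 with .htaccess at 644 produces no output; a WARN line does not change the return status.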

Restricting access to Mathematical Institute users

Any user

AuthType Mellon
MellonEnable auth

Specific users

AuthType Mellon
MellonEnable auth
MellonRequire uid username1 username2

Specific user groups

AuthType Mellon
MellonEnable auth
MellonRequire groups group1 group2

Group membership is managed by IT Support.

Specific user statuses

AuthType Mellon
MellonEnable auth
MellonRequire miStatus mi-staff faculty postdoc

This would restrict access to people with status Support Staff (mi-staff), Permanent Faculty (faculty) or Postdoctoral Research Associate (postdoc). Contact IT Support if you need an up-to-date list of statuses.

Mixed users/groups/statuses

The MellonCond directive allows more flexibility than MellonRequire, so you can mix users/groups/statuses as needed, but the syntax is more verbose:

AuthType Mellon
MellonEnable auth
MellonCond groups group1 [OR]
MellonCond groups group2 [OR]
MellonCond miStatus mi-staff [OR]
MellonCond miStatus faculty [OR]
MellonCond miStatus postdoc [OR]
MellonCond uid username1 [OR]
MellonCond uid username2

Restricting access with custom usernames & passwords

First, create a file to hold the usernames and (hashed) passwords. It can be in the directory you are protecting, or any other directory that is accessible by the web server:

cd sample-directory/
htpasswd -c .htpasswd username1

Enter the password when prompted. Do not use people's normal MI account passwords!

To add another user, or change an existing user's password:

htpasswd .htpasswd username2

Then add the following to .htaccess:

AuthName "My restricted area"
AuthType Basic
AuthUserFile /local/www/htdocs/people/myusername/sample-directory/.htpasswd
Require valid-user

Replace myusername with your username, and sample-directory with the directory name (relative to ~/public_html/).

Related links

Apache web server documentation

  • <Files> or <FilesMatch> can be used to limit access to specific files, rather than whole directories

Last updated on 14 Apr 2025, 9:50am.