By default the web pages you post are viewable by anyone. Sometimes it's useful to restrict access to a smaller audience. This document describes two techniques for limiting access to your web pages. While the processes are similar for many web servers these particular details are only intended for use with web pages on www.acad.carleton.edu (aka Fifi).
The simplest technique is to limit your pages so that they can only be viewed
by computers directly on Carleton's network. This includes all the computers
on the Carleton campus as well as those dialing in to Carleton's modem pool.
It's important to note that students living in private housing off-campus, as
well as many faculty working from home, may be getting internet access
from a provider other than Carleton. This technique will block their access
as well.
The basic approach is to include a single file named .htaccess in the
folder along with the web pages you want to protect. This file contains a few
very particular lines of text. If the text is exactly right, the presence of
the file will block off-campus access to everything else in the folder. Your
computing coordinator should be able to provide you with a copy of the file,
which you can simply move into the appropriate directory. Once
you've got a copy of the .htaccess file you can duplicate it and reuse
it whenever you create a new web folder that needs to be protected from off-campus
access.
For reference the particular lines of text are:
AuthName "Carleton Only Web Pages"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 137.22.
</Limit>
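To show how Apache evaluates those rules, here is an added example (not code from the page or from Carleton's servers) that parses the block above, treats "137.22." as the first two octets of the client address, and applies the Order deny,allow logic to a few sample client addresses. The configuration text is the one above, embedded as constructed input.

```python
import ipaddress

# The Carleton-only .htaccess from the page, used here as constructed input.
CARLETON_ONLY = """\
AuthName "Carleton Only Web Pages"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 137.22.
</Limit>
"""


def parse_limit(text):
    """Return (order, [(verb, host), ...]) from the <Limit> block."""
    order, rules, inside = "deny,allow", [], False
    for line in text.splitlines():
        words = line.strip().lower().split() or [""]
        if words[0].startswith("<limit"):
            inside = True
        elif words[0] == "</limit>":
            inside = False
        elif inside and words[0] == "order":
            order = words[1]
        elif inside and words[0] in ("deny", "allow") and words[1:2] == ["from"]:
            rules.extend((words[0], host) for host in words[2:])
    return order, rules


def host_matches(pattern, client_ip):
    """'all', or a partial dotted address compared octet by octet, so
    '137.22.' covers 137.22.x.x but not 137.220.x.x (a string prefix would)."""
    if pattern == "all":
        return True
    wanted = [int(o) for o in pattern.rstrip(".").split(".")]
    octets = [int(o) for o in str(ipaddress.IPv4Address(client_ip)).split(".")]
    return octets[:len(wanted)] == wanted


def access_allowed(config, client_ip):
    """Order deny,allow: everyone is allowed unless denied, and a matching
    Allow overrides the Deny; allow,deny is the reverse. This is why
    'deny from all' is essential here: without it every client gets in."""
    order, rules = parse_limit(config)
    denied = any(v == "deny" and host_matches(h, client_ip) for v, h in rules)
    allowed = any(v == "allow" and host_matches(h, client_ip) for v, h in rules)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied
```

Because the directives sit inside <Limit GET POST>, Apache applies them only to those request methods; the example evaluates the rules themselves and does not model that scoping.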
You can test to make sure the security is in place by trying to visit the pages
from a machine off-campus. Of course this is often inconvenient. An alternative
if you're on-campus but want to see the result as if you were off-campus is
to go to <http://www.anonymizer.com>.
From this site you can enter the web address of your pages and view them as
if you were coming from off-campus. Hopefully the protected pages will not be
visible. If they are, you'll want to get in touch with your computing coordinator
for help in diagnosing the problem.
Sometimes limiting pages to a Carleton-only audience is not appropriate. You
may want to restrict viewing to a smaller group of people. Or some of the intended
viewers may be off-campus. Password protecting web pages is significantly more
complex than restricting them to Carleton-only access. So you may want to enlist
the help of your computing coordinator if you think password-protecting is a
tool you'd like to use.
Here is an example procedure that would require viewers to enter a particular
username and password to view web pages in a particular folder. If the username
and password were known only to students in a particular class only they would
be able to view the pages. Note that currently there is no way to use existing
usernames and passwords (e.g. from the email system) in conjunction with web
pages. You'll need to make up a new username and password for the particular
web pages.
1. Create a new folder within the folder that contains the web pages you want
to protect. We'll call this folder noaccess (though the exact name isn't
important).
2. Within this folder we need to create two files. One will be called .htaccess
and will be identical to the "Carleton-only" file except it will not have
the line that starts with "allow from...". As a result the contents
of this folder won't be viewable from the web anywhere (though you'll be able
to see it directly on Fifi).
3. The second file in this noaccess directory will be called htpassword
and will contain the username and password (in encrypted form) that will protect
the directory above (which contains the web pages of interest). The single line
in this file will look something like this:
bus101:30z8HRF/X1iHQ
This line is the username (bus101 in this example), followed by a colon and
then a bunch of seemingly random characters which are actually an encrypted
form of the password. Though the password is encrypted, it's not hard to break
the encryption, which is why the noaccess directory shouldn't be accessible
from the web at all; hence step two.
There are a number of ways to create the contents of the htpassword file.
The simplest is to visit a site like <http://cobalt.golden.net/generator/>.
Here you can enter the username and password you'd like to use and it will automatically
generate the appropriate line for your htpassword file.
4. Create another file called .htaccess. This one should be in the folder with
the web pages to be protected. This should be a plain text file containing the
following lines:
AuthUserFile /curricular/BUS/courses/bus101/private/noaccess/htpassword
AuthName "Business 101 private files"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
The first line, which you should modify to fit your situation, contains the
complete path to the htpassword file. In this example the private
folder is the password-protected one. It contains the noaccess folder
where the username and encrypted password sit in the htpassword file.
The second line just gives the text that will appear in the login box when the
viewer is prompted for username and password. Obviously this should be changed
to something more appropriate.
That's it. If everything is set up correctly, viewers who enter the address of the
protected pages (or click a link that points at them) will be prompted for the
username and password you've hidden away in the htpassword file. If they can
provide them correctly they'll be able to view the pages. If not, they just get
a message saying that they have been denied access.
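The login flow just described, as an added example that is not code from the page or from the Fifi server: it builds an htpassword entry, loads the file, decodes the Basic credentials a browser sends after the login box, and emulates "require valid-user". The entry is written in the {SHA} form that Apache's htpasswd -s produces rather than the crypt() form of the sample line above; the username and password are constructed.

```python
import base64
import hashlib
import hmac

def make_entry(username, password):
    """One htpassword line in the {SHA} form htpasswd -s writes: base64 of
    the raw SHA-1 of the password (the page's sample line uses crypt())."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    return username + ":{SHA}" + _sha_b64(password)

def _sha_b64(password):
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def load_htpassword(text):
    """Parse AuthUserFile contents into {username: stored_hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def password_matches(stored, password):
    """Constant-time check of a password against a {SHA} entry."""
    if not stored.startswith("{SHA}"):
        return False  # other hash formats are not handled in this example
    return hmac.compare_digest(stored[len("{SHA}"):], _sha_b64(password))

def check_basic_auth(authorization, users):
    """Emulate 'require valid-user': return the username when the
    Authorization header carries valid Basic credentials, else None."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")
    stored = users.get(user) if sep else None
    if stored is None or not password_matches(stored, password):
        return None
    return user

def basic_header(user, password):
    """What the browser sends after the login box: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample file with one user, laid out as in step 3.
USERS = load_htpassword(make_entry("bus101", "constructed-example-pw") + "\n")
```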
Sean Fox (sfox@carleton.edu) Sept 1, 2001