Password protect your Web site with .htaccess

  1. Why limit access to a Web site?
  2. Limiting access with a password
  3. What to do to limit access
  4. How to create the login/password pair
  5. Where to put the authorization file
  6. Where to put the .htaccess file
  7. What text is in the .htaccess file?
  8. What are the basic directives?
  New: We now offer a barebones utility for creating simple htaccess restrictions for username/password pairs or restricting to virginia.edu. Check out mkhtaccess!

Why limit access to a Web site?

If all the pages at a Web site pertain to a select group of people - for example, a society with restricted membership - the provider might limit access to members so that the information is kept private.  Another person might have two or more categories of information with different audiences.  Someone else might have general information plus additional subsets of information intended only for specific groups.  The general information would be open to all visitors, but only specific persons would be allowed to view the subset(s) meant for those groups.


 

Limiting access with a password

The "password" must be recognizable as a string of characters. Generally the password has an associated "login".  For example, I might want to know if you are a member of one of my clubs and know the password for it, or I might want to know who you are as well as have your password, or I might allow anyone from a machine whose address ends in "virginia.edu" to enter, in which case the person's IP address could act as the "login".


What to do to limit access

There are at least two steps required to "lock" files from access by the general visitor to your Web site.  The first step is to set up a login/password pair that will act as a key to the restricted set of files.  The second step is to create a file called ".htaccess" - that is "dot-htaccess" - and position it properly so that it can police your visitors.


How to create the login/password pair

Here, you must know enough about the UNIX operating system that you can give UNIX commands and move around the file system.  The examples here are about as simply structured as possible, but nonetheless this step cannot (yet) be carried out in any way other than by logging onto the computer that holds your Web pages.  The command to create the login/password pair is htpasswd and has two different forms: one for creating the file that will hold the encrypted entries, and the other for adding additional pairs once the file exists.  To create an authorization file named ".htpasswd" with a login for "friend", you type something similar to this:

htpasswd  -c  .htpasswd  friend    <Return or Enter>

The computer will ask you for a password that will then be paired with the login "friend".  To create another pair, let's say for those on your swim team, whether immediately or at some later date, use a command similar to this:

htpasswd  .htpasswd  swimmer    <Return or Enter>

You will be similarly asked for a password that will be paired with the login "swimmer".

The login/password combinations are encrypted so they will not be useful to someone who might get a look at the file.  It is up to you to remember the passwords - the file is of no help.  In this example, the login/password pairs were friend/mybuddy and swimmer/frog. Use the command  more .htpasswd  to see the contents of the file.  You should see the logins, friend and swimmer, each followed by a colon (:) and some nonsense string of characters similar to this:

/home/user_id $ more .htpasswd
friend:TcXq6Zlx7LdjA
swimmer:Ds3qzf.sE4igw



Where to put the authorization file

It is best not to have the file in the public_html directory with your Web pages - that directory is wide open from a security standpoint.  At least put the authorization file at the same level in your UNIX account's tree as the public_html directory.  For most users, this will be at the login directory level with a location similar to "/home/user_id", where user_id is the owner's user_id, as in the above example.


Where to put the .htaccess file

In the simplest case, when your entire Web site is to be password-protected, put the .htaccess file in the public_html directory.  A listing of the home directory would probably show these files and directories along with many others:

/home/user_id $ ls
    .........    .........   ..........
.htpasswd          public_html

/home/user_id $ cd public_html
/home/user_id/public_html $ ls -a
   4 drwxr-xr-x   2 user_id   usr   4096 Oct 11 1998  ./
   8 drwxr-xr-x   3 user_id   usr   8192 Jun 28 12:02 ../
   4 -rw-r--r--   1 user_id   usr    135 Jun 28 12:01 .htaccess
   4 -rwxr-xr-x   1 user_id   usr   2438 Jun 10 1998  home.html*
   4 -rwxr-xr-x   1 user_id   usr    483 Jun 10 1998  test.cgi*

A second, differently constructed example that has protected subdirectories for our friends and swimmers might look something like this:

/home/user_id/public_html $ ls -a
  4 drwxr-xr-x   2 user_id   usr   4096 Jun  7 13:12  ./
  8 drwxr-xr-x   3 user_id   usr   8192 Jun 28 12:02 ../
  4 -rwxr--r--   1 user_id   usr   2438 Jun 10 1998  home.html
  4 drwxr-xr-x   2 user_id   usr   4096 Jun  7 13:12 pals/
  4 drwxr-xr-x   2 user_id   usr   4096 May 14 16:35 swimteam/
  4 -rwxr-xr-x   1 user_id   usr    483 Jun 10 1998  test.cgi*

Note that there is no .htaccess file at the public_html level.  Any visitor can use or view the files "home.html" and "test.cgi".  The .htaccess files are now going to be in their respective subdirectories, whose listings might appear thus:

/home/user_id/public_html $ cd pals
/home/user_id/public_html/pals $ ls -a
  4 drwxr-xr-x   2 user_id   usr   4096 Jun  7 13:12 ./
  8 drwxr-xr-x   3 user_id   usr   8192 Jun 28 12:02 ../
  4 -rwxr--r--   1 user_id   usr    135 Oct 11 1999  .htaccess
  4 -rwxr--r--   1 user_id   usr   2438 Jun 10 1998  home.html
  4 -rwxr--r--   1 user_id   usr   2438 Oct 11 1999  club.html
  4 -rwxr-xr-x   1 user_id   usr    483 Jun  7 13:12 test.cgi*

/home/user_id/public_html/pals $ cd ../swimteam
/home/user_id/public_html/swimteam $ ls -a
  4 drwxr-xr-x   2 user_id   usr   4096 May 14 16:35  ./
  8 drwxr-xr-x   3 user_id   usr   8192 Jun 28 12:02 ../
  4 -rwxr--r--   1 user_id   usr    135 Jan 28 10:12 .htaccess
  4 -rwxr--r--   1 user_id   usr   2438 Jan 20 09:48 home.html
  4 -rwxr--r--   1 user_id   usr   2438 May 14 16:35 schedule.html
  4 -rwxr-xr-x   1 user_id   usr    483 Mar  5 08:03 test.cgi*




What text is in the .htaccess file?

There are several "authorization" directives that must be named so that the Web server knows which files to protect and how to protect them when it answers HTTP requests.

Example 1. Allow ONLY users whose connections come from the ".virginia.edu" domain.  The file /home/user_id/public_html/.htaccess contains the following attributes:

AuthUserFile /home/user_id/.htpasswd
AuthGroupFile /dev/null
AuthName AllowFromUVa
AuthType Basic

order deny,allow
deny from all
allow from .virginia.edu

Note that the first action is to deny everyone, but continue to check and, if the address contains ".virginia.edu", to allow access.
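To see exactly what the Order, Deny and Allow lines of Example 1 decide, here is a small model of Apache 2.2's evaluation rules as an added example (not code from the ITC page). Apache normally obtains the client's hostname by reverse DNS of its IP address; the model takes the hostname as an argument, which is an assumption made for offline use.

```python
# Added example, not from the ITC page: a model of how Apache 2.2's
# Order/Deny/Allow directives decide a request.  The client hostname is
# passed in directly (Apache would derive it by reverse DNS lookup).

def host_matches(pattern, hostname):
    """Match one Deny/Allow argument against a client hostname.

    'all' matches everything.  A pattern that starts with '.' is a domain
    suffix and must line up on a label boundary, so '.virginia.edu' matches
    'cs.virginia.edu' but not 'virginia.edu.example.com'.  Any other
    pattern must equal the hostname or be a parent domain of it.
    """
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    return hostname == pattern or hostname.endswith("." + pattern)


def decide(order, deny, allow, hostname):
    """Return True if the request is permitted.

    order: 'deny,allow' or 'allow,deny' (the Order directive).
    deny / allow: the arguments given to 'deny from' / 'allow from'.
    """
    denied = any(host_matches(p, hostname) for p in deny)
    allowed = any(host_matches(p, hostname) for p in allow)
    if order == "deny,allow":
        # Deny rules are checked first; a later Allow match overrides them,
        # and a host matching neither list is permitted by default.
        return allowed or not denied
    if order == "allow,deny":
        # At least one Allow must match and no Deny may match; a host
        # matching neither list is refused by default.
        return allowed and not denied
    raise ValueError("Order must be deny,allow or allow,deny")


# The page's Example 1: deny everyone, then allow hosts in .virginia.edu.
EXAMPLE1 = ("deny,allow", ["all"], [".virginia.edu"])

def example1_allows(hostname):
    return decide(*EXAMPLE1, hostname)
```

Swapping the Order to allow,deny while keeping "deny from all" locks everyone out, because with that order any Deny match is final.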

Example 2. Allow ONLY users who know the "friend/mybuddy" pair to access the files in /home/user_id/public_html/pals.  The .htaccess file - in the public_html/pals directory -  needs these attributes:

AuthUserFile /home/user_id/.htpasswd
AuthGroupFile /dev/null
AuthName ExampleAllowFriends
AuthType Basic

require user friend

Note that there is nothing magic about AuthName.  This is just an "identifier", shown to visitors in the login dialogue, that helps the reader to know what the purpose of the .htaccess file is.

Example 3. Allow ONLY visitors who are on the swimteam, to whom you have given the login/password pair  "swimmer/frog".  This .htaccess file goes in the directory named /home/user_id/public_html/swimteam:

AuthUserFile /home/user_id/.htpasswd
AuthGroupFile /dev/null
AuthName ExampleAllowSwimmers
AuthType Basic

require user swimmer

These examples rely on the information in the authorization file named ".htpasswd".  When a person clicks on a URL in the swimteam subdirectory, a window pops up with two text fields - one in which to type the login, the other in which to type the password.
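As an added example (not code from the ITC page), the following check reads an .htaccess file of the kind shown in Examples 1 to 3 and reports the mistakes the page warns about: a relative AuthUserFile, a password file kept inside public_html, and a require line without the matching Auth* settings. The public_html path and the sample files are constructed for the example.

```python
# Added example, not from the ITC page: check the Auth* directives of an
# .htaccess file against the advice given above.
import posixpath

def parse_htaccess(text):
    """Return a list of (directive, argument) pairs, skipping blanks/comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        entries.append((name.lower(), arg.strip()))
    return entries

def check_htaccess(text, public_html):
    """Return a list of problems found; an empty list means the file looks sound."""
    problems = []
    entries = parse_htaccess(text)
    names = {name for name, _ in entries}
    for name, arg in entries:
        if name == "authuserfile":
            if not arg.startswith("/"):
                problems.append("AuthUserFile must be a FULL path: " + arg)
            elif posixpath.commonpath([arg, public_html]) == public_html:
                # The page advises keeping .htpasswd out of the web tree.
                problems.append("password file lives under public_html: " + arg)
    if "require" in names and "authtype" not in names:
        problems.append("'require' given but no AuthType Basic")
    if "require" in names and "authuserfile" not in names:
        problems.append("'require' given but no AuthUserFile")
    if ("deny" in names or "allow" in names) and "order" not in names:
        problems.append("deny/allow used without an Order directive")
    return problems

# Constructed sample: the page's Example 2, as written.
GOOD = """AuthUserFile /home/user_id/.htpasswd
AuthGroupFile /dev/null
AuthName ExampleAllowFriends
AuthType Basic

require user friend
"""
# Constructed sample of a weak layout: the password file inside the web tree.
BAD = GOOD.replace("/home/user_id/.htpasswd", "/home/user_id/public_html/.htpasswd")
```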


What are the basic directives?

There are several entries allowed in the .htaccess file.  For a more thorough explanation of them, please refer to the Apache Web site's documentation at http://httpd.apache.org/docs/.  The functions of the more frequently used ones are summarized in the following table, along with examples.

DIRECTIVE: Allow (all | from domain-list)
    Scope of action: a list of domains to allow access to a directory
    Example: allow from angels.com

DIRECTIVE: Deny (all | from domain-list)
    Scope of action: a list of domains to deny access to a directory
    Example: deny from devils.net

DIRECTIVE: Order (allow,deny | deny,allow)
    Scope of action: specifies which of Allow and Deny has precedence.  Always specify it when Deny from or Allow from follows.
    Example: see the examples above

DIRECTIVE: Require (user list | group list | valid-user)
    Scope of action: the user must log in with a specified name or group, or be any user authorized by the Auth* directives
    Example: require user mark david anna sean

DIRECTIVE: AddType (mime/type extension-list)
    Scope of action: tells the server which mime/type to send for a given extension
    Example: AddType image/gif GIF GFF FIG

DIRECTIVE: AuthUserFile (filename)
    Scope of action: specifies the FULL path to the file to use as a password list
    Example: AuthUserFile /home/mst3k/.secret

DIRECTIVE: AuthGroupFile (filename)
    Scope of action: specifies the full path to the file used to organize users into groups (rarely used)
    Example: AuthGroupFile /home/mst3k/.secretgrp

DIRECTIVE: AuthName (text)
    Scope of action: the prompt string shown to users in the login dialogue box (quote it if it contains spaces)
    Example: AuthName "Zork's Secret Directory"

DIRECTIVE: DefaultType (mime/type)
    Scope of action: tells the server which mime/type to use for a file having an unknown (or no) extension
    Example: DefaultType text/html

DIRECTIVE: ErrorDocument (3-digit-code  filename | text | url)
    Scope of action: customize error responses rather than use the boring generalized error documents provided
    Example: ErrorDocument 401 /~userid/error401.html

DIRECTIVE: ForceType (mime/type)
    Scope of action: forces the mime/type so the browser is told it is receiving a particular type of file, no matter what the extension actually is
    Example: ForceType image/gif

DIRECTIVE: Satisfy (any | all)
    Scope of action: if there are both Allow and Require directives, tells the server whether one or all of them must be true
    Example: Satisfy all

DIRECTIVE: <Files> ... </Files>
    Scope of action: applies the enclosed directives to only a select group of files; e.g. you could password-protect *.gif files only (separate lines in the file)
    Example:
        <Files *.gif>
        deny from wizards.net
        </Files>

 


If you need further assistance with Web applications or questions, send e-mail to web-consult@virginia.edu or call the ITC Help Desk at 924-3731.

© 2008 by the Rector and Visitors of the University of Virginia.
