Limiting Access to Web Pages

There are various methods that can be used to limit access to web pages.  The instructions on this page apply to various SICE web servers including cs.indiana.edu, cgi.sice.indiana.edu and homes.sice.indiana.edu.  These methods may or may not work on other web servers.

Limit Access By Host, IP, or Domain

If you just want to limit access to hosts in a certain domain (eg. indiana.edu) or to a specific list of hosts, that can be done very simply by creating a file named .htaccess with deny and allow lines like this:

.htaccess
deny from all
allow from .indiana.edu
allow from .iu.edu
allow from some.host.com
allow from 129.79.1.1

In this example, all hosts in the iu.edu and indiana.edu domains will have access along with the specific host and IP address listed.

Note that .htaccess files must be readable by the web server which is most easily accomplished by making the file world readable (chmod 644).  If you get an 'Internal Server Error' then you likely have a permissions problem on the .htaccess file.

Limit Access With a Password

Let's say you want to require a user to know a password to access a web page but you don't want to use the IU Network ID and password as described in the next section.  You might want to do this if the people who need access are not affiliated with IU or if you want to create a single password to be used by several people to access the pages.

As an example, let's say I want to allow access to users jane and joe, with passwords janepw and joepw, respectively. First, you must create a password file for the access. This file contains one line per user of the form:

username:encrypted_password

The easiest way to create this password file is using the htpasswd command. For example, to create the password file /u/username/passwords/project1 and add the user jane, you would run:

htpasswd -c /u/username/passwords/project1 jane

You will be prompted for the password. If you want to add additional users, you just rerun the htpasswd command without the -c (create) flag. For example, to add a second entry for joe:

htpasswd /u/username/passwords/project1 joe

Next, create a .htaccess file in the directory you want to protect that contains:

.htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

AuthUserFile /u/username/passwords/project1
AuthGroupFile /dev/null
AuthName "Project 1 Authentication"
AuthType Basic

<Limit GET POST PUT>
require user jane joe
</Limit>

The first block of that file ensures that you are using https which is required when using passwords. 

Note that both the password file and the  .htaccess file must be readable by the web server which is most easily accomplished by making the files world readable (chmod 644).  If you get an 'Internal Server Error' then you likely have a permissions problem on one of these files.

You are also encouraged to strictly limit access to https and not http when using passwords.  See the next section for information about setting this up.
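As an added check (not part of the SICE page), the following Python script looks for the permissions problem described above, the .htaccess or the file named by AuthUserFile not being world-readable, and also reports which HTTP methods the <Limit> block covers, since Apache applies the directives inside <Limit> only to the methods it names. The temporary directory and the placeholder password entry it builds are constructed for the demonstration.

```python
import os
import re
import tempfile

# Added example, not from the SICE page: a pre-deployment check for a
# password-protected directory. It flags the "Internal Server Error" cause
# the page describes (.htaccess or AuthUserFile/AuthGroupFile not world-
# readable) and lists the methods a <Limit ...> block actually covers.

def world_readable(path):
    """True when the other-read bit (0o004, granted by chmod 644) is set."""
    return bool(os.stat(path).st_mode & 0o004)

def check_htaccess(directory):
    """Return a list of findings for directory/.htaccess; an empty list is clean."""
    htaccess = os.path.join(directory, ".htaccess")
    if not os.path.exists(htaccess):
        return ["no .htaccess in " + directory]
    findings = []
    if not world_readable(htaccess):
        findings.append(".htaccess is not world-readable (fix: chmod 644)")
    with open(htaccess) as f:
        text = f.read()
    # Apache must also be able to read every file these directives name.
    for directive, path in re.findall(r"^\s*(AuthUserFile|AuthGroupFile)\s+(\S+)", text, re.M):
        if path != "/dev/null" and not (os.path.exists(path) and world_readable(path)):
            findings.append("%s %s is missing or not world-readable" % (directive, path))
    # Rules inside <Limit GET POST PUT> leave every other method unrestricted.
    for methods in re.findall(r"<Limit\s+([^>]+)>", text, re.I):
        findings.append("access rules apply only to: " + " ".join(methods.split()))
    return findings

def demo():
    """Constructed fixture: a protected directory whose files start out chmod 600."""
    root = tempfile.mkdtemp()
    pwfile = os.path.join(root, "project1")  # stands in for /u/username/passwords/project1
    files = {pwfile: "jane:PLACEHOLDER_HASH\n",  # htpasswd would write the real hash
             os.path.join(root, ".htaccess"): "AuthUserFile %s\nAuthType Basic\n"
             "<Limit GET POST PUT>\nrequire user jane joe\n</Limit>\n" % pwfile}
    for path, content in files.items():
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, 0o600)
    before = check_htaccess(root)
    for path in files:
        os.chmod(path, 0o644)
    return before, check_htaccess(root)

if __name__ == "__main__":
    print(demo())
```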

Limit Access By IU Username

The SICE web servers are configured to allow authentication and access restrictions using IU usernames and passphrases.  This can be done in a couple different ways.  If you want to allow access for all IU users then create the .htaccess file as follows:

.htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

AuthType KerberosV5
AuthName "IU Network ID"

<LIMIT GET POST PUT>
require valid-user
</LIMIT>

The first block of that file ensures that you are using https, which is required when using passwords.  The 'require valid-user' line accepts anyone who can log in to an IU account, which is a convenient way to limit access to IU users when it isn't necessary to limit access to specific users.

If you want to restrict access to a list of users, then use something like:

.htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

AuthType KerberosV5
AuthName "IU Network ID"

<LIMIT GET POST PUT>
require janedoe@ADS.IU.EDU
require joedoe@ADS.IU.EDU
</LIMIT>

In this example, only the users with the IU usernames janedoe and joedoe would have access.  You can add as many require lines as needed to the file.

Another convenient way to manage access is via an access group file.  For example, you could have a .htaccess file like this:

.htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

AuthType KerberosV5
AuthUserFile /dev/null
AuthGroupFile /u/username/some_group_file
AuthName "IU Network ID"

<LIMIT GET POST PUT>
require group managers
require group workers
</LIMIT>

This allows access to all the managers and workers listed in the group file /u/username/some_group_file.  This group file would contain entries like this:

/u/username/some_group_file
managers: dvader@ADS.IU.EDU
managers: yoda@ADS.IU.EDU
managers: obone@ADS.IU.EDU
workers: hsolo@ADS.IU.EDU
workers: lskywalk@ADS.IU.EDU

As with all web documents, these .htaccess and group files must be readable by the web server (eg. chmod 644).

There are also a large number of predefined access groups available for use. This includes all of the normal unix groups  as well as several student and departmental groups.  The best way to see what groups are available is to actually look at the groups file /l/sicehelp/support/groups/access_groups.    Here is an example of how to use this:

.htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

AuthType KerberosV5
AuthUserFile /dev/null
AuthGroupFile /l/sicehelp/support/groups/access_groups
AuthName "IU Network ID"

<LIMIT GET POST PUT>
require group SICE_FACULTY
require group CS_GRADS
require user janedoe@ADS.IU.EDU
</LIMIT>

In this example, we are giving access to all SICE faculty, all CS graduate students, and janedoe.

Combining Access Methods

You may find yourself in a situation where you want to limit access using multiple access methods.  For example, you may want to allow all access from indiana.edu hosts without a password OR from non-IU hosts using an IU login.  Here is an example that does this:

.htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

AuthType KerberosV5
AuthUserFile /dev/null
AuthGroupFile /l/sicehelp/support/groups/access_groups
AuthName "IU Network ID"

<LIMIT GET POST PUT>
deny from all
allow from .indiana.edu
allow from .iu.edu
require valid-user
satisfy any
</LIMIT>

This lets you combine domain/host restrictions along with one of the other login mechanisms.  Unfortunately, it is not possible to combine the two different AuthTypes (KerberosV5 and Basic) into a single .htaccess file.
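An added illustration, not from the SICE page: a small Python model of how the deny/allow, require and satisfy lines above combine, using the page's domains and group-file entries as constructed input. It assumes Apache's default Order Deny,Allow (a matching allow line overrides deny from all) and covers only the require forms the page uses: valid-user, user and group.

```python
# Added example, not from the SICE page: a model of how the directives in the
# .htaccess above combine, so the effect of `satisfy any` versus the default
# `satisfy all` can be checked before the file goes live. Assumes the default
# `Order Deny,Allow`; models only the require forms the page uses.

def parse_group_file(text):
    """Parse 'group: user' lines in the format of /u/username/some_group_file."""
    groups = {}
    for line in text.splitlines():
        name, sep, member = line.partition(":")
        if sep:
            groups.setdefault(name.strip(), set()).add(member.strip())
    return groups

def host_allowed(host, allow_from):
    """`allow from X`: a leading-dot pattern matches any host in that domain;
    anything else must equal the hostname or IP address exactly."""
    return any(pat == "all" or host == pat or (pat.startswith(".") and host.endswith(pat))
               for pat in allow_from)

def user_authorized(user, requires, groups):
    """`require valid-user`, `require user A B` or `require group G`; one
    satisfied require line is enough. user is REMOTE_USER, realm included."""
    if user is None:  # no credentials presented
        return False
    for kind, *names in requires:
        if kind == "valid-user" or (kind == "user" and user in names):
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return True
    return False

def access_decision(host, user, allow_from, requires, groups, satisfy="all"):
    """satisfy all (Apache's default): host AND user must pass; any: either."""
    by_host = host_allowed(host, allow_from)
    by_user = user_authorized(user, requires, groups)
    return (by_host or by_user) if satisfy == "any" else (by_host and by_user)

# Constructed inputs mirroring the page: the combined .htaccess and the group file.
IU_HOSTS = [".indiana.edu", ".iu.edu"]
GROUP_FILE = parse_group_file("""managers: dvader@ADS.IU.EDU
managers: yoda@ADS.IU.EDU
workers: hsolo@ADS.IU.EDU
workers: lskywalk@ADS.IU.EDU
""")

if __name__ == "__main__":
    # An off-campus host (constructed address) with an IU login gets in only under satisfy any.
    for satisfy in ("all", "any"):
        print(satisfy, access_decision("203.0.113.7", "janedoe@ADS.IU.EDU",
                                       IU_HOSTS, [("valid-user",)], {}, satisfy))
```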

Usage Notes

If you are limiting pages by user, it may be helpful in your code to know the username accessing the files.  This information can be obtained via the REMOTE_USER environment variable.  For example, in PHP you can get the username of the person who authenticated via the $_SERVER["REMOTE_USER"] variable.  Note that when using the IU username examples above, this value will include the @ADS.IU.EDU realm.  Here is a little PHP snippet that strips this and prints the authenticated user:

<?php print preg_replace("/(.*)@.*/", "$1", $_SERVER["REMOTE_USER"]); ?>