There are various methods that can be used to limit access to web pages. The instructions on this page apply to various SICE web servers including cs.indiana.edu, cgi.sice.indiana.edu and homes.sice.indiana.edu. These methods may or may not work on other web servers.
Limit Access By Host, IP, or Domain
If you just want to limit access to hosts in a certain domain (e.g. indiana.edu) or to a specific list of hosts, that can be done very simply by creating a file named .htaccess with deny and allow lines like this:
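A minimal .htaccess of this kind, as an added example rather than the page's original listing. The host name and IP address are constructed placeholders, and the commented Require lines show the equivalent on an Apache 2.4 server that does not load mod_access_compat:

```apache
# Added example; host.example.org and 192.0.2.10 are constructed placeholders.
# Apache 2.2-style access control (on 2.4 these directives need mod_access_compat).

# Evaluate Deny first, then Allow. With this order a host matching neither
# list is allowed by default, so "Deny from all" is what closes the directory.
Order deny,allow
Deny from all

# Domain names match on the client's reverse DNS name, which Apache
# confirms with a forward lookup before granting access.
Allow from iu.edu
Allow from indiana.edu

# One specific host and one specific IP address.
Allow from host.example.org
Allow from 192.0.2.10

# Equivalent on Apache 2.4 with mod_authz_host only (do not mix both styles):
# Require host iu.edu indiana.edu host.example.org
# Require ip 192.0.2.10
```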
In this example, all hosts in the iu.edu and indiana.edu domains will have access along with the specific host and IP address listed.
Note that .htaccess files must be readable by the web server, which is most easily accomplished by making the file world readable (chmod 644). If you get an 'Internal Server Error' then you likely have a permissions problem on the .htaccess file.
Limit Access With a Password
Let's say you want to require a user to know a password to access a web page but you don't want to use the IU Network ID and password as described in the next section. You might want to do this if the people who need access are not affiliated with IU or if you want to create a single password to be used by several people to access the pages.
As an example, let's say I want to allow access to users jane and joe, with passwords janepw and joepw, respectively. First, you must create a password file for the access. This file contains one line per user of the form:
The easiest way to create this password file is using the htpasswd command. For example, to create the password file /u/username/passwords/project1 and add the user jane, you would run:
You will be prompted for the password. If you want to add additional users, you just rerun the htpasswd command without the -c (create) flag. For example, to add a second entry for joe:
Next, create a .htaccess file in the directory you want to protect that contains:
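One way to write that file, as an added example and not the page's original listing. Using SSLRequireSSL to enforce https is an assumption about the server (mod_ssl loaded, AuthConfig overrides allowed) and the AuthName text is made up; the password file path and user names are the ones used above.

```apache
# Added example. Password file created beforehand as described above:
#   htpasswd -c /u/username/passwords/project1 jane
#   htpasswd    /u/username/passwords/project1 joe
#   chmod 644   /u/username/passwords/project1 .htaccess

# Block 1: refuse the request unless it arrived over https. Basic
# credentials are only base64-encoded, so they must never travel over
# plain http. A plain-http request gets 403 Forbidden before any password
# prompt. (A mod_rewrite redirect placed in .htaccess runs after the
# authentication check, so it would not prevent the prompt over http.)
SSLRequireSSL

# Block 2: HTTP Basic authentication against the htpasswd file.
AuthType Basic
AuthName "Project 1"
AuthUserFile /u/username/passwords/project1

# Only the two accounts from the example may log in. Use
# "Require valid-user" instead to accept every entry in the file.
Require user jane joe
```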
The first block of that file ensures that you are using https, which is required when using passwords.
Note that both the password file and the .htaccess file must be readable by the web server, which is most easily accomplished by making the files world readable (chmod 644). If you get an 'Internal Server Error' then you likely have a permissions problem on one of these files.
You are also encouraged to strictly limit access to https and not http when using passwords. See the next section for information about setting this up.
Limit Access By IU Username
The SICE web servers are configured to allow authentication and access restrictions using IU usernames and passphrases. This can be done in a couple of different ways. If you want to allow access for all IU users then create the .htaccess file as follows:
The first block of that file ensures that you are using https, which is required when using passwords. The 'require valid-user' line accepts anyone who can log into any IU account, which is a convenient way to limit access to just IU users when it isn't necessary to limit to specific users.
If you want to restrict access to a list of users, then use something like:
In this example, only the users with the IU usernames janedoe and joedoe would have access. You can add as many require lines as needed to the file.
Another convenient way to manage access is via an access group file. For example, you could have a .htaccess file like this:
This allows access to all the managers and workers listed in the group file /u/username/some_group_file. This group file would contain entries like this:
As with all web documents, these .htaccess and group files must be readable by the web server (e.g. chmod 644).
There are also a large number of predefined access groups available for use. This includes all of the normal unix groups as well as several student and departmental groups. The best way to see what groups are available is to actually look at the groups file /l/sicehelp/support/groups/access_groups. Here is an example of how to use this:
In this example, we are giving access to all SICE faculty, all CS graduate students, and janedoe.
Combining Access Methods
You may find yourself in a situation where you want to limit access using multiple access methods. For example, you may want to allow all access from indiana.edu hosts without a password OR from non-IU hosts using an IU login. Here is an example that does this:
This lets you combine domain/host restrictions along with one of the other login mechanisms. Unfortunately, it is not possible to combine the two different AuthTypes (KerberosV5 and Basic) into a single .htaccess file.
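The combination described above, sketched with the Basic password file from the earlier section standing in for the IU login (an added example, not the page's original listing; the https lines and the AuthName text are assumptions). The directive that turns the host rule and the login into an OR is Satisfy any:

```apache
# Added example; not the page's original listing.

# Keep https mandatory. With "Satisfy any", a passing host or login check
# would otherwise override SSLRequireSSL; StrictRequire prevents that.
# (Assumption: AllowOverride permits Options and AuthConfig here.)
SSLOptions +StrictRequire
SSLRequireSSL

# Condition 1: the client is in the indiana.edu domain.
Order deny,allow
Deny from all
Allow from indiana.edu

# Condition 2: the client logs in with an entry from the password file.
AuthType Basic
AuthName "Project 1"
AuthUserFile /u/username/passwords/project1
Require valid-user

# Either condition is sufficient. The default, "Satisfy all", would require
# an indiana.edu host AND a valid login.
Satisfy any
```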
If you are limiting pages by users, it may be helpful in your code to know the username accessing the files. This information can be obtained via the REMOTE_USER environment variable. For example, in PHP you can get the username of the person who authenticated via the $_SERVER["REMOTE_USER"] variable. Note that when using the IU username examples above, this will include the @ADS.IU.EDU suffix. Here is a little PHP snippet that strips this and prints the authenticated user: