Is it possible to restrict access to my web pages?

Yes. You can control access by placing a file named .htaccess in the directory to be protected. The most straightforward methods restrict access to an entire subdirectory and the pages it contains, either by client address or by password. Generally, you will set up one or more special protected subdirectories within one of your existing assigned web directories. These instructions cover only the simplest kinds of restriction; much more elaborate schemes are available. Consult the Apache 2.0 .htaccess documentation for details.

How do I change file permissions?

You can use the SWEB web file manager, or use the chmod command from an SSH session.

How do I password protect individual files and directories?

SWEB runs Apache 2.0, so almost anything in the Apache .htaccess documentation should apply.

How do I restrict access to my web pages by password?

This method requires that users enter a name and password that you have defined before accessing your protected pages. This method uses basic HTTP authentication and does not encrypt the userid or password, which makes them vulnerable to unauthorized viewing during transmission if they are intercepted on the network.

Create a file called .htaccess within your directory to be protected. It will contain lines like this:

AuthType Basic
AuthName "your identifying name goes here"
AuthUserFile /www/htdocs/.../password.web
Require valid-user

The AuthName string will be displayed by most clients as a part of their prompt for a name and password. The AuthUserFile line contains the full path to your password.web file. The Require line contains a list of names that will be allowed to access the pages in your protected subdirectory. You will define these names yourself - they have no connection with the system userids on the web server or any other system. Specifying valid-user on the Require line allows access to all names defined in your password.web file.

Next you must build your password file, which will define the names and their associated passwords. First use SSH to connect to www.uky.edu and change to the directory identified in the AuthUserFile line as the location of your password file:

cd /www/htdocs/...

Next use the htpasswd command to create the password file and define the names:

~www/bin/htpasswd -c password.web name1
~www/bin/htpasswd password.web name2
~www/bin/htpasswd password.web name3
...

(The -c option causes a new password file to be created.) Each time you will be prompted to enter the password to be associated with the name. Note that names and passwords are restricted to eight characters and some browsers cannot correctly handle special characters in either. Deleting names requires editing the password file with a text editor or some other means.

For some applications, it may be possible to reduce the amount of work involved by giving the same name and password to groups, such as all of the students in a particular class. If this level of control is appropriate, it significantly reduces the number of names you will need to define.

After you have created your names and passwords, you must distribute them to the individuals who will use them, using a method as secure as is appropriate for your application. Remember that these names and passwords have no intrinsic relationship with the userids and passwords on the web server system or any other system. They are solely for controlling access to your pages. There is no mechanism for the users to change their own passwords.

The first time a browser attempts to access one of your protected pages, the user will be prompted for a name and password. If a name listed in your .htaccess file and defined in your password.web file is entered with the correct password, access to the pages in the protected directory is granted.

Once a valid name and password have been entered through a web browser, that browser remains authorized for access even if the user walks away from the machine running it. This is a security exposure that would allow anyone who subsequently uses the browser to access your pages. Generally, if the user quits the browser, the authorization will be lost. You may want to recommend this on your pages.
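
A check for the password setup described above, as an added example that is not part of the original page: it reads a directory's .htaccess, confirms that AuthUserFile is a full path to an existing file, flags names that are duplicated or longer than eight characters, and reports names on the Require line that are not defined in the password file. The sample directory, names and hashes are constructed, and the warning about a password file inside the web tree assumes the server refuses to serve only files whose names begin with .ht.

```shell
# Added example: audit a directory protected as described above.
# All paths, names and hashes below are constructed sample values.

# Print the arguments of the first directive named $2 in .htaccess file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) {
        $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# audit_htaccess DIR DOCROOT: print one finding per line, nothing if clean.
audit_htaccess() {
    ht="$1/.htaccess"; docroot=$2
    [ -f "$ht" ] || { echo "ERROR no .htaccess in $1"; return 0; }
    pw=$(directive "$ht" AuthUserFile)
    case $pw in
        /*) ;;
        *)  echo "ERROR AuthUserFile is not a full path: '$pw'"; return 0 ;;
    esac
    [ -f "$pw" ] || { echo "ERROR password file not found: $pw"; return 0; }
    # Assumption: the server refuses to serve only files named .ht*
    case $pw in "$docroot"/*)
        case ${pw##*/} in .ht*) ;; *)
            echo "WARN password file is inside the web tree: $pw" ;;
        esac ;;
    esac
    # Names over eight characters, duplicate names, empty password fields.
    awk -F: 'length($1) > 8 { print "WARN name longer than 8 characters: " $1 }
             seen[$1]++     { print "WARN duplicate name: " $1 }
             $2 == ""       { print "ERROR no password hash for: " $1 }' "$pw"
    # Every name on the Require line must be defined in the password file.
    for name in $(directive "$ht" Require); do
        case $name in valid-user|user) continue ;; esac
        awk -F: -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$pw" ||
            echo "ERROR Require names an undefined user: $name"
    done
    return 0
}

# Constructed sample with three deliberate problems.
demo() {
    root=$(mktemp -d); d="$root/htdocs/private"; mkdir -p "$d"
    printf '%s\n' 'AuthType Basic' 'AuthName "class pages"' \
        "AuthUserFile $d/password.web" \
        'Require user name1 name3' > "$d/.htaccess"
    printf '%s\n' 'name1:constructedhash1' 'instructor1:constructedhash2' > "$d/password.web"
    audit_htaccess "$d" "$root/htdocs"
    rm -rf "$root"
}
demo
```

Run audit_htaccess against your own protected directory and document root after each htpasswd change; no output means none of the checks fired.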

How do I restrict access to my web pages by client address?

Create a file called .htaccess within your directory to be protected. It will contain lines like this:

Deny from all
Allow from 128.163. .uky.edu

The Deny line disables all access and the following Allow line restores access to clients on UK's campus. There are two points to keep in mind, however. This method would exclude users connecting through off-campus internet service providers, which many students and employees use, as well as users on campus with special network addresses. That may or may not be what you intend.

How do I restrict access to my web pages by UK link blue authentication?

You can use link blue authentication to control access to web pages. Create a file named .htaccess and place it in the directory along with the files and subdirectories you would like to protect. The contents of the file should look like this:

AuthName "link blue @ uky.edu"
AuthType Basic
AuthLDAPURL ldap://ukldap.uky.edu/ou=users,o=uky??sub?
Require valid-user

You may place any message you like in quotes after the AuthName directive and it will be displayed to the user on the login panel.

The example above will allow access to anyone with a link blue account. You can limit access to a specific list of users by replacing the "valid-user" keyword with the "user" keyword followed by a list of link blue userIDs. For example:

AuthName "link blue @ uky.edu"
AuthType Basic
AuthLDAPURL ldap://ukldap.uky.edu/ou=users,o=uky??sub?
Require user user1 user2 user3

This will only allow user1, user2, and user3 to view the pages.

© 2005 University of Kentucky
Lexington, KY 40506
(859) 257-9000