Use .htaccess to Restrict Access to your Web Directories
Ever wanted to restrict access to some or all of your Web directories? Using an .htaccess file you can both restrict access to specific Internet addresses and use Passport York to do user authentication.
Setting up the .htaccess file
Use your favorite text editor to create the file and save it in the directory of your Central Web Service account that you want to protect. The file permission of the .htaccess file must be set to 640, which is user-read, user-write, and group-read. You can use most FTP clients to set the file permission.
For instructions on how to restrict access by Internet address, refer to the Host-based restriction section of this document. For instructions on how to use authentication, refer to the Authentication section. To include the authenticated user's username in your HTML pages after login, see the Adding the user's username instructions. Example .htaccess files can be found near the end of this document.
Important Note: Since this protection system uses Passport York authentication, please advise your users to log out once they no longer need access to your web site. Provide a link to the URL http://maya.yorku.ca/mayalogin/logout on your web page and ask your users to click on it to log out.
Authentication commands in .htaccess
There are two ways to require the web user to authenticate prior to accessing a protected web page or directory.
- Passport York authentication - this authenticates the user through Passport York.
- Basic authentication - this authenticates the user against a custom password file that you provide.
The type of authentication is set by the AuthType command in the .htaccess file. Instructions for each command are given below.
| Command | Instructions |
|---|---|
| AuthName "Name you want to show on the Passport York login screen" | Specifies the name to show on the Passport York login screen, e.g. "My protected web directory". |
| AuthType MAYA | Use MAYA (the older name for "Passport York") authentication: Passport York authenticates users before they can access your protected web directory. Only one AuthType command should be specified in the .htaccess file; you should NOT specify both in the same file. |
| AuthType Basic | Use basic authentication. You must provide a .htpass file, a special file containing username/password information for each allowed user; see the AuthUserFile command for how to specify the location of this file. Only one AuthType command should be specified in the .htaccess file; you should NOT specify both in the same file. |
| AuthUserFile ".htpass" | Only for use with "AuthType Basic". Specifies the location of the file containing the list of users allowed to access the protected web directory. Usually this file is placed in the same directory as the .htaccess file, but it can be placed in any directory in your web account; if so, give its location with this command. E.g. if the file is in your web account's home directory, specify AuthUserFile "/home/USERNAME/.htpass"; if it is in a directory called MyFolder in your MyWebSite directory, specify AuthUserFile "/home/USERNAME/MyWebSite/MyFolder/.htpass", where USERNAME is your web account username. The .htpass file is created by a program called htpasswd and can be given any name. |
| Require | There are two categories of Require command. Category 1 specifies who has access to the protected web directory; exactly one of its two commands must be specified, and you should NOT specify both in the same file. Category 2 specifies additional attributes that the authenticated user must match in order to access the protected web directory; these commands are optional and only work with "AuthType MAYA". |
| Require valid-user | Category 1. Allows any *valid* and authenticated Passport York user. A valid user is someone who has a valid Passport York username and password. (If a user is locked in "Manage My Services" then they receive an error stating that their account is locked, and access to the protected web site is denied.) |
| Require user USERNAME1 USERNAME2 | Category 1. Similar to "Require valid-user" but allows only users whose Passport York Login IDs match the ones listed. |
| Require type USERTYPE | Category 2. Restricts access to the web site based on the type of the authenticated user. If no Category 2 command is specified, the protected web directory uses only Passport York authentication (any user who can log in to Passport York is allowed). For instance, to restrict access to students only, use "Require type UNDERGRAD:STUDENT"; to restrict access to staff and students, use both "Require type EMPLOYEE:STAFF" and "Require type UNDERGRAD:STUDENT", each on a separate line. User types: EMPLOYEE:STAFF, UNDERGRAD:STUDENT, GRAD:STUDENT, FACULTY:UNKNOWN, NONDEG:STUDENT. |
| ErrorDocument | Redirects a failed web page request to an appropriate error page. For failed MAYA authorizations (i.e. when a user successfully logs in but is not authorized), use: ErrorDocument 412 http://tulum.ccs.yorku.ca/needauth.html. To redirect forbidden errors, use: ErrorDocument 403 http://address.of.your.site/forbidden_explanation.html |
Host-based restriction commands in .htaccess
These commands take precedence over the Authentication commands. In other words, if you deny a certain machine access to a subdirectory, then a user on that machine gets a "forbidden" error message upon accessing the subdirectory and is not shown a Passport York Login page.
Allow from allows access to the directory from certain machines and/or networks; Deny from denies access from certain machines and/or networks; Order specifies the default access state and the order of precedence of the allow and deny statements.
| Command | Instructions |
|---|---|
| Allow from all | Allows access from every machine. |
| Allow from IP-address | Allows access from certain machines based on IP address or hostname. Examples: allow a single machine: Allow from mymachine.yorku.ca; allow multiple machines: Allow from mymachine.yorku.ca 130.63.100.101 othermachine.internet.com |
| Allow from subnet-address | Allows access from the specified subnet(s). Examples: allow machines from York's domain by IP subnet: Allow from 130.63; allow machines from York's domain by named subnet: Allow from yorku.ca |
| Deny from all | Denies access from every machine. |
| Deny from IP-address | Denies access from certain machines based on IP address or hostname. Examples: deny a single machine: Deny from mymachine.yorku.ca; deny multiple machines: Deny from mymachine.yorku.ca 130.63.100.101 othermachine.internet.com |
| Deny from subnet-address | Denies access from the specified subnet(s). Examples: deny machines from York's domain by IP subnet: Deny from 130.63; deny machines from York's domain by named subnet: Deny from yorku.ca |
| Order deny,allow | Applies all deny rules and then all allow rules. Access is allowed by default: any client which does not match a Deny command, or does match an Allow command, is allowed access to the server. |
| Order allow,deny | Applies all allow rules and then all deny rules. Access is denied by default: any client which does not match an Allow directive, or does match a Deny directive, is denied access to the server. |
Adding the user's username to the following HTML page
Once the user is logged in you can show their username by using the following command in your HTML page: `<!--#echo var="REMOTE_USER" -->`
Note that this command only works in an HTML page (i.e. the file extension must be .htm or .html). Also, this HTML file must be placed in an .htaccess-protected web directory in order to determine the username (i.e. there is no username if the user is not required to log in to see your page). If you are using active content (i.e. php, perl, etc.) then you will need to consult the corresponding documentation for how to read the server variable "REMOTE_USER" (without the quotes).
Example .htaccess files
Example 1: Use Passport York authentication and allow any valid Passport York-authenticated user.
```apache
AuthName "My protected web section"
AuthType MAYA
Require valid-user
```
Example 2: Use Passport York authentication and allow only the Passport York-authenticated users listed by the Require command (in this example, only the Passport York usernames bsmith, johndoe, and samuel).
```apache
AuthName "Example 2"
AuthType MAYA
Require user bsmith johndoe samuel
```
Example 3: Use Passport York authentication and allow any valid Passport York-authenticated user who is York faculty. If the authenticated user is not a York faculty member then s/he is redirected to a page which states that authorization is required.
```apache
AuthName "Example"
AuthType MAYA
Require valid-user
Require type FACULTY:UNKNOWN
ErrorDocument 412 http://tulum.ccs.yorku.ca/needauth.html
```
Example 4: Use Passport York authentication and allow any valid Passport York-authenticated user who is either a York staff member or a grad student.
```apache
AuthName "Example"
AuthType MAYA
Require valid-user
Require type EMPLOYEE:STAFF
Require type GRAD:STUDENT
```
Example 5: Use Basic authentication and allow any valid Basic-authenticated user. Replace your_username in the AuthUserFile line with your Central Web Service username.
```apache
AuthName "Example"
AuthType Basic
AuthUserFile "/home/your_username/MyWebSite/password_file"
Require valid-user
```
Example 6: Allow machines in the yorku.ca domain directly, and require Passport York (MAYA) authentication from anywhere else (e.g. from home). Satisfy any lets a request through when either the host-based rules or the authentication succeeds. (The Order keywords must be separated by a comma with no space; "deny, allow" is rejected.)
```apache
Satisfy any
Order deny,allow
Deny from all
Allow from .yorku.ca
AuthName "Example"
AuthType MAYA
Require valid-user
```
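As an added example (not part of the original York page), the following Python models how Apache combines the Order / Allow from / Deny from rules from the host-based section with Require and Satisfy, so a rule set such as Example 6 can be checked before it is deployed; the function names and the decision labels are this example's own assumptions.

```python
# Added model of how Apache combines Order / Allow from / Deny from with Require and
# Satisfy, as described on this page; the function names are this example's assumptions.
def parse_htaccess(text):
    """Collect the host-based and authentication directives from an .htaccess file."""
    cfg = {"order": "deny,allow", "satisfy": "all", "allow": [], "deny": [], "require": False}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":  # Apache rejects whitespace around the comma, e.g. "deny, allow"
            if len(parts) != 2 or parts[1].lower() not in ("deny,allow", "allow,deny"):
                raise ValueError("bad Order line: " + raw.strip())
            cfg["order"] = parts[1].lower()
        elif key == "satisfy" and len(parts) > 1:
            cfg["satisfy"] = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            cfg[key] += [p.lower() for p in parts[2:]]
        elif key == "require":
            cfg["require"] = True
    return cfg

def host_matches(pattern, ip, hostname=None):
    """Match one Allow/Deny argument: 'all', a full IP, a leading-octet prefix, or a domain."""
    if pattern == "all":
        return True
    if pattern.replace(".", "").isdigit():  # 130.63.100.101, or a prefix such as 130.63
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    if hostname is None:  # without a reverse-DNS name a domain pattern cannot match
        return False
    dom = pattern.lstrip(".").lower()  # ".yorku.ca" and "yorku.ca" match on a label boundary
    return hostname.lower() == dom or hostname.lower().endswith("." + dom)

def access_decision(text, ip, hostname=None):
    """Return 'allow', 'login' (a login page is shown) or 'forbidden' (HTTP 403)."""
    cfg = parse_htaccess(text)
    allowed = any(host_matches(p, ip, hostname) for p in cfg["allow"])
    denied = any(host_matches(p, ip, hostname) for p in cfg["deny"])
    if cfg["order"] == "deny,allow":
        host_ok = allowed or not denied  # default allow; an Allow match overrides Deny
    else:
        host_ok = allowed and not denied  # default deny; a Deny match overrides Allow
    if not cfg["require"]:
        return "allow" if host_ok else "forbidden"
    if cfg["satisfy"] == "any":  # either the host rules or a successful login is enough
        return "allow" if host_ok else "login"
    return "login" if host_ok else "forbidden"  # Satisfy all (default): host rules come first

# Constructed sample input: the host and auth lines of Example 6 from this page.
EXAMPLE_6 = "Satisfy any\nOrder deny,allow\nDeny from all\nAllow from .yorku.ca\nRequire valid-user\n"
```

With Satisfy any, a client outside yorku.ca is sent to the login page instead of receiving a 403; remove the Satisfy line and the same client is refused outright, which is the precedence the host-based section describes.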