This page explains how access can be restricted for some web pages to certain domains, users, or groups of users. You can do this by creating a .htaccessfile in the relevant subdirectory, which allows you to control access to all files in this directory and all its subdirectories.
|
Contents |
Apache access control
Our Apache web servers can only allow or deny access for entire directories, not for individual files. Therefore, you must put files for which you want to apply different access control into different subdirectories.
Our web servers have three ways to identify (“authenticate”) users who request files:
- by the domain name or IP address of the client machine
- using the University’s Raven web authentication system
- via a HTTP password
Method (1) is useful for permitting password-free access for every user connected to a departmental or the University network. You normally want to combine it with one of methods (2) or (3) for the benefit of users who access from outside the University network, e.g. from their home PC.
Methods (2) and (3) are mutually exclusive, so you have to decide first whether you want to rely on the Raven password that users have already received from the Computing Service, or whether you want to maintain your own password file. Raven authentication is much less effort for you to set up, and is more secure, but it can currently only authenticate members of the University who have been assigned a Computing Service identifier (CRSID). All the examples below use method (2).
Method (3) involves editing a password file using the Apache htpasswd command-line tool.
For details on all three options, read the Apache documentation section on Authentication, Authorization and Access Control. (Unfortunately, the mechanism is very flexible and this part of the Apache manual is not written in the clearest possible style, both of which together can be rather confusing.) The next section covers the simplest cases.
Common configuration examples
The following examples show some of the most commonly used .htaccess configurations, which define which users are permitted (“authorized”) to access the directory:
-
Cambridge-wide access – allow access to anyone who is connecting from within the University of Cambridge or who is able to login to Raven:
Order Allow,Deny Satisfy Any Allow from .cam.ac.uk Allow from .ebi.ac.uk Require valid-user
-
Wolfson-wide access – allow access to anyone who is either accessing from within the Wolfson College network or who is a member of some one of the Raven-ID groups that are currently defined:
Order Allow,Deny Satisfy Any Allow from .wolfson.cam.ac.uk Require group fellows staff wcsa
-
Group-specific access – allow access to anyone who is a member of the groups officers or council:
Order Allow,Deny Satisfy Any Require group officers council
-
Password access (non-Raven) – deactivate Raven and allow basic password-controlled access to user “friend” (the hash value of the password of each user is listed in file /homes/mgk25/.htpasswd):
Order Allow,Deny Satisfy Any AuthType Basic AuthName "friends login available from Markus Kuhn" AuthUserFile /home/mgk25/.htpasswd Require user friend
There is an “htpasswd” program in the Apache distribution for creating and modifying the .htpasswd file. Ask webmaster if you do not have access to a machine that has htpasswd installed.
Predefined user groups
The following groups of users are currently defined (see /home/www/wolfson-groups.txt):
| officers | College Officers and Tutors |
| staff | College staff |
| council | College Council |
| fellows | Fellows |
| govbody-others | College staff with access to Governing Body materials |
| wcsa | WCSA Officers |
The wolfson-groups.txt file is currently maintained manually by Sheila Betts (college-secretary@wolfson). There is not yet a group covering all Wolfson members, but we hope to have this implemented soon.
Syntax and semantics
The first two lines in the examples select the semantics of how the following access control list will be interpreted. Apache actually supports four different semantics, but all examples here use the same one only. We suggest that you do the same and start all your access control lists with these same two lines in the interest of simplicity:
- The Order Allow,Deny directive chooses that any Deny directive that matches will override any Allow directive that might also match. This directive also causes access to be denied by default.
- The Satisfy Any directive chooses that a user will be granted access either based on the host address from which the request came (Allow or Deny directive), or based on the user id or group membership (Require directive). Fulfilling only one (“any”) of those two conditions will suffice to get access.
For the exact syntax of the relevant directives, please follow the above links to the relevant reference pages in the Apache manual.