Skip to the content

Kansas State University

Restricting access to web pages

Web pages are normally available to any user. However, access to web pages can be restricted in one or both of these ways:

  • by user ID and password
  • by IP address

Both methods share some features:

  • It is generally easiest to collect restricted pages into a single directory that contains just restricted pages. Restrictions will apply to all files and subdirectories in the restricted folder.
  • Restrictions are controlled by a file called .htaccess that is placed in the directory to be protected. The file must be readable by the web server. In other words, user www must be able to read the file.
  • Punctuation and capitalization are important. The directives are case-sensitive; double quotes are required around all parameters; and each directive must be on a single line.

User ID and Password Restriction

Using a user ID and password combination is easiest when there are few user IDs involved. For class situations, the goal is to prevent access to the entire world, so a well-known user ID and password for a class is a reasonable approach. This will not restrict access by roommates or friends, but will prevent access by the entire world. This is similar to how lectures are restricted. We don't ask for a photographic identification of everyone walking in to a lecture hall. Nonetheless, simple physical limits prevent 10,000 people from attending a lecture.

To restrict access with a user ID and password, you need to add two files to the directory. The first file is named .htaccess. Place the following lines into the .htaccess file.

AuthType Basic
AuthName "Site Description"
AuthBasicProvider file
AuthUserFile /usr/local/data/www/your_directory_name/userlist.txt
Require valid-user

This file tells the web server that to gain access to all files in this directory, the client must enter a user ID and password that matches one in the file /usr/local/data/www/your_directory_name/userlist.txt, where your_directory_name is the path to the protected directory.

The Site Description should be a short description of the site. The description is used by the browser in the prompt for the password. The prompt varies with different browsers, but is similar to:

Enter username for site description at www.k-state.edu:

The second file is named userlist.txt. Inside this file, each user has one line of the form:

userid:encryptedpassword

where userid is the user name and encryptedpassword is the password, encrypted with the standard Unix password encryption algorithm. These lines can be created with the password encryption page.

These user IDs and passwords are created for the web page only. They have no relationship to the user IDs and passwords used to access CTS's Unix system, Telecommunication's dial-in service, or departmental resources.

Any number of user IDs and passwords can be included in the userlist.txt file. However, management of forgotten passwords may become burdensome for the page author. For classes, a single user ID and password should be sufficient.

Example of Password Protection

The URL http://www.k-state.edu/tools/restrict-access/password is protected by user ID neil and password testpass. Try the link to verify that the protection works.

Restricting Access by IP Address

Every computer connected to the Internet has an Internet Protocol (IP) address. Such addresses are written as four numbers separated by periods. For example, 129.130.12.5 is the address assigned to one of K-State's central Unix machines. All IP addresses that have 129.130 as the first two numbers are associated with K-State.

To restrict access based on an IP address, put the following lines in the .htaccess file:

Order deny,allow
Deny from all

Allow from ipaddress

Satisfy Any

where ipaddress is the IP address pattern that is allowed access. You can have as many lines of ipaddresses as needed, or you can use a partial IP address to limit to a group of IP's, such as a building or department. For example, to limit access to K-State's IP addresses, use "129.130".

Order deny,allow
Deny from all

Allow from 129.130

Satisfy Any

Example IP Address Restriction

An example page restricted to K-State only shows how to limit access to K-State IP addresses, i.e., those with the first two numbers of "129.130".

Notes

  • The above discussion assumed that the pages to be protected are on the www.k-state.edu server. The same procedure works for personal pages stored on the www-personal.ksu.edu server. However, the path to the userlist.txt file must reflect where the file is stored. For K-State home directories, the path is of the format:
    /homes/userid/.html/userlist.txt

    To find out your home directory, log on to Unix and run the command "echo $HOME".

  • Restricting access to K-State IP addresses is not the same as restricting access to K-State people. K-State students, faculty, and staff may use various network providers such as America Online and local Internet Service Providers; restrictions based on IP address can stop access via these methods. Similarly, university offices and computing labs are not entirely limited to use by K-State students and employees.

    More specifically, an IP address restriction of 129.130 would allow access only by computers on campus, those using Telecommunications dial-in service, and those using the Virtual Private Network.

    Off campus access to K-State IP restricted websites can be handled by using K-State's Virtual Private Network (VPN).

  • The .htaccess and userlist.txt files must themselves be readable by the web server, i.e., have appropriate Unix file permissions. For files on the www.k-state.edu server, the Unix Access Control List provides appropriate defaults. However, for the www-personal.ksu.edu server, be sure to change permissions as you normally would for an HTML file.
  • Access to the .htaccess is done at the global level. As you can use any file name to store your eid/password (we suggest userlist.txt) you should protect it also. Access to these files may help hackers understand and plan circumventions of access restrictions. Common passwords, for example, can be determined from the encrypted password.

    To remove all access to these files, add the following to the end of the .htaccess file:


    Order allow,deny
    Deny from all
    Satisfy All

    With this addition, the files cannot be accessed via the web server. However, the files are still accessible via FTP, samba, or by logging on to the Unix system.

  • When accessing the protected pages, if you receive the message:

    Server Error

    This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misconfiguration. Please ask the administrator to look for messages in the server's error log.

    check the format of the .htaccess file.

    This error can also occur of the userlist.txt file isn't at the location specified in the .htaccess file or can't be read by user www.

  • If you use pico to edit the .htaccess file, beware that pico by default wraps long lines. To widen the margin so that there is enough room for the long middle line of the .htaccess file, use the command: pico -r200 .htaccess