Webpage Security on www.morris.umn.edu


Webpage security is enabled by creating a ".htaccess" file in a directory containing webpages. The directory that contains the .htaccess file and all subdirectories will have the security restrictions enabled. Files can be protected by using IP number/hostname restrictions and/or passwords. An .htaccess file is a text file that contains Apache directives or commands.

Warning: This form of security only restricts the accessibility of the pages for remote users who use a web browser to access the webpages. It offers no real security from local users who can log onto the computer.

Password Access
There are two types of password files, standard and DBM. DBM password files, created by the dbmpasswd program, are more efficient for use with over a hundred usernames. For most cases, standard password files, created with the htpasswd program, are the easiest to create and maintain.

Standard Password Files
Password files protect an entire directory. To create a password-protected file or group of files, put the files into a separate directory from your open public files. Create the password file in the protected directory using the htpasswd program as in the steps below.

  1. Create the initial password file
    htpasswd -c password_file_name user_name
    The -c option creates a new password file and adds the user 'user_name' to the password file. A prompt will then ask for the new user's password. Example: 'htpasswd -c .pass tom'
  2. Additional users can be added by using htpasswd again:
    htpasswd password_file_name new_user_name
  3. Create a file with the name .htaccess (the dot is required as the first character of the filename). Here is a sample .htaccess file:
    AuthUserFile "/www/documents/cs/protected/.pass"
    AuthGroupFile /dev/null
    AuthName "access to the documents in this directory"
    AuthType Basic
    # Without a require line, Apache does not ask for a login
    require valid-user

    This .htaccess file will give a login prompt to any user who tries to open a file in the "protected" directory. The prompt will say "access to the documents in this directory" and it will ask for a username and password. The username and password will be verified against a file called .pass (note the dot as the first character of the filename) which is also located in the /cs/protected directory.

Hostname and IP number restrictions
This limitation can be defined by full/partial IP address or by full/partial domain name. In either case, you'll need to use the deny and allow directives along with the IP address or domain name. These directives or commands are defined as follows:

deny from variablename

This directive defines who cannot access or is "denied" access to the web pages; variablename is the full/partial IP address or domain name to be denied.

allow from variablename

Likewise, this directive defines who can access the web pages. Again, variablename is the full/partial IP address or domain name to be allowed access.

Important: Be aware that, by default, deny directives are evaluated before allow directives regardless of the order in which they appear in the .htaccess file.

For example: Access is denied to all users and then allowed to those using a 146.57 IP address or within the morris.umn.edu domain.

# Rules inside <limit GET> apply to GET (and HEAD) requests only
<limit GET>
deny from all
allow from 146.57.
allow from .morris.umn.edu
</limit>
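
The evaluation order and partial matching described above can be checked with a small model before a rule set is deployed. This is an added example, not code from the original page or from Apache; the function names, the whole-octet and whole-label matching rules, and the sample clients are assumptions of this simplified model.

```python
# Simplified model of deny/allow evaluation (added example, not Apache source).

def ip_matches(rule, ip):
    """A partial IP rule ('146.57' or '146.57.') matches whole octets only."""
    prefix = rule.rstrip(".")
    return ip == prefix or ip.startswith(prefix + ".")

def host_matches(rule, host):
    """A partial domain rule matches whole labels only, case-insensitively."""
    rule, host = rule.lower(), host.lower()
    if rule.startswith("."):
        return host.endswith(rule)
    return host == rule or host.endswith("." + rule)

def rule_matches(rule, ip, host):
    if rule.lower() == "all":
        return True
    if rule.replace(".", "").isdigit():   # digits and dots: full/partial IP
        return ip_matches(rule, ip)
    return host is not None and host_matches(rule, host)

def is_allowed(directives, ip, host=None):
    """Default order: deny rules are evaluated first, then allow rules.
    An allow match overrides a deny match; a client that matches no
    rule at all is allowed."""
    denied = any(rule_matches(r, ip, host) for k, r in directives if k == "deny")
    allowed = any(rule_matches(r, ip, host) for k, r in directives if k == "allow")
    return allowed or not denied

# The page's rule set, with the allow lines deliberately listed first to
# show that the order within the file does not change the outcome.
RULES = [("allow", "146.57."), ("allow", ".morris.umn.edu"), ("deny", "all")]

# Constructed sample clients; addresses and hostnames are illustrative.
CLIENTS = [
    ("146.57.10.20", None),                  # inside 146.57.
    ("146.5.7.1", None),                     # shares digits, not octets
    ("192.0.2.9", "lab1.morris.umn.edu"),    # inside the domain
    ("192.0.2.10", "notmorris.umn.edu"),     # look-alike name
    ("198.51.100.7", None),                  # unrelated address
]

if __name__ == "__main__":
    for ip, host in CLIENTS:
        verdict = "ALLOW" if is_allowed(RULES, ip, host) else "DENY"
        print(f"{ip:15} {host or '-':22} {verdict}")
```
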


The University of Minnesota is an equal opportunity educator and employer.

Copyright 1997 University of Minnesota, Morris
Last Updated: April 8, 1996
Page URL: http://www.morris.umn.edu/committees/wwwac/toolbox/security.html