1: Introduction

Although most Web pages are designed for global accessibility, there may be times when you want to make your Web pages accessible only to a certain group of users to whom you have previously given a password. This chapter describes some of the ways in which this can be achieved.

2: Creating a .htaccess file

The most straightforward way of limiting access to your Web pages is by creating a file called .htaccess. This is a plain text (or "ASCII") file, containing security information which is used by the Web server to determine whether or not it should deliver your Web pages in response to a particular request.

A .htaccess file needs to be stored in the same directory as the Web pages that it protects. It will then regulate WWW access to all of the files in that directory (plus any sub-directories of that directory).

To control access to your pages by password:

Log in to your account on hills or fog, change into the Web directory which you want to protect (we will assume that it is a sub-directory of public_html, called private), and then use a text editor to create a .htaccess file: (you type the parts shown in bold)

    cd public_html/private

In the .htaccess file, type the following:

    <Limit GET POST>

Where login01 is your own user-id.

on fog:

    <Limit GET POST>

Where login is your own user-id.

The file .htaccess will need to have read and execute permission for all.

    $ chmod a+rx .htaccess

or

    $ chmod 755 .htaccess

You will need a second file - one which contains the list of users and passwords which you are going to allow to view your pages.
To create your password file, use the UNIX htpasswd command with the -c option, to add the first user and password to the list:

    $ cd

(changing back to your home directory, because this is where we have specified that the password file will be located)

To add subsequent users to the list, omit the -c option:

    $ htpasswd passfile jim

At the end of this process, you will have a file called passfile in your home filespace, which contains the valid users and their passwords (in encrypted format):

    $ cat passfile
    [user]:2nUECVnB1fPUA

This file also needs to be "published" for WWW access before it will function properly. We can adjust the file permissions on it as follows:

    $ chmod go+r passfile

or

    $ chmod 644 passfile

Now whenever a user attempts to view your protected Web pages, they will be prompted for a username and password.

How secure is .htaccess?

There is one major limitation to the use of .htaccess which you should be aware of: it only limits access to your documents when accessed via the Web. There is nothing to stop anyone who has an account on the hills system from logging in, changing directory into your own Web directory, and reading your protected documents straight off the server, using standard UNIX operating system commands (provided they know where to look).

Modified from a tutorial of the University of Aberdeen
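An audit of the password file described above, as an added example that is not part of the original tutorial: it reports which hash scheme each entry uses and whether the file mode lets every local account read the file. The function names, the pairing of jim with the hash value shown in the cat output, and the ann entry are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an htpasswd-style password file.

# Print the hash scheme of one stored password field.
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *[!./0-9A-Za-z]*|'')     echo unknown ;;
        *)  # traditional crypt(3) DES output is exactly 13 characters
            if [ "${#1}" -eq 13 ]; then echo des-crypt; else echo unknown; fi ;;
    esac
}

# Print "user scheme" per entry; return 1 if any entry is weak or unrecognised.
audit_passfile() {
    weak=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        echo "$user $scheme"
        case "$scheme" in des-crypt|sha1-unsalted|unknown) weak=1 ;; esac
    done < "$1"
    return "$weak"
}

# Return 0 if the mode string from ls grants read access to "other".
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Constructed sample: the tutorial's hash value plus one made-up apr1 entry.
sample=$(mktemp)
printf '%s\n' 'jim:2nUECVnB1fPUA' 'ann:$apr1$constructed$notARealHashValue' > "$sample"
chmod 644 "$sample"    # the mode the tutorial sets on passfile
audit_passfile "$sample" || echo "weak or unrecognised hash scheme present"
if world_readable "$sample"; then echo "file is readable by every local account"; fi
rm -f "$sample"
```

Traditional DES crypt uses only the first eight characters of a password, so an entry reported as des-crypt is worth regenerating with htpasswd -B (bcrypt) where the installed Apache version provides that option.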