School of Physics & Astronomy
Physics & Astronomy Wiki


Controlling Access to Web Pages

By username and password

These steps have to be performed from the Unix command line. Please also note that files prepared in a non-Unix text editor (Windows or Mac) may not work as expected, because those systems use different line-break characters.

1. Create a file named .htaccess in the directory you wish to protect. It should look similar to the following:

           AuthType Basic
           AuthUserFile /home/lemming/htpasswd
           AuthGroupFile /home/lemming/htgroup
           AuthName Private
           <Limit GET POST>
           require group private
           order allow,deny
           allow from all
           </Limit>
           

NOTE: Make sure your htpasswd and htgroup files are outside of the public-html directory, so they can't be downloaded through the web server. In this example the home directory is /home/lemming, and the password and group files are placed there because that location is not reachable via the web. The word “private” above is the group name we are going to use (you can name it whatever you want).

2. Create your htpasswd file using the htpasswd command, at the path you specified in AuthUserFile in .htaccess above.

          htpasswd -c passwd_file user_name

For example:

          htpasswd -c /home/lemming/htpasswd username1

The above command both creates the password file and adds the first user name to it. You should be prompted for a password for the user. You can add further users to the password file using the same command but without the -c switch.

Don't use the same password as you use for your Physics account or UMN Internet account: the personal and group web pages are not served over a secure connection, so with this kind of authentication the password crosses the network unencrypted and is less safe against snooping than most other logins.

3. Create your htgroup file (using a text editor) at the path you specified in AuthGroupFile. It should look something like:

           private:username1 username2
           

NOTE: The group name “private” needs to match the specified group name in the .htaccess file (step 1 above) in the “require group private” line.
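The following POSIX shell script is an added example and not part of the wiki page: it checks the three files produced in steps 1 to 3 for the mistakes the notes above warn about, namely a password or group file placed under public-html, a “require group” name that is not defined in htgroup, and a group member with no htpasswd entry. It builds a constructed sample home directory under a temporary path (the user names, password hashes and paths are all made up), checks a correct layout and a mistaken one, and then removes them.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check the .htaccess / htpasswd /
# htgroup layout from steps 1-3. All names, hashes and paths are constructed.

# Print the value of a directive (e.g. AuthUserFile) from a .htaccess file.
# Matching is case-insensitive, as Apache directive names are.
directive() {   # $1 = .htaccess path, $2 = directive name
    awk -v d="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        'tolower($1) == d { print $2; exit }' "$1"
}

# Print the group name from the "require group <name>" line.
required_group() {   # $1 = .htaccess path
    awk 'tolower($1) == "require" && tolower($2) == "group" { print $3; exit }' "$1"
}

# Check one protected directory. Prints each problem found and returns the
# number of problems, so a return value of 0 means the layout is consistent.
check_acl() {   # $1 = path to the .htaccess file
    htaccess=$1; problems=0
    userfile=$(directive "$htaccess" AuthUserFile)
    groupfile=$(directive "$htaccess" AuthGroupFile)
    group=$(required_group "$htaccess")

    for f in "$userfile" "$groupfile"; do
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "PROBLEM: auth file '$f' named in $htaccess does not exist"
            problems=$((problems + 1))
        fi
        # Anything under public-html can be fetched through the web server
        case "$f" in
            */public-html/*)
                echo "PROBLEM: $f is inside public-html and could be downloaded"
                problems=$((problems + 1)) ;;
        esac
    done

    if [ -z "$group" ]; then
        echo "PROBLEM: no 'require group' line in $htaccess"
        problems=$((problems + 1))
    elif [ -f "$groupfile" ]; then
        # htgroup format: "name: user1 user2" (the space after the colon is optional)
        members=$(awk -F: -v g="$group" '$1 == g { print $2 }' "$groupfile")
        if [ -z "$members" ]; then
            echo "PROBLEM: group '$group' is not defined (or is empty) in $groupfile"
            problems=$((problems + 1))
        elif [ -f "$userfile" ]; then
            for u in $members; do
                if ! grep -q -- "^$u:" "$userfile"; then
                    echo "PROBLEM: '$u' is in group '$group' but has no entry in $userfile"
                    problems=$((problems + 1))
                fi
            done
        fi
    fi
    return "$problems"
}

# Write a .htaccess like the one in step 1 into directory $1, using $2 / $3
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthUserFile $2
AuthGroupFile $3
AuthName Private
<Limit GET POST>
require group private
order allow,deny
allow from all
</Limit>
EOF
}

# Build a constructed sample home directory and print its path
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/public-html/private" "$base/public-html/leaky"
    # Correct layout: password and group files outside public-html.
    # The hashes are placeholders, not real htpasswd output.
    printf '%s\n' 'username1:PLACEHOLDER_HASH_1' 'username2:PLACEHOLDER_HASH_2' > "$base/htpasswd"
    printf '%s\n' 'private:username1 username2' > "$base/htgroup"
    write_htaccess "$base/public-html/private" "$base/htpasswd" "$base/htgroup"
    # Mistaken layout: both files inside public-html, and username3 has no password
    printf '%s\n' 'username1:PLACEHOLDER_HASH_1' > "$base/public-html/leaky/htpasswd"
    printf '%s\n' 'private:username1 username3' > "$base/public-html/leaky/htgroup"
    write_htaccess "$base/public-html/leaky" "$base/public-html/leaky/htpasswd" "$base/public-html/leaky/htgroup"
    echo "$base"
}

SAMPLE=$(make_sample)   # demo run over both sample directories
for d in private leaky; do
    check_acl "$SAMPLE/public-html/$d/.htaccess" && echo "$d: OK" || echo "$d: problems found"
done
rm -rf "$SAMPLE"
```

To check a real directory, source the script and call check_acl with the path of your own .htaccess file (for example check_acl ~/public-html/private/.htaccess); the exit status is the number of problems found.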

By domain name

It's also possible to restrict access according to the client's location. For example, you could restrict a directory so that it can be accessed only from within .umn.edu, using a .htaccess file like this:

     <Limit GET POST>
     order deny,allow
     deny from all
     allow from .umn.edu
     </Limit>
     

You can also restrict access to our department only, but you have to list all the domain names in use here (e.g. hep.umn.edu, space.umn.edu, astro.umn.edu). Note that restricting access in this way doesn't give full security, since the domain name the server sees comes from a DNS lookup of the client's address and can be spoofed… although for most purposes it should be “good enough”.
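The following POSIX shell script is an added example, not part of the wiki page: it reproduces the Apache 2.2 Order/Deny/Allow decision for a client host name, so you can see what each snippet above decides for a given client without a web server. It models only the two kinds of pattern the page uses (all and a domain suffix), identifies a client by host name alone, and the host names are made up. The last call shows a common slip: the same deny from all / allow from .umn.edu pair under order allow,deny denies everyone, because under that order a matching Deny beats a matching Allow. Note also that Order, Deny and Allow are Apache 2.2 directives; Apache 2.4 honours them only when mod_access_compat is loaded and otherwise expects Require (for example Require all granted or Require host .umn.edu).

```shell
#!/bin/sh
# Added example, not from the wiki page: evaluate Apache 2.2 Order/Deny/Allow
# rules for a client host name. Only "from all" and "from <domain suffix>"
# patterns are modelled; all host names below are constructed.

# Does a client host name match a "from" pattern ("all" or a domain suffix)?
matches() {   # $1 = client host name, $2 = pattern
    if [ "$2" = all ]; then return 0; fi
    case "$1" in
        *"$2") return 0 ;;   # e.g. host.hep.umn.edu matches .umn.edu
    esac
    return 1
}

# Decide access for one client. Arguments: the Order value ("deny,allow" or
# "allow,deny"), the client host name, then the rules as "allow:<pattern>" or
# "deny:<pattern>" words. Prints "allowed" or "denied".
decide() {
    order=$1; client=$2; shift 2
    allowed=0; denied=0
    for rule in "$@"; do
        kind=${rule%%:*}; pattern=${rule#*:}
        if matches "$client" "$pattern"; then
            if [ "$kind" = allow ]; then allowed=1; else denied=1; fi
        fi
    done
    case "$order" in
        deny,allow)
            # Deny rules first, then Allow: a matching Allow wins over a
            # matching Deny, and a client matching neither rule is allowed
            if [ "$allowed" = 1 ] || [ "$denied" = 0 ]; then echo allowed; else echo denied; fi ;;
        allow,deny)
            # Allow rules first, then Deny: a matching Deny wins over a
            # matching Allow, and a client matching neither rule is denied
            if [ "$allowed" = 1 ] && [ "$denied" = 0 ]; then echo allowed; else echo denied; fi ;;
        *)
            echo "unknown order: $order" >&2; return 2 ;;
    esac
}

# The host-access lines of the first snippet (order allow,deny / allow from all)
decide allow,deny host.hep.umn.edu allow:all                  # allowed
# The umn.edu-only snippet (order deny,allow / deny from all / allow from .umn.edu)
decide deny,allow host.hep.umn.edu deny:all allow:.umn.edu    # allowed
decide deny,allow laptop.example.com deny:all allow:.umn.edu  # denied
# The same two rules under the other order: Deny wins, so nobody gets in
decide allow,deny host.hep.umn.edu deny:all allow:.umn.edu    # denied
```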

If you're working on your pages locally, it may be difficult to test your access rules to make sure they are working. One partial test is to give your protected URL to a web validation service (for example, the W3C validator): if the access control is working, the validator will report that it could not fetch the page.

computing/web/web_publishing/acl.txt · Last modified: 2013/09/19 14:43 by allan