Restricting access to web pages

Instructions
FAQs

You can restrict access to web pages (i.e., to allow only certain people to view the web pages with a web browser) on the central (www1.udel.edu) web server. You can make your web pages accessible to specific users, groups, or IP addresses.

Notes:

You can only restrict access to web pages on the central (www1.udel.edu) web server. These directions will not work on web pages served out from your public_html directory on copland.udel.edu.
These instructions assume you already have a web directory. If you don't, see How do I get a web directory? and then return to these instructions.
These directions cover the syntax used by Apache HTTP Server Version 2.4.

Instructions

To restrict access to web pages, you must place a .htaccess file in the directory to which you want to restrict access. Because you probably have other web pages you want everyone to be able to see, you will need to create a special directory for the restricted pages and give your files the correct permissions.

In most cases, you will be working on a website with other people. Make sure that you have requested a UNIX project at least two business days before you need to restrict access to the web pages. (More information)

Change to the directory in which you want to create a restricted directory.

At the copland.udel.edu prompt, type the following command, replacing directory_name with the name of your directory on the central web server. Then press ENTER:
```
cd /www/htdocs/directory_name
```

Create the directory you want to restrict.

If you alone are creating and working on the files to which you wish to restrict access, type the following commands, pressing ENTER after each command, and replacing restricted_dir_name with a name of your choice:
```
mkdir restricted_dir_name
chmod 755 restricted_dir_name
cd restricted_dir_name
```
If you and your workgroup are creating and working on the files to which you wish to restrict access, type the following commands, pressing ENTER after each command, and replacing project number with your actual project number and restricted_dir_name with a name of your choice:
```
mkdir restricted_dir_name
chgrp project_number restricted_dir_name
chmod 775 restricted_dir_name
chmod g+s restricted_dir_name
cd restricted_dir_name
```

The two options above leave the content you publish in the directory visible to users who login to copland.udel.edu. If you need to prevent such access, consider having the directory set up for WebDAV publishing. If WebDAV is infeasible, advanced UNIX file access control using file ACLs can be used.

Access to users other than the owning user and group is removed. Then a file ACL granting read access to the web server is added.

chmod o-rwx restricted_dir_name
setfacl -m group:www:r-x restricted_dir_name

Create your .htaccess file. Use the UNIX text editor of your choice (vi, emacs, Pico) or your web page editor of choice (e.g., Dreamweaver) to create and save a .htaccess file in the directory you want to restrict.
- A .htaccess file contains directives that affect how the web server handles requests for files and subdirectories in a directory.
- Generally, there are three ways to use a .htaccess file to restrict access (allow only certain people to view your web pages with a web browser):
  - By IP address or network
  - By user
  - By group.
  Those methods can be combined.

Specific information is listed below.

Restrict access by IP address or network

To restrict access to computers with specific IP addresses or in specific networks, type the following line into the .htaccess file:

Require ip address_or_network(s)

For address_or_network, substitute IP address(es) or network(s). Multiple values should be separated by a space. If the remote computer has its IP address present in the list or is on a network present in the list, access is granted. The acceptable IP address and network syntax is covered in the Apache documentation.

Here's an example of a .htaccess directive to restrict access to computers on University networks:

Require ip 128.175 128.4 10

Restrict access by user

To restrict by user, type the following line into the .htaccess file:

Require user username(s)

For username(s), substitute the actual UDelNet ID(s) of the person or people to whom you want to allow access. For more than one user, list each name separated by a space.

Here's an example of a .htaccess file to restrict access to users "banana," "apple," "pear", "mango," "grape," "fig":

Require user banana apple pear mango grape fig

To allow access to anyone with a valid UDelNet ID, substitute Require valid-user:

Require valid-user

Restrict access by group

To restrict by group, type the following line into the .htaccess file:

Require ldap-group cn=project_number,ou=Groups,o=udel.edu

Substitute the actual project number for project_number. If you want to restrict access to more than one group, include additional lines, one for each group, and group them in a <RequireAny> block (see Combining directives below). For example, to allow only users in projects 1111 and 1776 to access your restricted directory, create a .htaccess file like this one:

<RequireAny>
  Require ldap-group cn=1111,ou=Groups,o=udel.edu
  Require ldap-group cn=1776,ou=Groups,o=udel.edu
</RequireAny>

Combining directives

By default when multiple Require directives are present in the .htaccess file, a request that satisfies at least one of the directives will be granted access. For example:

Require ip 128.175 128.4 10
Require valid-user

Requests made from computers on University networks will satisfy the Require ip directive and authentication will not be required. From anywhere else on the Internet, authentication is required and, so long as it succeeds, the access is granted.

More complex combinations can be made by grouping Require directives together:

<RequireAny> .. </RequireAny> access is granted if at least one of the enclosed directives grants access
<RequireAll> .. </RequireAll> access is granted if all of the enclosed directives grants access
<RequireNone> .. </RequireNone> access is granted if none of the enclosed directives grants access

For example, if your list of allowed users requires two lines, add the <RequireAny> and </RequireAny> lines to the file:

<RequireAny> Require user banana apple pear mango grape fig Require user maryqdoe johnxroe fawndeer fisherman </RequireAny>

Here's a more complex example showing how to grant access to members of project 9999 who are using a computer on the 128.175.2.0/26 subnet of the campus network:

<RequireAll>
  Require ip 128.175.2.0/26
  Require ldap-group cn=9999,ou=Groups,o=udel.edu
</RequireAll>

Groupings can be nested inside each other. For example, if members of either of two projects should be granted access while on campus, the .htaccess would look like the following:

<RequireAll>
  Require ip 128.175.2.0/26
  <RequireAny>
    Require ldap-group cn=9999,ou=Groups,o=udel.edu
    Require ldap-group cn=1000,ou=Groups,o=udel.edu
  </RequireAny>
</RequireAll>

After you have saved your .htaccess file, you will need to set the permissions correctly. If you are working on the central UNIX servers, at the UNIX command line prompt, type the following command and press ENTER:
```
chmod 644 .htaccess
```

You have now completed all the steps necessary to restrict access to web pages contained in your restricted directory. When users access URLs contained within directories protected in this way, the browser will present a Username and Password Required dialog box in which the user will be prompted to enter his or her UDelNet ID (username) and password. For more information about all the uses of a .htaccess file, review this Apache.org web page

Note: To ensure that people will be logging in through a secure page, when you create the href link to your restricted page, use https rather than http in the URL. For example, https://www1.udel.edu/directory_name/filename.html.

Contents

FAQs

How do I get a web directory?

UD faculty and staff can obtain space on the central web server (www1.udel.edu) to publish official University information by completing the WWW Directory Request Form.

How do I find out a person's UDelNet ID?

Finding the person's UDelNet ID is a two-step process.

At the copland command-line prompt, type the following command, substituting the person's last name for name, then press ENTER:
```
finger name@udel.edu
```
This will give you a list of approximate matches to the name you seek. The matches are in the form first.m.last@udel.edu. You must type the entire name to get the person's exact information, including the UDelNet ID.
Type
```
finger first.m.last@udel.edu
```
to get the person's UDelNet ID.

How does a person get a UDelNet account?

All members of the UD community have a UDelNet account. To activate your UDelNet account, see the University of Delaware Network page.

What is a project, and how do I get a project number?

A project is an established group of individuals in the UNIX computer accounting system.

To obtain a project number, go to the Support Center's Access Forms page. Log in and submit the UNIX Instructional Project Request if you are a faculty member setting up restricted access web pages for a class or the UNIX New Project Request if you are faculty or staff setting up restricted access web pages for something other than a class. Use the "restrict by user" method rather than requesting a project if the number of people to whom you would like to offer access is fewer than 30. Student organizations who have web directories on copland will already have a project number. Individual students can not obtain a project number.

How do I use the pico editor?

See the Pico Text Editor Help Page.

Search IT Help

Search for forms & applications.