
Password Restriction Using .htaccess

Often it is desirable to restrict access to your website, or portions of it, to certain users. Most people have clicked on a link and had a box pop up requiring a user name and password to continue. This feature is available on JHUniverse. Sites restricted using the following procedure should be considered restricted, but not secure, since HTTP Basic authentication sends the password in clear text (only base64-encoded) with every request. Implementing this feature requires an SSH account, which can be requested from webhosting@jhu.edu. The following information assumes the user has a basic familiarity with using SSH and Linux shell commands.

One User, One Password
For this example, let's say the account name is wwwdev, which means the home directory is /home/wwwdev. The web directory is /home/wwwdev/public_html. Let's say we want to restrict a folder within the website called private. This folder is located at /home/wwwdev/public_html/private. We will start off by restricting access to a user named jhu with a password of hopkins.

The first step is to create a password file. This file should be placed somewhere not accessible from the web, so that the password file cannot be downloaded. In our example, the file will be /home/wwwdev/privatepwd. To create the file, use the htpasswd utility.

Login to your account via SSH and type:

htpasswd -c /home/wwwdev/privatepwd jhu

htpasswd will ask you for the password, and then ask you to type it again to confirm it.

The second step in setting up password restrictions is to create a .htaccess file in the private folder (see the separate instructions on creating .htaccess files).

Next, place the following lines in the .htaccess file:

AuthType Basic
AuthName "wwwdev private"
AuthUserFile /home/wwwdev/privatepwd
Require user jhu

You can test this by trying to access this directory.

Many Users and Passwords
Often more than one user is required for password authentication. To accomplish this, you will need to use the AuthGroupFile directive. You will need to create a group file that associates group names with a list of users in that group. The format of this file is pretty simple, and you can create it using vi in SSH or upload a file created with a text editor. Let's call our file jhugroup, and place it in /home/wwwdev/. The contents of the file will look like this:

jhugroup: jhu jhu2 jhu3 jhu4

That's just a list of the members of the group in a long line separated by spaces.

To add a user to your already existing password file, type:

htpasswd /home/wwwdev/privatepwd jhu2

You'll get the same prompts as before, but the new entry will be appended to the existing file rather than creating a new file. (It's the -c flag that makes htpasswd create a new password file, overwriting any existing file of that name, so omit it when adding users.)

Now, you need to modify your .htaccess file to look like the following:

AuthType Basic
AuthName "wwwdev private"
AuthUserFile /home/wwwdev/privatepwd
AuthGroupFile /home/wwwdev/jhugroup
Require group jhugroup

Now, anyone that is listed in the jhugroup and has an entry in the password file will be let in, assuming they type the correct password.

There's another way to let multiple users in that is less specific. Rather than creating a group file, you can just use the following directive:

Require valid-user

Using that rather than the Require user jhu line will allow anyone in that is listed in the password file, and who correctly enters their password. You can even emulate the group behavior here, by just keeping a separate password file for each group. The advantage of this approach is that Apache only has to check one file, rather than two. The disadvantage is that you have to maintain a bunch of password files, and remember to reference the right one in the AuthUserFile directive.
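To make the interaction between AuthUserFile, AuthGroupFile and the three Require forms (user, group, valid-user) concrete, here is an added Python example, not part of this page or of Apache, that models the decision Apache makes. It writes password entries in the {SHA} format produced by `htpasswd -s` (the server's default htpasswd format may differ; only the {SHA} form is reproduced here), parses the two files, and then applies a Require line. The user names, passwords and the outsider account are constructed sample data.

```python
import base64
import hashlib
import hmac


def sha1_entry(user: str, password: str) -> str:
    """Return one AuthUserFile line as `htpasswd -s` writes it:
    user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_userfile(text: str) -> dict:
    """Map user -> stored hash from 'user:hash' lines (blank and # lines ignored)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def parse_groupfile(text: str) -> dict:
    """Map group -> set of members from 'group: user1 user2 ...' lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        groups[group.strip()] = set(members.split())
    return groups


def password_ok(users: dict, user: str, password: str) -> bool:
    """Authentication step: the user must have an entry and the hash must match."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = sha1_entry(user, password).partition(":")[2]
    return hmac.compare_digest(stored, expected)


def authorized(require: str, users: dict, groups: dict,
               user: str, password: str) -> bool:
    """Authorization step: apply one Require directive after a good password."""
    if not password_ok(users, user, password):
        return False
    parts = require.split()
    if parts[:2] == ["Require", "valid-user"]:
        return True                      # any entry in AuthUserFile
    if parts[:2] == ["Require", "user"]:
        return user in parts[2:]         # only the users named on the line
    if parts[:2] == ["Require", "group"]:
        return any(user in groups.get(g, set()) for g in parts[2:])
    return False                         # unknown directive: deny


# Constructed sample files mirroring the page's example (passwords are made up).
USERFILE = "\n".join([
    sha1_entry("jhu", "hopkins"),
    sha1_entry("jhu2", "secret2"),
    sha1_entry("outsider", "pw"),        # has a password but is in no group
])
GROUPFILE = "jhugroup: jhu jhu2 jhu3 jhu4\n"   # jhu3/jhu4 have no password entry


def demo() -> dict:
    users = parse_userfile(USERFILE)
    groups = parse_groupfile(GROUPFILE)
    return {
        "jhu_named_user": authorized("Require user jhu", users, groups, "jhu", "hopkins"),
        "jhu_wrong_password": authorized("Require user jhu", users, groups, "jhu", "wrong"),
        "jhu2_not_named": authorized("Require user jhu", users, groups, "jhu2", "secret2"),
        "jhu2_via_group": authorized("Require group jhugroup", users, groups, "jhu2", "secret2"),
        "outsider_not_in_group": authorized("Require group jhugroup", users, groups, "outsider", "pw"),
        "outsider_valid_user": authorized("Require valid-user", users, groups, "outsider", "pw"),
        "jhu3_in_group_no_entry": authorized("Require group jhugroup", users, groups, "jhu3", "x"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

The last two cases show the practical difference between the approaches above: with Require valid-user, every account in the password file gets in, so an account you forgot to remove from the file still has access; with Require group, a name in the group file without a matching password entry (jhu3) is still denied, because the group file only authorizes, it never authenticates.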

Getting all this to work can take some time and patience. If you get stuck, please consult the tutorial below.

More Information:
Authentication Tutorial.


Updated Sunday, 27-Jul-2003 23:41:30 EDT -- webhosting@jhu.edu -- JHUniverse -- Technical Information