Restrict Web Page Access - .htaccess

What Is .htaccess?

htaccess is a way to restrict access to (parts of) a web site to specified users and those passwords. In the example below, you are allowing user bgreene access to a web page in your public_html directory.

How Create the Necessary Files?

Now create a .htaccess file in the directory you want to protect (or the directory that contains the file(s) you want to protect). In this example, you are protecting a file in the directory "solutions" in your public_html directory. The pathname, thus, is: /user/eng/accountID/public_html/solutions/

  1. Login to your account using a Linux workstation, either by sitting at a Linux workstation or by using NX Client for Windows from a Windows computer.

  2. Create a password file using the htpasswd tool. In this example only the account bgreene is included for access to the file. The htpasswd tool encrypts the password. It prompts for a password and writes the user name (bgreene) and encrypted password to the file you specify. The password you create should be a secure one; here is our information about what makes a good password. If only College of Engineering users will have access to the web page, you can use Kerberos authentication, as explained below.

    htpasswd ā€“c ~/.htpasswd bgreene

    Use the "-c" argument ONLY on the first run. You can add additional usernames and passwords to this file using the htpasswd command without the ā€˜-cā€™.

    Note: do NOT put this file in the directory where you put the .htaccess file. We recommend you put this file in your home directory.

  3. Give the world read access.

    chmod 644 ~/.htpasswd

  4. After you login, change to the solutions directory: cd ~/public_html/solutions

  5. Create a file like the one below, substituting your account ID for "accountID" and the account to have access for bgreene in the example.

    AuthType Basic
    AuthName "Welcome. Please sign in."
    AuthUserFile /user/eng/accountID/.htpasswd
    require user bgreene

  6. Make the file readable by the web server

    chmod 644 ~/public_html/solutions/.htaccess

Kerberos

If people getting to the secure web area have an Engineering account, you can use Kerberos authentication. You need to create a .htaccess file, but no .htpasswd file. A sample .htaccess file is shown below. This grants access to all engineering account holders. If you want to restrict access to specified account(s), use the .htaccess/.htpasswd combination described above.

# Specify use of Krb5
AuthType KerberosV5
# name for user
AuthName "Engineering Login-ID"
# default realm
KrbAuthRealm ENGR.UIOWA.EDU
# Demand valid user
<Limit GET>
require valid-user
</Limit>

For Security

As noted above, to provide security,

  • the password used by the htpasswd file should be a good (not easily guessed or cracked) one.
  • make the web page one protected by SSL (https://...).

Help

Contact the consultant at the Engineering Help Desk, 1253 SC, 319-335-5055, if you need assistance creating or modifying .htaccess files.