Documentation:Web pw protect

From UGCS

How to password-protect a web site

There are a few ways to password-protect a UGCS website. Since we run Apache 2, you can put your authorization configuration in a .htaccess file. This file, which must be named ".htaccess", goes in the folder you want to protect (it also protects that folder's subfolders).

These methods only restrict access by people reaching your files through the web. Users on the cluster can still read the files directly unless you change the AFS ACLs. You need to make sure the web server (www-data) and your scripts (<username>_cgi) can read the files, but nobody else can. The following "fs" command sets the correct permissions on the current directory:

fs setacl . system:anyuser none www-data read <username>_cgi read

Add simple passwords

Add the following lines to your .htaccess file:

AuthType Basic
AuthName "<Name of your Website goes here>"
AuthUserFile <path-to-htpasswd-file>
Require valid-user

You may then add users and passwords with htpasswd. You will have to pick a secure location for your password file: it should be outside of ~/public so other users can't read it, but it must also be in a directory that the web server can read. A sample invocation looks like:

mkdir ~/apache-users
fs sa ~/apache-users www-data read
htpasswd -c ~/apache-users/htpasswd <username1>

The program will then prompt you for the password for the given user. On later runs, use the "htpasswd" command without the "-c" option, since "-c" creates a new file and would overwrite the users you already added.

Use Kerberos

UGCS also supports Kerberos authentication. Under this system, users will be required to give the username and password of a UGCS account. Note that you cannot use this technique for virtual domains (anything outside of www.ugcs.caltech.edu) because you don't have a valid Kerberos keytab; if this is a problem, please contact us. You can set it up by adding the following lines to the appropriate .htaccess file:

AuthType Kerberos
AuthName "<Your Website>"
Krb5KeyTab "/etc/apache2/poseidon-apache.keytab"
Require valid-user

If you want to allow only certain users, replace

Require valid-user

with

Require <username1>@UGCS.CALTECH.EDU <username2>@UGCS.CALTECH.EDU

with as many user names as you want.

See Kerberos for more Kerberos information.

Use IP addresses

You can restrict a site to Caltech IP addresses by adding the following lines:

Order Deny,Allow
Deny From All
Allow from 131.215

Use both

You can use both kinds of protection if you want. This way, users will only be prompted for a password if they are outside of the Caltech network. To use this, add both the lines for the password protection and the lines for the IP restriction, and then add the following line:

Satisfy Any

This way, either a valid IP address or a valid password will let a user in.
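As an added example (not UGCS tooling), a small Python checker for the .htaccess combinations described on this page: it flags an unquoted multi-word AuthName, a password file kept under ~/public, an AuthType with no Require, a Kerberos block with no keytab, and a Satisfy Any without a Deny rule, which lets the host check pass everyone so the password is never asked for. It assumes the web root is ~/public, as stated above; the sample snippet is constructed.

```python
import re

# Assumption (from the page): the web root is ~/public, so a password file whose
# path goes through "/public/" can be fetched over the web.
WEB_ROOT_MARKER = "/public/"
# Constructed sample: Basic auth plus the Caltech IP rule, joined with Satisfy Any.
GOOD_SNIPPET = """AuthType Basic
AuthName "Members Only"
AuthUserFile /home/alice/apache-users/htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from 131.215
Satisfy Any
"""

def parse_htaccess(text):
    """Return (directive, argument) pairs, directives lower-cased, blanks and comments skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def check_htaccess(text):
    """Return the problems found in a .htaccess snippet; an empty list means it looks sane."""
    pairs = parse_htaccess(text)
    names = {d for d, _ in pairs}
    args = dict(pairs)  # if a directive repeats, the last one wins
    problems = []
    auth_type = args.get("authtype", "").lower()
    auth_name = args.get("authname", "")
    if auth_type and " " in auth_name and not re.fullmatch(r'"[^"]*"', auth_name):
        problems.append("AuthName with spaces must be quoted (it takes a single argument)")
    if auth_type == "basic":
        if "authuserfile" not in names:
            problems.append("AuthType Basic needs an AuthUserFile")
        elif WEB_ROOT_MARKER in args["authuserfile"]:
            problems.append("AuthUserFile lies under ~/public: move it outside the web root")
    elif auth_type == "kerberos" and "krb5keytab" not in names:
        problems.append("AuthType Kerberos needs a Krb5KeyTab")
    if auth_type and "require" not in names:
        problems.append("AuthType set but no Require: nobody is asked to authenticate")
    if args.get("satisfy", "").lower() == "any" and "deny" not in names:
        problems.append("Satisfy Any without a Deny rule: the host check passes everyone, "
                        "so the password is never required")
    return problems
```

Running check_htaccess(GOOD_SNIPPET) returns an empty list; feed it the text of your own .htaccess to see which of the combinations above it trips.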
