Documentation:Web pw protect
How to password-protect a web site
There are a few ways to password-protect a UGCS website. Since we run Apache 2, you can put your authorization configuration in a .htaccess file. This file should be in the folder you want to protect (it also protects subfolders), and is called ".htaccess"
These methods will just restrict access to people trying to access your files via the web. Users on the cluster can still see the files unless you change the AFS ACL's. You need to make sure the webserver (www-data) and your scripts (<username>_cgi) can read the files, but no one else can. The following "fs" command will set the correct permissions for the given directory:
fs setacl . system:anyuser none www-data read <username>_cgi read
Add simple passwords
Add the following lines to your .htaccess file
AuthType Basic AuthName <Name of your Website goes here> AuthUserFile <path-to-htpasswd-file> Require valid-user
You may then add users and password with htpasswd. You will have to pick a secure location to put your password file- it should be outside of ~/public so other users can't read it, but must also be in a directory that the web server can read. A sample invocation looks like:
mkdir ~/apache-users fs sa ~/apache-users www-data read htpasswd -c ~/apache-users/htpasswd <username1>
The program will then prompt you for the password for the given user. Future runs should just include the "htpasswd" command and not have the "-c" option.
UGCS also supports Kerberos authentication. Under this system, users will be required to give the username and password for a UGCS account. Note that you cannot use this technique for virtual domains (anything outside of www.ugcs.caltech.edu) because you don't have a valid Kerberos keytab- if this is a problem, please contact us. You can set it up by adding the following lines to the appropriate .htaccess file:
AuthType Kerberos AuthName "<Your Website>" Krb5KeyTab "/etc/apache2/poseidon-apache.keytab" Require valid-user
If you want to allow only certain users, replace
Require <username1>@UGCS.CALTECH.EDU <username2>@UGCS.CALTECH.EDU
with as many user names as you want
See Kerberos for more kerberos information.
Use IP addresses
You can restrict a site to Caltech IP's by adding the following lines:
Order Deny,Allow Deny From All Allow from 131.215
You can use both types of authentication if you want. This way, users will only be prompted for a password if they are outside of the Caltech network. To use this, add both the lines for the password protection and the IP restriction, and add the following line
This way, either a valid IP or valid password will let a user in.