Web page security

Public access to personal Web pages can be controlled by creating a hidden file named .htaccess in your public_html directory where your HTML files are located. The following instructions briefly summarize the basic format of this file, the accompanying password files, and the commands used to create and modify these files.

Prerequisites

These instructions assume you meet certain minimum requirements:

  • Know how to telnet to your UNIX account.
  • Have some basic understanding of UNIX shell commands.
  • Know how to use the pico editor (or a similar editor).
  • Have an existing public_html directory.

The references for these instructions are:

http://www.apacheweek.com/features/userauth

http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html

http://www.apache.org/docs/mod/mod_access.html

http://www.apache.org/docs/mod/mod_auth.html


Access methods

There are two methods by which the .htaccess file may restrict access:

1. Username/password-level access authorization. This method requires a user to enter a username and password to access the web page.

2. Rejection or acceptance of connections based on Internet address, hostname, or domain name of the Web client.

The above two methods may also be combined. WARNING: neither of these security methods is foolproof.


Access by username/password

This is a sample .htaccess file for method #1:

AuthUserFile /home/1/username/.htpasswd 
AuthGroupFile /home/1/username/.htgroup 
AuthName LavaFriend 
AuthType Basic 
Require group myfriends 

The AuthUserFile parameter must specify the full path of the .htpasswd file and the AuthGroupFile parameter must specify the full path of the .htgroup file. The .htgroup file will contain the list of authorized usernames, and .htpasswd will contain their passwords.

Creating the files

To create the .htaccess file, login to a UNIX shell and enter the following:

   cd ~
   pwd

Write down what is displayed. This is the path to your home directory. It will be used in the AuthUserFile and AuthGroupFile parameters. Then create and edit the .htaccess file using the pico editor:

   pico ~/public_html/.htaccess 

Enter the text from the above sample .htaccess file. Make the appropriate changes for AuthUserFile and AuthGroupFile, and save the file. Now create the other files:

   touch ~/.htgroup ~/.htpasswd 

To add the first username/password pair to .htpasswd use the htpasswd program:

   htpasswd ~/.htpasswd pumpkin 

This adds username pumpkin to it. You will be prompted for the corresponding password for user pumpkin. Adding additional username/password pairs to .htpasswd is almost identical:

   htpasswd ~/.htpasswd peanuts 

The above creates or changes a password entry for user peanuts. To edit the list of authorized users do the following:

   pico ~/.htgroup 

The .htgroup file should be created with the following format:

   myfriends: pumpkin peanuts
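
The three files only work together if the paths in .htaccess are full paths to readable files and every member of the required group has an entry in .htpasswd. The shell function below is an added example, not part of LavaNet's instructions, that checks this; the function names check_htaccess and directive, the scratch directory and the placeholder hash are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that .htaccess, .htgroup and .htpasswd agree.
# check_htaccess FILE prints one line per problem and returns the count.

# Print the first argument of a directive; Apache directive names are case-insensitive.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

check_htaccess() {
    ht=$1; problems=0
    userfile=$(directive "$ht" AuthUserFile)
    groupfile=$(directive "$ht" AuthGroupFile)
    group=$(awk 'tolower($1) == "require" && tolower($2) == "group" { print $3; exit }' "$ht")

    # Both paths must be full paths; -r tests the current user, and the
    # web server process needs read access as well.
    for f in "$userfile" "$groupfile"; do
        case $f in
            /*) [ -r "$f" ] || { echo "not readable: $f"; problems=$((problems + 1)); } ;;
            *)  echo "not a full path: '$f'"; problems=$((problems + 1)) ;;
        esac
    done
    [ -r "$userfile" ] && [ -r "$groupfile" ] || return "$problems"

    # Every member of the required group needs a line in the password file.
    members=$(awk -F: -v g="$group" '$1 == g { print $2 }' "$groupfile")
    [ -n "$members" ] || { echo "group '$group' not defined in $groupfile"; problems=$((problems + 1)); }
    for u in $members; do
        awk -F: -v u="$u" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$userfile" ||
            { echo "no password entry for: $u"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample files in a scratch directory (the hash is a placeholder).
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<EOF
AuthUserFile $demo/.htpasswd
AuthGroupFile $demo/.htgroup
AuthName LavaFriend
AuthType Basic
Require group myfriends
EOF
echo "myfriends: pumpkin peanuts" > "$demo/.htgroup"
echo "pumpkin:PLACEHOLDER-HASH" > "$demo/.htpasswd"   # peanuts was never added

check_htaccess "$demo/.htaccess" || echo "problems found: $?"
```

To check a real setup, call check_htaccess ~/public_html/.htaccess after following the steps above.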

Access by domain name

The following is a sample .htaccess file for method #2 using domain name restriction:

   order deny,allow
   deny from all
   allow from .lava.net

This example allows only clients within the lava.net domain to have access. The .htpasswd and .htgroup files are not required for this type of access restriction.


Access by IP addresses

Here is an .htaccess file for method #2 restricting access to the 192.168.1.0 network:

   order deny,allow
   deny from all
   allow from 192.168.1.0/24

To limit access to a specific machine, either the complete hostname or the complete IP address must be entered. Multiple entries separated by spaces may be added on the 'allow from' line.


Access Combinations

As a final example, this .htaccess file allows access by domain OR passwords.

AuthUserFile /home/1/username/.htpasswd
AuthGroupFile /home/1/username/.htgroup
AuthName LavaFriend
AuthType Basic
order deny,allow
deny from all
allow from .lava.net
require group myfriends
satisfy any

Use 'satisfy all' to restrict access by domain/addresses AND passwords.

Turning it on and off

The .htaccess, .htpasswd, and .htgroup files must be accessible to the Web server process for security to be active.

To activate the new restrictions use the following command so that your access files are readable by the Web server:

   chmod a+r ~/.ht* ~/public_html/.htaccess 

To disable security (your personal Web pages become accessible by everyone) you'll need to remove or rename the .htaccess file. To remove it do the following:

   rm ~/public_html/.htaccess

Copyright © 2006 LavaNet, Inc. All rights reserved.