Website Security

(This material last modified

Most Web servers pay special attention to a file named .htaccess in any folder. It can be used to restrict access to the files in that folder (and in any sub-folder of it) to only those browsers that meet your criteria. The .htaccess file should be world-readable, just like any .html file, and it is a plain text file that looks something like an .html file. Note: servers can be configured to recognize any file name for this purpose, but .htaccess is by far the most common.

Access by Domain or IP Address

The <Limit GET> section controls which clients can access files in this folder. There are two ways of doing this, corresponding to the two forms of the Order directive. First:

    <Limit GET>
    Order deny,allow
    deny from all
    allow from .purdue.edu
    </Limit>

The Order directive says to process all "deny" lines first and then all "allow" lines next. So, "deny from all" says "don't let any clients retrieve files from this folder". But, "allow from .purdue.edu" says "but do let clients from .purdue.edu retrieve files".

    <Limit GET>
    Order deny,allow
    deny from all
    allow from .purdue.edu
    allow from .indiana.edu
    allow from .gov
    </Limit>

Once again, "deny from all" says "don't let any clients retrieve files from this folder". But, the three allow lines say "but do let clients from .purdue.edu, .indiana.edu, and .gov retrieve files".

    <Limit GET>
    Order deny,allow
    deny from .purdue.edu
    allow from .cs.purdue.edu
    </Limit>

"deny from .purdue.edu" says "don't let any .purdue.edu clients retrieve files from this folder". But, "allow from .cs.purdue.edu" says "but do let clients from .cs.purdue.edu retrieve files". Notice that any client from anywhere else (like cbs.com) is unimpeded in retrieving files from this folder!

    <Limit GET>
    Order allow,deny
    allow from all
    deny from .com
    deny from .indiana.edu
    </Limit>

The Order directive says to process all "allow" lines first and then all "deny" lines next. So, "allow from all" says "let any clients retrieve files from this folder". But, "deny from .com" and "deny from .indiana.edu" say "but do NOT let clients from .com or .indiana.edu retrieve files".

    <Limit GET>
    Order allow,deny
    allow from .cs.purdue.edu
    deny from .purdue.edu
    </Limit>

This is probably an error. "allow from .cs.purdue.edu" says "let clients from .cs.purdue.edu retrieve files". But, "deny from .purdue.edu" says "don't let any .purdue.edu clients retrieve files from this folder". Because of the order, the deny line is processed last and over-rides the allow line. So, the allow line accomplishes nothing!

Access by Password

There are several ways of password-protecting files in a folder. The following is a fairly standard way of doing this.

Suppose that you want access to your files to be through two accounts

Username Password
bond james007
holmes sherwats

Go to the folder and type the Unix command

    htpasswd -c .htpasswd bond

You will see...

    Adding password for bond.
    New password:

Type the password james007. Then, you will see...

    Re-type new password:

Again type the password james007. If the two do not match, you will be scolded and will have to go through this process again :-)

Then, type the Unix command

    htpasswd .htpasswd holmes

Important: Notice that the -c option is only used for the first Username and Password. It creates a new .htpasswd file; using it again would overwrite the file you just made.

You will see...

    Adding password for holmes.
    New password:

Type the password sherwats. Then, you will see...

    Re-type new password:

You know what to do!

Make the .htpasswd file world-readable, so that the server process can read it. The server must still not hand it to browsers: the standard Apache configuration refuses to serve any file whose name begins with .ht, and that refusal is what keeps the password hashes in it private.

Next, use any editor to create a .htgroup file that looks like this:

    ourSpies: bond holmes

Make the .htgroup file world-readable.

Now, create or edit the .htaccess file so that it looks like this:

    AuthUserFile /home/champion/v/bxd/www/secret/.htpasswd
    AuthGroupFile /home/champion/v/bxd/www/secret/.htgroup
    AuthName SpyInfo
    AuthType Basic
    <Limit GET>
    require group ourSpies
    </Limit>

Make the .htaccess file world-readable.

The AuthUserFile /home/champion/v/bxd/www/secret/.htpasswd line tells the server that your password file is at location /home/champion/v/bxd/www/secret and is named .htpasswd. It is important that this be the full Unix pathname of the password file.

The AuthGroupFile /home/champion/v/bxd/www/secret/.htgroup line tells the server that your group file is at location /home/champion/v/bxd/www/secret and is named .htgroup. It is important that this be the full Unix pathname of the group file.

The AuthName SpyInfo line tells the server that the files in this folder are protected under the Realm name "SpyInfo". The little "Username and Password..." box will say "Enter username for SpyInfo". Once someone has given a correct Username and Password for this Realm, their browser re-sends them automatically, so they can access any of your other files protected under the same Realm name, in any folder, without re-typing the Username and Password.

The AuthType Basic line tells the server that you are using Basic HTTP Authentication. With Basic authentication the browser sends the Username and Password with every request, only base64-encoded and not encrypted, so the protection is only as good as the connection carrying them.

The require group ourSpies line tells the server that you will only grant access to files in this folder if the Usernames are from group ourSpies (as denoted in the .htgroup file).


Access by Domain and Password

You may combine Access by Domain or IP Address with Access by Password as shown below:

    AuthUserFile /home/champion/v/bxd/www/secret/.htpasswd
    AuthGroupFile /home/champion/v/bxd/www/secret/.htgroup
    AuthName SpyInfo
    AuthType Basic
    <Limit GET>
    Order deny,allow
    deny from all
    allow from .purdue.edu
    require group ourSpies
    </Limit>

In this situation, access to the files in this folder is limited to clients from .purdue.edu who also know one of the appropriate Username/Password pairs.
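To make the Order rules from the Access by Domain section and this combined block easier to reason about, here is an added model (written for this page, not code from Apache) that evaluates the lines of a <Limit GET> block for a given client host and authenticated user, with "require group" looked up in an .htgroup file. The configurations it is meant to be fed are the ones shown above; password checking itself is assumed to be done by the server and is not modelled.

```python
# Added example, not code from the page or from Apache: a model of how the
# directives inside a <Limit GET> block decide access, using Apache's Order
# semantics plus an .htgroup lookup for "require group". Password checking
# itself is the server's job and is not modelled.

def host_matches(pattern, hostname):
    # "all" matches everyone; ".purdue.edu" matches any host under that domain
    if pattern == "all":
        return True
    pattern, hostname = pattern.lower(), hostname.lower()
    return hostname.endswith(pattern) if pattern.startswith(".") else hostname == pattern

def host_allowed(order, rules, hostname):
    # deny,allow: default allow, an allow line overrides a matching deny
    # allow,deny: default deny, a deny line overrides a matching allow
    allowed = any(host_matches(p, hostname) for kind, p in rules if kind == "allow")
    denied = any(host_matches(p, hostname) for kind, p in rules if kind == "deny")
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def parse_limit(text):
    # Collect Order, "allow/deny from", and "require group" lines of the block
    order, rules, groups = "deny,allow", [], []  # deny,allow is Apache's default
    for words in (line.split() for line in text.splitlines()):
        if len(words) < 2:
            continue
        key = words[0].lower()
        if key == "order":
            order = words[1].lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            rules.extend((key, p) for p in words[2:])
        elif key == "require" and words[1].lower() == "group":
            groups.extend(words[2:])
    return order, rules, groups

def parse_htgroup(text):
    # .htgroup lines look like "ourSpies: bond holmes"
    return {name.strip(): set(members.split())
            for name, members in (l.split(":", 1) for l in text.splitlines() if ":" in l)}

def may_get(limit_text, hostname, user=None, htgroup_text=""):
    # user=None means an unauthenticated client; with a "require group" line,
    # both the host rules and the group membership must be satisfied
    order, rules, groups = parse_limit(limit_text)
    if not host_allowed(order, rules, hostname):
        return False
    members = parse_htgroup(htgroup_text) if groups else {}
    return not groups or (user is not None and any(user in members.get(g, ()) for g in groups))
```

Feeding it the "probably an error" block from above confirms that a .cs.purdue.edu client is refused, while the combined block admits a .purdue.edu client only when the user is in ourSpies.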