Restricting Access to Web Content

Restricting access to an RCS directory (AFS file space) can use either AFS WebSecure over SSL or .htaccess files. WebSecure is recommended for restricting access to members of the campus community. At the moment, .htaccess, while less secure, is the only technique that works for off-campus users. Use one OR the other. These methods CANNOT be combined.

Restricting access with AFS WebSecure and SSL

To restrict access with AFS WebSecure over SSL, all those who will be given access must have an RCS ID. This approach is recommended and, fortunately, only entails two steps: 1.) changing AFS directory permissions, and 2.) providing an explicit link or path for the web address. Note: to access your files in AFS space and to set Access Control Lists (ACLs), you can use the Open AFS Client.

1.) To restrict access in your AFS directory, including /dept and /~ space, you'll need to change your ACLs (access control lists). For an explanation and detailed instructions, see "Sharing Files in RCS UNIX". Access may be restricted to all RCS users, or to individuals or groups of RCS users.

2.) In order to access the restricted directory with a web browser, the URL must take one of the following forms:

https://afsws.rpi.edu/AFS/dept/...

or

https://afsws.rpi.edu/AFS/home/[2-digit volume #]/[rcsid]/public_html/...

Please note the SSL protocol, https, and the all-caps AFS which begins the directory path. The former passes the request through the secure server to encrypt the transaction. The latter begins the necessarily explicit path that tells the server to use the WebSecure module for authentication. Access will be limited to only those RCS users who have been authorized to read the contents of that directory, as determined by the directory's ACLs (see step 1 above). Those users need to log in using their RCS ID and password to gain access.

A note about special users:

Of the specially named users in AFS, two are of particular interest when setting access on web directories:

  • system:anyuser - give this user read and list (rl) access to a web directory to make it accessible to the world.
  • system:authuser - give this user read and list (rl) access to a web directory and revoke rights from system:anyuser (if any rights are granted) to make a web directory accessible only to RPI students, faculty, and staff (or anyone with an RCS ID).

Restricting access with .htaccess

You can restrict access either by password or by IP address. You may also want to refer to the Apache documentation on Authentication, Authorization, and Access Control, § Basic authentication.

In order to issue the commands explained below, you must be on an AIX system. Campus users with PCs, please use SecureCRT and connect to rcs-ibm.rpi.edu. Unix/Linux users should type "ssh rcs-ibm.rpi.edu" in a shell to access an AIX system. Log in using your RCS ID and password (same as email).

Restricting access by password

In the directory where you wish to limit access, create a file called .htaccess. This file can be created and edited using any ASCII editor (e.g., Notepad). In this file include:

AuthUserFile /otherdir/.htpasswd
AuthGroupFile /dev/null
AuthName "Text that will appear in the log-in dialog box"
AuthType Basic
<Limit GET>
require user guest jdoe
</Limit>

This example combines several directives instructing the HTTP server to allow access only to users who log in as guest or jdoe. Please note that for AuthUserFile /otherdir/.htpasswd:

  • the .htpasswd file should be in a directory other than the directory containing .htaccess.
  • the directory containing .htpasswd must be set to system:anyuser read (publicly readable).
  • the full path of the directory must be used. If you put your .htpasswd file in a subdirectory of your public_html directory, then this path would look like this:
    AuthUserFile /home/<xx>/<userid>/public_html/<directory>/.htpasswd

Next, you must create a password file for this directory. Use the htpasswd program to create the password file. In a UNIX window "cd" to the directory where you want to put your .htpasswd file. Then, follow these steps:

setup /dept/acs/rpinfo/htpasswd
htpasswd -c .htpasswd guest
Adding password for guest.
New password:
Re-type new password:

htpasswd .htpasswd jdoe
Adding user jdoe
New password:
Re-type new password:

The above example first creates a password file in the current directory and inserts user guest, then adds user jdoe to it. Note that the switch -c is left off after the first user has been added to the file, since -c creates a new file and would overwrite the existing one. In both cases the program asks for a password. This is the user name/password combination that users need to use in order to get to the information in that directory. The user name and password are sent by the browser on the remote system.

Restricting access by IP address

In the directory where you wish to limit access, create a file called .htaccess. This file can be created and edited using any ASCII editor. In this file include:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from 128.113.
</Limit>

In this example, the Limit directive states that for all GET requests, access is allowed only to hosts whose IP address begins with 128.113. (the rpi.edu network); all other hosts are denied.
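To make the password and IP-address .htaccess examples above concrete, here is an added Python simulator; it is not part of the original page or of the RCS documentation. It parses each .htaccess file, verifies credentials against a constructed .htpasswd, and decides a single request the way those files would. The {SHA} password format (what "htpasswd -s" writes), the sample users, passwords, client addresses and file paths are all assumptions. Because both examples wrap their directives in <Limit GET>, the simulator also makes visible a caveat worth knowing: Apache applies directives inside a Limit block only to the listed methods, so requests using other methods to the same directory pass through unchecked unless the Limit wrapper is left out.

```python
import base64
import hashlib
import os
import re

# Constructed sample inputs (not from the page): the password-protected
# .htaccess, the IP-restricted .htaccess, and a .htpasswd in the {SHA}
# format written by "htpasswd -s", which verifies with the standard library.
HTACCESS_PASSWORD = """\
AuthUserFile /home/xx/jdoe/public_html/pw/.htpasswd
AuthGroupFile /dev/null
AuthName "Members only"
AuthType Basic
<Limit GET>
require user guest jdoe
</Limit>
"""

HTACCESS_IP = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from 128.113.
</Limit>
"""


def sha_entry(user, password):
    """One .htpasswd line as "htpasswd -s" writes it: user:{SHA}base64(sha1(pw))."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed password file: guest/letmein and jdoe/"correct horse".
HTPASSWD = sha_entry("guest", "letmein") + "\n" + sha_entry("jdoe", "correct horse") + "\n"


def parse_htaccess(text):
    """Extract the directives used on this page. Anything inside <Limit ...>
    applies only to the listed methods; with no Limit block it applies to all."""
    rules = {"methods": None, "users": set(), "allow": [], "deny_all": False,
             "auth_user_file": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.lower() == "</limit>":
            continue
        m = re.match(r"<limit\s+([^>]+)>", line, re.I)
        if m:
            rules["methods"] = {w.upper() for w in m.group(1).split()}
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "authuserfile":
            rules["auth_user_file"] = value
        elif key == "require" and value.lower().startswith("user "):
            rules["users"].update(value.split()[1:])
        elif key == "deny" and value.lower() == "from all":
            rules["deny_all"] = True
        elif key == "allow" and value.lower().startswith("from "):
            rules["allow"].append(value.split(None, 1)[1])
        # "order deny,allow" is assumed throughout, as in the page's example.
    return rules


def ip_matches(ip, partial):
    """Approximation of Apache's partial-address match: "128.113." (or
    "128.113") matches every address whose leading octets are 128.113 and
    does not match 128.11.x.x (octet comparison, not a string prefix)."""
    want = [o for o in partial.split(".") if o]
    return ip.split(".")[: len(want)] == want


def check_credentials(htpasswd_text, user, password):
    """Verify a Basic-auth user/password pair against {SHA} .htpasswd lines."""
    for entry in htpasswd_text.splitlines():
        name, _, stored = entry.partition(":")
        if name == user:
            return stored == sha_entry(user, password).partition(":")[2]
    return False


def is_allowed(rules, method, client_ip, user=None, password=None, htpasswd=""):
    """Decide one request the way the two .htaccess examples would."""
    # Directives wrapped in <Limit GET> are not applied to other methods, so
    # a POST or HEAD to the same directory is not checked at all.
    if rules["methods"] is not None and method.upper() not in rules["methods"]:
        return True
    # order deny,allow: "deny from all" is applied first and a matching allow
    # line overrides it; a host matching no allow line stays denied.
    if rules["deny_all"] and not any(ip_matches(client_ip, p) for p in rules["allow"]):
        return False
    if rules["users"]:
        return user in rules["users"] and check_credentials(htpasswd, user, password or "")
    return True


def htpasswd_outside_protected_dir(rules, protected_dir):
    """The page's placement rule: .htpasswd must not sit in the directory
    that holds the .htaccess (a subdirectory of public_html is fine)."""
    path = rules["auth_user_file"] or "/dev/null"
    return os.path.dirname(path) != protected_dir.rstrip("/")


if __name__ == "__main__":
    pw, ip = parse_htaccess(HTACCESS_PASSWORD), parse_htaccess(HTACCESS_IP)
    print(is_allowed(pw, "GET", "1.2.3.4", "jdoe", "correct horse", HTPASSWD))  # True
    print(is_allowed(pw, "GET", "1.2.3.4", "jdoe", "wrong", HTPASSWD))          # False
    print(is_allowed(pw, "POST", "1.2.3.4"))     # True: <Limit GET> does not cover POST
    print(is_allowed(ip, "GET", "128.113.5.6"))  # True
    print(is_allowed(ip, "GET", "128.11.5.6"))   # False
```

Run it as a script to see the six decisions, or import it and feed parse_htaccess your own .htaccess text; htpasswd_outside_protected_dir applies the page's rule that the password file must live in a directory other than the one being protected.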