Documentation:Web pw protect

=How to password-protect a web site=

There are a few ways to password-protect a UGCS website. Since we run Apache 2, you can put your authorization configuration in a .htaccess file. This file should be in the folder you want to protect (it also protects subfolders), and is called ".htaccess"

These methods will just restrict access to people trying to access your files via the web. Users on the cluster can still see the files unless you change the AFS ACL's. You need to make sure the webserver (www-data) and your scripts ( _cgi) can read the files, but no one else can. The following "fs" command will set the correct permissions for the given directory: fs setacl. system:anyuser none www-data read _cgi read

Add simple passwords
Add the following lines to your .htaccess file AuthType Basic AuthName  AuthUserFile  Require valid-user

You may then add users and password with htpasswd. You will have to pick a secure location to put your password file- it should be outside of ~/public so other users can't read it, but must also be in a directory that the web server can read. A sample invocation looks like: mkdir ~/apache-users fs sa ~/apache-users www-data read htpasswd -c ~/apache-users/htpasswd

The program will then prompt you for the password for the given user. Future runs should just include the "htpasswd" command and not have the "-c" option.

Use Kerberos
UGCS also supports Kerberos authentication. Under this system, users will be required to give the username and password for a UGCS account. Note that you cannot use this technique for virtual domains (anything outside of www.ugcs.caltech.edu) because you don't have a valid Kerberos keytab- if this is a problem, please contact us. You can set it up by adding the following lines to the appropriate .htaccess file: AuthType Kerberos AuthName "" Krb5KeyTab "/etc/apache2/poseidon-apache.keytab" Require valid-user

If you want to allow only certain users, replace Require valid-user with Require @UGCS.CALTECH.EDU @UGCS.CALTECH.EDU with as many user names as you want

See Kerberos for more kerberos information.

Use IP addresses
You can restrict a site to Caltech IP's by adding the following lines: Order Deny,Allow Deny From All Allow from 131.215

Use both
You can use both types of authentication if you want. This way, users will only be prompted for a password if they are outside of the Caltech network. To use this, add both the lines for the password protection and the IP restriction, and add the following line Satisfy Any

This way, either a valid IP or valid password will let a user in.