
Setting up access protection on a website directory

First, decide how you want to restrict access:

  1. with a username and password that you create
  2. by hostname or network address
  3. with a Computer Science Department account

Keep in mind that this restricts web-based access only. Anyone who has a CS account can still view any directory on the server.

Creating an .htaccess file

Any of these protection methods requires an .htaccess file.

The .htaccess file goes in the directory you want to restrict access to. For example, /fs/www/path/to/webdir/.htaccess.

User-based authentication

  • To protect your directory with a username and password that you create, place the following content in your .htaccess:

    AuthUserFile /fs/www/path/to/webdir/.htpasswd
    AuthGroupFile /dev/null
    AuthName "A name you will recognize"
    AuthType basic

    Require valid-user
  
  • Create an .htpasswd file with the usernames and hashed passwords that will be able to access the directory. The easiest way to do this is with the htpasswd utility. If the .htpasswd file doesn’t exist, use the -c flag to create it.

    htpasswd [-c] /fs/www/path/to/webdir/.htpasswd <username>

Host-based authentication

You can allow access from a combination of UMD or Department hosts.

    # UMD Public Networks
    SetEnvIf X-Forwarded-For "^128\.8\.\d+\.\d+$" UMD_PUBLIC_NETWORK
    SetEnvIf X-Forwarded-For "^129\.2\.\d+\.\d+$" UMD_PUBLIC_NETWORK
    SetEnvIf X-Forwarded-For "^206\.196\.(?:1[6-9][0-9]|2[0-5][0-9])\.\d+$" UMD_PUBLIC_NETWORK

    # Any UMD private IP address
    SetEnvIf X-Forwarded-For "^10\.\d+\.\d+\.\d+$" UMD_PRIVATE_NETWORK
    # or, only allow UMD WiFi
    SetEnvIf X-Forwarded-For "^10\.(?:10[4-5])\.\d+\.\d+$" UMD_WIFI_NETWORK

    # CSD Networks
    SetEnvIf X-Forwarded-For "^172\.\d+\.\d+\.\d+$" CSD_PRIVATE_NETWORK
    SetEnvIf X-Forwarded-For "^128\.8\.(?:12[5-9]|13[0-1])\.\d+$" CSD_PUBLIC_NETWORK

    <RequireAny>
        Require env UMD_PUBLIC_NETWORK
        Require env UMD_PRIVATE_NETWORK
        Require env UMD_WIFI_NETWORK
        Require env CSD_PRIVATE_NETWORK
        Require env CSD_PUBLIC_NETWORK
    </RequireAny>
  

Computer Science Department Account

    AuthName "CS IPA Login"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldap://ipa00.cs.umd.edu ipa01.cs.umd.edu ipa02.cs.umd.edu/cn=users,cn=accounts,dc=cs,dc=umd,dc=edu?uid?sub?"
    AuthLDAPRemoteUserAttribute uid

    Require valid-user
  

UMD LDAP Account

This authentication method may not work for all students. The UMD LDAP directory is under the control of DIT, not CS staff, and may change behavior without notice.

    AuthName "University of Maryland Directory ID"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldaps://directory.umd.edu/dc=umd,dc=edu"
    AuthLDAPRemoteUserAttribute uid

    Require valid-user
  

Allow specific users

You may replace Require valid-user with Require ldap-user username1 username2 username3 ... usernameN to allow only the named users to access the resource.

Multiple Authentication Methods

For user or host authentication

Include the sections above and modify the <Require*> section as follows:

    <RequireAny>
        Require env UMD_PUBLIC_NETWORK
        Require env UMD_PRIVATE_NETWORK
        Require env UMD_WIFI_NETWORK
        Require env CSD_PRIVATE_NETWORK
        Require env CSD_PUBLIC_NETWORK
        Require valid-user
    </RequireAny>
  

For user and host authentication

Include the sections above and modify the <Require*> section as follows:

    <RequireAll>
        <RequireAny>
            Require env UMD_PUBLIC_NETWORK
            Require env UMD_PRIVATE_NETWORK
            Require env UMD_WIFI_NETWORK
            Require env CSD_PRIVATE_NETWORK
            Require env CSD_PUBLIC_NETWORK
        </RequireAny>
        Require valid-user
    </RequireAll>
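
The "user or host" and "user and host" forms above differ only in how the host check and the login are joined. The following is an added example, not part of the original page or the department's configuration: a Python model of the page's SetEnvIf patterns and the two Require blocks, run against constructed X-Forwarded-For values. It assumes Python's re module behaves like Apache's regex engine for these patterns; the function names are hypothetical, and the variable names are those used in the Require env lines.

```python
import re

# Patterns copied from the SetEnvIf lines on this page (variable -> regexes).
PATTERNS = {
    "UMD_PUBLIC_NETWORK": [
        r"^128\.8\.\d+\.\d+$",
        r"^129\.2\.\d+\.\d+$",
        r"^206\.196\.(?:1[6-9][0-9]|2[0-5][0-9])\.\d+$",
    ],
    "UMD_PRIVATE_NETWORK": [r"^10\.\d+\.\d+\.\d+$"],
    "UMD_WIFI_NETWORK": [r"^10\.(?:10[4-5])\.\d+\.\d+$"],
    "CSD_PRIVATE_NETWORK": [r"^172\.\d+\.\d+\.\d+$"],
    "CSD_PUBLIC_NETWORK": [r"^128\.8\.(?:12[5-9]|13[0-1])\.\d+$"],
}

def env_for(xff):
    """Return the variables SetEnvIf would set for this header value."""
    return {name for name, regexes in PATTERNS.items()
            if any(re.search(rx, xff) for rx in regexes)}

def host_ok(xff):
    """The <RequireAny> made only of 'Require env' lines."""
    return bool(env_for(xff))

def user_or_host(xff, valid_user):
    """<RequireAny> with the env lines plus 'Require valid-user'."""
    return host_ok(xff) or valid_user

def user_and_host(xff, valid_user):
    """<RequireAll> wrapping the host <RequireAny> and 'Require valid-user'."""
    return host_ok(xff) and valid_user

# Constructed sample header values, not taken from any log.
SAMPLES = ["128.8.127.10", "10.104.3.7", "172.16.5.9", "192.0.2.44",
           "128.8.127.10, 192.0.2.44"]

if __name__ == "__main__":
    for xff in SAMPLES:
        print(f"{xff!r:28} env={sorted(env_for(xff))} "
              f"or(no login)={user_or_host(xff, False)} "
              f"and(login)={user_and_host(xff, True)}")
```

A header value carrying more than one address fails every anchored pattern, so under the "and" form such a request is refused even with a valid login.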