
Setting up access protection on a website directory

First, decide how you want to restrict access:

  1. with a username and password that you create
  2. by hostname or network address
  3. with a Computer Science Department account

Keep in mind that this restricts web-based access only. Anyone who has a CS account can still view any directory on the server.

Creating an .htaccess file

Any of these protection methods requires an .htaccess file.

The .htaccess file goes in the directory you want to restrict access to. For example, /fs/www/path/to/webdir/.htaccess.

User-based authentication

  • To protect your directory with a username and password that you create, place the following content in your .htaccess:

    AuthUserFile /fs/www/path/to/webdir/.htpasswd
    AuthGroupFile /dev/null
    AuthName "A name you will recognize"
    AuthType basic

    Require valid-user

  • Create an .htpasswd file with the usernames and hashed passwords that will be able to access the directory. The easiest way to do this is with the htpasswd utility. If the .htpasswd file doesn’t exist, use the -c flag to create it.

    htpasswd [-c] /fs/www/path/to/webdir/.htpasswd <username>

Host-based authentication

You can allow access from UMD networks or from Department networks. Include one of the two blocks below. The entries are network address ranges, so they use Require ip; Require host matches DNS hostnames and does not match an address range. If you need to limit access to more specific parts of campus, contact us for assistance:

<RequireAny>
    # UMD Networks
    Require ip 10.0.0.0/8
    Require ip 128.8.0.0/16
    Require ip 129.2.0.0/16
    Require ip 192.54.94.0/23
    Require ip 192.54.96.0/21
    Require ip 206.196.160.0/19
</RequireAny>

<RequireAny>
    # CSD Networks
    Require ip 10.72.0.0/15
    Require ip 10.227.96.0/19
    Require ip 128.8.125.0/24
    Require ip 128.8.126.0/23
    Require ip 128.8.128.0/22
    Require ip 129.2.189.128/25
    Require ip 129.2.152.0/26
</RequireAny>

Computer Science Department Account

AuthName "CS IPA Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPURL "ldap://idm00.cs.umd.edu idmp0.cs.umd.edu idm02.cs.umd.edu/cn=users,cn=accounts,dc=cs,dc=umd,dc=edu?uid?sub?"
AuthLDAPRemoteUserAttribute uid

Require valid-user

UMD CAS Account

This authentication method should work for all students and may include alumni. The UMD CAS Service is under the control of DIT, not CS staff, and may change behavior without notice.

AuthType CAS

Require valid-user

Our current default CAS server is UMD, so no other directives are needed. You can also specify the CAS server explicitly:

CASLoginURL https://login.umd.edu/cas/login
CASValidateURL https://login.umd.edu/cas/samlValidate

Allow specific users

You may replace Require valid-user with Require user username1 username2 username3 ... usernameN to allow only the named users to access the resource.

Multiple Authentication Methods

For user or host authentication

Include the sections above and modify the <Require*> section so that either a matching network or a valid login is enough:

    <RequireAny>
        Require ip ____ (see values above)
        Require valid-user
    </RequireAny>

For user and host authentication

Include the sections above and modify the <Require*> section so that both a matching network and a valid login are required:

    <RequireAll>
        <RequireAny>
            Require ip ____ (see values above)
        </RequireAny>
        Require valid-user
    </RequireAll>
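
The difference between the two combined templates above, modeled in Python as an added example (not part of the original page, and not Apache's own evaluation code). It assumes the network ranges are written with Require ip, uses two of the CSD ranges listed on this page, and reduces authentication to a boolean; parse and granted are hypothetical helper names.

```python
import ipaddress

# Constructed fragments following the page's "or" and "and" templates,
# filled in with two of the CSD ranges from the host-based section.
USER_OR_HOST = """<RequireAny>
    Require ip 128.8.126.0/23 129.2.189.128/25
    Require valid-user
</RequireAny>"""
USER_AND_HOST = """<RequireAll>
    <RequireAny>
        Require ip 128.8.126.0/23
        Require ip 129.2.189.128/25
    </RequireAny>
    Require valid-user
</RequireAll>"""

def parse(text):
    """Return a tree of (kind, arg) nodes; kind is any, all, ip or valid-user."""
    root = ("any", [])  # Apache treats uncontained Require lines as RequireAny
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("<RequireAny>", "<RequireAll>"):
            node = ("any" if line == "<RequireAny>" else "all", [])
            stack[-1][1].append(node)
            stack.append(node)
        elif line in ("</RequireAny>", "</RequireAll>"):
            stack.pop()
        elif line.startswith("Require ip "):
            nets = [ipaddress.ip_network(n) for n in line.split()[2:]]
            stack[-1][1].append(("ip", nets))
        elif line == "Require valid-user":
            stack[-1][1].append(("valid-user", None))
        else:
            raise ValueError(f"unsupported directive: {line}")
    return root

def granted(node, client_ip, authenticated):
    """Evaluate the tree for one request (simplified: login is a boolean)."""
    kind, arg = node
    if kind == "ip":
        return any(ipaddress.ip_address(client_ip) in net for net in arg)
    if kind == "valid-user":
        return authenticated
    results = [granted(child, client_ip, authenticated) for child in arg]
    return any(results) if kind == "any" else all(results)
```

Calling granted(parse(USER_OR_HOST), "128.8.127.10", False) shows an on-network client passing without a login, while the same call against USER_AND_HOST is refused until the client has also logged in.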