Limiting Access to Your Site

Limiting or restricting access to your web site:

Quick, General Restrictions

CAE has two quick ways for you to limit access to areas of your web site. All files and folders inside a folder named cae-auth require a CAE username and password to access. If you name the folder uw-only, access is available only to those viewing your site from computers on the UW-Madison campus, including the dial-up lines. Below you will find instructions on how to create your own personalized access restrictions.

Personal, Custom Restrictions

You can protect files with passwords you set yourself. There are two primary parts to creating your own access-restricted pages. First, create a password file and populate it with usernames and passwords. Second, limit access using your own password file.

  • 1. Setting your own passwords

    You can protect files with passwords you set yourself. All password-protected directories should be stored in your public_html directory and also beneath an https-only/ directory (so that the passwords are transmitted securely). An example would be public_html/https-only/mydir/. Your password file will contain a list of names and encrypted passwords. It should be stored inside the same directory that you want to password protect, and be publicly readable. You should name your file .htpasswd, because the server is configured not to reveal the contents of any file whose name begins with .ht to the outside world. If your password file has any other name, it risks being viewed by unauthorized users, who could then view your protected data.

    • To make or modify a password file use the htpasswd program:

      htpasswd .htpasswd username

      The -c flag, given before the file name, creates a new file. htpasswd will prompt you for the password twice and add it to the file (or create the file if you use -c). Use the same command to change the password of a user who already has one in the file.

    • Make the password file readable by all (this permits the web server program to use the passwords contained in the file):

      chmod a+r .htpasswd

    Example: In the home/public_html/https-only/ directory create a password file named protected for the usernames bucky and guest. Make the password file readable by all.

    sun-123% cd
    sun-123% htpasswd -help
    Usage: htpasswd .htpasswd username
    sun-123% htpasswd -c .htpasswd bucky
    New password:
    Re-type new password:
    Adding password for user bucky
    sun-123% htpasswd .htpasswd guest
    New password:
    Re-type new password:
    Adding password for user guest
    sun-123% chmod a+r .htpasswd

    The initial cd command is to ensure the working directory is the home directory. The htpasswd command will create a file named .htpasswd and add a password for bucky. Another password is added to the file for guest. Additional htpasswd commands should not include the -c option.

  • 2. Limit the access to your web pages.

    With the password file created, you are now ready to start restricting access to your web pages using this file.

    • Create a new directory within your public_html directory and within an https-only directory.
    • Make this directory readable and executable by all in the usual way:

      chmod a+rx directoryname

    • Create a file in this new directory called .htaccess (note: there is a dot at the beginning of the name of this file) which should be readable by all. It should contain something like:

      AuthType basic
      AuthName "Password Protected Area"
      AuthUserFile /pong/usr0/b/badger/public_html/https-only/.htpasswd
      require valid-user

    • The .htpasswd file is the previously created password file. Be sure to specify the full path to this file. (Use the UNIX command pwd to get the full path.) This means that to gain access to the pages you put in this directory the user must enter a valid username and password from the password file.
    • Set the .htaccess file readable by all again in the usual way:

      chmod a+r .htaccess

    Pages can also be set to only be accessible to particular users, by putting the following 'require' lines in .htaccess instead of the above:

    require user user1 user2 user3

    Be sure you have a password defined in your password file for the specified users.

    There is more documentation on the mod_auth module at the Apache web site.
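
The steps above can be checked mechanically once the directory is set up. The following script is an added example, not part of CAE's instructions or tooling; the function names check_protected_dir and mode_char are hypothetical. It verifies the directory location, the a+rx and a+r permissions, that AuthUserFile is a full path to a file whose name begins with .ht, and that every name on a "require user" line has an entry in the password file.

```shell
#!/bin/sh
# Added example, not CAE's own tooling. Audits one protected directory against
# the steps on this page; prints a line per problem, returns the problem count.

mode_char() { ls -ld "$1" | cut -c"$2"; }   # char 8 = other-read, 10 = other-exec

check_protected_dir() {
    dir=$1; problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    case "$dir/" in
        */public_html/https-only/*) ;;
        *) fail "$dir is not beneath public_html/https-only/" ;;
    esac
    [ "$(mode_char "$dir" 8)$(mode_char "$dir" 10)" = "rx" ] ||
        fail "directory is not readable and executable by all (chmod a+rx)"

    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then fail "no .htaccess in $dir"; return "$problems"; fi
    [ "$(mode_char "$ht" 8)" = "r" ] || fail ".htaccess is not readable by all"

    # AuthUserFile must be a full path to a file whose name begins with .ht
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
    case "$pw" in
        "") fail "no AuthUserFile line in .htaccess"; return "$problems" ;;
        /*) ;;
        *)  fail "AuthUserFile '$pw' is not a full path"; return "$problems" ;;
    esac
    case "${pw##*/}" in
        .ht*) ;;
        *) fail "password file name '${pw##*/}' does not begin with .ht" ;;
    esac
    if [ ! -f "$pw" ]; then fail "$pw does not exist"; return "$problems"; fi
    [ "$(mode_char "$pw" 8)" = "r" ] || fail "password file is not readable by all"

    # Each name on a "require user" line needs a name:hash entry in the file
    for u in $(awk 'tolower($1) == "require" && tolower($2) == "user" {
                   for (i = 3; i <= NF; i++) print $i }' "$ht"); do
        cut -d: -f1 "$pw" | grep -qxF "$u" || fail "user $u has no entry in $pw"
    done
    return "$problems"
}

# Stand-alone use: sh check.sh /path/to/public_html/https-only/mydir
if [ $# -gt 0 ]; then check_protected_dir "$1"; fi
```

A return value of 0 means every check passed; any other value is the number of problems printed.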
