Access controls on web pages come in two types: configuration directives in the web server, which can only be implemented by the administrator, and user controls, which can be implemented by any user.
Material in a directory “public_html/campus_only/” is restricted to machines on the Sheffield campus. The web server uses the IP address of the requesting machine to determine its status. Note that any class of user on those machines will be able to view the files.
Files and directories in the directory will need to be set world-readable in order to be read by the web server.
Using htaccess
You can create an access control file '.htaccess' in the directory containing the pages, which allows you to specify a username and password pair that must be typed in to view the pages. You can create a private new set of users and passwords using the 'htpasswd' command (currently only available from Unix). The password file that you create (e.g. '.htpasswd') needs to be world-readable in order to work. Remember that local network users will usually be able to read this file through the local filesystem.
The template htaccess file is like this:
    AuthType Basic
    AuthName 'XXX'
    require RRR
The name XXX should be something descriptive to the user, indicating what the material is, or who is entitled to log in. The require RRR should be either “user username” or “group group name”. For example, the following '.htaccess' file requires the user 'george' to log in:
    AuthType Basic
    AuthName 'for georges eyes only'
    AuthUserFile /home/george/public_html/private/.htpasswd
    require user george
Please read the web server documentation for more detail on using access files.
Using htaccess on www.dcs.shef.ac.uk
The previous section works on all the DCS webservers. This next section is only available on the departmental web server “staffwww.dcs.shef.ac.uk”, not on the student web server “stuwww.dcs.shef.ac.uk”.
If you also include these two lines in your htaccess file
    AuthLDAPEnabled off
    AuthPAM_Enabled on
then you will be able to use the existing set of user accounts and groups on the system, rather than having to create new accounts using htpasswd.
Stealth
You can implement simple security by 'stealth', i.e. don't advertise pages by links, and don't allow browsing of the directory. On the directory containing the pages (e.g. hidden/), do not use 'chmod 755 hidden'; use 'chmod 711 hidden' instead. Users will be able to read pages they know about by typing in the URL, but cannot get a directory listing to show what files are available.
An extension of the idea is that you can create subdirectories with unusual names, e.g. hidden/stTcWWx/. The subdirectory can have normal browse access, and the directory name is effectively a password to access the contents.
Remember that with both these methods the pages may be indexed by a search engine and thus advertised to all.
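The permission rules from the htaccess and stealth sections can be checked with a short script. This is an added example, not part of the original page or the department's tooling: the function names are hypothetical, it judges only the filesystem mode bits, it assumes AuthUserFile holds an absolute path, and it is meant to be run by the owner of the directory.

```python
import os
import re
import stat
import sys

def other_bits(path):
    """Return the permission letters granted to 'other' on path."""
    mode = os.stat(path).st_mode
    flags = (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
    return {letter for letter, bit in flags if mode & bit}

def audit_web_dir(directory):
    """Return findings for one web directory, judged from mode bits only."""
    findings = []
    bits = other_bits(directory)
    if "x" not in bits:
        findings.append("dir: no world search bit, the web server cannot reach files here")
    elif "r" in bits:
        findings.append("dir: world-readable (e.g. 755), file names can be listed")
    else:
        findings.append("dir: search-only (e.g. 711), files served by name, no listing")
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and "r" not in other_bits(path):
            findings.append(f"{name}: not world-readable, the web server cannot read it")
    htaccess = os.path.join(directory, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess) as fh:
            match = re.search(r"^\s*AuthUserFile\s+(\S+)", fh.read(), re.I | re.M)
        if match:
            # Assumes an absolute path, as in the page's example.
            pwfile = match.group(1).strip("'\"")
            if not os.path.isfile(pwfile):
                findings.append(f"AuthUserFile {pwfile}: file not found")
            elif "r" in other_bits(pwfile):
                findings.append(f"AuthUserFile {pwfile}: world-readable as required, "
                                "so local users can read the password hashes")
            else:
                findings.append(f"AuthUserFile {pwfile}: not world-readable, "
                                "password checks will fail")
    return findings

if __name__ == "__main__":
    for line in audit_web_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

Run it with the directory to check as the only argument; with no argument it checks the current directory.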