Computing Facilities    links to the SCS and CMU home pages Carnegie Mellon School of Computer Science Carnegie Mellon University
 
Advanced search tips 
 
 » Introduction to Facilities 
 » Accounts & passwords 
 » AFS 
 » Application software 
 » AV help 
 » Backups & restores 
 » Calendaring 
 » E-mail 
 » Networking 
 » Printing 
 » Purchasing 
 » Resource management 
 » Security 
 » Software licensing 
 » Support charges 
 » Web publishing 
 » Mac support 
 » Linux support 
 » Windows PC support 

How to password protect web pages

The SCS web servers support Apache basic authentication which allows one to password protect web pages. Some notes about this protection:

  • The passwords and usernames used for this type of web page password protection are not related to any other SCS passwords or accounts.
  • Any passwords you type to access protected web pages will be sent over the network in what is basically plain text format (they are not encrypted). For this reason (and others), such passwords should not be the same as any of your other passwords.
  • Basic authentication is not terribly secure --- it should not be used to protect especially sensitive information such as credit card numbers. It does not perform any encryption of data that is being sent over the network.
  • Because the SCS FTP servers do not understand the .htaccess commands needed to set up passworded web pages, files in password-protected directories will not be downloadable via anonymous FTP. However, anonymous FTP users will be able to perform directory listings of password-protected directories.

A more secure method for password protecting web pages is to use WebISO, which makes use of CMU's existing Kerberos infrastructure.

You should not rely on this or any other .htaccess-based protection mechanism to restrict web access to especially sensitive information (SSNs, credit card numbers, etc), and we advise not making such information accessible in any way via the SCS web servers.

How to set up password protection

  1. Decide where the pages will be located. Choose a directory where your password protected web pages will be located. The directory /afs/cs/user/bovik/www/private will be used as an example in some of the steps below.
  2. Remove regular AFS access for non-authorized users. Make sure that the AFS ACL of this directory only has entries for you and anyone else who needs AFS (as opposed to web) access to the files. It will also need an AFS ACL entry for "wwwsrv:http-ftp rl". You should remove all entries for other AFS special groups besides the group "wwwsrv:http-ftp". An easy way to do so is with the command (using the example of user "bovik" protecting the directory /afs/cs/user/bovik/www/private):
    fs setacl /afs/cs/user/bovik/www/private bovik all -clear
    
    which will remove all ACLs except one that grants full AFS access to user "bovik" (substitute your own username and directory when running these commands). After running that command, one should run:
    fs setacl /afs/cs/user/bovik/www/private wwwsrv:http-ftp rl
    
    to allow the web servers access to the directory.
  3. Create a file containing usernames and passwords. You can use the htpasswd program (available on Facilitized Linux, and Solaris 7 & 9 hosts) to create a file containing usernames and passwords needed to access the web pages. The command:
    htpasswd -c /path/to/directory/.htpassword username
    
    will create a file called .htpassword in the given directory with a password entry for the given username; (it will prompt you for the password). The command:
    htpasswd /path/to/directory/.htpassword anotherusername
    
    will add entries for additional usernames. Note: only use the "-c" option when initially creating the .htpassword file, otherwise you will overwrite your existing password file. Passwords are stored in an encrypted form in the .htpassword file.
  4. Protect your .htpassword file. The .htpassword file you created in the previous step contains encrypted passwords that someone could use brute force methods to guess. It must be placed in a location that the web servers can access. However it should not be accessible to the general public via the web. You can place it in the same directory as your password-protected files, if you are not worried about authorized users having access to this file. Otherwise, you can place it in a separate protected directory that only "wwwsrv:http-ftp" has access to, and give it a .htaccess file such as:
    order deny,allow
    deny from all
    IndexIgnore .htaccess
    
    to prevent any http-based or anonymous FTP access.
  5. Create a .htaccess file in the directory you wish to serve password protected pages from. This file should have the following contents:
    AuthType Basic
    AuthName "My secret pages"
    AuthUserFile /path/to/directory/.htpassword
    require valid-user
    order deny,allow
    allow from all
    

    "AuthName" can be any string that you wish to appear on the password dialogue box that people will see when they are asked for a password. "AuthUserFile" must be the full path to the .htpassword file.

    The above .htaccess file will require password authentication before allowing access to web pages, but places no restrictions on which hosts people may access the pages from if they know a password. See the additional .htaccess examples below for some ways to place additional restrictions on access.

  6. Test the password protection. The directory should now be set up for password-protected web access. You should test it out and verify that the contents are password protected, and run the command:
    fs la /path/to/directory
    
    to verify that only the web servers and authorized usernames are on the AFS ACL of this directory.

You should now be ready to populate the directory with the web pages you wish to serve.

Additional .htaccess examples

You can use both host-based access control and password-based access control in the same .htaccess file. For example, the .htaccess file:

AuthType Basic
AuthName "My secret pages"
AuthUserFile /path/to/directory/.htpassword
require valid-user
order deny,allow
deny from all
allow from .cs.cmu.edu

would require both password authentication and that the host accessing the web pages be in the cs.cmu.edu domain.

If you wish to require only one of these conditions, i.e. that only people coming from non-cs.cmu.edu hosts are required to give a password, you could use the satisfy directive to indicate that only one of the requirements needs to be true. For example, the .htaccess file:

AuthType Basic
AuthName "My secret pages"
AuthUserFile /path/to/directory/.htpassword
require valid-user
order deny,allow
deny from all
allow from .cs.cmu.edu
satisfy any

would allow people coming from cs.cmu.edu hosts to access the pages without giving a password, but would require a password from people coming from non-cs.cmu.edu hosts.

Related documentation

How to restrict access to web pages
How to restrict AFS and anonymous FTP access to web pages.
AFS
How to use AFS in SCS, including how to protect directories.

Additional information

The following off-site links will open in a new browser window:

Apache authentication, authorization, and access control
Details and "how to" information about protecting web pages using Apache. Note that we do not support all of the authentication mechanisms mentioned on that page.