How to restrict access to web pages
If you have web pages that you do not wish to be "public" (i.e. available to anyone in the world with internet access), you can take steps to restrict who can access them. The methods below do not provide extremely strong security, but they may be adequate for many purposes. For example, you may wish to share web pages with a small group of people, but do not want casual web surfers or people using anonymous FTP to access the pages.
You should not rely on these protection mechanisms to restrict web access to especially sensitive information (SSNs, credit card numbers, etc), and you should not make such information accessible in any way via the SCS web servers.
In general, there are three separate ways for web pages in AFS to be accessed, and you will need to restrict all three of these types of access:
- Access via regular AFS file access
- Access via the SCS web servers using anonymous FTP
- Access via the SCS web servers using http
- Be sure to give the special SCS web server group, "wwwsrv:http-ftp", read and lookup ("r" & "l") access to your web pages, or the SCS web servers won't be able to access them. This group (or some group with more liberal privileges) must also have "l" to all directories on the path to the directory with your web pages.
- No matter what you do to protect web directories in AFS, if the SCS Web servers can access the contents of files, anonymous FTP users can at least list the names of files in those directories.
Directories in AFS containing web files are subject to the same AFS access controls as any other directories. .htaccess files have no effect on AFS file access. The first step in restricting access to web files is to set the AFS ACL of web directories so that the only entries on the ACL are:
- The special SCS web server group: wwwsrv:http-ftp
- Your own username (and any other legitimate users)
In particular, you do not want any other AFS special groups besides wwwsrv:http-ftp to be on the access list. You can either individually remove unwanted AFS ACL entries or you can reset the whole AFS ACL at once.
For example, to remove the entry for "system:anyuser" from the directory /afs/cs/user/bovik/www/private one could use the command:
fs sa /afs/cs/user/bovik/www/private system:anyuser none
To reset all ACL entries on that directory so that only bovik has access to it, use the command:
fs sa /afs/cs/user/bovik/www/private bovik all -reset
You will also need to make sure that "wwwsrv:http-ftp" has "rl" access to any directories that serve web files. For example, the command:
fs sa /afs/cs/user/bovik/www/private wwwsrv:http-ftp rl
would add such access to the given directory.
If the SCS web servers can access files in a directory, then anonymous FTP users will always be able to list the names of files in that directory. This is true even if there is not a .htaccess file in the directory (of course, you can simply remove AFS access for "wwwsrv:http-ftp" along with any more permissive AFS ACLs in order to prevent this behavior). However, anonymous FTP users will not be able to access the contents of files in a directory unless there is a .htaccess file that applies to that directory and this .htaccess file:
- Allows access to the files from the host that the anonymous FTP user is coming from.
- Doesn't contain any .htaccess commands that the FTP server doesn't understand. Any .htaccess file containing such commands will be ignored (and access to file contents will be denied).
So, the simplest way to restrict access from the anonymous FTP servers is to include a directive in your .htaccess file that the FTP servers don't understand. One such directive is:
and including that line in your .htaccess is sufficient to restrict access.
You can use .htaccess files to:
- Restrict access by hostname or domain (e.g. only allow .cmu.edu hosts to access pages). See our htaccess documentation for examples of how to do this.
- Require a password when accessing pages. There are two type of password authentication supported by our web servers: