Date: Tue, 05 Nov 1996 21:47:43 GMT Server: NCSA/1.5 Content-type: text/html Last-modified: Mon, 17 Oct 1994 12:54:35 GMT Content-length: 2679 Access control with httpd

A brief tutorial on access control and httpd

Introduction

Under most circumstances it is not necessary to worry about access control when serving web documents because you intend them to be read by anyone who cares to. There might be times, however, when you would like to restrict access to your document to a subset of internet users.

In AFS these restrictions can be made using Access Control Lists (ACLs). When people request documents using HTTP there is (usually) no way of knowing the usernames of the requesters, let alone authenticating them, so access control has to be based on the identity of the requester's machine. Access control is accomplished through adding Limit clauses to .htaccess files in the appropriate directories.

The .htaccess file

.htaccess files are used to make a server act differently when it enters a directory to retrieve a file. The attributes in a .htaccess file apply not only to the directory itself, but to each subdirectory as well. .htaccess files can be used for a number of purposes, but we are only concerned with access control in this document. We will describe the two most commonly needed forms of access control in UW CS, and then briefly describe how access control lists can be constructed.

Restricting access to users on CS machines

To restrict access to your documents to users on CS workstations, you can put the following clause into the .htaccess file in the appropriate directory:

<Limit GET>
order deny,allow
deny from all
allow from .cs.wisc.edu 128.105
</Limit>

This clause will allow access to any machine with a fully qualified domain name that ends with ``.cs.wisc.edu'' or an IP number that starts with ``128.105.''

Restricting access to users at UW Madison

To restrict access to your documents to users at UW Madison, you can put the following clause into the .htaccess file in the appropriate directory:

<Limit GET>
order deny,allow
deny from all
allow from .wisc.edu 128.105 128.104 144.92
</Limit>

General use of access control

If you want to restrict access to your documents to a specific subset of machines you can do so by entering their names or IP numbers on the ``allow from'' line (see above). If you need a more detailed description you can read the NCSA httpd documentation on access control.