Often people want to restrict who has access to certain parts of their public webspace. This document outlines an example of how to do this. Before proceeding, it is recommended that you brush up on the basics of UNIX, HTML and AFS.

Okay then, let's get started. I'm going to make a private area within my public webspace. The first step is to create a subdirectory beneath your www directory.

    <10:12am>bpohl@orcrist:~> cd ~/www
    <10:12am>bpohl@orcrist:~/www> mkdir private
    <10:12am>bpohl@orcrist:~/www> cd private
First we need to check the AFS permissions.

    <10:15am>bpohl@orcrist:private> fs listacl .
    Access list for . is
    Normal rights:
      system:administrators rlidwka
      system:anyuser rl
      bpohl rlidwka
Right away, you'll notice that everyone has read (r) and lookup (l) permission on this directory (the "system:anyuser rl" entry above). If we'd like a private area on the web, this is not what we want, so remove the system:anyuser entry entirely:

    <10:15am>bpohl@orcrist:private> fs setacl -dir . -acl system:anyuser none
    <10:18am>bpohl@orcrist:private> fs listacl .
    Access list for . is
    Normal rights:
      system:administrators rlidwka
      bpohl rlidwka
Now the general public (system:anyuser) is kept from snooping around in my directory. However, the web server still needs to be able to read this directory, and it does so as the AFS user www. Give www read and lookup permission, and nothing more:

    <10:18am>bpohl@orcrist:private> fs setacl -dir . -acl www rl
    <10:21am>bpohl@orcrist:private> fs listacl .
    Access list for . is
    Normal rights:
      system:administrators rlidwka
      www rl
      bpohl rlidwka

AFS access control is per directory. Any subdirectory you create under private from now on inherits this ACL at the moment it is created, but a subdirectory that already existed keeps its old ACL, so run fs listacl on each one and fix it the same way.
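As an added example (not part of the original page), here is a small shell check that audits the output of fs listacl for a directory intended as a private web area. It assumes, as the page does, that the web server reads AFS as the user www; the listacl text embedded in it is constructed for the example so that the script runs without an AFS cell.

```shell
#!/bin/sh
# Added example, not from the original page: audit `fs listacl` output for a
# directory that is meant to be a private web area.
#
# Rules checked (the web server's AFS identity is assumed to be the user "www",
# as on the page; pass another name as the first argument if yours differs):
#   1. system:anyuser and system:authuser must hold no rights at all.
#   2. the web user must hold exactly "rl" (read + lookup), nothing more.
# Negative rights are ignored here; they only ever take rights away.

# acl_is_private [WEBUSER]
# Reads `fs listacl DIR` output on stdin, prints one line per problem found,
# and returns 0 only when the directory is safe to use as a private area.
acl_is_private() {
    webuser="${1:-www}"
    problems=0
    webrights=""
    in_negative=0
    while read -r principal rights; do
        case "$principal" in
            "" | Access) continue ;;              # blank line / "Access list for ..." header
            Normal)   in_negative=0; continue ;;  # "Normal rights:" section
            Negative) in_negative=1; continue ;;  # "Negative rights:" section
        esac
        [ "$in_negative" -eq 1 ] && continue
        case "$principal" in
            system:anyuser | system:authuser)
                echo "PROBLEM: $principal has rights '$rights' (should have none)"
                problems=$((problems + 1)) ;;
        esac
        [ "$principal" = "$webuser" ] && webrights="$rights"
    done
    if [ -z "$webrights" ]; then
        echo "PROBLEM: $webuser has no entry; the web server cannot read the directory"
        problems=$((problems + 1))
    else
        case "$webrights" in
            *r*) ;;
            *) echo "PROBLEM: $webuser lacks read (r)"; problems=$((problems + 1)) ;;
        esac
        case "$webrights" in
            *l*) ;;
            *) echo "PROBLEM: $webuser lacks lookup (l)"; problems=$((problems + 1)) ;;
        esac
        case "$webrights" in
            *[!rl]*) echo "PROBLEM: $webuser holds more than rl ('$webrights')"
                     problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# Constructed `fs listacl` output: the freshly created directory from the page
# (world-readable) and the corrected one.
FRESH_ACL='Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  bpohl rlidwka'

FIXED_ACL='Access list for . is
Normal rights:
  system:administrators rlidwka
  www rl
  bpohl rlidwka'

# Against a live cell the usage would be:  fs listacl ~/www/private | acl_is_private
printf '%s\n' "$FRESH_ACL" | acl_is_private www || echo "fresh directory: NOT private"
printf '%s\n' "$FIXED_ACL" | acl_is_private www && echo "fixed directory: private"
```

The check is deliberately strict about the web user: a www entry with write or administer rights would let a compromised web server alter or expose the area, and a missing entry shows up as an unhelpful 403 rather than an obvious error.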
Now we've got our directory set up properly and we're ready to proceed to the next step. There are two options for restricting access.
- Option 1 - Restrict access based on Physics username and password
The easiest and most common thing to do is to restrict access to specific users and groups within the physics department. We'll go over how to do this now and cover more advanced configurations later. Access to this directory is controlled by a file called .htaccess, which we will create and then list the permitted users in. A .htaccess file controls access to the directory where it resides (and any subdirectories beneath it, unless one of them carries a .htaccess of its own). This is intentional, as it allows you to configure access to multiple web areas (or directories) differently. Using your favorite UNIX text editor (such as emacs, pico, vi, etc.), create the .htaccess file according to the following template (you can simply cut and paste this text into the file). The text below is intended to be a template; a specific example of a working .htaccess file is listed later.

    <10:38am>bpohl@orcrist:private> ls -la .htaccess
    -rw------- 1 bpohl support 108 May 20 10:37 .htaccess
    <10:38am>bpohl@orcrist:private> more .htaccess
    AuthType Kerberos
    KrbMethodNegotiate Off
    KrbServiceName HTTP
    Krb5Keytab /etc/security/HTTP-PHYSICS.keytab
    KrbVerifyKDC off
    AuthName "physics.unc.edu"
    KrbAuthRealms PHYSICS.UNC.EDU
    require user bpohl@PHYSICS.UNC.EDU
    SSLRequireSSL

(In AFS it is the directory ACL we set above, not these UNIX mode bits, that decides who can read the file; the www entry is what lets the web server read it.)

Two lines deserve attention. The require user line must carry the full Kerberos principal, including the @PHYSICS.UNC.EDU realm, because that is the name the server sees after a successful login; a bare bpohl never matches and nobody gets in. SSLRequireSSL makes the server refuse any request that did not arrive over https, which is what keeps the password you type from crossing the network in the clear. KrbVerifyKDC off is part of the department's standard template: it tells the module not to verify the ticket it obtains against the server's keytab, which is the check that defends against a spoofed KDC, so copy the line as it appears here rather than experimenting with it.
At this point no one but myself (bpohl) can get into this webspace: the require user line in the template names the owner, which is why you always have access to the secure areas you create within your own webspace. Only the principals listed on require user lines are admitted; anyone else is refused even after logging in successfully.

NOTE: once the .htaccess file is in place, the area can only be reached by prefixing the URL with https:// (rather than http://). The URL for this example is https://www.physics.unc.edu/~bpohl/private. Note the "s" in https:// above. It is critical that it be included when accessing the page, because SSLRequireSSL refuses (rather than redirects) plain http:// requests.

Now we're ready to add users according to the template. Let's add the users homer and marge with your favorite UNIX text editor, keeping our own line so we don't lock ourselves out:

    <10:58am>bpohl@orcrist:private> more .htaccess
    AuthType Kerberos
    KrbMethodNegotiate Off
    KrbServiceName HTTP
    Krb5Keytab /etc/security/HTTP-PHYSICS.keytab
    KrbVerifyKDC off
    AuthName "physics.unc.edu"
    KrbAuthRealms PHYSICS.UNC.EDU
    require user bpohl@PHYSICS.UNC.EDU
    require user homer@PHYSICS.UNC.EDU
    require user marge@PHYSICS.UNC.EDU
    SSLRequireSSL

Now homer and marge can access my webpage after entering their physics login and password. Yay!
- Option 2 - Restrict access based on usernames and passwords you create
If we want people outside of the department to have access, it gets a little more complicated. What we effectively do is create a login name and password for our outsider(s) to use; afterwards we simply tell our colleagues their assigned login and password. All this talk about creating login names and password files leads to other topics like password hashing and databases. Don't worry about it; you don't need to know what's going on behind the curtain. Everything is handled for you by the htpasswd program.

To use this program, log in to the UNIX workstation login1.physics.unc.edu. Simply typing htpasswd on the command line will print out a list of options. Note that it will create the password file for you as long as you specify a location. The password file needs to be in a secure location outside of your www directory tree, so that it can never be fetched through the web server as an ordinary file. A good rule of thumb is to make a directory off your home directory and give it exactly the permissions outlined at the beginning of this document for your webspace: full access for yourself and the administrators, and read and lookup (rl) for the www account, which the server needs in order to check passwords against the file.

The following example creates the file ~bpohl/misc/.htpasswd and adds the user pacman. The -c flag indicates create (rather than update) the file; use it only the first time, because running htpasswd -c against an existing file throws away every user already in it. The program prompts you to enter the password twice.

    <11:55am>bpohl@orcrist:~> htpasswd -c ~bpohl/misc/.htpasswd pacman
    New password:
    Re-type new password:
    Adding password for user pacman

To add additional users, simply drop the -c flag.

    <12:57pm>bpohl@orcrist:devel> htpasswd ~bpohl/misc/.htpasswd mrspacman
    New password:
    Re-type new password:
    Adding password for user mrspacman

If you look at that file, you'll see the password is gibberish compared to what you typed in. htpasswd stores a one-way hash of the password rather than the password itself, so the file does not reveal the password directly; it can still be attacked by guessing, which is one more reason to keep it out of the web tree and readable only by you and www. The 13-character entries shown here are in the traditional UNIX crypt() format, which uses only the first eight characters of the password; newer versions of htpasswd can store stronger hashes (for example with the -B option for bcrypt).

    <1:02pm>bpohl@orcrist:devel> more ~bpohl/misc/.htpasswd
    pacman:Plwazu7dStsNY
    mrspacman:4gbo26v.BUXHM
But there's a catch! We cannot simply add these users to a .htaccess file configured for physics and astronomy login (like our previous example with homer and marge). External users need a different .htaccess, one that uses Basic authentication against the password file we just made. The following file can be used as a template for external users. AuthUserFile must be the full absolute path of the password file (the server does not expand ~bpohl); here it is the AFS path of ~bpohl/misc/.htpasswd. Basic authentication sends the password to the server merely base64-encoded, not encrypted, so keep SSLRequireSSL in this file just as in the Kerberos one.

    AuthUserFile /afs/physics/users/b/bpohl/misc/.htpasswd
    AuthGroupFile /dev/null
    AuthName "insert your message here"
    AuthType Basic
    require user pacman
    require user mrspacman
    SSLRequireSSL
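The mistakes that hurt with either kind of .htaccess (the Kerberos file from Option 1 and the Basic file from Option 2) are the ones Apache accepts silently: a file with an AuthType but no require line never prompts for a password, a Kerberos require user without the @REALM suffix matches nobody, a missing SSLRequireSSL lets the password travel over plain http, and a password file placed inside the web tree can be downloaded. As an added example that is not part of the original page, this shell lint reads a .htaccess file on standard input and reports those four conditions. The web-tree path is passed as an argument; the page's own ~bpohl/www and the two templates above are used as constructed sample input so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original page: lint a .htaccess file of the two
# kinds shown above (Kerberos for department accounts, Basic for htpasswd users).
# The web tree path is an argument; ~bpohl/www from the page is assumed below.

# lint_htaccess WWWDIR   (reads the .htaccess text on stdin; returns 0 = clean)
lint_htaccess() {
    wwwdir="$1"
    problems=0; authtype=""; realm=""; userfile=""; has_ssl=0; requires=0; users=""
    while read -r directive arg rest; do
        case "$directive" in
            "" | \#*)       continue ;;                 # blank line or comment
            AuthType)       authtype="$arg" ;;
            KrbAuthRealms)  realm="$arg" ;;
            AuthUserFile)   userfile="$arg" ;;
            SSLRequireSSL)  has_ssl=1 ;;
            require | Require)
                requires=$((requires + 1))
                [ "$arg" = "user" ] && users="$users $rest" ;;   # may list several users
        esac
    done
    [ -n "$authtype" ]     || { echo "PROBLEM: no AuthType"; problems=$((problems + 1)); }
    [ "$requires" -gt 0 ]  || { echo "PROBLEM: no require line; Apache will never ask for a password"; problems=$((problems + 1)); }
    [ "$has_ssl" -eq 1 ]   || { echo "PROBLEM: SSLRequireSSL missing; password may cross the network in the clear"; problems=$((problems + 1)); }
    case "$authtype" in
        Kerberos)
            [ -n "$realm" ] || { echo "PROBLEM: KrbAuthRealms missing"; problems=$((problems + 1)); }
            for u in $users; do
                case "$u" in
                    *@"$realm") ;;
                    *) echo "PROBLEM: require user $u lacks the @$realm suffix and will never match"
                       problems=$((problems + 1)) ;;
                esac
            done ;;
        Basic)
            if [ -z "$userfile" ]; then
                echo "PROBLEM: AuthType Basic needs an AuthUserFile"; problems=$((problems + 1))
            else
                case "$userfile" in
                    "$wwwdir"/*) echo "PROBLEM: AuthUserFile $userfile is inside the web tree"
                                 problems=$((problems + 1)) ;;
                    /*) ;;
                    *)  echo "PROBLEM: AuthUserFile must be an absolute path (no ~ expansion)"
                        problems=$((problems + 1)) ;;
                esac
            fi ;;
    esac
    [ "$problems" -eq 0 ]
}

WWWDIR=/afs/physics/users/b/bpohl/www   # the page's web tree, assumed

# The department-account template from the page.
KRB_HTACCESS='AuthType Kerberos
KrbMethodNegotiate Off
KrbServiceName HTTP
Krb5Keytab /etc/security/HTTP-PHYSICS.keytab
KrbVerifyKDC off
AuthName "physics.unc.edu"
KrbAuthRealms PHYSICS.UNC.EDU
require user bpohl@PHYSICS.UNC.EDU
require user homer@PHYSICS.UNC.EDU marge@PHYSICS.UNC.EDU
SSLRequireSSL'

# The external-user template from the page.
BASIC_HTACCESS='AuthUserFile /afs/physics/users/b/bpohl/misc/.htpasswd
AuthGroupFile /dev/null
AuthName "insert your message here"
AuthType Basic
require user pacman
require user mrspacman
SSLRequireSSL'

# Constructed mistakes: a bare username with no SSL, and a password file
# kept inside the web tree.
BAD_KRB='AuthType Kerberos
KrbAuthRealms PHYSICS.UNC.EDU
require user homer'

BAD_BASIC='AuthUserFile /afs/physics/users/b/bpohl/www/private/.htpasswd
AuthType Basic
require user pacman
SSLRequireSSL'

# Against a real file the usage would be:  lint_htaccess ~/www < ~/www/private/.htaccess
printf '%s\n' "$KRB_HTACCESS"   | lint_htaccess "$WWWDIR" && echo "kerberos template: OK"
printf '%s\n' "$BASIC_HTACCESS" | lint_htaccess "$WWWDIR" && echo "basic template: OK"
printf '%s\n' "$BAD_KRB"        | lint_htaccess "$WWWDIR" || echo "bad kerberos file: rejected"
printf '%s\n' "$BAD_BASIC"      | lint_htaccess "$WWWDIR" || echo "bad basic file: rejected"
```

The realm comparison is exact and case-sensitive on purpose: the principal the server sees after a Kerberos login carries the realm in upper case, so a require user line written with physics.unc.edu in lower case fails in exactly the same quiet way as one with no realm at all.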
Regardless of which method you choose, at this point we only have a directory that is restricted to specific users. While this is sometimes helpful if you want to set up a secure file transfer area (a web-based FTP interface, for instance), most people want specific links within a public webpage to be secure. To do this, place the source code (the HTML files) for the secure pages in the private directory we just created. Then, in your public webpage (e.g. ~bpohl/www/index.html), edit the link you want secured so that it points into the private directory over https, for example:

    <a href="https://www.physics.unc.edu/~bpohl/private/ch11answers.html">Chapter 11 homework answers</a>

Note the "s" in the https:// above. It is critical that it be included when accessing the webpage: a plain http:// link is not redirected, it is simply refused by SSLRequireSSL. For more information, consult the comprehensive guide to .htaccess.