These are instructions for making part of your Physics website private, so that only certain people can reach it. This document walks through two ways of doing this. Before proceeding, it is recommended that you brush up on the basics of UNIX, HTML and AFS. The first step is to create the space you want to be private. All of your web documents go in the "www" folder in your home directory. To get there, first log in to the physics server (if you need instructions on that, go here), then:

<10:12am>bpohl@orcrist:~> cd ~/www
<10:12am>bpohl@orcrist:~/www> mkdir private
<10:12am>bpohl@orcrist:~/www> cd private
The first command changes the working directory to the "www" directory, which is where all documents being published to the web go. The second command creates a new sub-directory called "private" (which is the directory we are going to make private). Finally the third command then changes the working directory to the newly made "private" directory so that we can continue to work on it.
By default, any user can read things in this new directory, which is not what we want. You can check this with the "fs" command (for more information about it, see the AFS documentation here), specifically "fs listacl .":

<10:15am>bpohl@orcrist:private> fs listacl .
Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  bpohl rlidwka

Each line names an AFS user or group and the rights it holds on this directory: r (read), l (lookup, i.e. list the directory and traverse it), i (insert), d (delete), w (write), k (lock) and a (administer the ACL). The "system:anyuser rl" entry is what lets anyone in the world read the files here.
This is not what we want, so we need to remove the rights that "system:anyuser" has to the directory. This is done with the "fs" command again. After running "fs setacl . system:anyuser -acl none" we run "fs listacl ." again to check the new access rights:

<10:15am>bpohl@orcrist:private> fs setacl . system:anyuser -acl none
<10:18am>bpohl@orcrist:private> fs listacl .
Access list for . is
Normal rights:
  system:administrators rlidwka
  bpohl rlidwka
This shows that the general public (system:anyuser) can no longer read files in the directory. However, it also prevents the web server from reading the directory: the server reads your files as the AFS user "www", and until now it was relying on the system:anyuser entry. Fix this by giving "www" read and lookup rights (and nothing more, since the server never needs to write here) with "fs setacl . www -acl rl":

<10:18am>bpohl@orcrist:private> fs setacl . www -acl rl
<10:21am>bpohl@orcrist:private> fs listacl .
Access list for . is
Normal rights:
  system:administrators rlidwka
  www rl
  bpohl rlidwka

Two things to keep in mind about AFS ACLs: they are set per directory, not per file, and they are not retroactive. A subdirectory you create from now on inherits this ACL, but any subdirectory that already existed under "private" keeps its own entries, so run "fs listacl" on each subdirectory you put secure files in and make sure none of them still lists system:anyuser.
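The following is an added example, not part of the original page: a small shell script that parses "fs listacl" output and reports whether a directory matches the setup above (no system:anyuser entry, and the web server account holding exactly rl). It assumes, as this page does, that the server reads files as the AFS user "www". The "fs" command itself is only invoked by audit_tree, which you would run on the physics server over ~/www/private; check_acl is exercised here on a constructed copy of the listacl output shown above.

```shell
#!/bin/sh
# Added example: audit the ACLs of a private web area. Not part of the original
# page. Assumes, as the page does, that httpd reads files as the AFS user "www".
WEB_USER="${WEB_USER:-www}"

# check_acl: read "fs listacl" output on stdin and print one finding per line.
# Exit status 0 means the directory is set up as the page describes:
# no system:anyuser entry at all, and "www" holding exactly rl.
check_acl() {
    awk -v web="$WEB_USER" '
        BEGIN { bad = 0; haveweb = 0; section = "" }
        /^Access list for/  { next }                      # header line
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        NF == 2 && section == "normal" {
            if ($1 == "system:anyuser") {
                print "FAIL: system:anyuser still has rights (" $2 ")"; bad = 1
            }
            if ($1 == web) {
                haveweb = 1
                if ($2 != "rl") { print "FAIL: " web " has " $2 ", expected rl"; bad = 1 }
            }
        }
        END {
            if (!haveweb) { print "FAIL: no entry for " web "; httpd cannot read here"; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

# audit_tree DIR: AFS ACLs are per directory, so run the check on DIR and on
# every subdirectory below it. This is the part you run on the physics server,
# e.g.  audit_tree ~/www/private
audit_tree() {
    find "$1" -type d | while read -r d; do
        printf '%s: ' "$d"
        fs listacl "$d" | check_acl
    done
}

# Constructed sample: the listacl output the page shows after "fs setacl . www -acl rl".
sample_listacl() {
    printf 'Access list for . is\nNormal rights:\n  system:administrators rlidwka\n  www rl\n  bpohl rlidwka\n'
}

sample_listacl | check_acl     # prints OK
```

check_acl only looks at the "Normal rights" section; a directory with a "Negative rights" entry for www would still be unreadable by the server, so if audit_tree reports OK for a directory that the browser cannot fetch, look at the negative section by hand.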
Now we've got our directory set up properly and we're ready to proceed to the next step. There are two options for restricting access.
- Option 1 - Restrict access based on Physics username and password
The easiest and most common thing to do is restrict access to specific users and groups within the physics department. This is the option you should use if you do not need people outside the department to be able to access these files.
Access to this directory is controlled by a file called .htaccess which we will create, and to which we will add the users who may access the directory. The .htaccess file controls access to the directory where it resides and to any subdirectories beneath it, in this example "~/www/private"; it does not affect the rest of ~/www, so you can configure several web areas (directories) differently by giving each its own .htaccess. Using your favorite UNIX text editor (such as emacs, pico, vi, etc.), create the .htaccess file. For this example we will use vi (keep in mind that the following commands are specific to vi). Create the file by typing "vi .htaccess" without the quotes and pressing Enter. Then press I. You will now be able to type in a familiar fashion. Put the following lines in the file:

AuthType Kerberos
KrbMethodNegotiate Off
KrbServiceName HTTP
Krb5Keytab /etc/security/HTTP-PHYSICS.keytab
KrbVerifyKDC off
AuthName "physics.unc.edu"
KrbAuthRealms PHYSICS.UNC.EDU
require user bpohl@PHYSICS.UNC.EDU
SSLRequireSSL

Write the principal on the "require user" line with no spaces around the @ sign. Apache splits that line on whitespace, so "bpohl @ PHYSICS.UNC.EDU" would be read as three separate names, none of which matches the principal bpohl@PHYSICS.UNC.EDU that the Kerberos module reports. Note also that "KrbVerifyKDC off" tells the module not to use the keytab to confirm that the ticket it receives really came from the PHYSICS.UNC.EDU KDC; these values are the site template, so use the ones the Physics administrators give you rather than changing them yourself.
This text is intended to be a template. A specific example of a working .htaccess file is listed later.
At this point, no users are configured to access this webspace except for myself (bpohl). Because the template lists your own login, you will have access to any secure webspace you create in your own webspace. NOTE: Once the .htaccess file is created, the webspace is secured and can only be accessed by prefixing the URL with https:// (rather than http://). The URL for this example is https://www.physics.unc.edu/~bpohl/private. Note the "s" in https://. It is critical that it be included when accessing the webpage! Now we're ready to add users and groups according to the template. Let's add the users "homer" and "marge" using your favorite UNIX text editor:

AuthType Kerberos
KrbMethodNegotiate Off
KrbServiceName HTTP
Krb5Keytab /etc/security/HTTP-PHYSICS.keytab
KrbVerifyKDC off
AuthName "physics.unc.edu"
KrbAuthRealms PHYSICS.UNC.EDU
require user homer@PHYSICS.UNC.EDU
require user marge@PHYSICS.UNC.EDU
SSLRequireSSL
Now homer and marge can access my webpage after entering their Physics login and password. homer and marge are not real users, obviously (hopefully), so replace them with the Physics login names of the people you want to give access to. Each additional person gets their own "require user" line.
- Option 2 - Restrict access based on usernames and passwords you create
If we want people outside of the department to have access, it gets a little more complicated. What we effectively do is create a login name and password for our outsider(s) to use. Afterwards, we can simply tell our colleagues their assigned login and password. All this talk about creating login names and password files leads to other topics like password hashing and databases. Don't worry about it; you don't need to know what's going on behind the curtain. Everything is handled for you by the htpasswd program. To use this program, log in to the UNIX workstation login1.physics.unc.edu. Simply typing htpasswd on the command line will print out a list of options. You should note that it will create the password file for you as long as you specify a location. The password file needs to be in a secure location outside of your www directory tree: anything under ~/www can be fetched through the web server, password hashes included. A good rule of thumb is to make a directory off your home directory and give it exactly the permissions outlined at the beginning of this document for your webspace, namely full access for yourself and administrators, read and lookup access for the www account, and no entry at all for system:anyuser. The following example creates the file ~bpohl/misc/.htpasswd and adds the user pacman. The -c flag indicates create (rather than update) the file. The program prompts you to enter a password:

<11:55am>bpohl@orcrist:~> htpasswd -c ~bpohl/misc/.htpasswd pacman
New password:
Re-type new password:
Adding password for user pacman
To add additional users, simply drop the -c flag (using -c again would recreate the file and wipe the users already in it):

<12:57pm>bpohl@orcrist:devel> htpasswd ~bpohl/misc/.htpasswd mrspacman
New password:
Re-type new password:
Adding password for user mrspacman
If you look at that file, you'll see the password is gibberish compared to what you typed in. It has been run through a one-way hash, so the file does not contain the password itself:

<1:02pm>bpohl@orcrist:devel> more ~bpohl/misc/.htpasswd
pacman:Plwazu7dStsNY
mrspacman:4gbo26v.BUXHM

The 13-character strings above are traditional crypt(3) hashes, which only take the first eight characters of the password into account and are cheap to crack offline. If your htpasswd offers -m (MD5) or -B (bcrypt), use one of them, and in any case keep the file out of the www tree and off system:anyuser as described above.
But there's a catch! We cannot simply add these users to a .htaccess file configured for Physics and Astronomy login (like our previous example with homer and marge). External users require a different format of the .htaccess file. The following file can be used as a template for external users. AuthUserFile must be the full AFS path of the password file, not a ~user shorthand:

AuthUserFile /afs/physics/users/b/bpohl/misc/.htpasswd
AuthGroupFile /dev/null
AuthName "insert your message here"
AuthType Basic
require user pacman
require user mrspacman
SSLRequireSSL

Keep the SSLRequireSSL line here too. Basic authentication sends the login and password base64-encoded, not encrypted, with every request, so without it a colleague who follows an http:// link hands their password to anyone watching the network. As with Option 1, give out only the https:// URL.
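The following is an added example, not part of the original page: a shell linter for the .htaccess files of both options that catches the mistakes discussed above, namely a missing AuthType or Require line, a missing SSLRequireSSL, spaces around the @ in a Kerberos principal, and a Basic-auth password file that sits inside the published www tree. The www root path and the two sample .htaccess files it runs on are constructed for the demonstration; the assumed file names and WWWROOT value are not from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: lint a per-directory .htaccess
# for the mistakes that quietly turn a "private" area into a public one.
# Assumes the published tree is passed as WWWROOT (e.g. /afs/.../bpohl/www).

# lint_htaccess FILE WWWROOT: print one finding per line; exit 0 if clean.
lint_htaccess() {
    file="$1"; wwwroot="$2"; bad=0
    # drop comments and blank lines; Apache directive names are case-insensitive
    cfg=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$')
    authtype=$(printf '%s\n' "$cfg" | awk 'tolower($1) == "authtype" { print tolower($2) }')

    [ -n "$authtype" ] || { echo "FAIL: no AuthType, the directory is not protected"; bad=1; }

    # Without a Require line Apache never asks for credentials at all.
    printf '%s\n' "$cfg" | grep -qi '^[[:space:]]*require[[:space:]]' \
        || { echo "FAIL: no Require line"; bad=1; }

    # Both Kerberos and Basic-auth passwords cross the wire on each request;
    # SSLRequireSSL refuses to serve the area over plain http.
    printf '%s\n' "$cfg" | grep -qi '^[[:space:]]*SSLRequireSSL' \
        || { echo "FAIL: no SSLRequireSSL, credentials would travel over http"; bad=1; }

    # "homer @ REALM" is three whitespace-separated names to Apache, none of
    # which equals the principal homer@REALM that the Kerberos module reports.
    printf '%s\n' "$cfg" | grep -Eqi '^[[:space:]]*require[[:space:]]+user.*[[:space:]]@[[:space:]]' \
        && { echo "FAIL: spaces around @ in a Require line"; bad=1; }

    if [ "$authtype" = "basic" ]; then
        pwfile=$(printf '%s\n' "$cfg" | awk 'tolower($1) == "authuserfile" { print $2 }')
        case "$pwfile" in
            "")           echo "FAIL: AuthType Basic without AuthUserFile"; bad=1 ;;
            "$wwwroot"/*) echo "FAIL: password file $pwfile is inside the web tree"; bad=1 ;;
            /*)           ;;
            *)            echo "FAIL: AuthUserFile $pwfile is not an absolute path"; bad=1 ;;
        esac
    fi
    return $bad
}

# Constructed samples: the page's Basic-auth template with SSLRequireSSL added,
# and a broken variant that keeps the password file under www and omits SSL.
WWWROOT=/afs/physics/users/b/bpohl/www
demo_dir=$(mktemp -d)
cat > "$demo_dir/good" <<'EOF'
AuthUserFile /afs/physics/users/b/bpohl/misc/.htpasswd
AuthGroupFile /dev/null
AuthName "Physics 101 answers"
AuthType Basic
require user pacman
require user mrspacman
SSLRequireSSL
EOF
cat > "$demo_dir/bad" <<'EOF'
AuthUserFile /afs/physics/users/b/bpohl/www/.htpasswd
AuthType Basic
require user pacman @ PHYSICS.UNC.EDU
EOF
for f in good bad; do
    echo "== $f"
    lint_htaccess "$demo_dir/$f" "$WWWROOT" && echo "clean"
done
rm -rf "$demo_dir"
```

To check your own areas, run lint_htaccess on each .htaccess under ~/www with the full AFS path of ~/www as the second argument; the linter reads only the file you name, so a subdirectory protected by a parent's .htaccess will simply have no file to check.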
Regardless of which method you chose to use, at this point we only have a directory that is restricted to specific users. While this is sometimes all you want (a secure file transfer area, for instance), most people want specific links within a public webpage to be secure. To do this, place the source code (the HTML files) associated with the secure pages in the private directory we just created; a copy left anywhere else under ~/www is still public. Then, in your public webpage (e.g. ~bpohl/www/index.html), edit the link you want secured so that it points into the private directory over https, for example:

<a href="https://www.physics.unc.edu/~bpohl/private/ch11answers.html">Chapter 11 homework answers</a>
Note the "s" in the https:// above. It is critical that it be included when accessing the webpage! For more information, consult the comprehensive guide to .htaccess.