Restricting Access to a Web Directory Using Network IDs
Access to content on Lafayette's Web server (ww2) can be restricted through the use of a special configuration file known as .htaccess.
An .htaccess file is a simple text file that allows you to password-protect directories in your account on ww2. The file is structured in a specific manner that tells the server where to look for user credentials. A user clicking a link to a file in an .htaccess-protected directory or subdirectory is presented with an authentication dialog. If appropriate credentials are supplied, the user is allowed access; if authentication fails, the user is denied access.
Access can be restricted to individuals or groups. The instructions that follow rely on the Lafayette Network ID and password for authentication. Other authentication schemes can be used with .htaccess but are beyond the scope of this document.
Restricting access to the Lafayette Community
- Create a new text file. (On Windows, use Notepad; on Mac OS X, use TextEdit.)
- Make sure that the editor's "Word Wrap" feature is off.
- Add the following text to the file:
    AuthName "text that describes the protected content"
    AuthType Basic
    LDAP_Server lafnwauth.lafayette.edu
    LDAP_Port 389
    Base_DN "o=lafayette"
    UID_Attr uid
    require valid-user
Notes:
- Each line of information must appear on its own line (as above).
- The value for AuthName (the text that describes the protected directory) will be used by the browser in the authentication dialog. Unfortunately, every browser displays this information in a different context and there is no way to tailor the browser display. Whatever value you use must appear within double-quotes in the .htaccess file.
- There is no way to force the browser to tell the user what credentials to use. If you think users will be confused, you can include text in the AuthName value. For example, instead of...
AuthName "My Private Stuff"
...you could use...
AuthName "My Private Stuff [Use Lafayette Network ID to log in]"
- Save the text file with the name htaccess.txt
- Using an FTP client, upload the file to the directory on ww2 to which you would like to restrict access.
- Once uploaded, rename the file to:
.htaccess
- Note: when renaming the file, a period must be inserted before the "h" in htaccess, and the .txt extension must be removed. (Think of the file's entire name as "dot htaccess".) If you cannot see the file on the server, try applying the -al file mask.
- Test access to any file in the directory by typing the URL for a file into your browser's address/location bar. You should be prompted to log in.

Supplying a valid Network ID and password should reveal the file.
Restricting access to specific people at Lafayette
You can also choose to limit access to a directory's content to specific members of the Lafayette community. The process is similar to that outlined in "Restricting access to the Lafayette Community", but the file's last line is slightly different:
- Follow the instructions above and create a file along the lines of:
    AuthName "text that describes the protected content"
    AuthType Basic
    LDAP_Server lafnwauth.lafayette.edu
    LDAP_Port 389
    Base_DN "o=lafayette"
    UID_Attr uid
    require user [usernames]
- In the last line, replace [usernames] with a valid username or list of usernames. Multiple usernames should be separated by a space, e.g.:
require user coolj smitha
Remember that Word Wrap must be turned off in your text editor. If a long list of usernames wraps to another line, the .htaccess file will not work.
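The following Python check is an added example, not part of the original ITS instructions: it compares an .htaccess file against the two templates above and reports the failures the notes warn about (directives run together on one line, an unquoted AuthName, a username list that wrapped, a leftover [usernames] placeholder). The function names, the sample files and the set of characters allowed in a username are assumptions made for the example.

```python
import re

# Template directives, keyed in lower case (Apache ignores directive-name case).
REQUIRED = {d.lower(): d for d in ("AuthName", "AuthType", "LDAP_Server",
                                   "LDAP_Port", "Base_DN", "UID_Attr", "require")}

def check_value(name, value):
    """Return an error string for a bad directive value, or None if it is fine."""
    if not value:
        return "has no value"
    if name == "AuthName" and not re.fullmatch(r'"[^"]+"', value):
        return "value must be one string in straight double quotes"
    if name == "AuthType" and value.lower() != "basic":
        return "must be Basic"
    if name == "LDAP_Port" and not value.isdigit():
        return "must be a port number"
    if name == "require" and value != "valid-user":
        words = value.split()
        if words[0] != "user" or len(words) < 2:
            return "must be 'valid-user' or 'user name [name ...]'"
        # Assumption: Network IDs contain only letters, digits, '.', '_' and '-'.
        if not all(re.fullmatch(r"[A-Za-z0-9._-]+", w) for w in words[1:]):
            return "lists something that is not a username"
    return None

def lint_htaccess(text):
    """Return a list of problems in .htaccess text; an empty list means OK."""
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        name = REQUIRED.get(parts[0].lower())
        if name is None:  # the usual sign of a wrapped username list
            problems.append(f"line {n}: unexpected text {parts[0]!r} (wrapped line?)")
        elif name in seen:  # the page's template has each directive once
            problems.append(f"line {n}: {name} repeated from line {seen[name]}")
        else:
            seen[name] = n
            error = check_value(name, parts[1].strip() if len(parts) > 1 else "")
            if error:
                problems.append(f"line {n}: {name} {error}")
    return problems + [f"missing {d}" for d in REQUIRED.values() if d not in seen]

# Constructed sample files (not taken from a real site).
TEMPLATE = ('AuthName "Course notes"\nAuthType Basic\nLDAP_Server lafnwauth.lafayette.edu\n'
            'LDAP_Port 389\nBase_DN "o=lafayette"\nUID_Attr uid\n')
GOOD = TEMPLATE + "require user coolj smitha\n"
WRAPPED = TEMPLATE + "require user coolj\nsmitha\n"
```

Run lint_htaccess on the contents of htaccess.txt before uploading it; for the constructed WRAPPED sample it reports the stray username on line 8.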
Editing the .htaccess file
To edit your .htaccess file, ITS recommends copying the original .htaccess file on the live site, renaming the file "htaccess.txt", and then downloading it to your computer for editing. Note that if you do not rename the file, you may not be able to see it when you download it to your computer, as Windows and Mac OS X by default hide files whose names begin with a period. (Experienced Windows users can see the file by turning on the "Show Hidden Files" setting in Windows Explorer. Mac OS X users can see the file by launching a Terminal window and typing "ls -la" to view all files. Some FTP programs will also allow you to view hidden files on the local computer.)
Mac users can edit the file using vi (or the command line tools for BBEdit); Windows users can edit the file using Notepad. After editing the file, upload it to the server and change its name back to .htaccess (see steps 5–7 above).
Linking to a protected directory
Linking to content in a protected directory is like linking to any other Web content, except for one difference: to secure the connection and encrypt user credentials, ITS recommends that you use the "https" protocol in the link URL instead of "http".
If your users will be accessing the protected content from another Web page, it's a good idea to inform them on that page that the Network ID and password should be used to log in.
Disabling the .htaccess file
To disable an .htaccess file permanently, delete the file. To disable it temporarily:
- FTP to your Web site.
- Change to the directory that has the .htaccess file.
- Rename the ".htaccess" file to something else, for example, "disabled-htaccess". This will prevent the file from working. (Access to the directory's content will no longer be restricted.)

