RESTRICTING ACCESS TO WEB PAGES
If you have web pages which you think should only be seen by people within Imperial College, or even just particular groups of users within the Department, this can be done via the web server's .htaccess mechanism:
GENERAL INSTRUCTIONS
- Create a new directory within your public_html directory, e.g.
  mkdir public_html/secure
- Make this readable and executable by all in the usual way:
  chmod a+rx public_html/secure
- Create a file in this directory called .htaccess (Note: There is a dot at the beginning of the name of this file!), readable by all (so: chmod a+r .htaccess), containing the lines:
  SSLRequireSSL
  AuthType KerberosV5
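After the above change, your web page will only be accessible over https, because SSLRequireSSL refuses any request that does not arrive over SSL/TLS. It will be accessible as:
https://www.doc.ic.ac.uk/~yourusername
The plain http address, http://www.doc.ic.ac.uk/~yourusername, will not work.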
RESTRICTING ACCESS TO IMPERIAL STAFF AND STUDENTS ONLY
Append the following lines to the .htaccess file you just created:
AuthName "Imperial only"
require valid-user
This means that before gaining access to the pages you put in this directory, the user will be prompted for a Kerberos (so, either Imperial, or DoC Linux) login and password. On current DoC Linux systems, if you already have a Kerberos ticket (which you most likely will if you are using X), Firefox will use that automatically instead of prompting you. Rest assured that secure authentication still occurs.
RESTRICTING ACCESS TO A PARTICULAR SET OF USERS
Pages can also be set to only be accessible to particular users, or to a Departmental Unix user group, by appending one or both of the following require lines enclosed in a <RequireAny> block to .htaccess instead of the above:
<RequireAny>
    require user user1 user2 user3
    require group groupname1 groupname2
</RequireAny>
To restrict access to staff only, use the following line instead:
require group doc-staff
RESTRICTING ACCESS BASED ON IP ADDRESS
CSG no longer recommend restricting access based on IP address (for example, allowing access to particular web pages if the visitor is on a DoC workstation). However, if you have a particular need for this, please contact us and we will provide you with an .htaccess recipe.
WEB-SPECIFIC PASSWORDS
Up to now, all the secure authentication has used Kerberos logins. Frankly, we recommend this, as it makes sense within DoC and Imperial.
However, you can also protect files with separate, web-specific passwords that you set yourself. This might be useful for sharing secure access with people outside of Imperial, because -- of course -- you should never tell anyone a real DoC password!
To do this, the .htaccess file should contain something like:
AuthType basic
AuthName "Password Protected Area"
AuthUserFile /homes/your-username/protected/list
require user username
The AuthUserFile is a list of names and encrypted passwords. It should be stored outside your public_html directory, and be publicly readable. To make a password file, use the htpasswd program:
shell1% htpasswd --help
Usage: htpasswd [-c] passwordfile username
The -c flag creates a new file.
The program will prompt you for the password twice and will add it to the file (or create the file if you use -c).
You can link to the files using both http and https.
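The following is an added example, not part of the original page or CSG's own tooling: a shell check that a protected directory follows the rules above (directory a+rx, .htaccess a+r, AuthUserFile existing, publicly readable and stored outside public_html). The function names are hypothetical, and it assumes the web server reads your files with "other" permissions.

```shell
#!/bin/sh
# Added example: audit a protected directory set up as described above.
# check_protected_dir <public_html> <protected-dir> prints one line per
# problem and returns 0 only if none were found.

# True if "others" hold every permission bit in octal mode $2 on path $1.
others_have() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Canonical (symlink-free) form of an existing directory.
real_dir() {
    (cd "$1" && pwd -P)
}

check_protected_dir() {
    pub=$1 dir=$2 ht="$2/.htaccess" problems=0
    problem() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    others_have "$dir" 0005 || problem "$dir is not a+rx"
    if ! others_have "$ht" 0004; then
        problem "$ht is missing or not a+r"
        return 1
    fi

    # Apache directive names are case-insensitive; the path may be quoted.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2 }' "$ht" | tr -d '"')
    if [ -z "$pwfile" ]; then
        :   # Kerberos-style .htaccess: no password file to check
    elif [ ! -f "$pwfile" ]; then
        problem "AuthUserFile $pwfile does not exist (create it with htpasswd -c)"
    else
        others_have "$pwfile" 0004 || problem "$pwfile is not publicly readable"
        # A password file under public_html may be downloadable by URL.
        case "$(real_dir "$(dirname "$pwfile")")/" in
            "$(real_dir "$pub")"/*) problem "$pwfile is inside $pub; move it outside" ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}
```

Run it as, for example, check_protected_dir ~/public_html ~/public_html/secure after editing .htaccess or regenerating the password file.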