iHost – Controlling Access

You can limit access to your website using any of the following methods by putting a .htaccess file under the required directory:

  1. Central Authentication Service (recommended)
  2. Domain
  3. Basic Password and Group Protection

Enabling Access Control

To restrict access from web browsers, you should set up the following file(s), depending on the type of access control you would like to use:

.htaccess (required)

This type of file affects the directory it is in and all sub-directories. To protect all your web pages, put a .htaccess in your “public_html” directory. Sub-directories of a directory with a .htaccess file will be under its control unless they have their own .htaccess file.

.htpasswd (optional)

This is necessary if you are using the “Basic” authentication method. Each line of this file contains a username and an encrypted password.

.htgroup (optional)

This file allows you to assign sets of users to named groups.

1. Controlling Access By CAS

CAS registration (limited to CSC) is required before you can use the CAS service. Please register before protecting your website / application with CAS.

Webhost users should use the phpCAS library. Since CAS 3.0 supports the phpCAS::getAttributes() function, you can obtain the following attributes through that call, e.g. phpCAS::getAttributes("employeeType"):

Attribute               Value
eduPersonAffiliation    e.g. staff, student
voPersonAffiliation     e.g. Undergraduate, Postgraduate
departmentNumber        e.g. ITSC
name                    e.g. Chan xxxx yyyyy (display name)

Another way is to use the .htaccess file. There are two phases in granting access. The first phase is authentication, where CAS verifies that the user’s credentials are valid. The second phase is authorization, where an LDAP module (“mod_authnz_ldap”) determines whether the authenticated user is allowed to access the resource in question.

The .htaccess file below allows access to your web pages only to people with a valid ITSC Network Account and password. This .htaccess file does not require a .htpasswd file:

AuthType CAS

require valid-user

You can restrict your pages to specific people with an ITSC Network Account by listing their account names after "require user".

AuthType CAS

require user john peter ben

There are other, more flexible ways to specify groups of authorized people through the "require ldap-filter" directive.

AuthType CAS

require ldap-filter &(departmentnumber=CSE)(voPersonAffiliation=Postgraduate)

The above .htaccess file restricts access to postgraduate students in the Department of Computer Science and Engineering only. The list of user attributes available for constructing an "ldap-filter" is available here.

2. Domain

You can allow or deny access according to the name of the machine doing the browsing. This can be done at either the domain or the host name level. For example, access could be set up for the whole world, for HKUST machines only, or for only your own machine.

Setting up access control by domain

The .htaccess file shown below allows access from machines within the HKUST domain only.

order deny,allow
deny from all
allow from .ust.hk

Understanding the Syntax

Access directives

The following three access directives are used for domain protection. You will always need order first, followed by the other two:

  • order order

    Specify allow,deny for “everyone but those” and deny,allow for “only these”. Spaces are not allowed next to the comma.

  • deny from host host …

    Specify either all, a domain name, or a host name.

  • allow from host host …

    Specify either all, a domain name, or a host name.
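The following Python model, added here as an illustration and not part of the iHost page, shows how the three directives above combine to reach an allow/deny decision for a browsing machine. It models the Apache 2.2-style Order/Deny/Allow semantics for host names only (no IP addresses or netmasks), using the same partial-domain rule Apache applies: a name such as .ust.hk matches any host that ends in it, while a name without a leading dot must match a whole host name or a whole trailing sequence of labels. The rule strings and host names are constructed samples; the function names are my own.

```python
# Added example (not part of the iHost page): a small model of how the
# Order / Deny from / Allow from directives in a .htaccess file decide
# whether a browsing machine may see a page, judged by its host name.
# Only host-name matching is modelled; Apache also accepts IP addresses
# and netmasks, which are left out here.

# Constructed sample rule sets (the first one is the page's HKUST-only file).
HKUST_ONLY = "order deny,allow\ndeny from all\nallow from .ust.hk\n"
MY_MACHINE_ONLY = "order allow,deny\nallow from mypc.cse.ust.hk\n"
EVERYONE_BUT = "order allow,deny\nallow from all\ndeny from bad.example.com\n"


def host_matches(pattern: str, hostname: str) -> bool:
    """True if an allow/deny pattern covers the given host name."""
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")
    if pattern == "all":
        return True
    if len(hostname) < len(pattern) or not hostname.endswith(pattern):
        return False
    if len(hostname) == len(pattern):
        return True  # exact match of the whole name
    # Partial domain: a leading dot in the pattern already sits on a label
    # boundary; otherwise the character before the suffix must be a dot,
    # so "ust.hk" covers "x.ust.hk" but not "notust.hk".
    return pattern.startswith(".") or hostname[-len(pattern) - 1] == "."


def parse_access_rules(htaccess: str):
    """Extract (order, deny-list, allow-list) from .htaccess text."""
    order = "deny,allow"  # Apache's default when no Order line is present
    deny, allow = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "order" and len(words) == 2:
            order = words[1].lower()
        elif directive == "deny" and len(words) >= 3 and words[1].lower() == "from":
            deny.extend(words[2:])
        elif directive == "allow" and len(words) >= 3 and words[1].lower() == "from":
            allow.extend(words[2:])
    return order, deny, allow


def access_allowed(htaccess: str, hostname: str) -> bool:
    """Decide whether a host may access pages governed by this .htaccess."""
    order, deny, allow = parse_access_rules(htaccess)
    denied = any(host_matches(p, hostname) for p in deny)
    allowed = any(host_matches(p, hostname) for p in allow)
    if order == "deny,allow":
        # "only these": Deny is evaluated first, a matching Allow overrides
        # it, and hosts matching neither list are let in.
        return allowed or not denied
    if order == "allow,deny":
        # "everyone but those": Allow is evaluated first, a matching Deny
        # overrides it, and hosts matching neither list are kept out.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


if __name__ == "__main__":
    for host in ("pc123.cse.ust.hk", "evil.example.com"):
        print(host, "->", "allowed" if access_allowed(HKUST_ONLY, host) else "denied")
```

The two Order values differ in what happens to a host that matches neither list: deny,allow lets it in, allow,deny keeps it out. That is why the HKUST-only file pairs deny,allow with an explicit "deny from all", so that only the Allow line can open access.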

3. Basic Password and Group Protection

For greater control, you can restrict access to a set of users, each of whom must enter a valid username and password to look at your pages. You create the usernames and passwords and give them to your users to grant them access. These username and password pairs are completely separate from those used to access ITSC general services or other services.

Setting up access control by user-defined username and password file

The .htaccess file shown below limits access to the web page to users in the given password file.

AuthUserFile /var/www/vhosts/<"username">/public_html/.htpasswd
AuthName ByPassword
AuthType Basic

require user usera userb userc ...

Assuming your account is cc_test and you would like to limit access to john, peter and ben, your .htaccess file will look like:

AuthUserFile /var/www/vhosts/cc_test/public_html/.htpasswd
AuthName ByPassword
AuthType Basic

require user john peter ben

The .htpasswd file contains a list of username and UNIX-encrypted password pairs in the following format:

usera:QDFpR/cbBgJ8Q
userb:HQxv/8uQHe.Qk
userc:BASZJcujRHRyk
...

We provide a simple web interface here to generate the encrypted password from a cleartext one. If you are using a UNIX timesharing system, an .htpasswd file can be created with the htpasswd program. For example:

htpasswd -c .htpasswd usera

The program will then ask for usera’s password and add it to the newly created password file. When you want to add userb, leave out the “-c” switch:

htpasswd .htpasswd userb

The group file .htgroup is a text file whose lines consist of a group name followed by a list of users. For example:

friends: usera userb
webmaster: usera userb userc

You can add the AuthGroupFile directive to .htaccess as below to limit access to a specific group of users:

AuthUserFile /var/www/vhosts/<"username">/public_html/.htpasswd
AuthGroupFile /var/www/vhosts/<"username">/public_html/.htgroup
AuthName ByPassword
AuthType Basic

require group friends
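
The Python script below is an added example, not code from the iHost page or from Apache: it parses a .htpasswd and a .htgroup file in the formats shown above, checks a submitted password against the stored hash, and then evaluates a "require valid-user", "require user ..." or "require group ..." line the way the Basic method does. The sample entries are constructed and use the "{SHA}" form that "htpasswd -s" writes, because traditional DES crypt support is optional in current Python builds; a branch for the 13-character DES entries shown on the page is included and used only when the interpreter provides crypt(). Function names such as sha_entry and authorized are my own.

```python
# Added example (not part of the iHost page): parse .htpasswd / .htgroup,
# verify a password, and evaluate a "require" line for Basic protection.
import base64
import hashlib
import hmac
import warnings

try:
    with warnings.catch_warnings():
        # The crypt module is deprecated in 3.11/3.12 and removed in 3.13.
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # traditional UNIX crypt(), used for 13-char DES entries
except ImportError:
    crypt = None


def sha_entry(password: str) -> str:
    """Build the '{SHA}' hash field that 'htpasswd -s' writes (unsalted SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """Map each 'user:hash' line to {user: hash}; blank and comment lines are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user.strip()] = stored.strip()
    return users


def parse_htgroup(text: str) -> dict:
    """Map each 'group: user user ...' line to {group: set(users)}."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        group, members = line.split(":", 1)
        groups.setdefault(group.strip(), set()).update(members.split())
    return groups


def verify_password(stored: str, candidate: str) -> bool:
    """Check a cleartext password against one .htpasswd hash field."""
    if stored.startswith("{SHA}"):
        expected = sha_entry(candidate)
    elif len(stored) == 13 and crypt is not None:
        # Traditional DES crypt: the first two characters are the salt.
        expected = crypt.crypt(candidate, stored[:2]) or ""
    else:
        return False  # unsupported format, or crypt() not available
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(expected.encode(), stored.encode())


def authenticate(users: dict, user: str, password: str) -> bool:
    """First phase: does this user exist and did they give the right password?"""
    stored = users.get(user)
    return stored is not None and verify_password(stored, password)


def authorized(require: str, user: str, groups: dict) -> bool:
    """Second phase: evaluate a 'require' line for an authenticated user."""
    words = require.split()
    if words and words[0].lower() == "require":
        words = words[1:]
    if not words:
        return False
    kind, args = words[0].lower(), words[1:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args
    if kind == "group":
        return any(user in groups.get(g, set()) for g in args)
    return False  # other require types are not modelled here


if __name__ == "__main__":
    # Constructed sample files; not real accounts.
    users = parse_htpasswd("usera:" + sha_entry("alpha-1") + "\nuserb:" + sha_entry("bravo-2"))
    groups = parse_htgroup("friends: usera userb\nwebmaster: usera userb userc\n")
    ok = authenticate(users, "usera", "alpha-1") and authorized("require group friends", "usera", groups)
    print("usera via 'require group friends':", "granted" if ok else "denied")
```

Note that membership in a group only helps a user who also has an entry in AuthUserFile: the password check comes first, and the .htgroup file is consulted only afterwards, which is why userc in the sample webmaster group cannot log in without a .htpasswd line of their own.
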

Understanding the Syntax

Configuration directives

  • AuthType type

    Must be Basic

  • AuthName name

    The symbolic name of this access file. It appears when a user is prompted for a password. Specify whatever you think is appropriate.

  • AuthUserFile file

    Specifies the absolute path of the user’s password file.

  • AuthGroupFile file

    Specifies the absolute path of the user’s group access file.

Access Directives

  • require valid-user

    Allow all users in the AuthUserFile file access upon providing a valid password.

  • require user user1 user2

    Specify which users (separated by spaces) in the AuthUserFile file are allowed access upon providing a valid password.

  • require group group1 group2

    Specify which groups of users in the AuthGroupFile file are allowed access upon providing a valid password.