Web publishing: How to restrict public_html web pages using htaccess


Note: As of 02/14/2017, new Unix accounts will no longer be provisioned with a "public_html" folder.


You may want to restrict access to all of your files or to only selected files on your Central File server public_html folder. For example, you might have a course Web page which can be viewed by anyone in the world, but assignment pages which should be viewed only by people at Princeton. You can use a special file named .htaccess to restrict access in a variety of ways which can require that users authenticate with their Princeton netID and LDAP password.

On a Windows computer or Mac, use a text editor such as Notepad or SimpleText to create the file. The file must not contain any word processing codes, so do not use a word processing program like MS Word, which can put invisible codes into your file.

The SSLRequireSSL directive should be added in all examples that use passwords. It requires an https connection before a password is requested; without it, browsers will send netIDs and passwords in the clear over plain http. If the page is requested over http instead of https, an access denied page is returned.


Note: A user's root directory (/u/netid) is assigned default permissions of 711. If the permissions have been changed, you must either reset the root directory permissions to 711 or place the .htpasswd file in a different folder whose permissions are set to 711. See Solution 8820 for instructions.


Below you will find information on how to:

  1. Restrict access to all Princeton users
  2. Restrict access to specific Princeton users
  3. Restrict access to computers in the Princeton.edu domain
  4. Restrict access to specific Princeton and/or non-Princeton users
  5. Restrict access to particular files
  6. Advanced security options
  7. Code for custom error page for incorrect login

1. Restrict access to Princeton users
To ensure that only people at Princeton can view all your files, add a new file named .htaccess to your public_html Unix directory. To restrict access only to certain folders, put the .htaccess file in those subdirectories instead.

Be sure the .htaccess file itself has permissions set to 644 (chmod 644 .htaccess) and that the remainder of your folders have appropriate permissions. For more information about restricting access, read more about the Limit directive.

The contents of the .htaccess file are shown below. Note that the methods listed in the Limit directive -- such as GET, POST, or PUT -- must be all UPPERCASE. Note also that a Limit block applies only to the methods it names, so a request made with any other method (for example POST) is not challenged for a password; to apply the require line to every method, leave it outside any Limit block.

SSLRequireSSL
AuthType Basic
AuthName "Provide netID and LDAP password"
<Limit GET>
require valid-user
</Limit>

Note: An https connection is required. Without https at the beginning of the URL, you will receive the following error message: "Forbidden. You don't have permission to access /folder/file on this server."

2. Restrict access to specific Princeton users
You can limit access to a specific list of Princeton users by adding one require line per user to the .htaccess file.

SSLRequireSSL
AuthType Basic
AuthName "Use LDAP Acct/Password"
require user userid
require user AddALineForEachUser

For example, to restrict access to users "bobh12" and "harrys", you would code:

SSLRequireSSL
AuthType Basic
AuthName "Use LDAP Acct/Password"
require user bobh12
require user harrys

Note: An https connection is required. Without https at the beginning of the URL, you will receive the following error message: "Forbidden. You don't have permission to access /folder/file on this server."

3. Restrict access to computers in the Princeton.edu domain
You can restrict access to computers in the Princeton domain. Wildcards, with '?' matching any single character and '*' matching any sequence of characters, can also be used for individual pages. For more information, see the Apache Access Control by URL documentation. Note that matching on a domain name requires the server to look up the client's address in reverse DNS, so a client whose address does not resolve to a princeton.edu name is refused.

The .htaccess file must have the following contents:

order deny,allow
deny from all
allow from princeton.edu

4. Restrict access to specific Princeton and/or non-Princeton users
You can limit access to your documents to a specific list of Princeton and non-Princeton users. In the directory containing the files to be restricted, add 3 files:

  1. .htaccess file
  2. .htpasswd file: a list of users and encrypted passwords
  3. .htgroup file: a file identifying the authorized 'group' and its members.

Examples are below:

.htaccess: The following example shows the contents of a "limiting to specific users" .htaccess file. Note that if the AuthName string contains blank characters -- like spaces between words -- that string must be enclosed in quotation marks.

AuthType Basic
AuthName "By Secret Password Only!"   [displayed on the browser's login form]
AuthUserFile /u/userid/.htpasswd      [absolute path]
AuthGroupFile /u/userid/.htgroup      [absolute path]
<Limit GET>
require group groupname
</Limit>

The userid is your netID (or the ID of the account that holds the documents you want to restrict), and groupname is the name you assign in the .htgroup file to the group that will be given access.

Note: If you are restricting a cgi program called from a form using PUT, a second Limit block with PUT in place of GET must also be added. The require statement needs the word "group" followed by the groupname, which must match the groupname in the .htgroup file.

.htpasswd: The .htpasswd (Users file) contains the user/password pairs for authorized access. They are in the form:

userid1:encrypted password
userid2:encrypted password

Note: Do not put spaces before or after the colon.

See the Generating Encrypted Passwords section for more information on generating encrypted passwords. This file should not be in your public_html folder; otherwise, anyone can see it and attempt a "brute force" attack to learn the passwords.

.htgroup: The .htgroup (Group file) contains the group name and identifications in the form:

groupname1: userid1 userid2 userid3
groupname2: userid4

Note: In the above, do not put spaces before the colon, but put a space after the colon.

Note for Unix users: Your .ht files must have permissions set so they are world readable (chmod 644). Special provisions have been made on our server so they cannot be displayed through a web browser. When testing, note that you will receive the password request only once. Reloads will not cause the security check to occur again; you can force it to recur by typing a different or invalid user name into the URL (for example https://abc@www.princeton.edu), after which you will be prompted for a new user name and password.
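The notes above give three rules for the .htpasswd and .htgroup files: no spaces around the colon in .htpasswd, no space before but one after the colon in .htgroup, and the file kept out of public_html with mode 644. The following checker, an added example that is not part of the original page, tests those rules on constructed sample files. The user names, group name, hash placeholders and temporary directory are all assumptions made for the example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample contents (not from the page). The hash values are
# placeholders, not real encrypted passwords.
GOOD_HTPASSWD = "bobh12:$apr1$xyz$placeholderhash\nharrys:$apr1$abc$placeholderhash\n"
BAD_HTPASSWD = "bobh12 : $apr1$xyz$placeholderhash\n"   # spaces around the colon
GOOD_HTGROUP = "coursestaff: bobh12 harrys\n"
BAD_HTGROUP = "coursestaff :bobh12 harrys\n"             # space before the colon, none after


def check_htpasswd_text(text):
    """Return a list of format problems in .htpasswd content (empty = clean)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # Rule from the page: 'userid:encrypted password' with no spaces around the colon.
        if not re.fullmatch(r"[^:\s]+:\S+", line):
            problems.append(f"line {lineno}: expected 'userid:hash' with no spaces around the colon")
    return problems


def check_htgroup_text(text):
    """Return a list of format problems in .htgroup content (empty = clean)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # Rule from the page: no space before the colon, one space after, members space-separated.
        if not re.fullmatch(r"[^:\s]+: \S+( \S+)*", line):
            problems.append(f"line {lineno}: expected 'groupname: user1 user2' "
                            "(no space before the colon, one after)")
    return problems


def check_location_and_mode(path, public_html):
    """Flag a password file that lives under public_html or is not mode 644."""
    problems = []
    path = Path(path).resolve()
    public_html = Path(public_html).resolve()
    if public_html in list(path.parents):
        problems.append(f"{path} is inside {public_html}; move it out of the web-served tree")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        problems.append(f"{path} has mode {oct(mode)}, expected 0o644 (chmod 644)")
    return problems


def demo():
    """Build a throwaway /u/netid layout in a temp dir and run every check."""
    root = Path(tempfile.mkdtemp())          # hypothetical scratch location
    home = root / "u" / "netid"
    web = home / "public_html"
    web.mkdir(parents=True)
    good = home / ".htpasswd"                # correct place, correct mode
    good.write_text(GOOD_HTPASSWD)
    good.chmod(0o644)
    exposed = web / ".htpasswd"              # wrong place and wrong mode
    exposed.write_text(GOOD_HTPASSWD)
    exposed.chmod(0o600)
    return {
        "good_htpasswd": check_htpasswd_text(GOOD_HTPASSWD),
        "bad_htpasswd": check_htpasswd_text(BAD_HTPASSWD),
        "good_htgroup": check_htgroup_text(GOOD_HTGROUP),
        "bad_htgroup": check_htgroup_text(BAD_HTGROUP),
        "good_file": check_location_and_mode(good, web),
        "exposed_file": check_location_and_mode(exposed, web),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "clean")
```

Run it as a script and each constructed file is reported as clean or with the specific rule it breaks; point check_location_and_mode at your own files to verify an account before testing in the browser.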

Note: Be advised that any Princeton user with advanced knowledge of Unix commands and permissions can connect to your account and view files in your public_html account, but for web purposes the above is satisfactory. If you want to allow people outside of Princeton to have password-protected access to your web pages, you will need to add each user's username and password to your .htpasswd file.

If you want to authenticate with a custom .htpasswd file and then fall back to LDAP authentication, you can place the following inside your .htaccess file:

AuthAuthoritative off

and that will use the password file you specify with the AuthUserFile directive and then fall back to LDAP authentication. This will work in combination with the other access methods presented above (such as require valid-user, require user username, and require group groupname).

5. Restrict access to particular files
Note that the .htaccess file applies to the directory it is in as well as all subdirectories. To restrict access only to particular files, you need to use the Files directive. For example, if you want users to need a password only for particular files in a directory, create a .htaccess file in the directory in the following format:

AuthType Basic
AuthName "Enter your netID/password"
AuthUserFile /u/netid/.htpasswd

<Files restricted.html>
SSLRequireSSL
require user user1
require user user2
</Files>

This restricts access to any file named "restricted.html" in that directory, and in all subdirectories, to those users who have a username/password combination in the .htpasswd file. To restrict access to all files ending in "restricted.html", replace "restricted.html" with "*restricted.html". By placing the SSLRequireSSL directive inside the Files block, you allow users to access all other files over a plain http connection, but require an https connection to access restricted.html. Note that you can also place group information inside the Files block:

<Files restricted.html>
SSLRequireSSL
require group group1
require group group2
</Files>

This will also work with the AuthAuthoritative off command.
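To make the scoping rules in sections 1, 4 and 5 concrete, here is a small model of how a Files block, a Limit block, SSLRequireSSL and the three require forms combine to decide a request. It is an added example written for this page, a simplified model of the directive semantics and not Apache's own parser or code; the .htaccess text, the file names, the group "coursestaff" and its members are constructed assumptions, and the model takes the user's password as already verified.

```python
import fnmatch
import re

# Constructed .htaccess (not from the page): section 5's Files block with the
# require wrapped in a <Limit GET> block as described in sections 1 and 4.
SAMPLE_HTACCESS = """
AuthType Basic
AuthName "Enter your netID/password"
AuthUserFile /u/netid/.htpasswd
AuthGroupFile /u/netid/.htgroup

<Files "*restricted.html">
SSLRequireSSL
<Limit GET>
require group coursestaff
</Limit>
</Files>
"""

# Constructed .htgroup contents: group name -> members.
GROUPS = {"coursestaff": {"bobh12", "harrys"}}


def parse_htaccess(text):
    """Flatten the file into rules, each tagged with the Files pattern and the
    Limit methods in force where it appears (None = no restriction)."""
    rules, files_pat, limit_methods = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'<Files\s+"?([^">]+)"?>', line)
        if m:
            files_pat = m.group(1)
            continue
        if line.lower() == "</files>":
            files_pat = None
            continue
        m = re.fullmatch(r"<Limit\s+([^>]+)>", line)
        if m:
            limit_methods = set(m.group(1).split())   # page's rule: names are UPPERCASE
            continue
        if line.lower() == "</limit>":
            limit_methods = None
            continue
        if line == "SSLRequireSSL":
            rules.append({"kind": "ssl", "files": files_pat, "methods": limit_methods})
            continue
        m = re.fullmatch(r"require\s+(valid-user|user\s+\S+|group\s+\S+)", line)
        if m:
            rules.append({"kind": "require", "what": m.group(1).split(),
                          "files": files_pat, "methods": limit_methods})
    return rules


def applies(rule, filename, method):
    """A rule is in force only for files matching its pattern and methods in its Limit."""
    if rule["files"] is not None and not fnmatch.fnmatchcase(filename, rule["files"]):
        return False
    if rule["methods"] is not None and method not in rule["methods"]:
        return False
    return True


def decide(rules, filename, method, https, user=None):
    """Return 'forbidden' (SSL required but plain http), 'unauthorized' (a require
    is in force and no user satisfies it) or 'ok'. user=None means no credentials."""
    for r in rules:
        if r["kind"] == "ssl" and applies(r, filename, method) and not https:
            return "forbidden"
    reqs = [r for r in rules if r["kind"] == "require" and applies(r, filename, method)]
    if not reqs:
        return "ok"            # nothing restricts this file/method combination
    if user is None:
        return "unauthorized"
    for r in reqs:             # any satisfied require line grants access
        what = r["what"]
        if what[0] == "valid-user":
            return "ok"
        if what[0] == "user" and what[1] == user:
            return "ok"
        if what[0] == "group" and user in GROUPS.get(what[1], set()):
            return "ok"
    return "unauthorized"


RULES = parse_htaccess(SAMPLE_HTACCESS)


def demo():
    """Requests against the constructed rules; the last one shows the Limit GET gap."""
    return {
        "public_page": decide(RULES, "index.html", "GET", https=False),
        "restricted_http": decide(RULES, "hw1restricted.html", "GET", https=False),
        "restricted_anon": decide(RULES, "hw1restricted.html", "GET", https=True),
        "restricted_member": decide(RULES, "hw1restricted.html", "GET", https=True, user="bobh12"),
        "restricted_outsider": decide(RULES, "hw1restricted.html", "GET", https=True, user="zz99"),
        "restricted_post": decide(RULES, "hw1restricted.html", "POST", https=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last case is the one to notice: because the require line sits inside <Limit GET>, a POST to the same restricted file is not challenged at all, while SSLRequireSSL, which sits outside the Limit block, still applies to every method. Dropping the Limit wrapper makes the require apply to all methods.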

6. Advanced security options
Note that .htaccess files only restrict who can view the files by going to www.princeton.edu/~netID. Users with knowledge of Unix commands can still access your files. To prevent this from occurring:

7. Code for custom error page upon incorrect login
If you want a custom error document for users who cannot supply a correct username/password combination, add the following line to the .htaccess file:

ErrorDocument 401 /~netid/notauthorized.html

and it will display the notauthorized.html file.