Restricting access with .htaccess
The formulas below can be included in a .htaccess file on any of the CSAIL standard Web servers (people, groups, projects, courses). See also Sending redirects.
Requiring certificates
The formula below requires that all pages be accessed as https://... with a non-expired CSAIL certificate. Attempts to access via http://, even from a browser that has a certificate installed, result in a 403 Forbidden error.
SSLOptions +OptRenegotiate
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 3
SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory"
Alternatively, you can redirect people who arrive at the http:// URL by using the formula below in its place. Replace /PATH/TO/HERE and SERVER.csail.mit.edu appropriately.
RewriteEngine on
RewriteBase /PATH/TO/HERE
SSLOptions +OptRenegotiate +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 3
SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory"
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://SERVER.csail.mit.edu/PATH/TO/HERE/$1
Restricting access to specific users
Replace the above SSLRequire line with:
SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory" \
&& %{SSL_CLIENT_S_DN_Email} in {"alice@CSAIL.MIT.EDU", "bob@CSAIL.MIT.EDU"}
N.B.: This mechanism is case-sensitive. The values compared are the O (organization) and emailAddress fields of the client certificate's subject, and all of the elements must be given exactly as they appear in the certificate, the name of the Lab and the CSAIL.MIT.EDU domain name in particular. Using all lower case is a common cause of difficult-to-diagnose errors.
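The following is an added example, not TIG's code or anything shipped with Apache: it evaluates the SSLRequire expressions above the way mod_ssl does (byte-for-byte comparison) and, when access would be denied, says why, flagging the case-only mismatches that the note above warns about. The dictionaries stand in for the SSL_CLIENT_S_DN_O and SSL_CLIENT_S_DN_Email variables mod_ssl exports; the sample values are constructed.

```python
# Added example (not TIG's code): mimic the SSLRequire line and explain
# why a client certificate would be rejected. The env dict stands in for
# the SSL_CLIENT_S_DN_* variables that mod_ssl exports for a request.

LAB_ORG = "MIT Computer Science & Artificial Intelligence Laboratory"


def ssl_require_allows(env, allowed_emails=None):
    """True exactly when the page's SSLRequire expression would be true.

    Comparison is byte-for-byte, as Apache's == and `in {...}` operators are.
    With allowed_emails=None this is the organization-only rule; with a set of
    addresses it is the "specific users" variant.
    """
    if env.get("SSL_CLIENT_S_DN_O") != LAB_ORG:
        return False
    if allowed_emails is None:
        return True
    return env.get("SSL_CLIENT_S_DN_Email") in allowed_emails


def diagnose(env, allowed_emails=None):
    """Return 'ok' or a short reason for denial, naming case-only mismatches."""
    org = env.get("SSL_CLIENT_S_DN_O")
    if org is None:
        return "no client certificate subject seen (was one presented?)"
    if org != LAB_ORG:
        if org.lower() == LAB_ORG.lower():
            return "organization differs only in case: %r" % org
        return "organization is not the Lab: %r" % org
    if allowed_emails is None:
        return "ok"
    email = env.get("SSL_CLIENT_S_DN_Email")
    if email in allowed_emails:
        return "ok"
    if email is not None and email.lower() in {a.lower() for a in allowed_emails}:
        return "email differs only in case: %r" % email
    return "email not in allowed list: %r" % email


if __name__ == "__main__":
    # Constructed sample subjects, not real certificates.
    users = {"alice@CSAIL.MIT.EDU", "bob@CSAIL.MIT.EDU"}
    good = {"SSL_CLIENT_S_DN_O": LAB_ORG,
            "SSL_CLIENT_S_DN_Email": "alice@CSAIL.MIT.EDU"}
    lower = {"SSL_CLIENT_S_DN_O": LAB_ORG,
             "SSL_CLIENT_S_DN_Email": "alice@csail.mit.edu"}
    for env in (good, lower):
        print(ssl_require_allows(env, users), "-", diagnose(env, users))
```

To feed it real values, look at what your own certificate's subject actually contains (for example with openssl x509 -noout -subject on the exported certificate) and copy the O and emailAddress fields verbatim into the env dict.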
Restricting access using "digest" authentication
Digest authentication is more secure than sending plaintext passwords (described in the next section), because the browser sends a hash computed from the password rather than the password itself, but it is not supported on some older browsers. If your user community includes old browsers that don't support digest authentication, use "basic" (plaintext password) authentication with SSL as described in the next section. Note that digest authentication protects only the password in transit; the pages themselves still travel in the clear unless you also require https.
To limit access to a directory using digest authentication (also called "secure password authentication"), put the following in your .htaccess file:
AuthUserFile /path/to/your/directory/.htpasswd
AuthGroupFile /dev/null
AuthName "Ben Bitdiddle's private files"
AuthType Digest
AuthDigestProvider file
AuthDigestDomain /URL/path/to/your/directory
Require valid-user
Be sure to replace the AuthUserFile, AuthName, and AuthDigestDomain with the real information! AuthUserFile is the complete path to the .htpasswd file (which you will create below). AuthName is a message that will be displayed at the password prompt. AuthDigestDomain is the URL path to the directory being protected. (For example, if you are protecting http://people.csail.mit.edu/bitdiddl/private/, the directive should read AuthDigestDomain /bitdiddl/private/.)
Next you need to use the htdigest command to create the password file you referenced in the above .htaccess file. For example, if you specified /afs/csail/.../public_html/testing/.htpasswd as the password file, you would then run:
$ htdigest -c ~/public_html/testing/.htpasswd "Ben Bitdiddle's private files" bitdiddl
Adding password for bitdiddl in realm Ben Bitdiddle's private files.
New password:
Re-type new password:
Leave off the -c option for the second and subsequent users: -c creates the .htpasswd file if it doesn't exist and overwrites it if it does, which would discard every user already in it. The command above therefore means "create the .htpasswd file and add a user called bitdiddl using digest authentication." Note that the passwords are specific to the "realm" you specify (the realm is hashed into the stored entry), so it must be identical, including case, to the name specified in the AuthName directive in the .htaccess file.
(If you name your password file something other than .htpasswd, then you should store it outside of your web file tree. The server contains special access controls to prevent people from downloading these files, which will not apply if you call the password file something else.)
Note that the server will be accessing the .htaccess and .htpasswd files, which means it needs to have permission to read them. The directory where you put .htaccess, being a subdirectory of your web directory, will likely inherit the permissions of the web directory, so the web server should already be able to read it. However, if you put .htpasswd in another directory, it may not be readable by the web server unless you use the fs setacl command (e.g., fs sa DIR www read, where DIR is the directory containing .htpasswd).
Now you might want to make sure that the file got created and that everything looks good:
$ ls -la ~/public_html/testing/
total 12
drwxr-xr-x 2 wollman wollman 4096 May 28 13:42 ./
drwxr-xr-x 3 wollman wollman 4096 May 28 13:41 ../
-rw-r--r-- 1 wollman wollman 72 May 28 13:42 .htpasswd
$ cat ~/public_html/testing/.htpasswd
bitdiddl:Ben Bitdiddle's private files:e45c96567bc278d15a942e56dead09d9
Finally test this all by trying to browse to the web page you're trying to protect. You should get a dialog prompting you for a username and password.
Restricting access using "basic" authentication
To limit access to a directory using plaintext password (called "basic") authentication, put the following in your .htaccess file:
# Comment next two lines out to enable plaintext passwords over unencrypted
# connections. Check with TIG if you are not sure whether you should.
SSLRequireSSL
SSLVerifyClient none
AuthUserFile /path/to/your/directory/.htpasswd
AuthGroupFile /dev/null
AuthName "Ben Bitdiddle's private files"
AuthType Basic
Require valid-user
Be sure to replace the AuthUserFile and AuthName with the real information! AuthUserFile is the complete path to the .htpasswd file (which you will create below), and AuthName is a message that will be displayed at the password prompt.
Next you need to use the htpasswd command to create the password file you referenced in the above .htaccess file. For example, if you specified /afs/csail/u/m/mpearrow/public_html/testing/.htpasswd as the password file, you would then run:
mpearrow@asterix:~/testing$ htpasswd -c .htpasswd testuser
New password:
Re-type new password:
Adding password for user testuser
This says, "Run the htpasswd command, and create the .htpasswd file if it doesn't exist or overwrite it if it does (that's what the -c does; be careful not to overwrite an existing file), and create a user called testuser."
(If you name your password file something other than .htpasswd, then you should store it outside of your web file tree. The server contains special access controls to prevent people from downloading these files, which will not apply if you call the password file something else.)
Note that the server will be accessing the .htaccess and .htpasswd files, which means it needs to have permission to read them. The directory where you put .htaccess, being a subdirectory of your web directory, will likely inherit the permissions of the web directory, so the web server should already be able to read it. However, if you put .htpasswd in another directory, it may not be readable by the web server unless you use the fs setacl command (e.g., fs sa DIR www read, where DIR is the directory containing .htpasswd).
Now you might want to make sure that the file got created and that everything looks good:
mpearrow@asterix:~/testing$ ls -la
total 7
drwxrwxr-x 2 mpearrow mpearrow 2048 Feb 1 20:30 .
drwxrwxrwx 18 mpearrow 502 4096 Feb 1 20:29 ..
-rw-rw-r-- 1 mpearrow mpearrow 23 Feb 1 20:30 .htpasswd
mpearrow@asterix:~/testing$ more .htpasswd
testuser:Jo/nnqFPwqQqU
mpearrow@asterix:~/testing$
Finally test this all by trying to browse to the web page you're trying to protect. You should get a dialog prompting you for a username and password.
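The following is an added example for the two password sections above, not TIG's code or part of Apache: it reproduces the line that htdigest writes (user:realm:MD5(user:realm:password)), shows how the server checks a Digest response using only that stored hash, and shows what a Basic Authorization header gives to anyone who can read an unencrypted connection. The user name and realm are the ones from the page; the password, nonces and request line are constructed sample values.

```python
# Added example (not TIG's code): what htdigest(1) stores, how a Digest
# response is checked against it without the password, and what a Basic
# header exposes. Credentials, nonces and the request are constructed.
import base64
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """The line `htdigest -c FILE REALM USER` writes: user:realm:HA1.

    HA1 = MD5(user:realm:password), so an entry only works for the AuthName it
    was created under; a realm differing even in case gives a different hash.
    """
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def parse_htdigest(text: str) -> dict:
    """Map (user, realm) -> HA1 from the contents of an htdigest-written file."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, ha1 = line.split(":", 2)
            db[(user, realm)] = ha1
    return db


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side of RFC 2617 Digest with qop=auth, the variant browsers send."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(db, user, realm, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1 alone; the password is never needed."""
    ha1 = db.get((user, realm))
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)


def basic_header(user: str, password: str) -> str:
    """What the browser sends for AuthType Basic: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_from_basic_header(header: str):
    """What an on-path observer recovers from a Basic header sent over http."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    realm = "Ben Bitdiddle's private files"   # must equal AuthName exactly
    password = "constructed-pw"               # sample value only
    db = parse_htdigest(htdigest_entry("bitdiddl", realm, password))
    nonce, cnonce, nc, uri = secrets.token_hex(16), secrets.token_hex(8), "00000001", "/bitdiddl/private/"
    resp = digest_response("bitdiddl", realm, password, "GET", uri, nonce, nc, cnonce)
    print("digest ok:", verify_digest(db, "bitdiddl", realm, "GET", uri, nonce, nc, cnonce, resp))
    print("observer sees:", credentials_from_basic_header(basic_header("bitdiddl", password)))
```

Two things worth noticing. The server verifies a Digest login from HA1 alone, so anyone who can read the .htpasswd file can log in as that user without cracking anything; that is why the file must not be downloadable or world-readable, whatever you name it. And the Basic header decodes straight back to the password, which is why the recipe above keeps SSLRequireSSL in place by default.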
Restricting Access by IP Address
If you want to limit access to a directory and its children based on IP address (e.g., just people on the CSAIL network, or MITnet, etc.), you also use a .htaccess file. For example, the following directives limit the directory and its children to MITnet and the CSAIL network. A trailing dot in an allow from line matches every address beginning with that prefix, so allow from 18. admits all of 18.0.0.0/8. Two caveats: the <Limit GET POST> wrapper applies the restriction only to GET (which also covers HEAD) and POST, so leave the wrapper out if you want it to apply to every request method; and order/deny/allow is the Apache 2.2 access-control syntax, which Apache 2.4 accepts only through mod_access_compat (the 2.4 form is Require ip ...).
<Limit GET POST>
order deny,allow
deny from all
allow from 18.
allow from 128.30.
allow from 128.31.
allow from 128.52.
</Limit>
Restricting access to EITHER Stata Center OR certificates
In the below, replace /PATH/TO/HERE and SERVER.csail.mit.edu with appropriate values.
RewriteEngine on
RewriteBase /PATH/TO/HERE
SSLOptions +OptRenegotiate +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 3
SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory"
RewriteCond %{REMOTE_ADDR} !^128\.(3[01]|52)\.[0-9]+\.[0-9]+$
RewriteCond %{REMOTE_ADDR} !^18\.26\.[0-9]+\.[0-9]+$
RewriteCond %{HTTPS} !=on
#If off campus and no https, redirect to https
RewriteRule (.*) https://SERVER.csail.mit.edu/PATH/TO/HERE/$1
##Other approach is to give 403 forbidden
#RewriteRule .* - [F]
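The following is an added example, not TIG's code: it works through the decisions the two address-based recipes above make, so you can check how a given client would be treated before relying on them. The allow from prefixes and the two RewriteCond patterns are copied from the page; the test addresses are constructed. It also makes visible one consequence of the EITHER/OR recipe that is easy to miss: SSLVerifyClient require is not conditioned on REMOTE_ADDR, so an on-site user who browses via https:// is still asked for a certificate.

```python
# Added example (not TIG's code): the access decisions of the <Limit> block
# and of the EITHER/OR rewrite recipe, for a given REMOTE_ADDR and scheme.
import ipaddress
import re

# "allow from 18." in Apache is a dotted-prefix match, i.e. all of 18.0.0.0/8;
# the three 128.x prefixes are /16s.
LIMIT_ALLOW = [ipaddress.ip_network(n) for n in
               ("18.0.0.0/8", "128.30.0.0/16", "128.31.0.0/16", "128.52.0.0/16")]

# The RewriteCond patterns from the EITHER/OR recipe, verbatim.
ON_SITE = (re.compile(r"^128\.(3[01]|52)\.[0-9]+\.[0-9]+$"),
           re.compile(r"^18\.26\.[0-9]+\.[0-9]+$"))


def limit_block_allows(remote_addr: str) -> bool:
    """Decision of the <Limit GET POST> block for a GET or POST request.

    Other methods are untouched by that block. IPv6 clients match none of the
    IPv4 prefixes and are therefore denied.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in LIMIT_ALLOW)


def either_or_decision(remote_addr: str, https: bool) -> str:
    """What the EITHER/OR recipe does with a request.

    'serve-plain'   on-site address over http: served, no certificate involved
    'serve-if-cert' any https request: SSLVerifyClient require demands a CSAIL
                    certificate, on-site addresses included
    'redirect'      off-site address over http: all three RewriteConds hold, so
                    the request is rewritten to the https:// URL (or, with the
                    commented-out alternative rule, answered with 403)
    """
    if https:
        return "serve-if-cert"
    if any(p.match(remote_addr) for p in ON_SITE):
        return "serve-plain"
    return "redirect"


if __name__ == "__main__":
    # Constructed sample clients.
    for addr in ("18.26.4.9", "18.1.1.1", "128.52.1.1", "192.0.2.1"):
        print(addr, "Limit:", limit_block_allows(addr),
              "http:", either_or_decision(addr, False),
              "https:", either_or_decision(addr, True))
```

Note the difference between the two recipes: the <Limit> block admits all of MITnet (18.0.0.0/8), while the EITHER/OR recipe treats only 18.26.x.x and the three 128.x networks as on-site and redirects everyone else to https://, where a certificate is required. Neither pattern matches an IPv6 address, so an IPv6 client is always treated as off-site.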
Finding out more about .htaccess magic
See the Apache .htaccess page.
Troubleshooting basic authentication
If this doesn't work, you've probably put your .htpasswd file in a directory the Web server is not allowed to read. (Your home directory, for example, is a common place that people have put .htpasswd files in the past which is not readable by the Web server.)
If it still doesn't work, send email to help@csail.mit.edu and we'll help you sort it out.