Foswiki > TIG Web > WebServices > HtaccessHints (18 Sep 2015, andersk)

Restricting access with .htaccess

The formulas below can be included in a .htaccess file on any of the standard CSAIL Web servers (people, groups, projects, courses). See also Sending redirects.

Requiring CSAIL certificates

The formula below requires that all pages are accessed over https://... with a non-expired CSAIL certificate. Attempts to access them via http://, even with a certificate installed, result in a 403 Forbidden error.

   # Use this line only if a script cares about the identity of the client:
   SSLOptions +OptRenegotiate +StdEnvVars
   # Otherwise, comment out the previous line and uncomment the following line:
   # SSLOptions +OptRenegotiate
   SSLRequireSSL
   SSLVerifyClient require
   SSLVerifyDepth 3
   SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory"

Alternatively, you can redirect people who arrive at the http:// URL, by using the below formula in its place. Replace /PATH/TO/HERE and SERVER.csail.mit.edu appropriately.

   RewriteEngine on
   RewriteBase /PATH/TO/HERE
   # Use this line only if a script cares about the identity of the client:
   SSLOptions +OptRenegotiate +StdEnvVars
   # Otherwise, comment out the previous line and uncomment the following line:
   # SSLOptions +OptRenegotiate
   SSLVerifyClient require
   SSLVerifyDepth 3
   SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory"
   RewriteCond          %{HTTPS} !=on
   RewriteRule          (.*) https://SERVER.csail.mit.edu/PATH/TO/HERE/$1

Restricting access to specific users

Replace the above SSLRequire line with:

   SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory" \
      && %{SSL_CLIENT_S_DN_Email} in {"alice@CSAIL.MIT.EDU", "bob@CSAIL.MIT.EDU"}

Note 1: This mechanism is case-sensitive. All of the elements must be given exactly as shown, the name of the Lab and the CSAIL.MIT.EDU domain name in particular. Using all lower case is a common cause of difficult-to-diagnose errors.

Note 2: If using CGI or FastCGI scripting, you can dynamically restrict access based on the value of the SSL_CLIENT_S_DN_Email environment variable. SSL_CLIENT_S_DN_CN will contain the full name. (For PHP, prepend REDIRECT_ to the names of those environment variables.)
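As an added illustration of Note 2 (this is example code, not part of the CSAIL page), a CGI script that reads the SSL_CLIENT_S_DN_Email variable exported by SSLOptions +StdEnvVars, also under the REDIRECT_ prefix, and admits only a constructed allowlist of addresses; the exact-match comparison mirrors the case sensitivity described in Note 1.

```python
#!/usr/bin/env python3
# Added example, not from the CSAIL page: a CGI script that allows only listed
# certificate holders, using the SSL_CLIENT_S_DN_Email / SSL_CLIENT_S_DN_CN
# variables that "SSLOptions +StdEnvVars" exports. The allowlist is constructed.
import os
import sys

# Constructed allowlist. Compared exactly, like SSLRequire: the domain in a
# CSAIL certificate is upper case, so "alice@csail.mit.edu" would not match.
ALLOWED = {"alice@CSAIL.MIT.EDU", "bob@CSAIL.MIT.EDU"}


def ssl_var(env, name):
    """Look up a mod_ssl variable, also under the REDIRECT_ prefix that
    some handlers (the page mentions PHP) see instead of the bare name."""
    return env.get(name) or env.get("REDIRECT_" + name)


def authorize(env, allowed=ALLOWED):
    """Return (status, message) for one request environment."""
    # Belt and braces: SSLVerifyClient require already rejects unverified
    # clients, but a script should not trust a DN when verification failed.
    if ssl_var(env, "SSL_CLIENT_VERIFY") != "SUCCESS":
        return "403 Forbidden", "A verified CSAIL certificate is required."
    email = ssl_var(env, "SSL_CLIENT_S_DN_Email")
    if not email:
        return "403 Forbidden", "Certificate carries no e-mail address."
    if email not in allowed:
        return "403 Forbidden", f"{email} is not on the access list."
    name = ssl_var(env, "SSL_CLIENT_S_DN_CN") or email
    return "200 OK", f"Hello, {name}."


def main():
    status, message = authorize(os.environ)
    # CGI response: a Status header makes Apache send the matching HTTP code.
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n")
    sys.stdout.write(message + "\n")


if __name__ == "__main__":
    main()
```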

Restricting access using "digest" authentication (recommended password method)

Digest authentication is more secure than plaintext passwords (described in the next section). If your site is accessed by older tools or very old browsers that don't support digest authentication, use "basic" (plaintext password) authentication over SSL as described in the next section.

To limit access to a directory using digest authentication (also called "secure password authentication"), put the following in your .htaccess file:

   AuthUserFile /path/to/your/directory/.htdigest
   AuthGroupFile /dev/null
   AuthName "Ben Bitdiddle's private files"
   AuthType Digest
   AuthDigestProvider file
   AuthDigestDomain /URL/path/to/your/directory
   Require valid-user

Be sure to replace the AuthUserFile, AuthName, and AuthDigestDomain with the real information! AuthUserFile is the complete path to the .htdigest file (which you will create below). AuthName is a message that will be displayed at the password prompt. AuthDigestDomain is the URL path to the directory being protected. (For example, if you are protecting http://people.csail.mit.edu/bitdiddl/private/, the directive should read AuthDigestDomain /bitdiddl/private/.)

Next you need to run the htdigest command, available on public login servers, to create the password file you referenced in the above .htaccess file. For example, if you specified /afs/csail/.../public_html/testing/.htdigest as the password file, you would first ssh to a CSAIL login server and then run:

   $ htdigest -c ~/public_html/testing/.htdigest "Ben Bitdiddle's private files" bitdiddl
   Adding password for bitdiddl in realm Ben Bitdiddle's private files.
   New password: 
   Re-type new password: 

Leave off the -c option for the second and subsequent users. The command means "Create the .htdigest file if it doesn't exist or overwrite it if it does—that's what the -c does—and create a user called bitdiddl using digest authentication." Note that the passwords are specific to the "realm" you specify, which must be identical to the name given in the AuthName directive in the .htaccess file.

(If you name your password file something other than .ht*, then you should store it outside of your web file tree. The server contains special access controls to prevent people from downloading these files, which will not apply if you call the password file something else.)

Note that the server will be accessing the .htaccess and .htdigest files, which means it needs to have permission to access them. The directory where you put .htdigest, being a subdirectory of your web directory, will likely inherit the permissions of the web directory, so the web server should already be able to read it. However, if you put .htdigest in another directory, it may not be readable by the web server unless you use the fs setacl command (e.g., fs sa DIR www read where DIR is the directory containing .htdigest).

Now you might want to make sure that the file got created and that everything looks good:

   $ ls -la ~/public_html/testing/
   total 12
   drwxr-xr-x 2 wollman wollman 4096 May 28 13:42 ./
   drwxr-xr-x 3 wollman wollman 4096 May 28 13:41 ../
   -rw-r--r-- 1 wollman wollman   72 May 28 13:42 .htdigest
   $ cat ~/public_html/testing/.htdigest
   bitdiddl:Ben Bitdiddle's private files:e45c96567bc278d15a942e56dead09d9

Finally test this all by trying to browse to the web page you're trying to protect. You should get a dialog prompting you for a username and password.
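To make the .htdigest format and the role of the realm concrete, here is an added example (not from the CSAIL page or from the htdigest tool itself) that builds, updates and verifies entries the way htdigest stores them: the hash is MD5 over user:realm:password, so an entry only matches when the realm equals the AuthName exactly. The user, realm and passwords used in it are constructed sample values.

```python
#!/usr/bin/env python3
# Added example, not from the CSAIL page: a small re-implementation of what
# htdigest writes, so the file format and the role of the realm are visible.
# User, realm and password values used with it are constructed samples.
import hashlib
import hmac


def ha1(user, realm, password):
    """Apache's HA1: MD5 of user:realm:password, the value htdigest stores.
    Because the realm is hashed in, it must equal the AuthName exactly."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def digest_line(user, realm, password):
    """One .htdigest line: user:realm:HA1 (compare with the cat output above)."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def parse_htdigest(text):
    """Map (user, realm) -> HA1 for every well-formed line in the file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) != 3:
            continue  # skip blanks, comments and malformed lines
        user, realm, stored = parts
        entries[(user, realm)] = stored
    return entries


def set_password(text, user, realm, password):
    """Add or replace one user's entry, like running htdigest without -c
    (which keeps the other users instead of truncating the file)."""
    kept = [line for line in text.splitlines()
            if not line.startswith(f"{user}:{realm}:")]
    kept.append(digest_line(user, realm, password))
    return "\n".join(kept) + "\n"


def verify(text, user, realm, password):
    """True when user, realm and password match an entry in the file."""
    stored = parse_htdigest(text).get((user, realm))
    if stored is None:
        return False  # unknown user, or realm spelled differently
    return hmac.compare_digest(ha1(user, realm, password), stored)
```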

Restricting access using "basic" authentication

To limit access to a directory using plaintext password (called "basic") authentication, put the following in your .htaccess file:

   # Comment next two lines out to enable plaintext passwords over unencrypted
   # connections.  Check with TIG if you are not sure whether you should.
   SSLRequireSSL
   SSLVerifyClient none
   AuthUserFile /path/to/your/directory/.htpasswd
   AuthGroupFile /dev/null
   AuthName "Ben Bitdiddle's private files"
   AuthType Basic
   Require valid-user

Be sure to replace the AuthUserFile and AuthName with the real information! AuthUserFile is the complete path to the .htpasswd file (which you will create below), and AuthName is a message that will be displayed at the password prompt.

Next you need to use the htpasswd command, available on public login servers, to create the password file you referenced in the above .htaccess file. For example, if you specified ~/testing/.htpasswd as the password file, you would then ssh to a CSAIL login server and run:

   $ htpasswd -c .htpasswd testuser
   New password: 
   Re-type new password: 
   Adding password for user testuser

This says, "Run the htpasswd command, and create the .htpasswd file if it doesn't exist or overwrite it if it does (that's what the -c does; be careful not to overwrite an existing file), and create a user called testuser."

(If you name your password file something other than .htpasswd, then you should store it outside of your web file tree. The server contains special access controls to prevent people from downloading these files, which will not apply if you call the password file something else.)

Note that the server will be accessing the .htaccess and .htpasswd files, which means it needs to have permission to access them. The directory where you put .htpasswd, being a subdirectory of your web directory, will likely inherit the permissions of the web directory, so the web server should already be able to read it. However, if you put .htpasswd in another directory, it may not be readable by the web server unless you use the fs setacl command (e.g., fs sa DIR www read where DIR is the directory containing .htpasswd).

Now you might want to make sure that the file got created and that everything looks good:

   mpearrow@asterix:~/testing$ ls -la
   total 7
   drwxrwxr-x   2 mpearrow mpearrow 2048 Feb  1 20:30 .
   drwxrwxrwx  18 mpearrow      502 4096 Feb  1 20:29 ..
   -rw-rw-r--   1 mpearrow mpearrow   23 Feb  1 20:30 .htpasswd
   mpearrow@asterix:~/testing$ more .htpasswd 
   testuser:Jo/nnqFPwqQqU
   mpearrow@asterix:~/testing$ 

Finally test this all by trying to browse to the web page you're trying to protect. You should get a dialog prompting you for a username and password.

Restricting Access by IP Address

If you want to limit access to a directory and its children based on IP address (e.g., just people on the CSAIL network, or MITnet, etc.), you also use a .htaccess file. For example, the following directives limit the directory and its children to MITnet and the CSAIL network only:

   order deny,allow
   deny from all
   allow from 18.
   allow from 128.30.
   allow from 128.31.
   allow from 128.52.

Restricting access to EITHER Stata Center OR certificates

In the below, replace /PATH/TO/HERE and SERVER.csail.mit.edu with appropriate values.

   RewriteEngine on
   RewriteBase /PATH/TO/HERE

   # Use this line only if a script cares about the identity of the client:
   SSLOptions +OptRenegotiate +StdEnvVars
   # Otherwise, comment out the previous line and uncomment the following line:
   # SSLOptions +OptRenegotiate
   SSLVerifyClient require
   SSLVerifyDepth 3
   SSLRequire %{SSL_CLIENT_S_DN_O} == "MIT Computer Science & Artificial Intelligence Laboratory"

   RewriteCond          %{REMOTE_ADDR} !^128\.(3[01]|52)\.[0-9]+\.[0-9]+$
   RewriteCond          %{REMOTE_ADDR} !^18\.26\.[0-9]+\.[0-9]+$
   RewriteCond          %{HTTPS} !=on
   # If off campus and not on https, redirect to https
   RewriteRule          (.*) https://SERVER.csail.mit.edu/PATH/TO/HERE/$1
   # The other approach is to return 403 Forbidden instead:
   #RewriteRule          .* - [F]

Finding out more about .htaccess magic

See the Apache .htaccess page

Troubleshooting basic authentication

If this doesn't work, you've probably put your .htpasswd file in a directory the Web server is not allowed to read. (Your home directory, for example, is a common place that people have put .htpasswd files in the past which is not readable by the Web server.)

If it still doesn't work, send email to help@csail.mit.edu and we'll help you sort it out.