Thursday, November 17, 2016

Restricted Web Access with HTaccess

1. What is Restricted Access and HTaccess?
1. Username/password level access authorization. This method requires a user to enter a valid username and password to access a certain web page.

2. Rejection or acceptance of connections based on Internet address, hostname or domain name of the Web client.

3. A combination of both above.

Access is having restrictions on who is able to access a certain directory in a site. One of the ways of doing it is using HTaccess. HTaccess uses two ways to restrict access:

* Note: Neither of these ways is foolproof.

2. Single User Access
1. Create a file called .htaccess (the dot is required), in the directory Personal, with the following format:

AuthUserFile fullpathname/.htpasswd AuthGroupFile /dev/null AuthName "AnyNameYouWant" AuthType Basic <Limit GET POST> require user mysecret </Limit>

AuthUserFile-- Replace fullpathname with the full path name of the directory in which the password file (which will be created after this) resides. To find out the full path name of a certain directory, type pwd at the prompt.
AuthGroup File--For a single user access, a .htgroup file does not exist. So, we specify /dev/null which is the standard UNIX way to say this file does not exist.
AuthName-- This can be anything. It will be displayed on the browser when the password is prompted. If nothing is entered, it will default as ByPassword. The name(s) must be between double quotes.
AuthType-- This should be set to Basic, since we are using Basic HTTP Authentication. This means that the password is passed over the network not encrypted but not as plain text either.
In the LIMIT directive, only the method GET is restricted in this example. Other methods (especially in CGI directories) can also be limited by specified by putting a space between each of them. For example:
<Limit GET POST PUT> require user mysecret </Limit>
2. After creating the .htaccess file, create a .htpasswd file by typing this command below in the restricted directory or in this case in the Personal directory.

htpasswd -c .htpasswd mysecret

3. After typing this command there should be instructions that require you to type in the password for the user twice. In this example, we will type in dontell twice. If you open up the file, it should look something like this:

mysecret:vlCg6/UxAqH9M

4. Now change the permissions of the files that you just created so that the world can read it (necessary to have it working) by typing the following commands:

chmod 744 .htaccess
chmod 744 .htpasswd

Suppose you want to restrict access in a directory named Personal to a single user with a username mysecret and password dontell. Below are the instructions on how to do it.

Example .htaccess
AuthUserFile /web/decs/web/single/.htpasswd
AuthGroupFile /dev/null
AuthName Single_User
AuthType Basic

<Limit GET>
require user mysecret
</Limit>

Example .htpasswd
mysecret:EQbTKu5OI7p5I

3. Multiple Users Access
1. Add additional users to the .htpasswd file.

Use the htpasswd command again but this time without the -c flag. For example you want to add tom, dick and harry to the list of people accessing that directory. Just type the following command at the prompt:
htpasswd fullpathname/.htpasswd tom
htpasswd fullpathname/.htpasswd dick
htpasswd fullpathname/.htpasswd harry

fullpathname is just the full path name of the directory in which the .htpasswd file is in. If you are already in that directory, fullpathname is not required.

*You can have different passwords for each member of the group or just one password for all the members.
2. Create a group file called .htgroup (remember the dot).

The .htgroup should look something like this:
my-users : tom dick harry

Where tom, dick and harry are the people to whom you want to give access. You can replace my-users with any name you like for a group.

3. Then, modify your .htaccess file.

Below is an example of a .htaccess file for a group.
AuthUserFile fullpathname/.htpasswd AuthGroupFile fullpathname/.htgroup AuthName AnyNameYouWant AuthType Basic <Limit GET> require group my-user
</Limit GET>

AuthGroupFile--This should be the full path name of your .htgroup file

Change user mysecret to group my-user (any the name of your group) so that only people in that specific group can gain access.

4. Don't forget to change the permissions to 744.

The way to have multiple username/password pairs is the same as having a single username/password pair, but just with a few additional steps.
Do the following extra steps:

Example .htgroup
mybuddy: tom dick harry

Example .htaccess
AuthUserFile /web/decs/web/multiple/.htpasswd
AuthGroupFile /web/decs/web/multiple/.htgroup
AuthName Multiple_User
AuthType Basic

<Limit GET>
require group mybuddy
</Limit>

4. Domain Name Access
Besides providing access to only single or multiple users, you can also give access to clients from a certain domain for example, egr.msu.edu. This is an example of how the .htaccess should look like:

AuthUserFile /dev/null AuthGroupFile /dev/null AuthName
AllowFromEgrMsuOnly AuthType Basic <Limit GET> order deny, allow deny from all allow from 35.9 </Limit>

Example .htaccess
AuthUserFile /web/decs/web/single/.htpasswd
AuthGroupFile /dev/null
AuthName Single_User
AuthType Basic

<Limit GET>
require user mysecret
</Limit>

5. Domain Name Access - Exclusion
You may just want to exclude clients from just one domain. Then, the .htaccess file would look like this:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName
DenyFromEgrMsuOnly AuthType Basic <Limit GET> order allow, deny allow from all deny from 35.9 </Limit>

Example .htaccess
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName DenyFromEgrMsuOnly
AuthType Basic

<Limit GET>
order allow,deny
allow from all
deny from 35.9
</Limit>

6. Combinational Access
To get a combination of the three kinds of access methods, the .htaccess should look something like this:

AuthUserFile fullpathname/.htpasswd AuthGroupFile
fullpathname/.htgroup AuthName AnyAccess AuthType Basic order deny, allow deny from all allow from egr.msu.edu require group mybuddy satisfy any

Use 'satisfy all' to restrict access by domain/addresses AND passwords.

No comments:

Post a Comment