Password lock a web page

From CVL Wiki

(Difference between revisions)
(Option 1: htpasswd)
 
(4 intermediate revisions by one user not shown)
Line 1: Line 1:
There are several different way to protect a web page.  With all of these, you create a HyperText Access file ('''.htaccess''') in the directory that you want to password protect. This file will password protect all of the files (web pages) in that directory and all files (web pages) in any subdirectories.
+
To add password protection to your website hosted on the ECE webserver, you can create a HyperText Access file ('''.htaccess''') in the directory that you want to password protect. This file will password protect all of the files (web pages) in that directory and all files in any subdirectories.
  (Note that the name of this file starts with a period.)
+
*'''Please note that the file must start with a period "."'''
  
There is three ways that people usually might like to password protect a web page:
+
More information about .htaccess files here: https://httpd.apache.org/docs/2.4/howto/htaccess.html
  
* Creating a Username and Password that is not tied to any other authentication mechnism.
+
There are two methods of password authentication that can be employed to protect your webpage.  
* Using the campus PID/Password.
+
* Using CVL accounts for login.
+
  
=VT PID Login=
+
==Option 1: htpasswd==
 +
This is a flat file that sits in your home directory and contains a list of usernames and password hashes. You can use the [https://httpd.apache.org/docs/2.2/programs/htpasswd.html htpasswd] command to add users to the file. This option has the benefit of not being tied to any particular user account (local or ldap). You can even create a single user/pass and share it with anyone.
 +
*We strongly recommend NOT putting the htpasswd file under the public_html folder, but instead in your home directory root. This prevents accidental access to the file via the website
 +
 
 +
Here is the format of the .htaccess file for this option
  
 
  AuthType Basic
 
  AuthType Basic
  AuthName "Virginia Tech ED-Auth (PID/pass)"
+
  AuthName "Password Required"
  AuthLDAPURL  ldaps://authn.directory.vt.edu:636/ou=People,dc=vt,dc=edu?uupid
+
  AuthUserFile /home/<ECEUSER>/password.file
  require user valid-user
+
  require valid-user
  
This will change shortly when we transition to a new server
+
==Option 2: VT PID==
 +
This option uses Virginia Tech's PID and password authentication. You can allow all valid PID's, or provide a list of specific usernames.
 +
 
 +
Here is the format of the .htaccess file for this option (all valid PID's)
  
 
  AuthType Basic
 
  AuthType Basic
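Review bot: the htpasswd link in the new Option 1 paragraph points at the Apache 2.2 documentation (httpd.apache.org/docs/2.2/programs/htpasswd.html), while the .htaccess link added a few lines earlier points at 2.4; link both to the version the ECE webserver actually runs. The same paragraph says a single user/pass can be shared with anyone; consider adding that a shared login cannot be withdrawn from one person without changing it for everyone. Moving AuthUserFile to /home/<ECEUSER>/password.file and replacing "require user valid-user" with "require valid-user" both look right.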
Line 24: Line 29:
 
  require valid-user
 
  require valid-user
  
=Creating a Username and Password=
+
To allow only specific users, change the '''require valid-user''' line to a space delimited list
 +
require user pid1 pid2 pid3
  
Using this method you can make up any username password pairs you want, they do not need to be tied to computer accounts or the campus PID system.  Why might you want
+
==Option 3: ECE Accounts==
to use this?  You might want to have one password for all people who want to access this web page.
+
*'''This option is untested!'''
  
'''.htaccess'''
+
This follows the same basic structure for Option 2, but uses the ECE ldap instead of the VT ldap
  
AuthName "buzz off"
 
 
  AuthType Basic
 
  AuthType Basic
  AuthUserFile /home/jkh/public_html/secure/.htpasswd
+
  AuthBasicProvider ldap
 +
AuthzLDAPAuthoritative Off
 +
AuthName "ECE Account Credentials"
 +
AuthLDAPURL ldap://auth.ece.vt.edu:/ou=people,dc=ece,dc=vt,dc=edu?uid
 
  require valid-user
 
  require valid-user
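Review bot: in the new Option 3 block, "AuthLDAPURL ldap://auth.ece.vt.edu:/ou=people,dc=ece,dc=vt,dc=edu?uid" uses plain ldap:// and leaves the port empty after the colon, whereas Option 2 uses ldaps:// on port 636. Unless TLS is forced elsewhere in the server configuration, the password a visitor types would travel to the ECE LDAP server unencrypted. Suggest ldaps:// with an explicit port (or at least removing the stray colon) and testing the block before the "untested" note is dropped. Also, AuthzLDAPAuthoritative was removed in Apache 2.4, the version the linked .htaccess documentation covers, so confirm the server version before keeping that line.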

Latest revision as of 08:22, 19 September 2014

To add password protection to your website hosted on the ECE webserver, you can create a HyperText Access file (.htaccess) in the directory that you want to password protect. This file will password protect all of the files (web pages) in that directory and all files in any subdirectories.

  • Please note that the file must start with a period "."

More information about .htaccess files is available here: https://httpd.apache.org/docs/2.4/howto/htaccess.html

There are two methods of password authentication that can be employed to protect your webpage.

Option 1: htpasswd

This is a flat file that sits in your home directory and contains a list of usernames and password hashes. You can use the htpasswd command to add users to the file. This option has the benefit of not being tied to any particular user account (local or LDAP). You can even create a single username and password and share it with anyone.

  • We strongly recommend NOT putting the htpasswd file under the public_html folder, but instead in the root of your home directory. This prevents accidental access to the file via the website.

Here is the format of the .htaccess file for this option:

AuthType Basic
AuthName "Password Required"
AuthUserFile /home/<ECEUSER>/password.file
require valid-user

Option 2: VT PID

This option uses Virginia Tech's PID and password authentication. You can allow all valid PIDs, or provide a list of specific usernames.

Here is the format of the .htaccess file for this option (all valid PIDs):

AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "Virginia Tech ED-Auth (PID/pass)"
AuthLDAPURL ldaps://authn.directory.vt.edu:636/ou=People,dc=vt,dc=edu?uupid
require valid-user

To allow only specific users, change the require valid-user line to a space-delimited list of PIDs:

require user pid1 pid2 pid3

Option 3: ECE Accounts

  • This option is untested!

This follows the same basic structure as Option 2, but uses the ECE LDAP instead of the VT LDAP:

AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "ECE Account Credentials"
AuthLDAPURL ldap://auth.ece.vt.edu:/ou=people,dc=ece,dc=vt,dc=edu?uid
require valid-user
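
The following checker is an added example, not part of the wiki page. It audits an .htaccess file against the points above: the password file kept out of public_html, a working require line, and an encrypted LDAP URL. The function name audit_htaccess and the RISKY sample are constructed for illustration; the check accepts mod_authnz_ldap's optional SSL/TLS/STARTTLS mode argument as an alternative to ldaps://.

```python
from pathlib import PurePosixPath
# Option 1 as given on this page; <ECEUSER> is the page's own placeholder.
OPTION_1 = """AuthType Basic
AuthName "Password Required"
AuthUserFile /home/<ECEUSER>/password.file
require valid-user
"""
# Constructed sample combining two mistakes this page's guidance addresses.
RISKY = """AuthType Basic
AuthUserFile /home/<ECEUSER>/public_html/secure/.htpasswd
require user valid-user
"""
# Option 3 as given on this page (plain ldap:// URL).
OPTION_3 = """AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthName "ECE Account Credentials"
AuthLDAPURL ldap://auth.ece.vt.edu:/ou=people,dc=ece,dc=vt,dc=edu?uid
require valid-user
"""

def audit_htaccess(text, web_root="public_html"):
    """Return findings for the auth directives of one .htaccess file."""
    seen = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if fields and not fields[0].startswith("#"):
            seen.setdefault(fields[0].lower(), []).append(fields[1] if len(fields) > 1 else "")
    findings = []
    if "authtype" in seen and "require" not in seen:
        findings.append("AuthType is set but no Require line enforces a login")
    for req in seen.get("require", []):
        words = req.lower().split()
        # 'user' expects account names, so valid-user there is read as a name.
        if words[:1] == ["user"] and "valid-user" in words[1:]:
            findings.append("use 'require valid-user', not 'require user valid-user'")
    for path in seen.get("authuserfile", []):
        if web_root in PurePosixPath(path.strip('"')).parts:
            findings.append(f"password file {path} is inside {web_root}")
    for value in seen.get("authldapurl", []):
        url, *mode = value.split() or [""]
        tls = mode and mode[0].upper() in {"SSL", "TLS", "STARTTLS"}
        if not (url.strip('"').lower().startswith("ldaps://") or tls):
            findings.append(f"LDAP URL {url} is not encrypted (no ldaps:// or TLS mode)")
    return findings

if __name__ == "__main__":
    for cfg in (OPTION_1, RISKY, OPTION_3):
        print(audit_htaccess(cfg) or "ok")
```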