IT Services

Protecting files

How to prevent access to your www directory from outside the University of Jyväskylä

Step by step

By placing a file named .htaccess with the following lines:

<RequireAll>
    <RequireAny>
        Require host jyu.fi
        Require ip 130.234.10.216
    </RequireAny>
    Require not host it.jyu.fi
</RequireAll>

in the directory you wish to restrict, you deny access to that directory and all of its subdirectories to anyone outside the domain jyu.fi. The directory is additionally accessible from the IP address 130.234.10.216, but not from computers in the domain it.jyu.fi. In other words, access is allowed from, for example, jalava.cc.jyu.fi and maths.jyu.fi, but denied from, for example, cc.uta.fi, Helsinki.fi and hobo.mit.edu.

Three points are worth knowing. Require host matches on the client's DNS name (a name ending in jyu.fi is enough), which the server obtains by a reverse lookup and then confirms with a forward lookup; a client whose address does not resolve to a confirmed name does not match. The <RequireAll>/<RequireAny> wrapping is needed because bare Require lines are treated as "any one of these is enough", and then the Require not line cannot exclude it.jyu.fi once Require host jyu.fi has already matched it. Finally, the rules are deliberately not placed inside a <Limit GET> section: that would restrict only GET (and HEAD) requests and leave every other method, such as POST, unrestricted.

How to protect a directory with a password

NB! This protection applies only to access over the World Wide Web. File-system-level access is already limited to the owner, and users need not worry about it: only the owner can reach the web pages through the interactive use servers (jalava/halava). This is achieved by not giving the usual read and execute permissions for "other" on the user's web server home directory (the parent of the directory html). Instead, "other" has no permissions there, and the web server process is let through the user's home directory by a special ACL; other users are therefore prevented from reaching another user's web files by any route other than the www.

To protect a www directory with a username and password you need two files: a .htaccess file (which defines the type of protection and the files used) and a users file (which stores the user names and the corresponding password hashes; the passwords are hashed, not encrypted, so the file does not contain them in recoverable form).

The .htaccess file and the users file are usually created via the interactive use servers (jalava/halava). The .htaccess file needs to be in Unix text file format, which can be tricky (though not impossible) to achieve on a Windows workstation. More importantly, the command that creates the users file is usually not available on Windows, so in practice this is best done in a Unix terminal.

First connect to an interactive use server (jalava/halava) with an SSH terminal program (such as PuTTY), then use the cd command to move into the directory you wish to protect (e.g. "cd html", your www home directory, or "cd html/something"). Then create the .htaccess file with a Unix text editor (such as pico):

pico .htaccess

Note the dot at the beginning of the file name!

As an example, I have protected the directory ~ttn/html/test with a password (user account ttn and some password). The contents of the .htaccess file in my protected directory are:

AuthUserFile /nashome3/ttn/html/hidden/users
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
Require valid-user

The Require valid-user line is not wrapped in a <Limit GET> section: wrapped that way it would require a login only for GET (and HEAD) requests, and other methods such as POST could reach the directory's contents without a password.

The path /nashome3/ttn/html/hidden/ in .htaccess has to be the exact directory path of the corresponding users file (as the web server sees it). You can find the first part of the path (up to /html/) on the command line (SSH terminal connection) with the command:

echo $HOME

Then simply append "/html/hidden/users" to it to get the required AuthUserFile path, as above.


In the .htaccess example above you only need to edit the path on the first line to match your own home directory path. The remaining lines can be copied as they are. Make sure the file is readable by everyone (the web server reads it under a different user account than yours), if necessary with the command:

chmod ugo+r .htaccess

After creating the .htaccess file in the directory to be protected, you need to create the corresponding users file. For this it is strongly recommended to create a special directory named hidden (as in the example .htaccess above) under the directory html. The directory hidden is a special case: neither it nor its contents are ever served on the web, because the web server configuration restricts it for exactly this purpose, so nobody can fetch your sensitive information from there. Note, though, that the name must be exactly hidden and that everyone (other) still needs read and execute permission on it; the execute permission is what lets the web server process traverse the directory to open the users file. Ensure this with chmod if necessary, as below:

chmod ugo+rx hidden

This read access poses no risk of information leaking either to other users of jalava and halava or to the www.

You can then cd into the directory hidden and create a new users file, for example:

htpasswd -c users ttn

In the above, users is the name of the credentials file to create and ttn is the user name to add; htpasswd asks for the password twice and does not echo it. The file can have any name, but the same name must appear in the .htaccess file as in the example above. Using the name users is simply a convenient convention (and it may need adjusting if you wish to protect several directories with different usernames and passwords).

The option "-c" is needed when creating the users file for the first time or when replacing its entire contents (removing all users and starting afresh). It overwrites the file without asking, so leave it out when adding a further user to an existing file. More information on the htpasswd command is available with "man htpasswd".

The created users file (with just one login entry) looks something like this:

ttn:k4ZVMJ8fK23yY

The second field is a hash of the password, not the password itself. The 13-character form shown is the traditional crypt() format, which uses only the first 8 characters of the password; current versions of htpasswd default to a stronger MD5-based format and offer bcrypt with the option "-B", which is the one to prefer.

The users file also needs to be readable by everyone ("chmod ugo+r users" if necessary). This is safe here only because the directory hidden is never served and other users cannot reach your home directory; never place a users file anywhere the web server will serve it.

NB! The path to the files in the web server (as the web server sees it) is the same as your home directory path on halava/jalava, i.e. the output of the command:

echo $HOME

There is no /wwwhome (or /autowww) at the beginning of the path in the actual web server, even though the pwd command on the interactive use servers may show one. That prefix is only a special arrangement on the interactive use Unix servers (jalava/halava) for displaying the user's web server contents there: two directories cannot have exactly the same name, so the web home is shown with a slightly modified beginning of the path. The web server knows nothing of it, so always use the $HOME form in AuthUserFile.
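As an added example (not part of the original instructions), the following POSIX shell script carries out the password-protection steps above in one go and audits an existing users file for weak hashes. It assumes the same layout as the page, with html under the home directory and the never-served directory hidden under html; the function names are this example's own. The users file itself is still created by htpasswd, here with "-B" for bcrypt.

```shell
#!/bin/sh
# Added example, not part of the original instructions. Automates the
# password-protection steps above for the layout the page describes:
# $HOME/html is the www home directory and $HOME/html/hidden is the
# never-served directory that holds the users file. Function names are
# this example's own.
set -eu

# Print the .htaccess for a directory protected by Basic auth. Same
# directives as the page's example, but without a <Limit GET> wrapper,
# so every request method needs a valid login.
make_htaccess() {
  users_file=$1
  printf '%s\n' \
    "AuthUserFile $users_file" \
    "AuthGroupFile /dev/null" \
    "AuthName ByPassword" \
    "AuthType Basic" \
    "Require valid-user"
}

# Classify the hash in one users-file line of the form user:hash.
# A bare 13-character hash is traditional crypt(), which uses only the
# first 8 characters of the password; $apr1$ is Apache's MD5 format and
# $2y$ is bcrypt (htpasswd -B), the format to prefer today.
hash_kind() {
  case $1 in
    *:'$2y$'*)   echo bcrypt ;;
    *:'$apr1$'*) echo md5 ;;
    *:'{SHA}'*)  echo sha1 ;;
    *)           echo crypt ;;
  esac
}

# Warn (on stderr) about every crypt() entry in an existing users file
# and print the number of such entries on stdout.
audit_users() {
  users_file=$1
  weak=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    if [ "$(hash_kind "$line")" = crypt ]; then
      weak=$((weak + 1))
      echo "weak crypt() entry for ${line%%:*}: re-add it with htpasswd -B" >&2
    fi
  done < "$users_file"
  echo "$weak"
}

# Create the directory hidden under the www home, write .htaccess into
# the directory to protect and set the permissions the web server needs.
# $1 is the directory to protect, $2 the www home (normally $HOME/html).
install_protection() {
  protect_dir=$1
  www_home=$2
  hidden_dir=$www_home/hidden
  mkdir -p "$hidden_dir"
  chmod ugo+rx "$hidden_dir"   # x lets the web server traverse it
  make_htaccess "$hidden_dir/users" > "$protect_dir/.htaccess"
  chmod ugo+r "$protect_dir/.htaccess"
}

# Add one user to the users file, prompting for the password. -c is
# passed only when the file does not exist yet, because -c overwrites
# the whole file without asking; -B selects bcrypt.
add_user() {
  users_file=$1
  user=$2
  if [ -f "$users_file" ]; then
    htpasswd -B "$users_file" "$user"
  else
    htpasswd -c -B "$users_file" "$user"
  fi
  chmod ugo+r "$users_file"
}
```

On jalava/halava you would source the script and run, for example, install_protection "$HOME/html/test" "$HOME/html" followed by add_user "$HOME/html/hidden/users" ttn. audit_users prints one warning per crypt() entry and then the count of such entries, so an output of 0 means every entry already uses a modern hash.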