June 30, 2016
Document: Web serving - access control | Last modified: December 28, 2005
Controlling Access To Web Pages
for Apache web server
SP Jan 2005

A web server may host hundreds of files making up one or many web sites and their sub-sites, and often access to some of those pages needs to be restricted. This brief describes the methods available for such access control on the Apache web server.

Why control access

Among others,

1. A certain section of the website may hold confidential information.
2. A certain section of the website may be user-editable. Pages that make up 'content management system' websites (including wikis) can often be edited remotely by users with nothing but a browser. One wants to restrict such editing to the right people, to avoid site defacement for example.
3. Robots and web crawlers (a search engine's indexer, for example) follow every link they find on a site. If the site generates links to actions with side effects, say a PHP script that deletes a database record when a certain parameter is passed in the URL, a crawler that follows such a link will perform the deletion. Such operations should require authentication, and should not be triggered by a plain GET request in the first place.

Indirectly controlling access

The web page files may be placed in a sub-directory that no other page links to, so that only the administrator and those he tells know the address. This is security by obscurity, not access control: the address leaks through Referer headers, browser history, shared links and server logs, and if directory indexing is enabled (Options Indexes) the folder lists itself. Anyone who obtains the URL gets the page.

Another way, similar to the above, allows links to the restricted pages but hides them from some users. For example, users inside a certain network may be considered authorized to view a certain web page. The link to that page, say abc.htm, is generated by PHP (or similar) so that the server first checks whether the client address is inside the network and only then emits the link. PHP code for this can be

<?php
// Use only the TCP peer address. HTTP_X_FORWARDED_FOR is supplied by the
// client (or a proxy) and can be forged, so it must not decide authorisation
// unless it was set by a reverse proxy you control.
$ip = $_SERVER['REMOTE_ADDR'];
$lh = gethostbyaddr($ip);   // reverse DNS name, or the address itself on failure
// Example addresses and host names treated as 'inside the network'.
$host = array("129.18.30.118", "129.78.47.26", "127.0.0.1", "127.98.59.186");
if (in_array($ip, $host, true) || in_array($lh, $host, true)) {
    echo '<a href="abc.htm">Restricted</a>';
}
?>

Above, the file abc.htm is served when the user clicks the 'Restricted' link, and the link is only emitted for clients at the listed addresses. This is still not access control: a user who is not authorised but learns the address (from a shared link, browser history, a Referer header, or by guessing) can simply type abc.htm into the browser's address bar and the server will serve it, because nothing protects the file itself. Two further cautions apply to such checks: the X-Forwarded-For header is whatever the client chose to send, so a script that believes it can be told any address; and the reverse DNS name returned by gethostbyaddr() is controlled by whoever owns the PTR record for the connecting address, so matching on host names is weaker than matching on addresses.
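The difference between trusting X-Forwarded-For and trusting the peer address, as an added Python example (it is not from the original page and is not the page's PHP): it models the request as a CGI/WSGI-style environment dict, reuses two addresses from the page's list as the 'inside' set, and assumes a hypothetical reverse proxy at 10.0.0.5. The three constructed requests are a direct client forging the header, a legitimate request through the proxy, and a client that tries to prepend a fake entry to the header the proxy appends to.

```python
import ipaddress

# Example "inside the network" addresses, reused from the page's PHP snippet.
ALLOWED = {"129.18.30.118", "127.0.0.1"}
# Hypothetical address of a reverse proxy this server is deployed behind.
# Any other peer is talking to Apache directly, so its X-Forwarded-For is noise.
TRUSTED_PROXIES = {"10.0.0.5"}


def _valid_ip(text):
    """Return the normalised address, or None if the string is not an IP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def client_ip_naive(env):
    """What the page's PHP did: believe X-Forwarded-For whenever it is present.
    The header is written by whoever sent the request, so a direct client can forge it."""
    return env.get("HTTP_X_FORWARDED_FOR") or env["REMOTE_ADDR"]


def client_ip_hardened(env, trusted_proxies=TRUSTED_PROXIES):
    """Trust the TCP peer address (REMOTE_ADDR). Only when that peer is a proxy
    we operate do we read X-Forwarded-For, and then we walk it right-to-left,
    past any further proxies we own, to the first hop we did not add ourselves.
    Anything the client prepended further left is ignored."""
    peer = env["REMOTE_ADDR"]
    if peer not in trusted_proxies:
        return peer
    hops = env.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        addr = _valid_ip(hop)
        if addr is None:
            return peer          # malformed header: fall back to the peer, never grant
        if addr not in trusted_proxies:
            return addr
    return peer


def show_restricted_link(env, resolver):
    """Decide whether to emit the 'Restricted' link, as the PHP snippet does."""
    return resolver(env) in ALLOWED


# Constructed requests (CGI/WSGI-style environment dicts).
direct_spoof = {"REMOTE_ADDR": "203.0.113.9",
                "HTTP_X_FORWARDED_FOR": "129.18.30.118"}
via_proxy_ok = {"REMOTE_ADDR": "10.0.0.5",
                "HTTP_X_FORWARDED_FOR": "129.18.30.118"}
via_proxy_spoof = {"REMOTE_ADDR": "10.0.0.5",
                   "HTTP_X_FORWARDED_FOR": "129.18.30.118, 203.0.113.9"}

if __name__ == "__main__":
    for name, env in [("direct_spoof", direct_spoof), ("via_proxy_ok", via_proxy_ok),
                      ("via_proxy_spoof", via_proxy_spoof)]:
        print(name, "naive:", show_restricted_link(env, client_ip_naive),
              "hardened:", show_restricted_link(env, client_ip_hardened))
```

The naive resolver shows the link to the forged direct request; the hardened one only consults the header when the connection really comes from the proxy, and then takes the hop the proxy recorded rather than whatever the client put in front of it.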

Directly controlling access

Certain websites keep a user database (in MySQL, etc.). A user logs in and is only then shown the pages he may access; the application checks the session on every request. This obviously requires such a user database and application code to go with it.

Another way is to create a .htaccess file. This plain text file is read by Apache itself and dictates whether a file may be served, and to whom, before any page code runs. More below.

Using .htaccess files

.htaccess files may sit at the DocumentRoot or in any sub-directory. Their directives are inherited by sub-directories and overridden where a sub-directory has its own .htaccess file. They serve various purposes, including authentication and authorization, and in effect let one use different settings than those in httpd.conf for different web site folders. The cost is that Apache must look for and parse a .htaccess file in every directory on the path for each request, which slows down a heavily loaded server (not a concern for a lab web site, for example). If you have access to httpd.conf, it is better to put folder-specific settings there in a <Directory> section and leave AllowOverride None. See the Apache documentation at www.apache.org for more.

For .htaccess files to work, AllowOverride in httpd.conf (for the directory concerned) must not be None: the Order/Allow/Deny directives below need AllowOverride Limit, and the Auth*, Require and Satisfy directives need AllowOverride AuthConfig (AllowOverride All covers both). Also, AccessFileName must be .htaccess, which is the default.

This text in a .htaccess file in a folder will prevent the serving of any file in that folder (and any file in any subfolder, unless overridden by a .htaccess file in the subfolder) to anyone except a client at the shown IP address. AuthName and AuthType are not needed for this; they only matter together with a Require directive, which asks for a login -

Order deny,allow
Deny from all
Allow from 129.78.70.2

With Order deny,allow access is allowed by default, Deny from all then refuses everyone, and Allow, evaluated last, wins for the one address. This is Apache 1.3/2.0/2.2 syntax; Apache 2.4 accepts it only through mod_access_compat and writes the same rule as Require ip 129.78.70.2.

This text in a .htaccess file in a folder will refuse the file abc.htm, and only that file, to a client at the shown IP address, while every other client and every other file is served as usual. Note the Order: with Order deny,allow the Allow from all would be evaluated last and would let the denied address through, so the blocking rule must use allow,deny -

<Files abc.htm>
Order allow,deny
Allow from all
Deny from 129.78.70.2
</Files>

This text in a .htaccess file in a folder will ask for a username and password before any web page from that folder is served -

AuthType Basic
AuthName "anything"
AuthUserFile /Library/Webserver/.htpasswd
Require valid-user

With Basic authentication the browser sends the username and password base64-encoded, not encrypted, with every request. Over plain HTTP anyone on the network path can read them, so use it over HTTPS only.

AuthName can literally be anything; the browser shows it in the login prompt, and a value containing spaces must be quoted. For the above to work there must be a file at /Library/Webserver/.htpasswd holding usernames and password hashes. Such files are conventionally named .htpasswd. On Mac OS X the file is created in the Terminal application with the htpasswd command (dan is the new user being added). Note that the file is outside the DocumentRoot, so it can never be fetched over the web, and it should be readable by the user Apache runs as and by nobody else. Apache's default configuration also refuses to serve files whose names begin with .ht, but do not rely on that alone -

htpasswd -c /Library/Webserver/.htpasswd dan

The command prompts for the password (twice) and stores a hash of it, not the password itself. Omit -c when the file already exists: -c creates a new file and overwrites any existing one without asking, losing every user in it. There can be several password files. For example, this adds user leo to an existing password file named pwd at the same location -

htpasswd /Library/Webserver/pwd leo

Naming the file .pwd would merely hide it from a plain directory listing; it gives no protection against tampering. What protects the file is its location outside the DocumentRoot and its file permissions.
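How Basic authentication and the .htpasswd file fit together, as an added Python example (not from the original page and not Apache's code): it builds and decodes the Authorization header a browser sends, parses a constructed .htpasswd whose entries use the {SHA} format that htpasswd -s writes, and verifies a password against it with a constant-time comparison. The password file contents are constructed for this example; only the {SHA} format is handled, and other htpasswd hash formats are deliberately rejected rather than guessed at.

```python
import base64
import binascii
import hashlib
import hmac


def sha_entry(password):
    """Hash in the '{SHA}' format written by `htpasswd -s`:
    the literal {SHA} followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text):
    """One 'user:hash' per line; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(stored, password):
    """Verify a password against a stored hash. Only {SHA} is implemented here;
    other htpasswd formats (crypt, $apr1$, bcrypt) are rejected, not guessed."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(sha_entry(password), stored)


def basic_header(user, password):
    """Build the Authorization header a browser sends: base64('user:password').
    There is no encryption here, only encoding."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")   # usernames cannot contain ':', passwords may
    return user, password


def authenticate(header, htpasswd_text):
    """Return the username if the header authenticates against the file, else None."""
    creds = decode_basic(header)
    if creds is None:
        return None
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None:
        return None
    return user if check_password(stored, password) else None


# Constructed password file. The first line is what `htpasswd -s` writes for
# user dan with password "password"; the second is generated by sha_entry().
HTPASSWD = ("dan:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
            "leo:" + sha_entry("s3cret:with:colons") + "\n")

if __name__ == "__main__":
    hdr = basic_header("leo", "s3cret:with:colons")
    print(hdr, "->", decode_basic(hdr))   # readable by anyone who sees the request
    print("leo authenticates as:", authenticate(hdr, HTPASSWD))
```

Decoding the header back to the clear-text credentials is the whole point of the HTTPS caveat above: the server never sees more than the client sent, and so does anyone between them.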

Finally, this example shows how to allow clients from certain IP addresses automatically while asking everyone else for a username and password -

AuthType Basic
AuthName "intranet"
AuthUserFile /Library/Webserver/.htpasswd
Require valid-user
Order allow,deny
Allow from 129.78.70.2
Satisfy any

Order allow,deny denies every client not named in an Allow directive; Satisfy any then grants access if either the host rule or the password check passes. The default, Satisfy all, would demand both, so outsiders with a valid password would still be refused.

This applies to every file in the folder the .htaccess is placed in (and in any subfolder, unless the subfolder has a .htaccess file with different directives). To apply it to named files only, including files of those names in subfolders, wrap it in a <Files> section. <Files> takes a single file name (shell wildcards such as *.htm are allowed, a comma-separated list is not) - say a.htm:

<Files a.htm>
AuthType Basic
AuthName "intranet"
AuthUserFile /Library/Webserver/.htpasswd
Require valid-user
Order allow,deny
Allow from 129.78.70.2
Satisfy any
</Files>

Several files with unrelated names, say a.htm, b.htm and c.gif, are handled with the FilesMatch directive, which identifies the files by a regular expression. Anchor the pattern and escape the dots; an unanchored "a.htm" would also match names such as xa.htm or a-htm -

<FilesMatch "^(a\.htm|b\.htm|c\.gif)$">
AuthType Basic
AuthName "intranet"
AuthUserFile /Library/Webserver/.htpasswd
Require valid-user
Order allow,deny
Allow from 129.78.70.2
Satisfy any
</FilesMatch>

And, below shows a way to restrict files with .gif, .jpg, .jpeg and .png extensions. The match is case-sensitive, so a file named Photo.JPG would not be covered; use "(?i)\.(gif|jpe?g|png)$" to ignore case.

<FilesMatch "\.(gif|jpe?g|png)$">
AuthType Basic
AuthName "intranet"
AuthUserFile /Library/Webserver/.htpasswd
Require valid-user
Order allow,deny
Allow from 129.78.70.2
Satisfy any
</FilesMatch>
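The Order/Allow/Deny and Satisfy logic that the .htaccess examples above rely on, modelled in Python as an added example (not from the original page and not Apache's code; host-name arguments are not modelled, only 'all', full addresses, dotted prefixes and CIDR). It replays the page's rules, including the easy-to-get-wrong case of blocking a single address, where Order deny,allow together with Allow from all lets the denied address through.

```python
import ipaddress


def host_matches(addr, spec):
    """One 'Allow from' / 'Deny from' argument against a client address:
    'all', a full address, a partial dotted prefix ('129.78' = 129.78.0.0/16),
    or CIDR notation. Host names are not modelled."""
    if spec == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return addr == spec or addr.startswith(spec.rstrip(".") + ".")


def host_access(addr, order, allow=(), deny=()):
    """Order/Allow/Deny as evaluated by mod_authz_host in Apache 2.2 (mod_access_compat in 2.4).
    deny,allow: default allow; Deny is evaluated first, then Allow, and the later one wins,
                so a client is allowed unless it matches a Deny and no Allow.
    allow,deny: default deny; Allow first, then Deny, later wins,
                so a client is allowed only if it matches an Allow and no Deny."""
    allowed = any(host_matches(addr, s) for s in allow)
    denied = any(host_matches(addr, s) for s in deny)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def access_granted(addr, order, allow=(), deny=(), require_user=False,
                   user_authenticated=False, satisfy="all"):
    """Combine the host rule with 'Require valid-user' the way Satisfy does:
    Satisfy all (the default) needs both to pass, Satisfy any needs either."""
    host_ok = host_access(addr, order, allow, deny)
    if not require_user:
        return host_ok
    if satisfy == "any":
        return host_ok or user_authenticated
    return host_ok and user_authenticated


# The page's .htaccess fragments expressed as keyword arguments.
DENY_ALL_ALLOW_ONE = dict(order="deny,allow", deny=["all"], allow=["129.78.70.2"])
# Blocking one address: the deny,allow version lets the address through because
# 'Allow from all' is evaluated last; the allow,deny version actually blocks it.
BLOCK_ONE_IP_WRONG = dict(order="deny,allow", deny=["129.78.70.2"], allow=["all"])
BLOCK_ONE_IP = dict(order="allow,deny", allow=["all"], deny=["129.78.70.2"])
INTRANET_OR_PASSWORD = dict(order="allow,deny", allow=["129.78.70.2"],
                            require_user=True, satisfy="any")

if __name__ == "__main__":
    for ip in ("129.78.70.2", "203.0.113.5"):
        print(ip,
              "deny-all/allow-one:", access_granted(ip, **DENY_ALL_ALLOW_ONE),
              "block-one (wrong):", access_granted(ip, **BLOCK_ONE_IP_WRONG),
              "block-one:", access_granted(ip, **BLOCK_ONE_IP),
              "intranet-or-pw, no login:", access_granted(ip, **INTRANET_OR_PASSWORD),
              "intranet-or-pw, logged in:",
              access_granted(ip, user_authenticated=True, **INTRANET_OR_PASSWORD))
```

Reading the two Order variants as "which directive is evaluated last wins, and the default applies when nothing matches" is the quickest way to check any such rule before deploying it.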

Note that Files and FilesMatch only see files the browser requests over HTTP. A file the server pulls in itself, such as a PHP include, is read from disk without an HTTP request and so bypasses these directives: protecting an include file with <Files> does not stop PHP from including it, and conversely an include file left under the DocumentRoot can still be fetched directly by a browser unless such a rule covers it.

Learn more at http://www.frognet.net/help/archives/advancedhtaccess.php