skip to content
 

The apache overrides that are typically enabled:

AllowOverride Options Indexes AuthConfig Limit

If you want to know exactly what this means then feel free to read the Apache documentation, OR you can continue to read the documentation on this page.

1) Controlling access to specific directories by userID and userName

The .htaccess file I have used for this example is like this:

 AuthType Basic
 AuthName "Password Required"
 AuthUserFile /var/www/www-arwen/password/password.file
 Require valid-user 

Note: This password file could be browsed from the web except that a .htaccess file is in /var/www/www-arwen/password/ with the following entry:

deny from all

to deny all web access.

The password file content is below (please note the password file is not in the www directory tree as you don't want the web server serving up your password file):

bob:mFOXu4tavzogU

You can generate the password part of this file (after the %userID%: bit) using this bit of perl (from the UNIX command line):

perl -e 'print(crypt("bob","mF")."\n");'

by replacing bob with your %userID%, and you can replace the mF with two different text characters if you wish such as xX.

The userID is "bob" and the password is "bob".

Note that these userids and passwords are sent in clear text across HTTP. So plaese DO NOT use a userID and password that you would use for your normal UNIX/Windows user accounts.

NB This solution is best where you're dealing with users who don't have CRSIDs - the Raven method does not require users to remember yet anther password.

2) Indexing, or not, of your directories

If you allow indexing of a www served directory then it means that if one of the default first pages (typically index.html or welcome.html) is not available, when someone browses to your directory, then a list of all the files in that directory will be served to the web browser.

Example indexing of a directory using this .htaccess file:

 Options +Indexes

No indexing of this directory using this .htaccess file:

 Options -Indexes

and just to prove it you can access a wee html file in the no_index directory:
a file in the non-indexable directory

3) Limiting access to your directories

You can limit from which domains web browsers can see one of your www directories by using settings like these in a .htaccess file (to limit access to just that from .cam.ac.uk):


 order deny,allow
 deny from all
 allow from 131.111 172.26 .cam.ac.uk

Example of limiting access to a directory

To really test it you need to try and access it from outside the cam.ac.uk domain, which can simply be done by trying to get the W3c validation service to check the page: W3 HTML Validator

4) Limiting access to your directories using the Raven Authentication Service

Examples of using Raven to limit access directories (and all sub-directories unless another .htaccess file is used):

All users of Raven (whole of Cambridge University) can access this directory


 order deny,allow
 deny from all
 AuthType Ucam-WebAuth
 Require valid-user
 Satisfy any

All members of the Chemistry Department can access this directory with a Raven account


 order deny,allow
 deny from all
 AuthType Ucam-WebAuth
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
 Require valid-user
 Satisfy any

The list of people in Chemistry is determined by membership of the Chemistry Lookup group.

All users of Raven (whole of Cambridge University) OR anyone using a computer in cam.ac.uk can access this directory


 order deny,allow
 deny from all
 allow from 131.111. 172. .cam.ac.uk
 AuthType Ucam-WebAuth
 Require valid-user
 Satisfy any

A group of users (defined by Lookup) can access this directory


 order deny,allow
 deny from all
 AuthType Ucam-WebAuth
 Require LookupUserInGroup 101105 # Replace this with the correct group identifier.
 Satisfy any

A group of users (defined by the Chemistry Active Directory but using Raven passwords) can access this directory

 order deny,allow
 deny from all
 AuthType Ucam-WebAuth
 AuthzUnixgroup on
 Require group AbellUsers BalasubramanianUsers JacksonUsers KalbererUsers Klenermanusers NitschkeUsers WheatleyUsers GreyUsers wjonesusers day-users reisnerusers SurfaceScienceUsers
 Satisfy any

A group of users (defined in a file) can access this directory OR a user of a computer in cam.ac.uk


 order deny,allow
 deny from all
 allow from 131.111. 172. .cam.ac.uk
 AuthType Ucam-WebAuth
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
 Require valid-user
 Satisfy any

A group of users (defined in a file) can access this directory AND if using a computer in cam.ac.uk

 order deny,allow
 deny from all
 allow from 131.111. 172. .cam.ac.uk
 AuthType Ucam-WebAuth
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
 Require valid-user
 Satisfy all

A member of Chemistry can access this directory (Raven account) OR if using a computer in the Chemistry Department


 order deny,allow
 deny from all
 allow from .ch.cam.ac.uk .ch.private.cam.ac.uk .chem.pwf.cam.ac.uk
 AuthType Ucam-WebAuth
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
 Require valid-user
 Satisfy any

Can't find what you're looking for?

Then you might find our A-Z site index useful. Or, you can search the site using the box at the top of the page, or by clicking here.