The Apache overrides that are typically enabled:
AllowOverride Options Indexes AuthConfig Limit
If you want to know exactly what this means then feel free to read the Apache documentation, OR you can continue to read the documentation on this page.
1) Controlling access to specific directories by userID and userName
The .htaccess file I have used for this example is like this:
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/www-arwen/password/password.file
Require valid-user
Note: This password file could be browsed from the web except that a .htaccess file is in /var/www/www-arwen/password/ with the following entry:
deny from all
to deny all web access.
The password file content is below (please note the password file is not in the www directory tree as you don't want the web server serving up your password file):
bob:mFOXu4tavzogU
You can generate the password part of this file (after the %userID%: bit) using this bit of perl (from the UNIX command line):
perl -e 'print(crypt("bob","mF")."\n");'
by replacing bob with your %userID%, and you can replace the mF with two different text characters if you wish such as xX.
The userID is "bob" and the password is "bob".
Note that these userIDs and passwords are sent in clear text across HTTP. So please DO NOT use a userID and password that you would use for your normal UNIX/Windows user accounts.
NB This solution is best where you're dealing with users who don't have CRSIDs - the Raven method does not require users to remember yet another password.
2) Indexing, or not, of your directories
If you allow indexing of a web-served directory and none of the default first pages (typically index.html or welcome.html) is present, then anyone who browses to that directory is sent a list of all the files in it.
Example indexing of a directory using this .htaccess file:
Options +Indexes
No indexing of this directory using this .htaccess file:
Options -Indexes
and just to prove it you can access a wee html file in the no_index directory:
a file in the non-indexable directory
3) Limiting access to your directories
You can limit from which domains web browsers can see one of your www directories by using settings like these in a .htaccess file (to limit access to just that from .cam.ac.uk):
order deny,allow
deny from all
allow from 131.111 172.26 .cam.ac.uk
Example of limiting access to a directory
To really test it you need to try to access it from outside the cam.ac.uk domain, which can simply be done by getting the W3C validation service to check the page: W3 HTML Validator
4) Limiting access to your directories using the Raven Authentication Service
Examples of using Raven to limit access to directories (and all sub-directories unless another .htaccess file is used):
All users of Raven (whole of Cambridge University) can access this directory
order deny,allow
deny from all
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
All members of the Chemistry Department can access this directory with a Raven account
order deny,allow
deny from all
AuthType Ucam-WebAuth
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
Require valid-user
Satisfy any
The list of people in Chemistry is determined by membership of the Chemistry Lookup group.
All users of Raven (whole of Cambridge University) OR anyone using a computer in cam.ac.uk can access this directory
order deny,allow
deny from all
allow from 131.111. 172. .cam.ac.uk
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
A group of users (defined by Lookup) can access this directory
order deny,allow
deny from all
AuthType Ucam-WebAuth
# Replace 101105 with the correct group identifier.
Require LookupUserInGroup 101105
Satisfy any
A group of users (defined by the Chemistry Active Directory but using Raven passwords) can access this directory
order deny,allow
deny from all
AuthType Ucam-WebAuth
AuthzUnixgroup on
Require group AbellUsers BalasubramanianUsers JacksonUsers KalbererUsers Klenermanusers NitschkeUsers WheatleyUsers GreyUsers wjonesusers day-users reisnerusers SurfaceScienceUsers
Satisfy any
A group of users (defined in a file) can access this directory OR a user of a computer in cam.ac.uk
order deny,allow
deny from all
allow from 131.111. 172. .cam.ac.uk
AuthType Ucam-WebAuth
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
Require valid-user
Satisfy any
A group of users (defined in a file) can access this directory AND if using a computer in cam.ac.uk
order deny,allow
deny from all
allow from 131.111. 172. .cam.ac.uk
AuthType Ucam-WebAuth
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
Require valid-user
Satisfy all
A member of Chemistry can access this directory (Raven account) OR if using a computer in the Chemistry Department
order deny,allow
deny from all
allow from .ch.cam.ac.uk .ch.private.cam.ac.uk .chem.pwf.cam.ac.uk
AuthType Ucam-WebAuth
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.lookup.cam.ac.uk:636/ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk?uid?sub?(instID=CHEM)"
Require valid-user
Satisfy any
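The host-or-login (Satisfy any) and host-and-login (Satisfy all) combinations used in sections 3 and 4, modelled in Python as an added example; it is not part of the original page and is not Apache's own code. It evaluates the "order deny,allow / deny from all / allow from ..." host check and then applies Satisfy. The function names, the sample clients and the already-resolved client_host argument are assumptions made for the illustration.

```python
import ipaddress

# "allow from" arguments copied from the .htaccess examples above.
ALLOW_CAM = ["131.111.", "172.", ".cam.ac.uk"]

def host_allowed(allow_specs, client_ip, client_host=""):
    """Host check for: order deny,allow / deny from all / allow from <specs>.
    Handles only the forms used on this page (partial IPv4, domain name)."""
    ip = ipaddress.ip_address(client_ip)
    for spec in allow_specs:
        if spec[0].isdigit():
            # Partial IP: the leading octets given must match, so "172." is 172.0.0.0/8.
            octets = [o for o in spec.split(".") if o]
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            if ip in ipaddress.ip_network(f"{padded}/{8 * len(octets)}"):
                return True
        else:
            # Domain: whole-label suffix match on the client's resolved name.
            # client_host stands in for the result of Apache's DNS lookups.
            dom, host = spec.lower(), client_host.lower()
            if host == dom or host.endswith(dom if dom.startswith(".") else "." + dom):
                return True
    return False

def access_granted(allow_specs, satisfy, client_ip, client_host, user_ok):
    """Combine the host check with the 'Require' result as 'Satisfy' does."""
    host_ok = host_allowed(allow_specs, client_ip, client_host)
    return (host_ok or user_ok) if satisfy == "any" else (host_ok and user_ok)

if __name__ == "__main__":
    # Constructed clients: (IP, resolved host name, passed Raven login?)
    clients = [
        ("131.111.8.46", "pc1.ch.cam.ac.uk", False),
        ("172.200.1.1", "", False),   # outside 172.26 but inside "172."
        ("203.0.113.5", "host.example.org", True),
        ("203.0.113.5", "host.example.org", False),
    ]
    for ip, host, user_ok in clients:
        for satisfy in ("any", "all"):
            ok = access_granted(ALLOW_CAM, satisfy, ip, host, user_ok)
            print(f"{ip:14} login={user_ok!s:5} Satisfy {satisfy}: {'allow' if ok else 'deny'}")
```

The output shows that the partial address 172. admits any client in 172.0.0.0/8 without a login under Satisfy any, whereas the 172.26 used in section 3 admits only 172.26.x.x.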