Department of Electrical Engineering and Computer Science



Protecting Web Pages

This document describes how to protect your Web page (or parts of it) using a password. When visitors attempt to view your password-protected documents, they will be asked to provide a valid user name and password to continue; otherwise, they will be denied access to those documents.

For authentication of web applications with UT NetID and password, please see Protecting Web Applications.

 

Quick Overview (Experts)

Configuring Password Protection

Access using EECS User Names and Passwords

This method of password protection allows authorized users to access the protected pages using their regular EECS user names and passwords. This is useful if all your users are EECS students, staff or faculty and so already have EECS credentials.

  1. Make sure you have created your EECS web space.
  2. Log into an EECS/Linux machine (e.g. one of our Linux lab systems).
  3. cd into the directory you wish to protect, e.g.:

    # cd ~/webhome/protected
  4. Use the eecs-htaccess command to generate a file named htaccess that will apply password protection to that directory (it is renamed to .htaccess in step 6). If you run the command without any options, you get a usage summary. See below for details on running this command.
  5. Review the file contents. If you wish to add additional users to your file protection, simply add their user names to the line that begins with Require ldap-user.
  6. Rename the file from "htaccess" to ".htaccess":

    # mv htaccess .htaccess
  7. Test your protected web space.

After password-protecting a directory, users can only access it if they meet both of the following criteria:

  1. The user must have a valid EECS account, and
  2. The user must be in the Require ldap-user line of the .htaccess file.

Note: In addition to protecting your web site, the .htaccess file generated by the method outlined above also forces access to the protected site to go through secure HTTP (HTTPS). This prevents passwords from travelling over the Internet in unencrypted clear text.

Usage of the eecs-htaccess command

The syntax for the eecs-htaccess command is

eecs-htaccess filename uri

The filename should point to a simple text file that contains one or more user names per line. (If multiple user names are listed on the same line, they must be separated by whitespace.) If you prefer to type or paste the user names into the terminal, use a - (hyphen) character for the filename parameter; the user list is then read from standard input, and you finish your input by pressing Control-D.

The uri parameter is the Web Address (URI or URL) of the protected documents.

For example, suppose you want to password-protect your personal Web page (i.e., your main webhome directory) so that only you and two of your friends can access it. First, create a file called usernames:

myusername
friend1
friend2

Next, run this eecs-htaccess command:

eecs-htaccess usernames https://web.eecs.utk.edu/~myusername

Note that you must specify the https:// prefix in the URI for security reasons: the generated .htaccess forces all access to the protected directory through HTTPS, so that passwords never travel in clear text.

If you have any problems, contact the EECS IT staff.

Input file formats

The following are examples of valid input files to eecs-htaccess (one name per line, or several names on one line separated by whitespace):

user1
user2
user3

user1 user2
user3

The following examples are not valid input (two names run together with no separator, or separated by a character other than whitespace):

user1user2
user3

user1/user2
user3
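Before running eecs-htaccess, it helps to check both arguments against the rules above. The script below is an added example written for this page; it is not the eecs-htaccess tool or any EECS IT code. It assumes that user names consist only of letters, digits, '.', '_' and '-', and that a name with no matching account on the machine (looked up with getent passwd) is a mistake such as the fused user1user2, which is syntactically a single name and cannot be caught any other way. It reads the same input file format (including - for standard input), rejects lines such as user1/user2, reproduces the Require ldap-user line that the generated .htaccess carries, and refuses a URI that does not start with https://.

```shell
#!/usr/bin/env bash
# Added example for this page, not the eecs-htaccess tool or EECS IT code:
# pre-flight checks for the two arguments of "eecs-htaccess filename uri".
# Assumptions not stated on the page: user names contain only letters, digits,
# '.', '_' and '-'; a name with no matching account (getent passwd) is a typo.
set -f   # no pathname expansion: a stray '*' in the list must not become file names

# Print the user names in FILE ("-" = standard input), one per line. Names on a
# line may be separated by any run of blanks or tabs; any other character inside
# a name (the '/' in "user1/user2") is reported and makes the function fail.
check_userlist() {
    file=$1; lineno=0; status=0
    [ "$file" = - ] && file=/dev/stdin
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                               # split on blanks/tabs
        for name in "$@"; do
            case $name in
                *[!A-Za-z0-9._-]*)
                    printf 'line %d: invalid user name "%s"\n' "$lineno" "$name" >&2
                    status=1 ;;
                *) printf '%s\n' "$name" ;;
            esac
        done
    done < "$file"
    return "$status"
}

# Names that are not accounts on this machine: catches a fused "user1user2" or
# a misspelling, which the syntax check above cannot see.
check_accounts() {
    status=0
    for name in "$@"; do
        getent passwd "$name" >/dev/null 2>&1 || { printf 'no such account: %s\n' "$name" >&2; status=1; }
    done
    return "$status"
}

# The access line the generated .htaccess carries: every name from FILE, in
# order, duplicates dropped, on one "Require ldap-user" line.
require_line() {
    names=$(check_userlist "$1") || return 1
    [ -n "$names" ] || { echo 'no user names found' >&2; return 1; }
    printf 'Require ldap-user %s\n' "$(printf '%s\n' "$names" | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//')"
}

# The uri argument must use https://, since the generated file forces HTTPS.
check_uri() {
    case $1 in
        https://*) return 0 ;;
        *) printf 'URI must start with https://, got: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Demo with constructed input: the page's usernames example and an invalid file.
demo() {
    tmp=$(mktemp -d)
    printf 'myusername\nfriend1 friend2\n' > "$tmp/usernames"
    printf 'user1/user2\nuser3\n' > "$tmp/bad"
    require_line "$tmp/usernames"          # Require ldap-user myusername friend1 friend2
    require_line "$tmp/bad" || echo 'bad: rejected'
    check_uri https://web.eecs.utk.edu/~myusername && echo 'uri: ok'
    check_uri http://web.eecs.utk.edu/~myusername || echo 'http uri: rejected'
    rm -rf "$tmp"
}
demo
```

Run check_accounts on the names only on an EECS machine, where the EECS accounts are visible to getent; on any other host every name will be reported as missing.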

Access Using Arbitrary User Names and Passwords

There are situations where protecting a page using EECS user names and passwords is not feasible; for example, you may wish to share your web page with colleagues at other universities that do not have EECS credentials. In such a case, you can set up arbitrary user names and passwords to protect your web page.

The .htaccess file for this method contains an "ErrorDocument" line, an "AuthName" line, and a line listing the permitted user names. Replace the URI on the "ErrorDocument" line with the URI of the page you want to protect, and replace username with your user name. Important: use an https URI, not http, or you will cause an error. Replace "user1" and "user2" with any number of user names, separated by a space. When users attempt to access your protected space, they will be prompted with "Authorized Users Only" (or whatever text you put on the AuthName line).

  1. Create passwords for your users. If you have never used this method of authentication, create an empty file called .htpasswd at the top level of your home area (not inside your webhome directory). This file has to be "world-readable" just like web pages, so that the web server can read it; it will, however, not be visible through the web. Keep in mind that "world-readable" also means any other local user can read the password hashes in it, so do not reuse passwords that protect anything else. For example:

    # cd ~
    # touch .htpasswd
    # chmod 644 .htpasswd

    If you have used this method before, you may already have a .htpasswd file; if so, you can omit this step (repeating it does no harm, since touch does not truncate an existing file).
  2. Use the htpasswd command to generate passwords for your users. For example, if you are giving access to "user1" and "user2", you would run:

    # htpasswd ~/.htpasswd user1
    New password:
    Re-type new password:
    Adding password for user user1
    # htpasswd ~/.htpasswd user2
    New password:
    Re-type new password:
    Adding password for user user2

    You can read the manual page for htpasswd for more options such as batch processing for large numbers of users.
  3. To remove a user from the .htpasswd file, edit the file and delete the line that begins with that user's user name followed by a colon. Match the whole name: the entry for user1 starts with "user1:", and the entry for user10 starts with "user10:", so removing one must not remove the other.

Your directory is now protected based on the passwords you created. (Be sure to add a user name for yourself.) To add additional users to your protected page, edit the appropriate .htaccess file to add their user names and create passwords for them as outlined. To remove access for a user, just remove that user's entries in both .htaccess and .htpasswd.

Note: This method uses a single .htpasswd file for all web pages that use this protection method. You can keep all passwords in that file and give access to specific directories to specific users by listing them in the appropriate .htaccess files.
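The .htaccess for this method is short enough to write and maintain with a script. The one below is an added example for this page, not the template EECS IT distributes: it assumes the stock Apache directives (AuthType Basic, AuthName, AuthUserFile, Require user, and SSLRequireSSL together with ErrorDocument 403 pointing at the https URI, which is what sends a plain-HTTP request on to the https page and why an http URI there would redirect to itself and fail), and the home directory, user names and .htpasswd contents in it are illustrative. It also shows how to add a name to the Require line without duplicating it, and how to remove a user from .htpasswd by matching the whole user-name field, so that removing user1 leaves user10 alone.

```shell
#!/usr/bin/env bash
# Added example for this page, not the EECS IT template: write the .htaccess for
# "arbitrary user names and passwords" and maintain the entries that go with it.
# Assumptions: stock Apache directives; ErrorDocument 403 with an absolute https
# URL is what sends a plain-HTTP request to the https page (so an http URL there
# would redirect to itself and fail); all paths and names are illustrative.

# write_htaccess DIR HOME HTTPS_URI USER... : create DIR/.htaccess
write_htaccess() {
    dir=$1; home=$2; uri=$3; shift 3 || return 1
    case $uri in
        https://*) ;;
        *) printf 'use an https:// URI, not: %s\n' "$uri" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo 'list at least one user name' >&2; return 1; }
    for name in "$@"; do   # only plain account-style names belong on a Require line
        case $name in *[!A-Za-z0-9._-]*) printf 'bad user name: %s\n' "$name" >&2; return 1 ;; esac
    done
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile $home/.htpasswd
Require user $*
SSLRequireSSL
ErrorDocument 403 $uri
EOF
    chmod 644 "$dir/.htaccess"   # the web server must be able to read it
}

# add_user_to_htaccess DIR NAME : append NAME to the "Require user" line unless already there
add_user_to_htaccess() {
    f=$1/.htaccess; name=$2
    tmp=$(mktemp "$f.XXXXXX") || return 1
    awk -v u="$name" '
        $1 == "Require" && $2 == "user" {
            for (i = 3; i <= NF; i++) if ($i == u) { print; next }
            print $0 " " u; next
        }
        { print }' "$f" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$f"
}

# list_htpasswd_users FILE : the user names (field before ':') in a .htpasswd
list_htpasswd_users() {
    awk -F: 'NF { print $1 }' "$1"
}

# remove_htpasswd_user FILE NAME : drop NAME's entry only. Matching the whole
# first field (not just the start of the line) keeps user10 when removing user1.
remove_htpasswd_user() {
    file=$1; name=$2
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -F: -v u="$name" '$1 != u' "$file" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$file"
}

# Demo in a throwaway home directory; the .htpasswd hashes are constructed
# placeholders, not real htpasswd output.
demo() {
    home=$(mktemp -d); mkdir "$home/webhome"
    write_htaccess "$home/webhome" "$home" https://web.eecs.utk.edu/~username user1 user2
    add_user_to_htaccess "$home/webhome" user3
    cat "$home/webhome/.htaccess"
    printf 'user1:$apr1$constructed$placeholder\nuser10:$apr1$constructed$placeholder\n' > "$home/.htpasswd"
    remove_htpasswd_user "$home/.htpasswd" user1
    list_htpasswd_users "$home/.htpasswd"   # user10
    rm -rf "$home"
}
demo
```

Passwords themselves are still created with htpasswd exactly as shown in step 2; the script only edits the files around it. Both edits go through a temporary file in the same directory and a final mv, so the web server never sees a half-written .htaccess or .htpasswd.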

You cannot "mix-and-match" authentication methods: individual directories can either be protected based on EECS credentials or based on user names and passwords you create. However, you can use one method in one directory and the other in another directory.

If you need any help, please contact the IT Staff.

Protecting your web page from local users

Setting up an .htaccess file as described above will protect your web page from being viewed on a web browser without proper authentication. However, local EECS users can still cd into your web directory and view your raw HTML or PHP files. This may be unacceptable for pages containing homework solutions, tests, etc. that need to be kept secret from local users.

You can use Access Control Lists (ACLs) to grant the web server access to your files but no one else. To do that, give the userweb user read permission on the files you want accessible in a browser (and read plus execute permission on their directories, including the directories leading to them), and then make sure nobody else has permission: an ACL only adds permissions, so you must also remove the read bits that "group" and "other" already have on those files.

Alternatively, you can contact EECS IT Support if you need certain files/directories protected in the old-style way (by making the files group-readable to the userweb group).
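One way to apply the ACL approach with the standard setfacl and getfacl tools, as an added example for this page (not an EECS IT script): it assumes the web server account is called userweb as the text says, that the directory you pass is under your existing web space so that userweb can already search the parent directories, and that the filesystem supports POSIX ACLs. It first strips the group and other permission bits (an ACL adds rights, it never takes them away), then grants userweb read on files and read plus search on directories, and adds a default entry so files you create later in the directory inherit the same access.

```shell
#!/usr/bin/env bash
# Added example for this page, not an EECS IT script: hide a web directory from
# other local users while keeping it readable to the web server via POSIX ACLs.
# Assumptions: the web server runs as "userweb" (the page's name for it) and the
# parent directories already let that account search down to DIR.

# Files and directories under DIR that any local user can still read (others' r bit set).
world_readable() {
    find "$1" -perm -004
}

# Step 1: an ACL only adds permissions, so first take away what "group" and
# "other" get from the classic mode bits.
strip_group_other() {
    chmod -R go-rwx "$1"
}

# Step 2: give WEB (default userweb) read on files, read+search on directories,
# and a default entry so files created later in DIR inherit the same access.
grant_webserver() {
    dir=$1; web=${2:-userweb}
    command -v setfacl >/dev/null 2>&1 || { echo 'setfacl is not installed' >&2; return 2; }
    find "$dir" -type d -exec setfacl -m "u:$web:rx" {} + &&
    find "$dir" -type d -exec setfacl -d -m "u:$web:rx" {} + &&
    find "$dir" -type f -exec setfacl -m "u:$web:r" {} +
}

lock_down_for_userweb() {
    strip_group_other "$1" && grant_webserver "$1" "${2:-userweb}"
}

# Usage: bash lockdown.sh ~/webhome/protected [userweb]
if [ $# -ge 1 ]; then
    lock_down_for_userweb "$1" "${2:-userweb}"
    echo 'Still world-readable (should print nothing):'
    world_readable "$1"
    getfacl -R "$1"
fi
```

After running it, `getfacl` on a file should show `user:userweb:r--` next to `other::---`, and `world_readable` should print nothing. The page's own .htaccess protection still applies on top of this; the ACL only controls who can read the files directly on the EECS machines.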


 

The University of Tennessee, Knoxville. Big Orange. Big Ideas.

Knoxville, Tennessee 37996 | 865-974-1000
The flagship campus of the University of Tennessee System