This document describes how to protect your Web page (or parts of it) using a password. When visitors attempt to view your password-protected documents, they will be asked to provide a valid user name and password to continue; otherwise, they will be denied access to those documents.
For authentication of web applications with UT NetID and password, please see Protecting Web Applications.
This method of password protection allows authorized users to access the protected pages using their regular EECS user names and passwords. This is useful if all your users are EECS students, staff or faculty and so already have EECS credentials.
# cd ~/webhome/protected
# mv htaccess .htaccess
After password-protecting a directory, users can only access it if they meet both of the following criteria:
Note: In addition to protecting your web site, the .htaccess file generated by the method outlined above will also force access to the protected site to go through secure HTTP (HTTPS). This prevents passwords from traveling over the internet in unencrypted clear text.
The syntax for the eecs-htaccess command is
eecs-htaccess filename uri
The filename should point to a simple text file that contains one or more user names per line. (If multiple user names are listed on the same line, they must be separated by a single whitespace character.) If you prefer to type or paste the user names into the terminal, use a - (hyphen) character for the filename parameter, which will then allow the user list to be read from standard input; finish your input by hitting Control-D.
The uri parameter is the Web Address (URI or URL) for the protected documents.
For example, suppose you want to password-protect your personal Web page (i.e., your main webhome directory) so that only you and two of your friends can access it. First, create a file called usernames:
Next, run this eecs-htaccess command:
eecs-htaccess usernames https://web.eecs.utk.edu/~myusername
Note that you must specify the https:// prefix in the URI for security reasons.
If you have any problems, contact the EECS IT staff.
The following are examples of valid input files to eecs-htaccess:
The following examples are not valid input:
There are situations where protecting a page using EECS user names and passwords is not feasible; for example, you may wish to share your web page with colleagues at other universities who do not have EECS credentials. In such a case, you can set up arbitrary user names and passwords to protect your web page.
cd into the directory you wish to protect, e.g.:
# cd ~/webhome/protected
ErrorDocument 403 https://web.eecs.utk.edu/~username/protected
AuthName "Authorized Users Only"
require user user1 user2
In the above example, replace the URI on the "ErrorDocument" line with the URI of the page you want to protect. Also, replace username with your user name. Important: Use an https URI, not http, or you will cause an error. Replace "user1" and "user2" with any number of user names, separated by a space. When users attempt to access your protected space, they will be prompted with "Authorized Users Only" (or whatever text you put on the AuthName line).
# cd ~
# touch .htpasswd
# chmod 644 .htpasswd
If you have used this method before, you may already have an .htpasswd file – if so, you can omit this step (though it will not cause any harm).
# htpasswd ~/.htpasswd user1
Re-type new password:
Adding password for user user1
# htpasswd ~/.htpasswd user2
Re-type new password:
Adding password for user user2
You can read the manual page for htpasswd for more options such as batch processing for large numbers of users.
Your directory is now protected based on the passwords you created. (Be sure to add a user name for yourself.) To add additional users to your protected page, edit the appropriate .htaccess file to add their user names and create passwords for them as outlined. To remove access for a user, just remove that user's entries in both .htaccess and .htpasswd.
Note: This method uses a single .htpasswd file for all web pages that use this protection method. You can keep all passwords in that file and give access to specific directories to specific users by listing them in the appropriate .htaccess files.
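Because one .htpasswd serves every directory protected this way, user lists and password entries can drift apart as users are added and removed. The following check is an added example, not part of the original page: it compares the names on "require user" lines with the entries in .htpasswd. The function names and the sample data are made up for illustration.

```sh
# Added example. Function names and sample data are made up for illustration.

# Print each user named on a "require user" line of the given .htaccess files.
# ("require valid-user" and group rules are not handled.)
required_users() {   # usage: required_users HTACCESS...
    awk 'tolower($1) == "require" && tolower($2) == "user" {
             for (i = 3; i <= NF; i++) print $i
         }' "$@" | sort -u
}

# Print each user that has a "user:hash" entry in the .htpasswd file.
password_users() {   # usage: password_users HTPASSWD
    awk -F: '/^#/ { next } NF >= 2 && $1 != "" { print $1 }' "$1" | sort -u
}

# Users listed in .htaccess but without a password entry (they cannot log in).
missing_passwords() {   # usage: missing_passwords HTPASSWD HTACCESS...
    pw=$1; shift
    required_users "$@" | while read -r u; do
        password_users "$pw" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Password entries that no .htaccess refers to (leftover credentials).
stale_passwords() {   # usage: stale_passwords HTPASSWD HTACCESS...
    pw=$1; shift
    password_users "$pw" | while read -r u; do
        required_users "$@" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Constructed sample: two protected directories sharing one .htpasswd.
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/a" "$1/b"
    printf 'AuthName "Authorized Users Only"\nrequire user user1 user2\n' > "$1/a/.htaccess"
    printf 'require user user2 user4\n' > "$1/b/.htaccess"
    printf 'user1:HASH1\nuser2:HASH2\nuser3:HASH3\n' > "$1/.htpasswd"
}
```

Pass stale_passwords every .htaccess file that relies on the shared .htpasswd; an entry it prints is only safe to delete if no protected directory was left out.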
You cannot "mix-and-match" authentication methods – individual directories can either be protected based on EECS credentials or based on user names and passwords you create. However, you can use one method in one directory and the other in another directory.
If you need any help, please contact the IT Staff.
Setting up an .htaccess file as described above will protect your web page from being viewed on a web browser without proper authentication. However, local EECS users can still cd into your web directory and view your raw HTML or PHP files. This may be unacceptable for pages containing homework solutions, tests, etc. that need to be kept secret from local users.
You can use Access Control Lists (ACLs) to grant the webserver access to your files but no one else. In order to do that, simply give the userweb user read permissions (and execute permissions for directories) to the files you want accessible in a browser (and make sure not to let anyone else have permission!).
Alternately, you can contact EECS IT Support if you need certain files/directories protected in the old-style way (by making the files group-readable to the userweb group).
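One way to apply and then verify the ACL approach described above, as an added example that is not part of the original page. It assumes the POSIX ACL tools setfacl and getfacl are available (the page does not say which ACL tool the EECS systems provide); the function names and the sample getfacl output are made up for illustration.

```sh
# Added example. Assumes POSIX ACL tools (setfacl/getfacl); the page does not
# say which ACL tool the EECS systems provide. Function names are hypothetical.

# Give only yourself and the web server account (userweb) access to DIR.
lock_down() {   # usage: lock_down DIR
    chmod -R go-rwx "$1"              # first remove group/other access
    # Then grant userweb read; capital X adds execute on directories only
    # (and on files that are already executable).
    setfacl -R -m u:userweb:rX "$1"
}

# Read `getfacl -R DIR` output on stdin and print every ACL entry that lets
# someone other than the owner or userweb in. No output means the tree is clean.
acl_violations() {
    awk '
        /^# file: / { file = substr($0, 9); next }
        /^#/ || NF == 0 { next }
        {
            entry = $1                       # drop any "#effective:" suffix
            sub(/^default:/, "", entry)
            split(entry, f, ":")             # tag : qualifier : permissions
            if (f[1] == "mask") next
            if (f[1] == "user" && (f[2] == "" || f[2] == "userweb")) next
            if (f[3] != "---") print file ": " $1
        }'
}

# Constructed getfacl output (not from a real system) for trying the check.
sample_getfacl() {
    printf '%s\n' \
        '# file: protected/solutions.html' '# owner: myusername' '# group: users' \
        'user::rw-' 'user:userweb:r--' 'group::---' 'mask::r--' 'other::---' '' \
        '# file: protected/exam.php' '# owner: myusername' '# group: users' \
        'user::rw-' 'user:userweb:r--' 'group::r--' 'mask::r--' 'other::r--'
}
# Typical use:  lock_down ~/webhome/protected
#               getfacl -R ~/webhome/protected | acl_violations
```

Files created later do not inherit the userweb entry unless a default ACL is set on the directory, so rerun the check after adding content.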