Today's Topic: Server-Side Authentication

Today we’ll discuss basic web server operation—what gets sent back and forth between a client and a server, and what’s the order of operations.

Then I’ll cover how to create an .htaccess file to restrict access to a directory on your site (server side authentication), as well as to create a custom 404 error page, or change the way the server handles various file types.

Server-Side Authentication: In-Class Exercise

Using Server-Side Authentication on Grace

The apache web server includes a program called htpasswd that allows you to create users and associated passwords for access restrictions on web directories. To password-protect a directory you need to do two things—first, use the htpasswd program to create a user and associated password in a world-readable file, and second, create an .htaccess file in the directory you want to restrict that references the password file.

If you’ve never created a password file before:

1. Create a directory in your home directory (not your www directory) to put the password file in.
2. Change the permissions on the directory you just created to 755
3. Make sure you’re in the directory you just created, and run the htpasswd program with the -c flag to create a new password file. You can name your password file whatever you’d like, but I suggest “hiding” it by starting the name with a period. You also must specify a user name to include in the password file when you first create it. (You’ll be prompted for a password for that username.)
   
   htpasswd -c password_file_name username
4. Change permissions on the new password file (whatever you put for password_file_name in the above command) to 644

If you have a password file, but want to add a new user to it:

1. Make sure you’re in the directory where the password file is located.
2. Run the htpasswd program without the –c flag, specifying the name of the existing password file, and the new username to add.
   
   htpasswd password_file_name username2

To restrict a web directory to a user specified in the password file:

Create a world-readable file called .htaccess in the web directory you’re protecting, with the following contents:

The AuthUserFile path should be the full UNIX path to your password file. (To find the path, change to the directory the password file is in, and type “pwd”.)

The AuthGroupFile should be left as /dev/null

AuthName is the label that will appear in the password prompt box; it can be whatever you’d like, but it cannot have spaces in it.

AuthType should be left as basic

Replace “username” in the last line with one or more users you’ve added to your password file using htpasswd. (The example uses two usernames.)

To restrict a web directory using DCE authentication:

On Grace, you can also use the .htaccess file to restrict access using DCE usernames rather than your own password file. You can only use DCE authentication through the secure (SSL) server, which means your page will have to be referenced using the https protocol, i.e. https://www.rit.edu/~abc1234/protected_directory/

To limit access to any RIT user with a valid DCE userid, use the following .htaccess syntax:

To limit access to only specific DCE user(s), use the following .htaccess syntax: