Vhosts: .htaccess and security

Common .htaccess files configurations people use for vhosts.

Restricting Access can be necessary to ensure that only certain users can view or edit files. These practices should work with CAE vhost sites.

These MUST be done in a https-only directory, or WITH the https-only emulation below! Otherwise, the passwords will be sent unencrypted between the client and the webserver, where they can be easily eavesdropped upon.

You can protect files with password access with passwords you set yourself. There are two primary parts to creating your own access restricted pages. First, create a password file and populate it with usernames and passwords. Second, limit the access using your own password file.

  1. Setting your own passwords

    You can protect files with password access with passwords you set yourself. Your password file will contain a list of names and encrypted passwords. It should be stored outside your public_html directory, and be readable by the web-editing-group user for your site.
    To make or modify a password file use the htpasswd program:
    # htpasswd passwordfile username

    The -c flag will creates a new file. htpasswd will prompt you for the password twice and will add it to the file (or create the file if you use -c). The command should also be used to modify password for users already with a password in the file.

    Example: In the directory you wish to protect, create a password file named .htpasswords for the usernames: bucky and guest. Set the access to the passwordfile readable by the web-editing-group user for your site.
    tux-123% cd /home/vhosts/your.site.name/etc
    tux-123% htpasswd -help
    Usage: htpasswd passwordfile username
    tux-123% htpasswd -c .htpasswords bucky
    New password:
    Re-type new password:
    Adding password for user bucky
    tux-123% htpasswd .htpasswords guest
    New password:
    Re-type new password:
    Adding password for user guest
    The initial cd command is to ensure the working directory is the directory you want to protect. The htpasswd command will create a file named .htpasswords and add a password for bucky. Another password is added to the file for guest. Additional htpasswd commands should not include the -c option. Don't worry, the server is configured not to give out any files starting with .ht.
  2. Limit the access to your web pages.

    With the password file created, you are now read to start restricting access to your web pages using this file.

    Create a file in this directory called .htaccess (note that there is a dot at the beginning of the name of this file) which should be readable by the web-editing-group user for your site. It should contain something like:

    AuthType basic
    AuthName "Password Protected Area"
    AuthUserFile /home/vhosts/your.site.name/etc/.htpasswords
    Require valid-user
    Header merge Cache-Control private

    The .htpasswords file is the previously created password file. Be sure to specify the full path to this file. This means that to gain access to the pages you put in this directory the user must enter a valid username and password from the your password file.


    Pages can also be set to only be accessible to particular users, by putting the following Require lines in .htaccess instead of the above:

    Require user user1 user2 user3
    Be sure you have a password defined in your password file for the specified users.

UW-only emulation

On the CAE server, you can create a folder called uw-only. Anything inside that folder will be automatically restricted to on-campus computers, including WiscVPN.

If you would like to add this restriction to your virtual host without creating a different directory, add this to a .htaccess file. Anything in that folder (including subdirectories) will be restricted.

Note: permissions must be set correctly otherwise the server will always give an error message stating that you are not on the UW campus (even if you are).

Order deny,allow
Deny from all
Allow from .wisc.edu 72.33. 144.92. 128.104. 128.105. 146.151.0.0/17 146.151.128.0/17 192.12.224. 192.160.134. 198.133.224. 198.133.225. 198.51.254. 128.104.25. 128.104.76.0/23 128.104.224. 128.104.225. 144.92.18. 144.92.44.64/29 144.92.81.128/25 144.92.89.96/27 144.92.92. 130.11.167.0/25 130.11.161. 10.128.0.0/11 2607:f388::/32
Header merge Cache-Control private
Please note that DoIT maintains a list of IP Address ranges that you may wish to consult if you desire a stricter restriction.
https-only emulation

Much like above, there is the ability to create a folder called https-only. This will force anything in that directory to be forced to use secure HTTP (https). If you would like to add that without creating a separate directory, add the following to your .htaccess file:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI}
If you have questions

If you have questions, and are using CAE's Virtual Website Service, please let us know at webserver AT cae.wisc.edu.

Note to those not using webedit.cae.wisc.edu

Note to people not using CAE's Virtual Website Service: This may or may not work for you, depending on your local configuration. Please see your local administrator for further assistance.

See Also:




Keywords:vhost vhosts htaccess secure password protect https   Doc ID:6960
Owner:Jeff B.Group:Computer-Aided Engineering
Created:2008-01-16 19:00 CDTUpdated:2015-01-26 10:26 CDT
Sites:Computer-Aided Engineering
Feedback:  3   1