How to Set Up Web Access Control



Introduction

Access control restricts web access to one or more directories using a personal list of usernames and passwords. Access control at San Francisco State University comes in two levels:
  1. Web Access Password Controlled

    Restricts web access to one or more directories using a personal list of usernames and passwords.

    Note: This does not prevent SFSU account holders from accessing your files.

  2. Domain Based

    Restricts access to specific domains, IP patterns or host patterns so only the domain has permission to view your protected web directory. To learn more about domain based restrictions see the nsconfig documentation.

    Note: This does not work if a student uses their own Internet Service Provider.

Picture of popup username and password screen

Overview

Picture of htaccess overview

To learn how to set up password access control you can follow our examples. The password file and directory names can be different from those used in our examples. Access Control will only work if the .nsconfig filename and the htpasswd program are used.

Note: Before uploading all your sensitive restricted access files, test to ensure the access control is working.



Setup Directions

The setup directions show how to set up one username/password that will be shared by all visitors. This user will be given permission to access a single directory in the account. To learn how to set up multiple users, multiple restricted directories, and more sophisticated access control rules, please consult the examples.
  1. Log in to host apollo, orion, or online (departments must log into www) using Telnet.

  2. Create a directory in your account to store the password file.

    Note: Do not create the directory inside the public_html directory.

    Example, create a directory in your account called 'webguest'.

    apollo% cd
    apollo% mkdir webguest

  3. Change to the directory you just created to store the password file, type 'pwd' to show your directory path, and record the directory path.

    Note: Each account has a different path. Be sure to write yours down carefully; you will need it later.

    apollo% cd webguest
    apollo% pwd
    /afs/sfsu.edu/f2/weber/webguest
    [Write down /afs/sfsu.edu/f2/weber/webguest]

  4. Create a file that stores username(s) and password(s) using htpasswd. Other usernames and passwords can be added (or changed) later.

    Example, using the htpasswd command, create a file called class which contains a username and password for a user called 'student' and a password that you make up.

    apollo% htpasswd -c class student
    Adding password for student.
    New password:
    Re-type new password:

  5. Set read and execute permissions (go+rx) on the password directory.

    apollo% cd
    apollo% chmod -R go+rx webguest

  6. Create one or more directories inside your public_html directory to store the files with restricted access.

    Example, create a directory called "restrict"

    apollo% cd
    apollo% cd public_html
    apollo% mkdir restrict

  7. Store the files or folders in the password protected directory.

    In this case, the password protected directory is called restrict.

  8. Set read and execute permissions (go+rx) on the restricted directory.

    apollo% chmod -R go+rx restrict

  9. Create the .nsconfig file that specifies what you want to secure and who can access it.

    The .nsconfig file is a very delicate file that must follow an exact syntax. Pay close attention to keeping long lines from wrapping to multiple lines. It is possible to create the .nsconfig file while logged into the server using a text editor, like EMACS, vi or Pico, but we recommend using an editor like Notepad or SimpleText to create the file and FTP software to upload the file to the public_html directory. If you already have an .nsconfig file you can add access restriction directives to your existing file.

    Example, we are keeping the files we want to restrict in a directory called restrict. The /* means that we are restricting all the files located in the restrict directory. The password file we created called class is located in the directory path /afs/sfsu.edu/f2/weber/webguest/class. The realm="Class" will appear in the username and password window like this:

    Picture of Realm screen

    Note: The .nsconfig file must be in the public_html directory and must be called:

    .nsconfig

    This is an example of an .nsconfig file that can be used as a model for your .nsconfig file.

    <Files restrict/*>
    RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="WebClass"
    </Files>

    To create your own .nsconfig file:

      1. Highlight and copy the .nsconfig text marked in bold above. (You may also type it.)
      2. Paste the .nsconfig text in a simple editor like Notepad (Windows) or SimpleText (Macintosh).
      3. Edit the .nsconfig text to reflect:
      4. Save the .nsconfig file.
      5. Transfer the file to your public_html directory using a file transfer program (FTP) like WS_FTP (Windows) or Fetch (Macintosh).
      6. If necessary, rename the file you transferred to .nsconfig

  10. Test your restricted directory by opening an internet browser and entering the URL of your web site in the location or Netsite field.

    Example, we will open Netscape and open the page: http://online.sfsu.edu/~weber/restrict.

Note: To make the server 're-prompt' you for a username/password, exit and restart your browser.
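
The syntax rules in step 9 (balanced <Files> sections, each RequireAuth kept on one line) and the step 2 rule that the password file stays outside public_html can be checked before the file is uploaded. The Python linter below is an added example, not part of the original SFSU page or of any Netscape tool; it understands only the directive forms shown on this page, and the name lint_nsconfig and the sample input are constructed for illustration.

```python
import re

# Only the directive forms shown on this page are understood; other lines are ignored.
FILES_OPEN = re.compile(r"^<Files\s+(\S+)>$")

def lint_nsconfig(text, web_root):
    """Return (line_number, message) findings for the text of an .nsconfig file."""
    findings, block = [], None  # block = (line_number, pattern) of the open <Files>
    root = web_root.rstrip("/") + "/"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = FILES_OPEN.match(line)
        if opened:
            if block:
                findings.append((no, f"<Files> at line {block[0]} was not closed"))
            block = (no, opened.group(1))
        elif line == "</Files>":
            if not block:
                findings.append((no, "</Files> without a matching <Files>"))
            block = None
        elif line.startswith(("userfile=", "realm=")):
            findings.append((no, "fragment of a wrapped RequireAuth line"))
        elif line.startswith("RequireAuth"):
            user = re.search(r"\buserfile=(\S+)", line)
            realm = re.search(r'\brealm="[^"]*"', line)
            if not block:
                findings.append((no, "RequireAuth outside a <Files> section"))
            if not (user and realm):
                findings.append((no, 'need userfile= and realm="..." on one line'))
            if user and (user.group(1) + "/").startswith(root):
                findings.append((no, "password file is inside public_html"))
    if block:
        findings.append((block[0], f"<Files {block[1]}> is never closed"))
    return findings

# Constructed sample (not from the page): the second section wraps its
# RequireAuth line, keeps the password file under public_html, and is not closed.
SAMPLE = """<Files restrict/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="WebClass"
</Files>
<Files spring98/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/public_html/class
realm="Web Class"
"""
WEB_ROOT = "/afs/sfsu.edu/f2/weber/public_html"  # derived from the page's example path

if __name__ == "__main__":
    for no, msg in lint_nsconfig(SAMPLE, WEB_ROOT):
        print(f"line {no}: {msg}")
```

An empty result means the file matches the model on this page; it does not replace the browser test in step 10.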



Add, change, and delete users


Add a username's password

To add a username and password use the htpasswd program.

Example, set up a username called "student2" using the htpasswd command and store the username and password in the existing password file called "class". Enter the password for "student2" and enter it twice. After you enter the password, the username and password will be added to the guestlist file.

apollo% htpasswd class student2
Adding password for student2.
New password:
Re-type new password:

Caution: Web based password access control does not prevent other users on our AFS System from reading the protected username/password file. For this reason, DO NOT USE SSNs/Student IDs as usernames or passwords.

Change a username's password

Changing a password involves using the htpasswd program to open the existing password file called guestlist and changing the password assigned to the username you specify. The username must already be in the password file.

Example, change the password for a username called "student2" using the htpasswd command which changes the password stored in the existing password/username file called "class". Enter the password for "student2" and enter it twice. After you enter the password, the password will be changed.

apollo% htpasswd class student2
Changing password for student2.
New password:
Re-type new password:

Delete usernames and passwords

Deleting a username from a username/password file involves typing commands at the Telnet prompt, or you can delete the entire username/password file.

  1. Log in to host apollo, orion, or online using Telnet.

    Example, log in to the host apollo.

  2. Edit the existing password file.

    Example, we will edit our password file called "class"

    apollo% pico class

  3. Locate and delete the line containing the username you want to remove.
  4. Type Ctrl-X to exit. The system will confirm if you want to save your changes. Press Y to save the changes or N to cancel changes.

Examples

  1. Multiple username/passwords for a single restricted access directory
  2. Single username/password for multiple restricted access directories
  3. Multiple username/passwords for multiple restricted access directories

Multiple username/passwords for a single restricted access directory

Method 1 - Single username/password file

Create an account for each student, group of students, or class - one password per person/group/class. Using the htpasswd program, add each username/password to a single username/password file called "class". The system will prompt you to enter the password twice for each user you create. You do not need to modify the .nsconfig - all students/groups will have the same directory access permissions.

Method 2 - Multiple username/password files

Create a new username/password file for each student, group of students, or class - one username/password per person/group/class. Using the htpasswd program with the -c parameter, create multiple unique username/password files. In our example we are creating an additional username/password file called 'class2' for 'student'. Note that this 'student' will have a different password from the 'student' in the 'class' username/password file.

apollo% cd
apollo% cd webguest
apollo% htpasswd -c class2 student
Adding password for student.
New password:
Re-type new password:

Then edit the .nsconfig file to reference the new username/password file.

<Files restrict/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="Web Class"
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class2 realm="Web Class"
</Files>

Note the second RequireAuth line in the .nsconfig file that references the new username/password file 'class2'.

Single username/password for multiple restricted access directories

First create a new restricted access directory called spring98 using the mkdir command.

apollo% cd
apollo% cd public_html
apollo% mkdir spring98

Then edit the .nsconfig file to reference the new 'spring98' restricted access directory.

<Files restrict/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="Web Class"
</Files>

<Files spring98/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="Web Class"
</Files>

Note: we added a new section to the .nsconfig file by copying the existing section and changing the directory name from 'restrict' to 'spring98'.

Multiple username/passwords for multiple restricted access directories and multiple username/password files - The works!

Create a username/password file for each student, group of students, or class - one password per person/group/class. Using the htpasswd program with the -c parameter, create multiple unique username/password files.

Example, create an additional username/password file called 'class3' for 'student2'.

apollo% cd
apollo% cd webguest
apollo% htpasswd -c class3 student2
Adding password for student2.
New password:
Re-type new password:

Then create two new restricted access directories called restrict2 and common using the mkdir command.

apollo% cd
apollo% cd public_html
apollo% mkdir common restrict2

Edit the .nsconfig file to reference the new username/password file and to reference the new 'common' and 'restrict2' restricted access directories.

<Files restrict/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="Class1"
</Files>

<Files restrict2/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class3 realm="Class 2"
</Files>

<Files common/*>
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class realm="All Classes"
RequireAuth userfile=/afs/sfsu.edu/f2/weber/webguest/class3 realm="All Classes"
</Files>

Note: We added new sections to the .nsconfig file by copying the existing section and changing the directory name from 'restrict' to 'restrict2'. We also added a second section for the directory common that permits the students from the class and class3 username/password files to access the files placed in the common directory.




Glossary

username = name of the user or group who can access your restricted file or directory.

webguest = name of the directory where username/password file is placed

class = username/password file containing the username(s) and encrypted password(s)

htpasswd = program used to create and update the username/password files that restrict files and directories to specific users

-c = the -c option used with the htpasswd program creates a new username/password file

.nsconfig = configuration file that references the username/password file(s) and the directories they may access.

realm = The name of this collection of pages. It is used to customize the username/password pop-up window.



For More Information

Netscape - Dynamic configuration, .nsconfig, and .htaccess

Contact the Division of Information Technology's Web Team




1600 Holloway Avenue, San Francisco, CA 94132 (415) 338-1111
Last modified October 16, 2006 by the Web Team