Password Protecting EECS User Web Pages

Many web applications use some sort of password protection or other sign-on mechanism to protect all or part of the site. In general, this form of “authentication” is handled internally by the application. This is known as 'form-based authentication'.

However, for simple web sites, the web server itself can provide an authentication mechanism, known as Basic Access Authentication. This document describes how to let the web server protect a directory in your personal EECS web page using this method. When visitors attempt to view your protected directory they will be asked to provide a valid user name and password to continue; otherwise, they will be denied access to the documents in the protected directort.

1. Make sure you have set up your EECS Personal Web Page
2. Log into an EECS/Linux machine (e.g. one of our Linux lab systems).
3. cd into the directory you wish to protect, e.g.:

   # cd ~/webhome/protected

When the web server process looks at a directory in your webhome directory to serve it out on the WWW, it looks for a file called .htaccess (the leading period is important). The web server will alter its behavior based on the instructions on this file such as prompting visitors for a username and password.

Below are templates for .htaccess files for two methods of protecting your web pages. When you create a .htaccess file, you need to make sure the server can read the file itself (e.g. by making it “other” readable). See the File Permissions section of the personal web page instructions. However, since you will not be storing any of the passwords themselves in the .htaccess file, it should be safe to give everyone read access to the file:

chmod 644 .htaccess

This method of password protection allows authorized users to access the protected pages using their regular EECS user name (i.e. NetID) and passwords. This is useful if all your site visitors are EECS students, staff, or faculty and thus already have login credentials.

.htaccess

# Prevent the server from serving the .htaccess file
<Files ".htaccess">  
  Require all denied
</Files>
# Require the page to be accessed via SSL (https)
SSLRequireSSL
# SUBSTITUTE Error Document with the URL you wish to protect. This will redirect any non-https requests to the correct https version.
ErrorDocument 403 https://web.eecs.utk.edu/~netid/protected
 
AuthType Basic
# AuthName sets the "authentication realm" and is sometimes presented to the user by the browser
# as part of the password prompt. 
# SUBSTITUTE this as desired
AuthName "Authorized Users Only"
 
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.eecs.utk.edu/ou=People,dc=cs,dc=utk,dc=edu STARTTLS
# SUBSTITUTE netid1, netid2, with a list of all users that should have access
Require ldap-user netid1, netid2

Make the appropriate substitutions for ErrorDocument, AuthName, and Require ldap-user. Don't forget to add your own user name to the list of authorized users. Your directory should now be password protected.

There are situations where protecting a page using EECS user names and passwords is not feasible; for example, you may wish to share your web page with colleagues at other universities that do not have EECS credentials. In such a case, you can set up arbitrary user names and passwords to protect your web page. However, this process is somewhat more complicated and has more security implications

In addition to a .htaccess file, you will also need a file listing user names and (encrypted/hashed) passwords for each user. This file should be named .htpasswd and it is important that this file be properly protected from both remote and local access.

If you have used this method before, you may already have an .htpasswd file – if so, you may omit this step and modify your existing file.

1. Create a blank .htpasswd file in your Linux home directory, not in your webhome directory or any of its sub-directories:

   touch ~/.htpasswd

2. Limit local access to the file to just your user account:

   chmod 600 ~.htpasswd

3. Use an NFSv4 ACL to give the EECS Web Server user (called userweb) read access to the file:

   nfs4_setfacl -a "A::userweb@eecs.utk.edu:R" ~/.htaccess

4. Use the htpasswd command to add passwords for your users. I recommend that you read the htpasswd man page if you wish to use batch operations etc.
   1. Create a password for a user named user1:

      htpasswd ~/.htpasswd user1
      New password:
      Re-type new password:
      Adding password for user user1

   2. Delete user named user1:

      htpasswd -D ~/.htpasswd user1
      Deleting password for user user1

The .htpasswd file is a simple text file. You can use a normal text editor to remove lines in bulk or to copy lines from another compatible htpasswd file:

cat .htpasswd
user1:$apr1$erQa7x7F$46.as7Xld0ZOYsH5tMbeK1
user2:$apr1$hBQqGkPL$81cAbigVQxJY4QppTbu4k/

As with authentication using EECS usernames, you will need a .htaccess file in the directory you wish to password protect. Modify the following template to suit your needs:

.htaccess

# Prevent the server from serving the .htaccess file
<Files ".htaccess">  
  Require all denied
</Files>
# Require the page to be accessed via SSL (https)
SSLRequireSSL
# SUBSTITUTE Error Document with the URL you wish to protect. This will redirect any non-https requests to the correct https version.
ErrorDocument 403 https://web.eecs.utk.edu/~netid/protected
 
AuthType Basic
# SUBSTITUTE your NetID for "username" below
AuthUserFile /home/username/.htpasswd
AuthGroupFile /dev/null
 
# AuthName sets the "authentication realm" and is sometimes presented to the user by the browser
# as part of the password prompt. 
# SUBSTITUTE this as desired
AuthName "Authorized Users Only"
 
#SUBSTITUTE user1, user, with a list of all users from your .htpasswd
# file that should have access
Require user user1 user2

Again, make the appropriate substitutions for ErrorDocument, AuthUserFile, AuthName, and Require user. Please note that only the users listed in the Require user line will have access to this directory even if your .htpasswd file lists additional users. This gives you the ability to use the same password file for multiple directories, potentially with different user lists.

Be sure to test your website protection using the URL of the protected page, e.g. https://web.eecs.utk.edu/~username/protected. Your browser should prompt you for a user name and password similar to this:

Be sure to test both a correct user name and password combination as well as an incorrect one to make sure your settings are correct.

You cannot “mix-and-match” authentication methods – individual directories can either be protected based on EECS credentials or based on user names and passwords you create. However, you can use one method in one directory and the other in another directory.

Setting up an .htaccess file as described above will protect your web page from being viewed on a web browser without proper authentication. However, local EECS users can still cd into your web directory and view your raw HTML or PHP files. This may be unacceptable for pages containing homework solutions, tests, etc. that need to be kept secret from local users.

You can use NFSv4 Access Control Lists (ACLs)to grant the userweb user access to your files but no one else. As always, please contact EECS IT Support for help.

If you web application needs to know which user authenticated, Form-Based Authentication is usually preferable. However, many web programming languages such as PHP can access the user name of the authenticated user. For more information on PHP and HTTP Authentication, see https://www.php.net/manual/en/features.http-auth.php. The user name, for example, can be accessed using the $_SERVER['PHP_AUTH_USER'] variable. So the following code would display the currently authenticated user:

<?php
if (isset($_SERVER['PHP_AUTH_USER'])) {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
}
?>