How to secure your Home page

Introduction

There are ways to secure one's home page (or a part of it!) by using the built-in password protection mechanisms. In the Math Dept., we use the APACHE Web Server. The following describes ways to secure your homepage on the Math server. The same can be followed for the Mathpost server or any other server where APACHE is installed.

Using User Authentication

There are two ways of restricting access to documents:

Either by the hostname of the browser being used, or
by asking for a username and password.

The former can be used, for example, to restrict document access to inside a company. However, if the people who are allowed to access the documents are widely scattered, or the server administrator needs to be able to control access on an individual basis, it is possible to require a username and password before being allowed access to a document. This is called user authentication.

Setting up user authentication takes two steps: first, you create a file (called ".htpasswd" containing the usernames and passwords). Second, you tell the server which resources are to be protected (by creating a restricted directory and placing the ".htaccess" file in it) and which users are allowed (after entering a valid password) to access them.

Thus there are four components to making a particular HTML/PS/PDF/text or any file protected from general net access:

.htaccess ; defines the rules or directives to be followed for the access to the files in the directory where this file resides. It also contains the location of the .htpasswd file.
.htpasswd; contains the valid users and the encrypted passwords, referred to in the .htaccess file
A directory containing the resources to be protected.
resources(s) to be protected. These could be any type of file which can be accessed via the net.

Let's see the above steps in further detail. To make part of your website password-protected do the following :

Make a directory, say 'restricted' under your public_html directory.
For eg. ssh to the math server and type in the following commands:
> cd public_html
> mkdir restricted
> cd restricted

Download the following .htaccess file into the directory.
Here is a brief explanation of the contents of the file:
AuthUserFile HOME_DIR/public_html/restricted/.htpasswd
This line specifies the password file to use, here .htpasswd. NOTE that you HAVE to give the whole path to the .htpasswd file. Replace the $HOME_DIR variable by the path for your public_html directory.
AuthName "Restricted Area Name"
This line specifies the string which will appear in the dialog box when any contents of the restricted directory are accessed.
AuthType Basic
require valid-user
These directives place a restriction on the current directory by requiring a valid user with basic authentication.
For more details on these and for more advanced directives look at the APACHE User Authentication Page.
Create the .htpasswd file thus:
> /usr/bin/htpasswd -c .htpasswd username
This command will create a new .htpasswd file (because of the '-c' option) and prompt you for a password for the user called 'username'.
For more details read the Apache documentation Page.

Take a look at the .htaccess file and verify that it refers to the correct path to the .htpasswd file.
Please edit the 'Restricted Area Name' to any string you want.
You can add additional usernames and passwords to the .htpasswd file by executing the htpasswd command but without the '-c' option. i.e:
> /usr/bin/htpasswd .htpasswd another_username
Typically the contents of the .htpasswd file look like the following (you need not be concerned about the contents of the .htpasswd file, except, of course, to know the username and the password you gave): The first field in the .htpasswd file refers to the username you specified while creating the .htpasswd file using the '/usr/bin/htpasswd' command and the second field is the encrypted version of the password you typed in.

________________________________________________________________________

tony:aXYBugr1Auyh

guest:Pl.AJqYMyMKeM

________________________________________________________________________

IMPORTANT: since both '.htaccess' and '.htpasswd' files start with a '.', they are hidden when you do an 'ls' comand in the restricted directory. To see these file listed you should do : 'ls -al' instead.
IMPORTANT:Make both the files '.htaccess' and '.htpasswd' web-readable by setting the file permissiosn to 644 i.e.,
chmod 644 .htaccess
chmod 644 .htpasswd

TEST it out!

OK, so you created the files and put in passwords for one or more usernames. Now suppose you created a user 'math' with the password 'passwd' and also put in a sample HTML page (called, say, sample.html) in the restricted directory. Now open NETSCAPE and type in the following URL: http://math.asu.edu/~loginname/restricted/sample.html [login_name refers to your Math Server Login user name !] and a dialog box should pop up asking you for a USERNAME and PASSWORD.

$passwddialog box image$

Type in 'math' and 'passwd' respectively and it should work and allow you to view the sample HTML page that you created. If either the USERNAME or PASSWORD is wrong, it will show the following error message saying that you are not authorized to view the contents of the URL/link.

____________________________________________________________________________________________________
Authorization Required

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
_____________________________________________________________________________________________________

So now you can put personal pages, class tests, homeworks, solutions, research papers on the net (by simply dumping them into the restricted directory) without worrying about some unauthorized person having access to them.