
Apache Web Server Authentication (using htaccess)

Web Server Authentication

The ECN web server comes with a dynamic authentication mechanism using Purdue's central identification, authentication and authorization service, I2A2. Setting restrictions on web page service is as simple as placing restriction commands into the access control file. This document describes the commands available in the access control file.

I2A2 Access Control

A web directory may contain an access control file, called .htaccess that describes access permissions to this directory, plus every directory beneath it. The access permissions in the file can be one or more of the following types:

  • require i2a2-user: require a specific I2A2 user
  • require i2a2-char: require an I2A2 characteristic
  • require any-user: require any authenticated user
  • require unix-group: require a match in the UNIX group file

require i2a2-user

The require i2a2-user command authorizes access for anyone in the user list. The command takes one or more users per line. A user can be listed as either the login name, the fully qualified name or the Purdue ID number.

Examples:

require i2a2-user cs
require i2a2-user kozl moyman nelson
require i2a2-user 0610858296

These lines indicate that authentication is required, and that the users with login names cs, kozl, moyman, or nelson are authorized to use the web directory. Additionally, the user with the Purdue ID number 0610858296 is also authorized.

Note:

When using PUID, the format must be one to ten digits, without the dash (-) character. Be careful, a mistyped PUID will be looked up as a login name and will most likely fail to match.

require i2a2-char

The require i2a2-char command authorizes access for anyone that has one of the listed I2A2 characteristics. The command takes one or more characteristics per line. A characteristic is listed by its characteristic number.

The full list of characteristics is published as I2A2 Characteristics.

Examples:

require i2a2-char 0
require i2a2-char 13101 3615 4197

These lines indicate that authentication is required, and that users with any of the listed characteristics are authorized to use the web directory. The authorized user must be an "Employee" (0), or an "EmployeeGroup: Admin/Professional (A)" (13101) employee, or have characteristic 3615 or 4197 (an Engineering Computer Network employee).

require any-user

The require any-user command authorizes anyone that is able to authenticate to I2A2 to access the web page. This makes it simple to verify that the user is part of the university in some way, rather than having the web page open to anonymous access.

Example:

require any-user

Note:

Remember that any single requirement that passes authorization is enough to allow access. Placing require any-user into your access control file will therefore override all other requirements.

require unix-group

The require unix-group command authorizes anyone that is able to authenticate to I2A2, and belongs to any of the named unix group(s), to access the web page.

Example:

require unix-group aaestaff aaefaculty

Note:

Unix groups are defined in the /etc/group file. Access is allowed if any of the named unix groups contains the authenticated user's login name.

Password File Access Control

The same .htaccess file, which describes access permissions to this directory plus every directory beneath it, can also use a locally maintained password file through the following type:

require user

The require user command authorizes anyone that knows a username and password pair which you define. Before this command is used you must create a second control file (called .htpasswd) which defines the username/password.

To create an .htpasswd file use the following command from an ECN UNIX shell:

$ /usr/bin/htpasswd -c [web_directory]/.htpasswd [username]

For example, to create a user called guest for the ECN entity:

$ /usr/bin/htpasswd -c .htpasswd guest

The system will prompt you to provide a password for the newly created user. Once the user is created, that username and password can be required by adding the following lines to your .htaccess file:

AuthBasicProvider file
AuthUserFile [web_directory]/.htpasswd
require user [username]

Example:

AuthBasicProvider file
AuthUserFile /web/entities/cheezburgr/.htpasswd
require user guest

Note:

Purdue's Policy on Authentication and Authorization states that, "Purdue University will assign a Purdue University Identifier (PUID) and User Credentials for Identification and Authentication purposes to each individual that has a business, research, or educational need to access University IT Resources." In almost all cases a Purdue username and password should be requested through the appropriate channels for each person needing access to your data.

CAS access control

In order to restrict a web site using two-factor authentication (2FA, also called multi-factor authentication, MFA), use the CAS authentication type. This type of authentication will prompt for authentication using the Purdue Login (formerly BoilerKey) web page; then, if the login matches the restriction settings, the page will display.

The simplest setting, requiring a valid Purdue account, can be enabled with the following settings:

AuthType CAS
Require valid-user

To restrict the page to a set of users, use the require user setting, and a list of career account names:

AuthType CAS
Require user kozl moyman nelson

To restrict the page to an I2A2 characteristic, use the require cas-attribute setting, and a characteristic number:

AuthType CAS
Require cas-attribute i2a2characteristics:2000021

Example:

AuthType CAS
<RequireAll>
Require cas-attribute i2a2characteristics:0
<RequireAny>
Require cas-attribute i2a2characteristics:3615
Require cas-attribute i2a2characteristics:4197
Require cas-attribute lastname:Smith
</RequireAny>
</RequireAll>

In this example, CAS authentication will be used, and the person logging on must satisfy the following to see the page: they must be in I2A2 characteristic 0 (Employee), and additionally must either be in I2A2 characteristic 3615 or 4197 (an Engineering Computer Network employee) or have a last name of "Smith".
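The note under require any-user (any single passing requirement grants access) and the nested RequireAll/RequireAny example above describe how Apache evaluates Require directives. The evaluator below is an added example, not code from this article or from Apache or mod_auth_cas; it parses a constructed .htaccess fragment modelled on the CAS example and evaluates it against a user record, with the assumptions that CAS attributes are represented as "key:value" strings, that each cas-attribute term carries one such pair, and that the user record is a plain dict of the shape noted in the code.

```python
import ipaddress
import re

# Constructed .htaccess fragment modelled on the article's CAS example.
POLICY = """
<RequireAll>
Require cas-attribute i2a2characteristics:0
<RequireAny>
Require cas-attribute i2a2characteristics:3615
Require cas-attribute i2a2characteristics:4197
Require cas-attribute lastname:Smith
</RequireAny>
</RequireAll>
"""

def parse_policy(text):
    """Nested list [op, child, ...]; op is "all"/"any", a child is a term tuple
    such as ("cas-attribute", "lastname:Smith") or another nested list."""
    stack = [["any"]]                     # file top level acts like RequireAny
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Require(All|Any)>", line)
        if opened:
            node = [opened.group(1).lower()]
            stack[-1].append(node)
            stack.append(node)
        elif re.fullmatch(r"</Require(All|Any)>", line):
            stack.pop()
        elif line.lower().startswith("require "):
            stack[-1].append(tuple(line.split()[1:]))
    return stack[0]

def check_term(term, user):
    """Assumed user shape: {"login": str|None, "attrs": set of "key:value",
    "ip": str}; "ip" is only consulted for Require ip terms."""
    kind, args = term[0], term[1:]
    if kind == "valid-user":
        return user.get("login") is not None
    if kind == "user":
        return user.get("login") in args
    if kind == "cas-attribute":           # one attribute:value pair per term
        return args[0] in user.get("attrs", set())
    if kind == "ip":                      # CIDR list, v4 or v6 as on the page
        addr = ipaddress.ip_address(user["ip"])
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    raise ValueError(f"unsupported Require type: {kind}")

def evaluate(node, user):
    # RequireAll: every child passes; RequireAny and top level: at least one.
    passed = [evaluate(c, user) if isinstance(c, list) else check_term(c, user) for c in node[1:]]
    return all(passed) if node[0] == "all" else any(passed)
```

Running a draft policy through this before deploying it shows whether a stray top-level Require (such as require any-user) silently widens access, since the top level is evaluated as an any.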

Purdue Host Access Limits

To limit access to a web site by host - more specifically, to only hosts on a Purdue network or using the Purdue VPN, use the following.

Host based access control

Enter the following IP address restrictions into the .htaccess file to limit access to a Purdue host, or a Purdue host connected to one of the VPNs.

#  Purdue University - ECN
Require ip 128.46.0.0/16
Require ip 192.5.91.0/24

# Purdue University - CS
Require ip 128.10.0.0/16

# Purdue University
Require ip 128.210.0.0/16
Require ip 128.211.0.0/16
Require ip 192.5.40.0/24
Require ip 192.5.101.0/24
Require ip 192.5.102.0/24
Require ip 192.31.0.0/24

# Purdue University - Agriculture Information Technology
Require ip 204.52.32.0/19

# Local/private address space
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12

# Purdue ipv6 block
Require ip 2001:18e8:800::/44
Require ip 2607:ac80::/32

Last Modified: Jun 26, 2023 10:04 am GMT-4
Created: Feb 26, 2007 8:27 am US/Eastern by admin