White dot for spacing only
The Dice Project


Restricting Access to www.dice.inf pages

Due to the operational nature of some of the content on our web site, it is sometimes wise to limit its access. In the basic case this can be limited in two ways.

  1. By location/IP address
  2. By who the browser is

Due to problems when we moved to Cosign of incorporating both these access methods into a single .htaccess file, at the Operation Meeting in June 2011 it was decided to use a separate accessfile for HTTPS connections. This way location based restrictions can go in the normal .htaccess files, but who (Cosign) restrictions can go in a .sslaccess file.

Important Note

Having two different access files - .htaccess for HTTP and .sslaccess for HTTPS - does mean that you should always create both if limiting access, otherwise if you only place your restrictions in the .htaccess file, then people will be able to get unrestricted access via the HTTPS URL. Or vice-versa.

Example

Say you want to limit access to the /private URL to machines in EdLAN, or any Informatics user. Then you'd checkout the directory as normal and then create .htaccess and .sslaccess files with the following contents.

.htaccess

Order Allow,Deny
Allow from 129.215

.sslaccess

CosignProtected On
CosignRequireFactor INF.ED.AC.UK
AuthType Cosign

Require valid-user

The .htaccess will let any browser on EdLAN access the pages over HTTP, outside of EdLAN they will be denied.

Over HTTPS connections will be allowed from everywhere, but only if the user can Cosign authenticate. If you were to miss out the CosignRequireFactor line, then it would allow iFriends to also authorise. As anyone can self-register for iFriend, it effectively makes it world readable.

If you wanted to limit a section to certain users regardless of where they were accessing it from, then you have to deny all HTTP access in the .htaccess file - hint replace Allow from 129.215 with Deny from all. And then only publicise the HTTPS URL, and replace the Require valid-user with one of the one of the following:

  Require user neilb gdutton squinney ...
or to use an existing capability:
  AuthGroupFile /liveroot/conf/access/group.capabilities
  Require group role/sysman

That's it, but remember to cvs add and commit your .htaccess and .sslaccess files. Those more familiar with apache config, can refine these restrictions to only certain files within a folder by using things like the <files> directive.

NeilB 27/7/2011


 : Doc 

Mini Informatics Logo - Link to Main Informatics Page
Please contact us with any comments or corrections.
Unless explicitly stated otherwise, all material is copyright The University of Edinburgh
Spacing Line