Due to the operational nature of some of the content on our web site, it is sometimes wise to limit its access. In the basic case this can be limited in two ways.
Due to problems when we moved to Cosign of incorporating both these access methods into a file, at the Operation Meeting in June 2011 it was decided to use a separate access file for HTTPS connections. This way location based restrictions can go in the normal .htaccess file, but who (Cosign) restrictions can go in a .sslaccess file.
Having two different access files - .htaccess for HTTP and .sslaccess for HTTPS - does mean that you should always create both if limiting access, otherwise if you only place your restrictions in the .htaccess file, then people will be able to get unrestricted access via the HTTPS URL. Or vice-versa.
Say you want to limit access to the /private URL to machines in EdLAN, or any Informatics user. Then you'd checkout the directory as normal and then create .htaccess and .sslaccess files with the following contents.
.htaccess:

    Order Allow,Deny
    Allow from 129.215

.sslaccess:

    CosignProtected On
    CosignRequireFactor INF.ED.AC.UK
    AuthType Cosign
    Require valid-user
The .htaccess will let any browser on EdLAN access the pages over HTTP; outside of EdLAN they will be denied.
Over HTTPS, connections will be allowed from everywhere, but only if the user can Cosign authenticate. If you were to miss out the CosignRequireFactor line, then it would allow iFriends to also authorise. As anyone can self-register for iFriend, it effectively makes it world readable.
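An added example, not part of the original page or the site's own tooling: a Python check that walks a checked-out tree and flags directories where only one of the two access files exists, or where a .sslaccess turns Cosign on without a CosignRequireFactor line. It looks at each directory on its own and does not model settings inherited from parent directories; the function names are illustrative.

```python
import os
import sys

HT, SSL = ".htaccess", ".sslaccess"  # access file names as used on this page


def parse(path):
    """Map each directive name (lower-cased) to its argument list."""
    conf = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            parts = raw.split()
            if parts and not parts[0].startswith("#"):
                conf[parts[0].lower()] = parts[1:]
    return conf


def audit(root):
    """Return sorted (directory, finding) pairs for a checked-out tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "CVS" in dirnames:
            dirnames.remove("CVS")  # skip CVS metadata directories
        rel = os.path.relpath(dirpath, root)
        has_ht, has_ssl = HT in filenames, SSL in filenames
        if has_ht and not has_ssl:
            findings.append((rel, "no .sslaccess: HTTPS URL is not restricted here"))
        if has_ssl and not has_ht:
            findings.append((rel, "no .htaccess: HTTP URL is not restricted here"))
        if has_ssl:
            conf = parse(os.path.join(dirpath, SSL))
            protected = [a.lower() for a in conf.get("cosignprotected", [])] == ["on"]
            if protected and "cosignrequirefactor" not in conf:
                findings.append((rel, "no CosignRequireFactor: iFriend accounts accepted"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_access.py /path/to/checkout
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, finding in audit(root):
        print(f"{rel}: {finding}")
```

A directory reported here may still be covered by an access file higher up the tree, so treat each line as something to review rather than a confirmed exposure.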
If you wanted to limit a section to certain users regardless of where they were accessing it from, then you have to deny all HTTP access in the .htaccess file (hint: replace the Allow line with Deny from all). Then publicise only the HTTPS URL, and replace the Require valid-user line with one of the following:

    Require user neilb gdutton squinney

...or to use an existing capability:

    AuthGroupFile /liveroot/conf/access/group.capabilities
    Require group role/sysman
That's it, but remember to cvs add and commit your .htaccess and .sslaccess files. Those more familiar with Apache config can refine these restrictions to only certain files within a folder by using things
Unless explicitly stated otherwise, all material is copyright The University of Edinburgh