How to limit your pages to the Rice campus

An introduction to WWW access control



Background

Access control for the web means "who can read what" (or in the case of CGI programs, "who can run what").

For the Unix-based NCSA and Apache web servers commonly used at Rice, access control is set on a per-directory basis by putting a ".htaccess" file in the directory. Subdirectories inherit access control rules from their parent directories, and each web server has a default set of rules which apply to any directory that contains no ".htaccess" file anywhere in its path.

There are two kinds of access control: IP-address-based and password-based.

  • IP-address-based access control is the simplest form. It uses the IP address of the web client (i.e., the name or number of the computer on which the user is running a browser) to determine whether the user has permission to see a given document. It is most commonly used at Rice to restrict access to the campus (see the first sample .htaccess file below).

  • Password-based access control requires the user to enter a username and password in a dialogue box before viewing a document. Password-based access control is of limited use on a shared web server in a large multi-user environment such as Owlnet or the RUF. This is because your fellow Unix users can bypass the web server's access control by reading your documents directly through the local filesystem (documents must be readable by all local users in order for the web server to see them and serve them out). Unless you run your own web server, password-based access control is probably not appropriate and should be used with caution.

Sample .htaccess files

Access from Rice campus only

# This file limits access to users on the Rice campus, including dialup
# and ISDN users.  Both the name ".rice.edu" and explicit numeric subnets
# are specified in order to accommodate machines whose names may be
# messed up in the host tables.
# 
# Because Rice numeric subnets change occasionally, be sure to refer
# back to http://www.rice.edu/web/access-control.html and watch
# the RICEWWW mailing list / rice.riceinfo.www newsgroup for updates.
#
order deny,allow
deny from all
allow from .rice.edu
allow from 128.42
allow from 192.136.146
allow from 192.136.153
allow from 192.225.19
allow from 204.1.8.162

Access from a subdomain

# This file limits access to users on the IT subdomains (subnets 30 and 42).
#
order deny,allow
deny from all
allow from 128.42.42
allow from 128.42.30

Access from the whole world

# This file allows access from everywhere (use this to get *looser*
# access control if your server is restrictive by default).
#
order allow,deny
allow from all
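
How the server decides a request under these files, as an added example: a simplified Python model of the order/deny/allow decision, written for this page's samples and not taken from Apache, NCSA httpd, or the original page. The function names and the test clients are assumptions, and the client's reverse-DNS name is passed in as a parameter rather than looked up.

```python
# Rule file copied from this page's "Access from Rice campus only" sample.
CAMPUS_HTACCESS = """\
order deny,allow
deny from all
allow from .rice.edu
allow from 128.42
allow from 192.136.146
allow from 192.136.153
allow from 192.225.19
allow from 204.1.8.162
"""

def parse_htaccess(text):
    """Collect the order keyword and the allow/deny specs (other lines are ignored)."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # Apache's default order
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].lower().split()
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[1] == "from" and words[0] in rules:
            rules[words[0]].extend(words[2:])
    return order, rules["allow"], rules["deny"]

def spec_matches(spec, ip, hostname):
    """True if one 'from' spec covers the client (simplified model)."""
    if spec == "all":
        return True
    if spec[0].isdigit():
        # Full or partial IP: whole leading octets must be equal.
        want = spec.rstrip(".").split(".")
        return ip.split(".")[:len(want)] == want
    if hostname is None:  # no reverse-DNS name available: name rules cannot match
        return False
    host = hostname.lower()
    return host == spec or host.endswith(spec if spec.startswith(".") else "." + spec)

def is_allowed(htaccess_text, ip, hostname=None):
    """Apply the order/deny/allow decision to one client."""
    order, allow, deny = parse_htaccess(htaccess_text)
    allowed = any(spec_matches(s, ip, hostname) for s in allow)
    denied = any(spec_matches(s, ip, hostname) for s in deny)
    if order == "deny,allow":  # allow overrides deny; unmatched clients pass
        return allowed or not denied
    if order == "allow,deny":  # deny overrides allow; unmatched clients fail
        return allowed and not denied
    raise ValueError("unsupported order: " + order)

if __name__ == "__main__":
    for ip, name in [("128.42.5.10", None), ("192.0.2.7", "www.notrice.edu")]:  # constructed clients
        print(ip, name, is_allowed(CAMPUS_HTACCESS, ip, name))
```

A campus machine with no usable name is still admitted through its numeric subnet, which is why the sample lists both forms. A name that merely ends in "rice.edu" without the leading dot boundary is refused.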


Notes for NCSA httpd users

The above examples are for the Apache web server most commonly in use at Rice. If you are using the older NCSA httpd server, there is a slight difference in the required syntax of .htaccess files. Specifically, the order, deny and allow specifications must be bracketed by a <Limit> directive: <Limit GET HEAD POST> ... </Limit>. Here is an example:

# This file limits access to users on the Rice campus, including dialup
# and ISDN users.  Modified for use with NCSA httpd.
#
<Limit GET HEAD POST>
order deny,allow
deny from all
allow from .rice.edu
allow from 128.42
allow from 192.136.146
allow from 192.136.153
allow from 192.225.19
allow from 204.1.8.162
</Limit>

Also note that NCSA httpd is inexplicably sensitive to proper Unix-style newline characters in the .htaccess file. Files which are missing newlines, even at the end of the last line in the file, will not work properly.


For more information

  • Using .htaccess Files with Apache: A tutorial from Apache Today. Aimed more at administrators of Apache servers than at authors of individual web pages, but still friendlier than the raw Apache docs.

  • NCSA httpd access control overview: The original definitive document on .htaccess files in NCSA httpd.

  • User authentication tutorial: Primarily concerned with password-based access control, this tutorial also includes examples of IP-address-based access control. Written for NCSA httpd.

Good luck. If you have questions, contact "riceinfo@rice.edu".



-- RiceInfo support (riceinfo@rice.edu) 2000.10.04

URL: http://www.rice.edu/web/access-control.html
Copyright 1996-2000 Rice University

 

 

This page updated 10/25/00
© 2000 Rice University