Translated using DeepL

Machine-translated page for increased accessibility for English questioners.

Page in original, Czech language.
This page can be used as a stepping stone in implementing web access restrictions. If you are serious about security, it is essential to study the issue in more detail, at least on the Apache website.

Securing sites with passwords

In the directory whose contents you want to password-protect, create a file .htaccess:

AuthName "restricted area name"
AuthType Basic
AuthUserFile /path/to/the/file/with/the/passwords
Require valid-user
The AuthName entry specifies the name of the protected area that will be displayed to accessing clients when they request the password (the multi-word string must be enclosed in quotes). The entry AuthUserFile refers to the file where all allowed access names and passwords are defined. For the sake of illustration, suppose that .htaccess with the following content is located in the directory /home/xnovak99/public_html/censored: 
AuthName "Libri prohibiti"
AuthType Basic
AuthUserFile /home/xnovak99/public_html/.htpasswd
Require valid-user
Then it is specified that access to files in the subtree security (the URL thus starts with https://www.fi.muni.cz/~xnovak99/security) is only authorized after a valid username and password have been entered according to the information in the aforementioned file .htpasswd.

The file referenced via AuthUserFile has the following text form:

login1: encoded_password1
login2: encoded_password2
...
Set the contents of the .htpasswd file using the command htpasswd: 
$ htpasswd /home/xnovak99/public_html/.htpasswd login1
New password: 
Re-type new password: 
Adding password for user login1

The password file must be accessible to the WWW server, i.e. readable by the user apachefi. In your case, it can therefore be implemented with the permission r for others and must be located in a directory that is already accessible from the root ( /) with the permission x for others. A more secure way is to use the ACL: setfacl -m u:apachefi:r .htaccess. Of course, the same applies to files in the password protected area - they must be accessible in the file system, just like the unsecured pages. So it's obvious that this type of protection only applies against people who don't have a Unix account on FI. If you want to secure something against these users as well, you can use the aforementioned ACL or other more sophisticated methods.

Kerberos

GSSAPI/Kerberos is a system used on faculty machines or on Fadmin to authenticate users. There is nothing stopping you from using it to authenticate your site users as well. The only restriction is that they must have a valid login. A faculty password will be used.

Example configuration .htaccess: 
AuthType GSSAPI
AuthName "My secret documents"
Require user login1 login2

Using Require valid-user would successfully authenticate anyone with a valid FI login. See also the description of the mod_auth_gssapi module configuration options. However, the module is already preconfigured to work with faculty authentication.

On classroom faculty machines, we try to ensure that browsers can take advantage of existing graphical session authentication via Kerbera - so you may find that you can get protected pages to work without logging in. In that case, it helps to discard Kerbera tickets by calling kdestroyin the terminal.

Kerberos + LDAP

If you want to make the site available to members of certain faculty groups (there must be a Unix group, see aisa$ getent group), you must use LDAP authorization (authentication remains Kerberos). The configuration for Kerberos looks the same as in the previous example.

Access to groups or individual users can be added using a combination of RequireAny, Require ldap-user and Require ldap-group. The web server is already preconfigured to look up the users and groups entered in this way in the faculty LDAP. For example:

<RequireAny>
    Require ldap-group cn=GROUP_NAME,ou=Group,dc=fi,dc=muni,dc=cz
    Require ldap-group cn=OTHER_GROUP_NAME,ou=Group,dc=fi,dc=muni,dc=cz
    Require ldap-user USER_LOGIN
</RequireAny>

Control access to pages by client address/name.

In the directory you want to treat this way, create a file .htaccess and add the following lines:

Require ip IP1 IP2 …
Require host hostname1 hostname2 …

Only clients explicitly identified by Require …will be able to access this subtree of the site. There can be any number of parameters (separated by a space). A parameter can be

  • For Require ip
    • IP address: 10.0.0.240
    • Address prefix: 10.0.0 (same meaning as 10.0.0.0/24)
    • IP address with mask: 10.0.0.0/255.0.0.0
    • CIDR syntax address: 10.0.0.0/8
    • IPv6 address: 2001:718:801:235::b
    • IPv6 address with mask: 2001:718:801:230::/64
  • For Require host
    • Domain name or its suffix: fi.muni.cz (thus corresponds to clients " fi.muni.cz", " node2.fi.muni.cz", but does not correspond to " fifi.muni.cz" - an imaginary dot is always considered before the specified suffix, unless it is explicitly stated there)

If, on the other hand, you need to allow access to all but some selected machines/domains, the directive <RequireAll> is available. Denying access from the nekde.cz domain would look like this:

<RequireAll>
    Require not host somewhere.org
    Require all granted
</RequireAll>

See the Apache 2.4 documentation for more details.