Zentraler Informatikdienst

Directory protection

For:  employees

These user guides help you to protect directories and files of your personal website or website for organisational units from unwanted access using advanced methods.

To protect directories from unauthorised access, you can use the .htaccess file. The following examples illustrate which entries are required for this in the .htaccess file.

Notes

  • In WordPress webspaces, some access protection functions are not supported. We therefore recommend that you do not change the .htaccess file created by WordPress.
  • If you want to set up single sign-on password protection for u:accounts, see the Single sign-on for websites guide.

Protecting directories

If you want to protect access to a subdirectory of your webspace with a password, the following steps are necessary:

1. Creating the file .htaccess

Create (with a text editor such as Notepad - not with Word, OpenOffice etc.) a file with the name .htaccess and the following content and place this file in the directory to be protected:

AuthName "Access only with user name and password"
AuthType Basic
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
Require valid-user

  • The value under AuthName is any text that appears when the password is requested and must be under inverted commas.

Then save this file in the directory (folder) to be protected.

The .htaccess file and, in principle, all files whose name begins with a dot are hidden and protected from web access; you always receive the reply Forbidden. For security reasons, you should name files with passwords, configuration files and the like .htpasswd, .htuser or .htconf.

Note

If the Shibboleth setting is activated in the web space admin, a file with the name httpd.conf and the content ShibCompatValidUser On must be created in the file system in the directory conf.d/ and the web space must then be restarted.

Note

If you have difficulties assigning a file name that begins with a dot under Windows, proceed as follows:

  1. Create a text file (textfile.txt). This is best done using Notepad (not Word, OpenOffice, etc.).
  2. Insert the content.
  3. Upload the file to your web space and rename it to: .htaccess or .htpasswd.

2. Creating the file .htpasswd

The file .htpasswd contains a user name and the corresponding encrypted password in each line. To make the file not accessible from the internet, create this file in the same directory as the html/ folder (base directory).

Example of an .htpasswd file:

Franz:$2y$10$1gQzatdJxDX4N5K1e.xcp.XV1DW0GgJ9v3zh..jMnH.ybVcvXtRhK
Karin:$2y$10$Yg6xRriQ1Z92EhH3asTib.B4aL5/8.5Rns.JZ.jap/bzTAYEvaWCS
Martin:$2y$10$05qzyktYWK7nat6jIu8UiuCzu228/BpCI/toXVyRKAc3tGNiB7zTu

Password generator

You can use this form to generate encrypted passwords:








  1. Type in all user names with the associated password in the rows.
  2. Click Generate passwords.
  3. You receive the coded files.

Then save the lines generated with this form in a file with the name .htpasswd in the base directory. Together with the .htaccess file, your directory is thus protected from unwanted access.

To top

Restricting access

It is possible to restrict access to a directory based on the IP address or the host name. To do this, the .htaccess file in the respective directory to be restricted must contain the following lines, for example:

# Data network Uni Vienna - IPv4
Require ip 131.130. 77.80. 78.104.
# Data network Uni Vienna - IPv6
Require ip 2001:62a::/31
# Uni Vienna hostname univie.ac.at
Require host univie.ac.at

This allows access only from computers whose IP address are from an IPv4/IPv6 address of the University of Vienna or whose host name ends with univie.ac.at. All others receive the error message: 403 Forbidden.

Note

Comments with "#" may only be entered in a separate line.

Protecting individual files

With the <Files> directive in the .htaccess file it is also possible to protect individual files from internet access.

Example:

<Files "config.php">
   Require all denied
</Files>

Listing the contents of a directory

To get an automatic listing of the contents of a directory that does not contain index.html, index.php or index.CGI (depending on the chosen webspace), you only have to enter the following into the directory's .htaccess file:

Options +Indexes
IndexIgnore *.gif datei.txt

After the optional IndexIgnore, you can specify files and/or file extensions that are excluded from the listing.

Then, after calling up the directory in your browser, the content is displayed in list form.

Note

There must be no index.html, index.php or index.CGI file in this folder (depending on the webspace created). If this is the case, the index page is displayed instead of the list.

Defininig separate MIME types

With the help of the .htaccess file, additional MIME types can also be defined. This means that on the basis of the file name extension, the server determines what type of file it is and sends corresponding information to the browser.

Depending on the configuration of the browser, a separate application can then be started, a plug-in can be activated in the browser or the file can be saved. A large number of MIME types are predefined. By means of corresponding directives, new types can be defined or existing types can be redefined. For example:

AddType application/x-wordperfect .wpi
AddType text/html .html

The last setting prevents server parsing of HTML documents, the MIME type is no longer text/x-server-parsed-html.

The entries described can also be combined in an .htaccess file.

Rewriting URLs via mod_rewrite

Example 1

The Fantasy Institute has a new website that can be reached via fantasy.univie.ac.at. In the home directory, the HTML file has changed from oldpage.html to newpage.html.

RewriteEngine On
RewriteBase "/"
RewriteRule "^oldpage\.html$" "newpage.html" [R=301,L]

The above script rewrites the URL part oldpage.html to newpage.html

Example 2

The original HTML file name should be included in the URL as a parameter. This can then be evaluated by a script, for example.

RewriteEngine On
RewriteBase "/"
RewriteRule "^(.*)\.html$" "?q=$1" [R=301,L]

The something.html will change to ?q=something.

Note

It is possible to override an existing Shibboleth directory protection with a general mod_rewrite statement. If you use Shibboleth, note that the "Shibboleth.sso" directory is excluded from the access restriction.

Example: RewriteCond defines a condition on which it depends whether the following RewriteRule rule is executed or not.

RewriteEngine On
RewriteBase "/"
RewriteCond "%{REQUEST_URI}" "!^/Shibboleth.sso"
RewriteRule "^(.*)$" "https://fantasy.univie.ac.at/$1" [R=301,L]

Forwarding URLs via redirect

If requests are forwarded by means of a Redirect in an .htaccess file, the URL part (here in the example fantasy) must be specified.

RewriteEngine On
RewriteBase "/"
RedirectPermanent "/oldpage.html" "https://fantasy.univie.ac.at"

To top