There are several factors to consider when restricting access to SLAC web pages or entire web sites. Our computing environment has traditionally been very open and, as a result, our production web servers are by default accessible to the entire Internet community. Therefore, you (as a web author) must take positive action to restrict access to SLAC web pages or sites.
- Open - everyone on the Internet can see the pages and most are indexed by the SLAC search robot and most external robots.
- SLACONLY - viewable by the SLAC community, defined by IP address of the requesting computer (Unix web server) or by SLAC Windows username/password (Windows web server).
- GROUPONLY - viewable by a group defined by you and access enabled by a specific username and password you create (Unix web server) or by a SLAC Windows username/password and membership in a created SLAC Windows global group (Windows web server).
Authentication and Encryption
Since we are using our SLAC Windows usernames and passwords to access SLACONLY and GROUPONLY subdirectories on the Windows web server (authentication), we also require encryption so the passwords and the requested data are not sent over the network in clear text. Encryption is enabled using SSL (Secure Socket Layer). A SSL enabled Unix server is also available for use, but authentication through standard usernames and passwords is not available.
By convention, links to pages/sites that use SSL require the https protocol, rather than http. In practical terms this means that if you were using a relative link to a page (such as you need to invoke SSL by replacing the link with an absolute reference (such
Enabling Restricted Access
The mechanics of restricting access on our web servers depend on which web server you are using. There are trade-offs between ease of use, offsite accessibility, and encryption/authentication on the two servers. The following table summarizes the two types of web servers.

| | Unix web server (www.slac.stanford.edu) | Windows web server (www-internal.slac.stanford.edu) |
|---|---|---|
| Authentication | No | Yes, to SLAC domain Windows accounts only. SSRL domain accounts do not work. |
| Encryption | Optional. A secure server is available. | Required. |
| Restriction | Based on IP address of the browsing computer. | Based on authentication. |
| Set-up | The characters "slaconly" need to be in the path or filename. No administrative set-up required. | Space requests on the secure Windows server are handled by email@example.com. There will be separate web sites for restricted and public web space. |
| Grouponly | .htaccess directive used to allow or deny access to a subdirectory. No subdirectory naming convention has been established. | Global Windows group established and granted browse access to a specific subweb named "grouponly" on the secure server. |
Unix Web Server (www.slac.stanford.edu)
Our Unix web server is, by default, open to the Internet community. Pages that are in "individual" home space (that is, within a public_html subdirectory in an AFS Unix account and accessed via www.slac.stanford.edu/~username) are not indexed by our internal search robot, and external robots are excluded by use of a robots.txt file (unfortunately, not all search/indexing robots respect the robots.txt convention).
Web pages on the Unix server can be restricted so they can only be viewed by computers that have a SLAC recognized IP address (essentially 134.79.*) simply by putting "slaconly" in the file name or path. For example, the following files are restricted using this method:
- http://www.slac.stanford.edu/grp/pao/slaconly.staffhost.visit.html (slaconly in the file name)
- http://www.slac.stanford.edu/grp/do/slaconly/allhands.html (slaconly subdirectory)
Using "slaconly" within the name of a script that generates dynamic content (through cgi-wrap) may not, however, work as expected.
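As an added illustration of the rule just described (this is not SLAC's own server code, only a model of it), the following script decides whether a request would be served and audits a list of URLs from a given client address. It assumes "134.79.*" means 134.79.0.0/16 and that the match is a plain case-sensitive substring test on the URL path; the two restricted URLs are the page's own examples, and the third URL and the client addresses are constructed.

```python
"""Added example (not SLAC's own code): a model of the Unix server's
"slaconly" rule. A request for a path or file name containing "slaconly"
is served only to clients inside the SLAC address range.
Assumptions: "134.79.*" is taken to mean 134.79.0.0/16, and the match is
a plain case-sensitive substring test on the URL path (a query string is
not part of the path)."""
import ipaddress
from urllib.parse import urlsplit

SLAC_NET = ipaddress.ip_network("134.79.0.0/16")   # assumed from "134.79.*"
MARKER = "slaconly"


def is_slaconly(url_or_path: str) -> bool:
    """True when 'slaconly' appears anywhere in the path or file name."""
    path = urlsplit(url_or_path).path
    return MARKER in path


def client_may_view(url_or_path: str, client_ip: str) -> bool:
    """Decision for one request: open pages are always served,
    slaconly pages only to SLAC addresses."""
    if not is_slaconly(url_or_path):
        return True
    return ipaddress.ip_address(client_ip) in SLAC_NET


def audit(urls, client_ip: str) -> dict:
    """Classify each URL as seen from client_ip: 'open', 'slaconly:allowed'
    or 'slaconly:denied'. Handy for checking that pages meant to be
    SLAC-only really carry the marker before they are published."""
    result = {}
    for u in urls:
        if not is_slaconly(u):
            result[u] = "open"
        elif client_may_view(u, client_ip):
            result[u] = "slaconly:allowed"
        else:
            result[u] = "slaconly:denied"
    return result


# Constructed sample: the page's two example URLs plus an unrestricted one.
SAMPLE_URLS = [
    "http://www.slac.stanford.edu/grp/pao/slaconly.staffhost.visit.html",
    "http://www.slac.stanford.edu/grp/do/slaconly/allhands.html",
    "http://www.slac.stanford.edu/grp/do/index.html",
]

if __name__ == "__main__":
    # one SLAC address and one outside address (both constructed)
    for ip in ("134.79.10.20", "198.51.100.7"):
        print(ip, audit(SAMPLE_URLS, ip))
```

Note that the marker is looked for only in the path: a request whose query string contains "slaconly" is not restricted by this rule, which is one reason dynamic (cgi-wrap) scripts behave differently from static files.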
Restricting access to Unix web space to a specific group of users is accomplished by using the .htaccess directive for the Apache web server. The basic steps are to create a configuration file (.htaccess) and then create the username/password entries.
NOTE: These usernames and passwords must not be the same as your Windows or Unix usernames and passwords.
For a very simple example, try to access the following subdirectory:
When prompted, use "testing" as the username and "protect" as the password. This restriction was enabled by creating the .htaccess file and then setting a password for the username.
The .htaccess file looks like this (and is located at /afs/slac/u/is/mcdunn/public_html/protect/):
```
require user testing
```
Then I created a subdirectory named "protect" at /afs/slac/u/is/mcdunn/passwords/protect. Then I created the password for the "testing" username by running the following command.
```
htpasswd -c /afs/slac/u/is/mcdunn/passwords/.htpasswd testing
```
You will then be prompted to type in the password - twice - for that username.
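The following is an added, offline-testable walk-through of the GROUPONLY set-up above; it is not the page's own tooling. It writes the complete .htaccess (the page shows only its "require user" line; AuthType, AuthName and AuthUserFile are the standard Apache directives that accompany it), stores a user in .htpasswd in the {SHA} format that `htpasswd -s` writes, and checks a browser's Authorization header the way the server does, which also shows why the page insists on https for password-protected pages. The AFS path and the testing/protect pair are the page's values; the realm name is an assumption.

```python
"""Added example, not SLAC's own code: the pieces of the .htaccess/.htpasswd
procedure described on the page, written out so they can be run and
tested offline. The AFS path and the testing/protect pair come from the
page; the realm name is an assumption."""
import base64
import hashlib
import hmac
import os
import tempfile

PASSWD_FILE = "/afs/slac/u/is/mcdunn/passwords/.htpasswd"   # from the page


def htaccess_text(realm: str, passwd_file: str, users) -> str:
    """Contents of the .htaccess placed in the protected subdirectory."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {passwd_file}",
        "require user " + " ".join(users),
    ]) + "\n"


def sha_entry(password: str) -> str:
    """{SHA} entry: base64 of the raw SHA-1 digest (what `htpasswd -s` stores)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def load_htpasswd(path: str) -> dict:
    """Parse user:hash lines; missing file means no users."""
    entries = {}
    if os.path.exists(path):
        with open(path) as f:
            for line in f:
                if ":" in line:
                    user, h = line.rstrip("\n").split(":", 1)
                    entries[user] = h
    return entries


def add_user(path: str, user: str, password: str) -> None:
    """Like `htpasswd file user`: add or replace one entry. The file lives
    outside public_html (as on the page) so it is never served; the mode
    is tightened too, although on AFS the directory ACL is what counts."""
    entries = load_htpasswd(path)
    entries[user] = sha_entry(password)
    with open(path, "w") as f:
        for u, h in entries.items():
            f.write(f"{u}:{h}\n")
    os.chmod(path, 0o600)


def decode_basic_header(header: str):
    """What travels on the wire: 'Basic ' + base64(user:password). Base64 is
    an encoding, not encryption, which is why the page requires https."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def check_credentials(path: str, user: str, password: str) -> bool:
    """Server-side check: look the user up, compare hashes in constant time."""
    stored = load_htpasswd(path).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))


def demo() -> tuple:
    """Round trip in a temp dir: (correct password accepted, wrong one rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        pf = os.path.join(tmp, ".htpasswd")
        add_user(pf, "testing", "protect")
        header = "Basic " + base64.b64encode(b"testing:protect").decode()
        user, pw = decode_basic_header(header)
        return (check_credentials(pf, user, pw),
                check_credentials(pf, "testing", "wrong"))


if __name__ == "__main__":
    print(htaccess_text("SLAC protected pages", PASSWD_FILE, ["testing"]))
    print(demo())
```

The decode step is the point of the page's earlier remark about SSL: anyone who can read the HTTP request can recover the username and password from the header, so a .htaccess-protected directory only keeps its password private when it is reached over https.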
For more information about .htaccess, see the article "htpasswd or the Equivalent".
Windows Web Servers
SLACONLY and GROUPONLY restricted webs on the Windows servers can only be set up on our intranet server at https://www-internal.slac.stanford.edu/. This web server is encrypted (using SSL and 128 bit encryption) and authenticated (to the SLAC Windows account username and password). Specific subdirectories within a web on this server can be set up with browse access for a given Windows group. You can log into this server from any computer connected to the Internet using a browser that has 128 bit encryption enabled, and using your Windows account name (sometimes you need to enter it as SLAC\username) and password.