There are several factors to consider when restricting access to SLAC web pages or entire web sites. Our computing environment has traditionally been very open and, as a result, our production web servers are by default accessible to the entire Internet. Therefore you, as a web author, must take explicit action to restrict access to SLAC web pages or sites; nothing is restricted unless you restrict it.

Access Levels

 

Authentication and Encryption

Since we use our SLAC Windows usernames and passwords to access SLACONLY and GROUPONLY subdirectories on the Windows web server (authentication), we also require encryption so that neither the passwords nor the requested data are sent over the network in clear text. Encryption is provided by SSL (Secure Socket Layer). An SSL-enabled Unix server is also available, but authentication with standard usernames and passwords is not available on it.

By convention, links to pages/sites that use SSL must use the https protocol rather than http. In practical terms this means that if you were using a relative link to a page (such as <a href="/owner/mcdunn">McDunn</a>), you need to invoke SSL by replacing it with an absolute https reference (such as <a href="https://www-internal.slac.stanford.edu/owner/mcdunn">McDunn</a>). A relative link inherits whatever protocol the current page was loaded with, so it will not switch a visitor to SSL.

Enabling Restricted Access

The mechanics of restricting access depend on which web server you are using. There are trade-offs between ease of use, offsite accessibility, and encryption/authentication on the two servers. The following is a summary of the two types of web server.

Unix (Apache)
  Authentication: No.
  Encryption: Optional. A secure (SSL) server is available.
  Restriction: Based on the IP address of the browsing computer.
  Set-up: The characters "slaconly" need to be in the path or filename. No administrative set-up is required.
  Grouponly: .htaccess directives are used to allow or deny access to a subdirectory. No subdirectory naming convention has been established.

Windows/IIS
  Authentication: Yes, to SLAC domain Windows accounts only. SSRL domain accounts do not work.
  Encryption: Required.
  Restriction: Based on authentication.
  Set-up: Space requests on the secure Windows server are handled by www-admin@slac.stanford.edu. There will be separate web sites for restricted and public web space.
  Grouponly: A global Windows group is established and granted browse access to a specific subweb named "grouponly" on the secure server.

Viewing Restricted Web Pages at SLAC

Unix Web Server (www.slac.stanford.edu)

Our Unix web server is, by default, open to the Internet community. Pages in "individual" home space (that is, within a public_html subdirectory of an AFS Unix account, accessed via www.slac.stanford.edu/~username) are not indexed by our internal search robot, and external robots are asked to stay out by a robots.txt file. Unfortunately, not all search/indexing robots respect the robots.txt convention, and robots.txt is not an access control: it keeps well-behaved crawlers out of a search index but does nothing to stop a person or program that requests the page directly.

SLACONLY

Web pages on the Unix server can be restricted so they can only be viewed by computers that have a SLAC recognized IP address (essentially 134.79.*) simply by putting "slaconly" in the file name or path. For example, the following files are restricted using this method:

Using "slaconly" within the name of a script that generates dynamic content (through cgi-wrap) may not, however, work as expected.
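The page describes the effect of the "slaconly" convention but not the server configuration behind it. As an added example (not the actual SLAC server configuration, which this page does not show), this is one way a site administrator could implement it in Apache: any request whose URL path contains "slaconly" is allowed only from SLAC addresses (134.79.*). The directive syntax is the Apache 2.2 style that matches the .htaccess example later on this page; the 2.4 equivalent is given in the comment.

```apache
# Added example, not SLAC's real configuration: restrict every URL whose
# path (directory or file name) contains "slaconly" to SLAC addresses.
# <LocationMatch> matches the request URL, not the file system path, which
# is one reason a script run through a CGI wrapper may not be covered.
<LocationMatch "slaconly">
    Order deny,allow
    Deny from all
    Allow from 134.79.0.0/16
</LocationMatch>

# Apache 2.4 equivalent of the block above:
# <LocationMatch "slaconly">
#     Require ip 134.79.0.0/16
# </LocationMatch>
```

Note that this is purely a source-address check: it offers no encryption, and it tells the server nothing about who the person at that address is.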

GROUPONLY

Restricting access to Unix web space to a specific group of users is accomplished with .htaccess directives for the Apache web server. The basics of this system are to create a configuration file (.htaccess) in the subdirectory to be protected and then to create the username/password entries that file refers to.

NOTE: These usernames and passwords must not be the same as your Windows or Unix usernames and passwords. Basic authentication sends the username and password in clear text with every request, and on the non-SSL Unix server nothing encrypts that traffic.

For a very simple example, try to access the following subdirectory:

When prompted, use "testing" as the username and "protect" as the password. This restriction was enabled by creating the .htaccess file and then setting a password for the username.

The .htaccess file looks like this (it is located at /afs/slac/u/is/mcdunn/public_html/protect/):


# Password file kept outside public_html so it can never be fetched over the web
AuthUserFile /afs/slac/u/is/mcdunn/passwords/.htpasswd
# No group file is used in this example (no "require group" lines)
AuthGroupFile /dev/null
# Realm name shown in the browser's password prompt
AuthName EnterPassword
AuthType Basic

# Applies to every request method. Wrapping this in <LIMIT GET> ... </LIMIT>,
# as is often seen, would leave POST and other methods unprotected.
require user testing

Then I created a subdirectory named "protect" at /afs/slac/u/is/mcdunn/public_html/protect, which is the directory the .htaccess file above protects. Then I created the password for the "testing" username by running the following command.

htpasswd -c /afs/slac/u/is/mcdunn/passwords/.htpasswd testing

You will then be prompted to type in the password, twice, for that username. The -c flag creates the password file, overwriting any existing file of that name; to add further users to an existing .htpasswd, omit -c. Keep the password file outside public_html, as in this example, so that it cannot be downloaded from the web server.
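To make concrete what Basic authentication actually puts on the wire, and why the note above insists on separate passwords, here is an added example (not code from this page or from SLAC): a small Python model of the browser/server exchange for the "testing"/"protect" user. The .htpasswd entry is constructed in the {SHA} format that `htpasswd -s` writes; the page's own `htpasswd -c` command uses whatever hash that htpasswd build defaults to. The function names, and modelling the `require user testing` line as a set of allowed users, are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after the realm prompt.

    Basic auth is only base64 encoding of "user:password", not encryption,
    which is why it must travel over SSL when the password matters.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover the clear-text user and password from an Authorization header.

    Anyone who can read the unencrypted HTTP request can do exactly this.
    Returns None for a malformed or non-Basic header.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def sha_entry(user: str, password: str) -> str:
    """Produce a .htpasswd line in the {SHA} form written by `htpasswd -s`."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash, ignoring blank lines and '#' comments."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep:
            entries[user] = stored
    return entries


def check_password(stored: str, password: str) -> bool:
    """Verify a password against a {SHA} entry; unknown formats are rejected."""
    if not stored.startswith("{SHA}"):
        return False
    expected = sha_entry("", password).split(":", 1)[1]
    # Constant-time comparison of the two base64 digests
    return hmac.compare_digest(stored, expected)


def authorize(header: Optional[str], entries: Dict[str, str],
              allowed_users: Set[str]) -> bool:
    """Model the server side of `AuthType Basic` plus `require user ...`."""
    if header is None:          # no Authorization header: challenge, deny
        return False
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = entries.get(user)
    if stored is None or not check_password(stored, password):
        return False
    return user in allowed_users


# Constructed sample password file for the page's example user (assumption:
# it stands in for the real .htpasswd the page's htpasswd -c command created).
EXAMPLE_HTPASSWD = "# generated for the example\n" + sha_entry("testing", "protect") + "\n"
REQUIRED_USERS = {"testing"}  # the `require user testing` line


if __name__ == "__main__":
    hdr = basic_header("testing", "protect")
    print("browser sends:", hdr)
    print("readable by anyone on the path:", decode_basic_header(hdr))
    entries = parse_htpasswd(EXAMPLE_HTPASSWD)
    print("granted:", authorize(hdr, entries, REQUIRED_USERS))
    print("wrong password granted:",
          authorize(basic_header("testing", "wrong"), entries, REQUIRED_USERS))
```

Running it prints the header the browser would send (`Basic dGVzdGluZzpwcm90ZWN0`) and decodes it straight back to `('testing', 'protect')`, which is the whole reason a reused Windows or Unix password must never go into an .htpasswd on the unencrypted server.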

For more information about .htaccess, see the article "htpasswd or the Equivalent".

Windows Web Servers

SLACONLY and GROUPONLY restricted webs on the Windows servers can only be set up on our intranet server at https://www-internal.slac.stanford.edu/. This web server is encrypted (SSL with 128-bit encryption) and authenticates against SLAC Windows account usernames and passwords. Specific subdirectories within a web on this server can be set up with browse access for a given Windows group. You can log into this server from any computer connected to the Internet using a browser that has 128-bit encryption enabled, with your Windows account name (sometimes you need to enter it as SLAC\username) and password.

