Enhanced Web Site Design
Stanford University Continuing Studies CS 22
Mark Branom markb@stanford.edu http://www.stanford.edu/people/markb/
Course Web Site: http://www.stanford.edu/group/csp/cs22

Restricting Access
• Unfinished business
• Limiting Access
Limiting Access to webpages
• Sometimes webmasters wish to restrict access to their webpages.
• This is done by protecting directories/folders, and then placing the files you wish to protect into these directories.
• Not all servers allow you to restrict your pages (the server must be configured to honor .htaccess files, i.e. AllowOverride AuthConfig for your directory); check with your ISP first!
Step 1: Create a .htpasswd database file
• Connect to your unix account
• Change directory to the directory you wish to protect (or, better, to a directory outside your web root: the AuthUserFile path in Step 2 can point anywhere, and a database outside the web root can never be served by mistake)
• Issue "htpasswd -c .htpasswd user1" (-c creates the file and overwrites an existing one, so use it only for the first user)
• Enter the password
• Enter the password a second time
• If you wish to add more users/passwords, issue "htpasswd .htpasswd user2" (no -c this time)
• Let htpasswd prompt for the password; passing it on the command line with -b leaves it in your shell history
Step 2: Create a .htaccess file
• Using a text editor, create a file called ".htaccess" in the directory you wish to protect:

    AuthUserFile /path/to/restricted/folder/.htpasswd
    AuthName YourDatabaseName
    AuthType Basic
    <Limit GET>
    require valid-user
    </Limit>

Note: Use "require user username" to restrict access to specific users
Note: <Limit GET> applies the requirement to GET (and HEAD) requests only; a POST or any other method would reach the files without a password. Unless you deliberately want that, leave the <Limit> container out, so that "require valid-user" covers every method.
Note: Basic authentication sends the username and password base64-encoded, not encrypted; anyone who can see the traffic can read them, so protected pages should be served over https.
.htaccess file
• The argument to AuthUserFile must be the full path of the database used to authenticate remote users. If you don't know the full path, you can use the unix pwd command in the directory that holds the .htpasswd file to find out.
• The argument to AuthName must be just one word -- if you want more than one word, you must enclose them in quotes:

    AuthName RestrictedPages
    or
    AuthName "Mark's Restricted Page"
    but not
    AuthName Mark's Restricted Page

• Case counts in the arguments: GET must be in all uppercase (HTTP method names are case-sensitive), and AuthName is all one word.
• Make sure you leave a blank line at the end (the last line of the file must end with a newline).
Example • http://www.stanford.edu/~markb/password/ username: stanford password: university
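To show what Steps 1 and 2 actually make the server do, here is an added example (not code from the course page) that builds an .htpasswd file the way "htpasswd -s" does, decodes the Authorization header a browser sends after the 401, and applies the "require valid-user" / "require user" decision. It uses the {SHA} entry format only (unsalted SHA-1, which is why a stolen .htpasswd is easy to crack); the $apr1$ and bcrypt formats that htpasswd also produces are deliberately rejected rather than reimplemented. The second user and its password are constructed for the demo; the stanford/university pair is the page's own.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def sha1_entry(user, password):
    """One .htpasswd line in the {SHA} format written by `htpasswd -s`:
    base64 of the raw, unsalted SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


def parse_htpasswd(text):
    """Map user -> stored hash. Only the first colon separates the two
    fields, so a hash that itself contains ':' survives intact."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify_password(stored, password):
    """Check a candidate password against one stored entry.  Only {SHA} is
    handled; $apr1$ (htpasswd -m), bcrypt (-B) and crypt() entries are
    refused rather than guessed at."""
    if not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], expected)  # constant-time compare


def build_basic_header(user, password):
    """What the browser sends after the 401: base64(user:password).
    This is encoding, not encryption, which is why Basic auth needs TLS."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header):
    """Decode an Authorization header value; returns (user, password) or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def authorize(users, header, require):
    """Return the user name if the request satisfies the .htaccess `require`
    line, else None.  `require` is "valid-user" or the list of names from
    `require user name1 name2`."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return None
    if require == "valid-user" or user in require:
        return user
    return None


def demo():
    """Write a two-user database to a temp dir, read it back as the server
    would, and run three requests through it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htpasswd")
        with open(path, "w") as fh:
            fh.write(sha1_entry("stanford", "university") + "\n")   # the page's demo pair
            fh.write(sha1_entry("user2", "s3cret-example") + "\n")  # constructed second user
        with open(path) as fh:
            users = parse_htpasswd(fh.read())
    return {
        "valid-user ok": authorize(users, build_basic_header("stanford", "university"), "valid-user"),
        "wrong password": authorize(users, build_basic_header("stanford", "stanford"), "valid-user"),
        "not in require user": authorize(users, build_basic_header("user2", "s3cret-example"), ["stanford"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s -> %r" % (name, result))
```

Run it and note the header value for stanford/university: it is "Basic c3RhbmZvcmQ6dW5pdmVyc2l0eQ==", a plain base64 encoding that any proxy or sniffer on an http connection can turn back into the password in one call.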
Other .htaccess functions
• Restricting/Allowing Access by domain/IP address (the two columns are opposite policies):

    Everyone except stanford.edu:        Only stanford.edu:
    order allow,deny                     order deny,allow
    allow from all                       deny from all
    deny from stanford.edu               allow from stanford.edu

  With "order allow,deny" the default is to deny and a matching deny line wins; with "order deny,allow" the default is to allow and a matching allow line wins, so "order deny,allow" together with "allow from all" makes every deny line dead.
• Restricting/Allowing Access to a specific file:

    <Files filename.html>                <Files login.php>
    Order allow,deny                     Order deny,allow
    Allow from all                       Deny from all
    </Files>                             Allow from stanford.edu
                                         </Files>

• Custom Error Documents (the argument must be a web path starting with "/" or a full URL; a bare "404.html" would be shown as literal text):
    ErrorDocument 404 /404.html
• Redirects (better than using the <meta http-equiv="refresh" content="0; url=newlocation.html"> method; the old location is a web path starting with "/"):
    Redirect 301 /oldlocation http://www.newplace.com/
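The Order/Allow/Deny lines above are easy to get backwards, so here is an added example (not from the course page) that evaluates them the way Apache 2.2's mod_access does and runs the slide's two columns, plus the common "Allow from all" mistake, against a constructed Stanford client and a constructed outside client. Client addresses come from the documentation ranges and the Stanford hostname is assumed to be what the server's double-reverse DNS lookup returns; hostname rules cannot match at all when lookups are off. In Apache 2.4 these directives live in mod_access_compat, and "Require ip" / "Require host" are the replacements.

```python
import ipaddress


def _matches(rule, ip, host=None):
    """Does one Allow/Deny argument match this client?  Handles the forms
    mod_access accepts: all, a full IP, CIDR or net/mask, a partial IP
    (leading octets), and a (partial) domain name matched on component
    boundaries, so "stanford.edu" matches cs.stanford.edu but not
    notstanford.edu."""
    rule = rule.lower()
    if rule == "all":
        return True
    try:  # full address, CIDR (10.0.0.0/8) or net/mask (10.0.0.0/255.0.0.0)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass
    if rule.replace(".", "").isdigit():  # partial IP: "198.51.100" means 198.51.100.*
        return (ip + ".").startswith(rule.rstrip(".") + ".")
    if host is None:  # a name rule needs the client's resolved hostname
        return False
    host = host.lower()
    rule = rule.lstrip(".")
    return host == rule or host.endswith("." + rule)


def decide(order, allow, deny, ip, host=None):
    """True if the client is admitted under Apache 2.2 Order semantics."""
    allowed = any(_matches(r, ip, host) for r in allow)
    denied = any(_matches(r, ip, host) for r in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow lines first, then Deny; a Deny match wins; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny lines first, then Allow; an Allow match wins; default is allow.
        return allowed or not denied
    raise ValueError("unknown Order: %r" % order)


def page_examples():
    """The slide's two columns and the classic mistake, evaluated for a
    constructed Stanford client and a constructed outside client."""
    inside = ("203.0.113.10", "cs.stanford.edu")    # assumed reverse-DNS name
    outside = ("198.51.100.7", "host.example.com")
    return {
        # Column 1: Order allow,deny / Allow from all / Deny from stanford.edu
        "col1 inside": decide("allow,deny", ["all"], ["stanford.edu"], *inside),
        "col1 outside": decide("allow,deny", ["all"], ["stanford.edu"], *outside),
        # Column 2: Order deny,allow / Deny from all / Allow from stanford.edu
        "col2 inside": decide("deny,allow", ["stanford.edu"], ["all"], *inside),
        "col2 outside": decide("deny,allow", ["stanford.edu"], ["all"], *outside),
        # The trap: with Order deny,allow, "Allow from all" overrides every Deny.
        "trap": decide("deny,allow", ["all"], ["198.51.100.0/24"], *outside),
        # Same intent written so the Deny line is actually effective.
        "trap fixed": decide("allow,deny", ["all"], ["198.51.100.0/24"], *outside),
        # No hostname available (HostnameLookups Off): a name rule never matches.
        "no lookup": decide("deny,allow", ["stanford.edu"], ["all"], "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, admitted in page_examples().items():
        print("%-13s -> %s" % (name, "allowed" if admitted else "denied"))
```

The "trap" entry is the one to remember: a block that reads as "allow everyone, deny this network" under "Order deny,allow" admits the network it names.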
More .htaccess functions
• IndexIgnore
• The IndexIgnore directive controls which files the web server will display in the directory listing of the directory in which the .htaccess file is placed.
• For example, to hide from view all picture files in the listing of files of a directory, enter the following directive (note that this does NOT prevent visitors from displaying the file if they know it exists; it merely causes the files to not be displayed in the list of files in the directory):
    IndexIgnore *.gif *.jpg *.png
  To turn directory listings off altogether (so visitors must know a file's name to fetch it), use "Options -Indexes" instead, if your host allows it.
• Prevent Hotlinking
• Hotlinking is the practice of embedding images or other media (sound, video, etc.) from one web site into another. Every time a visitor goes to a web page with an image on it, the web server that hosts that image is "hit" with the bandwidth needed to send that image. The web server that hosts the web page should be the same web server that hosts the image. You can prevent other webmasters from hotlinking your images by adding a few lines to your .htaccess file.
• In this example, the picture located at http://www.stanford.edu/~markb/stop.gif will be served in place of any GIF, JPG, BMP or PNG file requested from a page that is not on the Stanford servers:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?stanford\.edu/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    # (added) keep the rule from matching the replacement image itself
    RewriteCond %{REQUEST_URI} !/~markb/stop\.gif$
    RewriteRule .*\.(jpe?g|gif|bmp|png)$ /~markb/stop.gif [L]

• How it works: the first RewriteCond lets the request through when the Referer header claims a stanford.edu page ([NC] makes that comparison case-insensitive); the second lets through requests with no Referer at all (a visitor typing the image URL directly, or a browser that suppresses Referer); anything else that matches the RewriteRule pattern is rewritten to stop.gif.
• Caveats: the Referer header is set by the client, so anyone who sends a forged "http://www.stanford.edu/" Referer gets the real image; this stops casual hotlinking and saves bandwidth, it is not access control. If your own pages are served over https, the pattern must be "^https?://", or they will be blocked too. The RewriteRule pattern has no [NC], so file names with uppercase extensions (PHOTO.JPG) are not covered.
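To make the hotlink rule's behaviour concrete, here is an added example (not code from the course page) that applies the two RewriteCond patterns and the RewriteRule pattern from the slide to constructed (URI, Referer) pairs and reports what would be served. It assumes one extra condition exempting stop.gif itself, and it matches the RewriteRule pattern against the full URI, which is equivalent because the pattern starts with ".*". The forged-Referer and https cases are the ones that matter for security.

```python
import re

STOP_IMAGE = "/~markb/stop.gif"   # the replacement image from the slide

# RewriteCond %{HTTP_REFERER} !^http://(.+\.)?stanford\.edu/ [NC]   ([NC] = case-insensitive)
ALLOWED_REFERER = re.compile(r"^http://(.+\.)?stanford\.edu/", re.IGNORECASE)

# RewriteRule .*\.(jpe?g|gif|bmp|png)$ ...   (no [NC]: this pattern is case-sensitive)
MEDIA = re.compile(r".*\.(jpe?g|gif|bmp|png)$")


def serve_path(uri, referer):
    """Return the path the server ends up serving for (uri, Referer)."""
    if not MEDIA.match(uri):
        return uri            # rule pattern does not match: request untouched
    if uri == STOP_IMAGE:
        return uri            # assumed extra condition: never rewrite the stop image
    if not referer:
        return uri            # RewriteCond !^$ : a blank Referer is let through
    if ALLOWED_REFERER.match(referer):
        return uri            # Referer claims a stanford.edu page
    return STOP_IMAGE         # hotlink: swap in the stop image


def cases():
    """Constructed requests that exercise every branch of the rule."""
    img = "/~markb/photo.jpg"
    return {
        "hotlinked": serve_path(img, "http://www.example.com/page.html"),
        "own page": serve_path(img, "http://www.stanford.edu/~markb/"),
        "no referer": serve_path(img, ""),
        # any client can send this header; the rule has no way to tell
        "forged referer": serve_path(img, "http://www.stanford.edu/"),
        # the pattern says http:// only, so a real https page is blocked
        "https own page": serve_path(img, "https://www.stanford.edu/~markb/"),
        # ^ anchor and the trailing / keep look-alike hosts out
        "lookalike host": serve_path(img, "http://stanford.edu.example.com/"),
        # case-sensitive RewriteRule pattern: not matched, so served anyway
        "uppercase ext": serve_path("/~markb/PHOTO.JPG", "http://www.example.com/"),
        "stop image": serve_path(STOP_IMAGE, "http://www.example.com/"),
        "html": serve_path("/~markb/index.html", "http://www.example.com/"),
    }


if __name__ == "__main__":
    for name, served in cases().items():
        print("%-15s -> %s" % (name, served))
```

Two results to dwell on: "forged referer" returns the real image, which is why this is a bandwidth measure rather than access control, and "uppercase ext" shows the hole left by the missing [NC] on the RewriteRule.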