Stanford University School of Earth Science
 

Limit access to certain computers

Last revision July 20, 2004

Create your .htaccess file with the lines specified below, substituting a value appropriate to your case for the placeholder keyword IP_or_domain.

AuthType Basic
Order deny,allow
Deny from all
Allow from IP_or_domain

The Order directive line just says that when the web server is checking to see whether to allow access to a viewer on a particular computer, it will first check to see if any Deny directives apply, and then look to see if any Allow directives apply. The next line, the Deny from all directive, then says the basic default condition is to not let any computer have access. This default denial can then be overridden by giving permission to specific computers.

You can now put in one or more Allow from directives to allow access by specific computers. You can specify either a single IP address, a range of IP addresses, a single complete host name, or a domain of hostnames. You can have multiple Allow from directives to mix and match among these formats.

Here are examples of various Allow from directives showing how to limit access with the different formats.

Allow from 171.64.168.69
Says that a computer with the specific IP address 171.64.168.69 will be allowed to access the files in this directory. If the viewer who is requesting these pages is not coming from a computer with this specific address, then he will be denied access (by the Deny from all directive), unless his computer matches another Allow from directive in the same .htaccess file.

Allow from 171.64.168.0/21
Says to allow access from any computer that has an IP address in the range that has been allocated to the School of Earth Sciences network. Allowing access by a range of IP addresses like this is a little tricky, because you have to understand how to specify the base address of the range, and then the "netmask bits" that indicate how many possible addresses can follow that base. Generally, you should only use IP address ranges to restrict access to a small set of computers, where the network manager can supply the correct base address and netmask bits for you. To limit access to an entire organization (such as all of Stanford), you should use the domain method, below.

Allow from gondwana.stanford.edu
This example allows access from the computer whose IP hostname is gondwana.stanford.edu. The web server will actually contact network name servers to find out which IP hostname is associated with the IP address of the computer that is requesting the page (IP addresses are included in all network packets). So this method only works if your computer is properly registered with a name server (as all computers on the Stanford campus are).

Allow from stanford.edu
This example allows access from any computer in the stanford.edu network domain, which corresponds to all computers on the Stanford University campus (and some off-campus sites).

For a complete example, suppose the pangea user with account name "joe" wants to put some html files in his personal web directory and limit access to only computers at Stanford. His personal web directory is the subdirectory WWW in his home directory. He is in the Geological and Environmental Sciences department, so the full Unix directory path of this directory on pangea is /home/ges/joe/WWW. The web URL for this directory is simply http://pangea.stanford.edu/~joe. Joe makes a sub-directory within WWW to store his restricted files, and calls that sub-directory personal. Its complete Unix path is /home/ges/joe/WWW/personal, and its URL is http://pangea.stanford.edu/~joe/personal/. Within that personal directory, Joe makes the file .htaccess with the following lines:

AuthType Basic
Order deny,allow
Deny from all
Allow from stanford.edu
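
The following added example (not part of the original page and not the web server's own code) models how the Order deny,allow rule and the four Allow from formats described above decide a request. The client addresses and host names are constructed, and the host name is passed in as input rather than looked up from a name server.

```python
import ipaddress

# "Allow from" values taken from the examples on this page.
ALLOW_FROM = ["171.64.168.69", "171.64.168.0/21",
              "gondwana.stanford.edu", "stanford.edu"]

def as_network(spec):
    """Return an ip_network for an address or base/bits value, else None."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None  # not an address: treat as a host or domain name

def cidr_range(spec):
    """First and last address covered by a base/netmask-bits value."""
    net = as_network(spec)
    return str(net.network_address), str(net.broadcast_address)

def matches(spec, client_ip, client_host):
    """True if one 'from' value matches the requesting computer."""
    if spec == "all":
        return True
    net = as_network(spec)
    if net is not None:
        return ipaddress.ip_address(client_ip) in net
    if not client_host:          # no reverse-DNS name, so names cannot match
        return False
    host, name = client_host.lower().rstrip("."), spec.lower().lstrip(".")
    # Whole labels only: lab.stanford.edu matches, evilstanford.edu does not.
    return host == name or host.endswith("." + name)

def allowed(client_ip, client_host, allow=ALLOW_FROM, deny=("all",)):
    """Order deny,allow: check Deny first, then let any matching Allow override."""
    decision = not any(matches(d, client_ip, client_host) for d in deny)
    if any(matches(a, client_ip, client_host) for a in allow):
        decision = True
    return decision

if __name__ == "__main__":
    # Constructed clients: (IP address, reverse-DNS name or None).
    for ip, host in [("171.64.175.200", None), ("171.64.176.1", None),
                     ("192.0.2.10", "lab.stanford.edu"),
                     ("203.0.113.7", "evilstanford.edu"),
                     ("203.0.113.7", "stanford.edu.example.net")]:
        print(ip, host, "->", "allow" if allowed(ip, host) else "deny")
```

Calling cidr_range("171.64.168.0/21") shows that the range example covers 171.64.168.0 through 171.64.175.255.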

 

