Web Publishing Reference Guide
Protecting Content
Limited and secure access to content over https (encrypted web connection) is available, allowing web publishers to restrict access to specific users or groups. This is done through two controls: an .htaccess.mit file and an access control list (system:htaccess.mit read) in each directory that needs to be restricted. These controls are put into place on Athena; if you are not familiar with Athena and need help with securing content on web.mit.edu, please contact web-help@mit.edu.
Caveats
Please note that access restrictions are provided with the following caveats. The information provider understands that:
- We encourage you to publish information openly, without restricted access, whenever possible.
- Members of the MIT community can forward information in electronic form to many outsiders. It is much easier to spread electronic information than bound, printed information, e.g. the MIT directory.
- It is up to the information provider to assess the risk involved in publishing information on a Web page. If the information shouldn't be printed in a local newspaper, think carefully before publishing that information on a web page.
How to Restrict Access via https
Restricting access to a list of users or a group has three steps.
- In the restricted directory, create an .htaccess.mit file listing the group(s) or list of people who should have access. The format for an .htaccess.mit file is similar for a list of users, a group, or for any MIT community member with a certificate. (These files are case-sensitive in both name and content, so be sure to name the file using lowercase letters, and uppercase only the word GET within the file, as shown below.)
Restrict access via https
Restrict to: all MIT certificate holders
Format of .htaccess.mit file:
<limit GET>
require valid-user
</limit>

Restrict to: a list of users
Format of .htaccess.mit file:
<limit GET>
require user username
</limit>
Example:
<limit GET>
require user lisanti jlreed tgriffin
</limit>

Restrict to: a group
Format of .htaccess.mit file:
<limit GET>
require group groupname
</limit>
Example:
<limit GET>
require group network web-team
</limit>
Notes:
- The web server does not allow you to combine group names and user names in the same .htaccess.mit file. You can combine multiple usernames or multiple groups on the same require line. Also, if you have a very long list of names or groups, put them on separate lines in the file: the .htaccess.mit files are very sensitive about soft line breaks, and may not behave consistently if lines wrap.
- If there are subdirectories within your restricted directory, you need not maintain a separate .htaccess.mit file within each subdirectory. As long as you set the access permissions correctly within each subdirectory (see next section), they will all use the parent .htaccess.mit file.
- If you do not create a .htaccess.mit file, access to the directory will not be limited, even if you correctly set the permissions as below.
- Change the access control list so that only people in the .htaccess.mit file have access. A script called mitwebacls can change your access control list automatically. To change your access control with mitwebacls:
- cd to the directory you wish to restrict
- Type:
add cwis; mitwebacls .
(mitwebacls foo does the same for a directory named foo, given by name instead of ".")
If you prefer to change your access privileges by hand, use the following instructions:
- Remove, if it exists, acl permission for system:anyuser:
fs sa . system:anyuser none
- Add, or leave, acl list and read permission for .htaccess.mit:
fs sa . system:htaccess.mit read
- Review the resulting permissions and the access file by typing:
fs la
cat .htaccess.mit
No matter which method you use, always test your work: have one user who is listed in the .htaccess.mit file and one who is not each visit your secured page over https on https://web.mit.edu/, and confirm that only the listed user gets in.
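As an added example that is not part of this guide and is not MIT's mitwebacls script, the following POSIX shell functions check an .htaccess.mit file against the rules above (lowercase file name, uppercase GET, no mixing of "require user" and "require group" in one file) and then apply the same two fs sa commands the manual procedure uses, finishing with fs la for review. The FS variable is an assumption for illustration: it defaults to the real AFS fs command, and setting FS=echo prints the commands instead of running them so the script can be tried off Athena.

```shell
#!/bin/sh
# Added example (not MIT's mitwebacls script): check an .htaccess.mit file
# against the rules in this guide, then apply the two "fs sa" changes.
# Assumption: FS names the AFS "fs" command; set FS=echo to print the
# commands instead of running them (used for offline testing).

# Validate an .htaccess.mit file. Prints the problem to stderr and returns 1
# on the first rule violation; returns 0 when the file looks acceptable.
check_htaccess_mit() {
  f="$1"
  # The file name is case-sensitive: only lowercase ".htaccess.mit" is honoured.
  case "$(basename "$f")" in
    .htaccess.mit) ;;
    *) echo "$f: must be named exactly .htaccess.mit (lowercase)" >&2; return 1 ;;
  esac
  # The directive is case-sensitive too: GET must be uppercase.
  if ! grep -q '^<limit GET>' "$f"; then
    echo "$f: missing '<limit GET>' (GET must be uppercase)" >&2; return 1
  fi
  if ! grep -q '^</limit>' "$f"; then
    echo "$f: missing closing '</limit>'" >&2; return 1
  fi
  # Count each kind of require line; user and group lines may not be mixed.
  users=$(grep -c '^require user ' "$f" || true)
  groups=$(grep -c '^require group ' "$f" || true)
  valid=$(grep -c '^require valid-user' "$f" || true)
  if [ "$users" -gt 0 ] && [ "$groups" -gt 0 ]; then
    echo "$f: 'require user' and 'require group' cannot be combined" >&2; return 1
  fi
  if [ "$((users + groups + valid))" -eq 0 ]; then
    echo "$f: no require line found" >&2; return 1
  fi
  return 0
}

# Print every user or group named on a require line, one per line, so the
# list can be reviewed before the directory is locked down.
htaccess_principals() {
  awk '$1 == "require" && ($2 == "user" || $2 == "group") {
         for (i = 3; i <= NF; i++) print $i
       }' "$1"
}

# Restrict directory $1 as the guide describes: refuse to touch the ACL when
# no .htaccess.mit is present (the directory would stay open), then drop
# system:anyuser, grant read to system:htaccess.mit, and show the result.
restrict_dir() {
  d="$1"
  if [ ! -f "$d/.htaccess.mit" ]; then
    echo "$d: no .htaccess.mit; access would NOT be limited" >&2; return 1
  fi
  check_htaccess_mit "$d/.htaccess.mit" || return 1
  "${FS:-fs}" sa "$d" system:anyuser none || return 1
  "${FS:-fs}" sa "$d" system:htaccess.mit read || return 1
  "${FS:-fs}" la "$d"
}
```

On Athena, source the file and call restrict_dir with the directory to restrict. The check refuses to change the ACL when no .htaccess.mit is present, which is the case the notes above warn leaves the directory open, and the fs la at the end is the review step from the manual procedure.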
IS&T Service Desk
Monday-Friday
Telephone/Online: 8am - 6pm
Walk-In (N42) 9:15am - 5pm
Web: IS&T Service Desk
Email: computing-help@mit.edu
Phone: 617.253.1101