There are a number of variables to consider when restricting access to websites. The main factors are:
the level of restriction you wish to apply
the type of server your site is on
what sort of access you have to configure your server
There are three basic levels of restriction normally applied to websites.
Within Unimelb: a user on the unimelb network (including labs) can access the site without restriction or password. Users outside the network are forbidden from viewing pages unless they use the inbound proxy server. The University search engine will still index the page, but Google (and any other external search engine) will be prevented from indexing it.
Simple Password: users are prompted for a password. Users and passwords are manually maintained in a simple .htaccess file. This is not sustainable for large numbers of users but might be adequate for a shared resource where you can give out a common password to a number of users. This will prevent Google and the University search engine from indexing the page.
Directory based password: users are prompted for a password, which a script or the .htaccess file checks against a central database via LDAP or Active Directory. This is the most secure and can be configured to allow defined groups (e.g. staff) to use their own username and password to enter the restricted area. However, there are a number of complications.
The method will depend on the server. Usual methods are .htaccess or .config files, though there are alternatives using PHP.
IIS servers have their own methods.
University policy requires that pages that request user credentials from the central (LDAP/AD) records should do so via an encrypted (SSL) connection. So, using this method requires that the server be set up with a certificate and configured to switch to https at least for the authentication page.
The central university directory may not contain the information required to target small, specific groups, and offers no way of creating and managing custom groups.
Using the central university directory means that permission to external users is based on that user being a staff member in Themis.
Basically, there are two types of server in common use around the university: Apache and Microsoft IIS.
Apache Servers can be configured with all three levels of protection via the .htaccess file or the server config file. Which method you use is basically down to the preference of the server admin and the level of access you have to make changes. For example, the current central webserver, www-publish, allows users to create .htaccess files for simple authentication, but not directory based authentication.
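The three levels written as Apache .htaccess fragments. This is an added example, not configuration taken from the university's servers. It assumes Apache 2.4 syntax with AllowOverride AuthConfig enabled by the server admin; the IP range, file path, LDAP host and DNs are placeholders.

```apache
# Use ONE of the three fragments below per protected directory.

# Level 1: network-only access.
# 192.0.2.0/24 is a documentation placeholder, not a real campus range.
# Clients outside the range receive 403 Forbidden.
Require ip 192.0.2.0/24

# Level 2: simple password.
# Create the password file with:  htpasswd -c /path/outside/webroot/.htpasswd alice
# Keep it outside the web root so it can never be served as a page.
# Basic auth sends the password with every request, so serve the
# protected area over https where the server supports it.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Level 3: directory based password (LDAP), HTTPS only.
# SSLRequireSSL (mod_ssl) refuses plain-http requests with 403; it does
# not redirect. Because Basic auth resends credentials on every request,
# the whole protected directory needs https, not only the first page.
SSLRequireSSL
AuthType Basic
AuthName "Staff login"
AuthBasicProvider ldap
# ldaps:// keeps the lookup between web server and directory encrypted.
# Host and base DN are placeholders.
AuthLDAPURL "ldaps://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub"
# Any user who can authenticate against the directory:
Require valid-user
# Or restrict to one directory group (placeholder DN):
# Require ldap-group cn=staff,ou=groups,dc=example,dc=edu
```

Level 3 needs mod_authnz_ldap and mod_ssl loaded on the server, which is a server-level change and not something a .htaccess file can do on its own.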
All three methods should also be available on Microsoft servers; however, I don’t have any information on how these servers are configured.
If your server has a scripting language installed, such as PHP, it can also be used to provide password protection to pages via a simple password or via directory lookup.
Don’t forget - the university search engine is on the university network, so it will get by ‘IN_UNIMELB’ htaccess restrictions and index any pages it finds. Use a robots.txt file to exclude it.