Authentication By System Usernames and Passwords or Groups

If you wish to authenticate users by system usernames and passwords or groups (i.e. the usernames and passwords that people use to log in to the system, or the groups that they are members of), then you must follow these steps:

In the web directory that you wish to protect, create a .htaccess file with the following contents:

SSLRequireSSL
AuthType Basic
AuthName "Name of Web Area You Are Protecting"
AuthBasicProvider pam

If you wish to restrict access to valid system accounts, add:

Require valid-user

If instead, you wish to restrict access to specific system accounts, add for each user:

Require user <userid>

If you wish to restrict access to specific groups, add:

AuthzUnixgroup on

… and then, for each group, add:

Require group <group>

If you wish to restrict access to both system usernames and groups, you must add:

AuthzUnixgroupAuthoritative off

You may use as many “Require user” or “Require group” lines as needed. You may also add additional users or groups to one Require line, separating them by spaces.

If you use both “Require user” and “Require group”, group will be checked first and then user. If the user's group is in the allowed group list but the user is not in the allowed user list, the user will get access. Likewise, if the user is not in any allowed group but is in the allowed user list, they will also get access.

Check file permissions on your .htaccess file and directory permissions on all directories leading up to .htaccess. At a minimum, your .htaccess file must be readable by the web server, which runs as user “www”:

% chmod o+r .htaccess

CAUTION: This will also enable other users on the system to also read your .htaccess file.

You will also need to ensure that all directories up to your .htaccess file are accessible by the web server. For example, if your .htaccess file is /eecs/home/example/www/.htaccess:

% chmod o+x /eecs/home/example
% chmod o+x /eecs/home/example/www

In order to better protect system usernames and passwords, the SSLRequireSSL directive in your .htaccess file only permits access to PAM authentication over https. Please DO NOT remove this directive. Access a secure web site, /eecs/home/example/www/secure like this:

https://www.eecs.yorku.ca/~example/secure

… and not like this:

http://www.eecs.yorku.ca/~example/secure

Note: Access to your secure page over http will yield a “Forbidden” error message.

(optional) If you would like to automatically redirect http accesses to your page to the secure https version, add the following code to the .htaccess file that is in the directory above the one you are protecting:

ErrorDocument 403 /cgi-bin/pamredirect.cgi

That is, if you are protecting /eecs/home/example/www/secure, you would place the line above into /eecs/home/example/www/.htaccess and not /eecs/home/example/www/secure/.htaccess.

This code takes advantage of the fact that an error 403 (Forbidden) is produced when a user accesses your secure page via http. It redefines the error handler for “Forbidden” to a CGI script that will redirect the user to the https version of your page. Since the line must appear in the .htaccess file above the directory you are protecting, you cannot use this redirection trick to protect your main web page (e.g. /eecs/home/example/www), but you can use it to protect any directories beneath it.

Notes:

  • A utility, mkhtaccess, is available to help you build your .htaccess file (steps 1 and 2 above). See the mkhtaccess page for details.
  • Full details on Apache authentication can be found in the Apache authentication documentation.
  • Always be careful when using your system username and password for accessing web pages. Only use it on sites that you trust.
web/password-protected/authbyname.1485799155.txt.gz · Last modified: 2017/12/18 14:12 (external edit)
