Apache Htaccess Files

The Apache web server allows for per-directory configuration through the use of .htaccess files. The CS configuration allows for many aspects of web server behavior to be configured using these files.

Please note that to be recognized by the web server, the access file name must be correct. The file name is all lower-case, is preceded by a period (.) and has no trailing file extension.

The .htaccess file can control many aspects of how the web server displays the contents of a directory. A full discussion of the configuration options available can be found on the Apache organization's Htaccess tutorial page. This document will only deal with its use in restricting access to web-accessible files on a per-directory basis.

IP restricted access

To restrict a directory so that it can only be seen by computers within the CS network, create an .htaccess file in the directory with the following lines.

	order allow,deny
	allow from cs.duke.edu

You can allow access from other departmental networks, individual machines or even outside networks by adding additional allow lines. Network and machine access can be either by name or by numeric IP. Note that if you add a network, then all subsets of that network automatically have access. Adding duke.edu would automatically allow access from the cs.duke.edu network.

This last condition can cause a problem if you are trying to restrict access to within the Duke network. Duke OIT currently operates a web crawler which indexes pages within the Duke network; this can lead to IP-restricted pages being indexed and made available via caching to people outside of the Duke network. If your pages are of a sensitive nature, you might want to consider all the options for restricting your content.

To prevent this using IP restriction, you can specifically exclude the Duke web crawler from your pages by using the following .htaccess file:

	order allow,deny
	allow from duke.edu
	deny from google-01.oit.duke.edu
	deny from google-02.oit.duke.edu

If you want to also allow access from the Duke wireless network, then include this line:

	allow from wireless.duke.local

Additionally, it's possible that some devices within Duke will not be registered in DNS; i.e., their IP address will not map to a text host.domain. If you're trying to be Duke all-inclusive and you wish to also include these for allowed access, then you could make your .htaccess file look more like this:

	order allow,deny
	allow from duke.edu
	allow from wireless.duke.local
	allow from 152.3
	allow from 152.16
	allow from 167.159.64.0/18
	allow from 10.176.0.0/12
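
To check how these rules evaluate for a particular client, the following Python model of `order allow,deny` is an added example, not part of the original page and not Apache's own code. It merges the allow and deny lines shown above into one constructed file; the function names, the client IP addresses and the host names other than the two crawler names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the allow and deny lines from this page merged into one file.
HTACCESS = """\
order allow,deny
allow from duke.edu
allow from wireless.duke.local
allow from 152.3
allow from 152.16
allow from 167.159.64.0/18
allow from 10.176.0.0/12
deny from google-01.oit.duke.edu
deny from google-02.oit.duke.edu
"""

def parse(text):
    """Collect the specs from 'allow from X' and 'deny from X' lines."""
    rules = {"allow": [], "deny": []}
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0].lower() in rules and words[1].lower() == "from":
            rules[words[0].lower()].extend(words[2:])
    return rules["allow"], rules["deny"]

def matches(spec, ip, host):
    """Match one spec: CIDR block, partial IP (leading octets) or domain name."""
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():
        octets = spec.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets  # 152.3 does not match 152.30.x.x
    if host is None:  # client has no name in DNS, so name specs cannot match
        return False
    host, spec = host.lower(), spec.lower()
    return host == spec or host.endswith("." + spec.lstrip("."))  # whole labels only

def allowed(text, ip, host=None):
    """order allow,deny: an allow must match, then any matching deny overrides it."""
    allow, deny = parse(text)
    if not any(matches(s, ip, host) for s in allow):
        return False  # default when nothing matches is deny
    return not any(matches(s, ip, host) for s in deny)

if __name__ == "__main__":
    # Constructed clients: (IP address, host name resolved for it or None)
    for ip, host in [("152.3.140.10", "host1.cs.duke.edu"), ("152.3.0.9", "google-01.oit.duke.edu"),
                     ("152.16.5.5", None), ("152.30.1.1", None), ("203.0.113.7", "evilduke.edu")]:
        print(ip, host, "allowed" if allowed(HTACCESS, ip, host) else "denied")
```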

Password protected access

For more detailed information on this subject please see the Apache 2.2 authentication page. You can use .htaccess files to limit access, on a per directory basis, to users who provide a correct username and password. There are currently three methods supported:

  1. Apache Basic Authentication, a built-in method, which will work for any visitor. However, this requires more setup and maintenance on the part of the web page maintainer.
  2. Shibboleth, a method supported by Duke OIT, which allows people to authenticate using their Duke NetID. This method can support a limited list of users as well as allowing access for any person with a valid NetID. Shibboleth is now the preferred method for web-based NetID authentication.
  3. Webauth, a similar authentication, based on Duke NetID. Webauth is now deprecated in favor of Shibboleth.