MIT Information Systems supports several levels of web access restrictions on the server web.mit.edu: it can serve web pages to the entire Internet without restriction, can restrict to the MIT community, or can restrict to groups or individuals within the MIT community. The methods of access control provided by web.mit.edu were added in the Autumn of 1999, and are more powerful than the restrictions possible on the older "MIT-mostly" server tute.mit.edu.
Existing URLs beginning "http://web.mit.edu/" continue to have the same access as before; however, it is now possible to change access to restrict to holders of MIT personal certificates, either as individuals, as groups of individuals, or to all holders of certificates.
Web pages served from web.mit.edu reside in lockers on Athena's Andrew File System (AFS). Under AFS, access to all files and directories is handled with ACLs. By default, all files stored in the www directory of an AFS course locker are viewable by the entire Internet, so if there are files you don't want to share with the world, you should take care to restrict them appropriately by setting the directory ACLs. For general information about AFS ACLs, see Controlling Access to Athena Lockers; for information specific to Athena course lockers and the Web, see the Controlling Access section of this guide. For information about MIT's policy on protecting student information, see Section 7 of MIT's Student Information Policy.
To restrict access to your web pages and files to particular individuals or groups, you must take three steps:
mitwebacls.
The .htaccess.mit file is a restricted version of the more general .htaccess file you may have read about or used on other web servers. It must begin with <limit GET> and end with </limit>, and contain only require lines in between. The require lines may be "require valid-user", to allow anyone with an MIT personal certificate; or any number of "require user" lines with one or more usernames each; or any number of "require group" lines with one or more groups each. You cannot mix group and user access control in the same file.
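The rules above are easy to get wrong by hand, so here is an added example validator in Python (not part of the MIT guide) that checks a .htaccess.mit file against them; it assumes one directive per line, case-insensitive directive names, and uses constructed sample files.

```python
"""Validator for the .htaccess.mit format described above (added example).

Assumptions not taken from the guide: one directive per line, blank lines and
surrounding whitespace are ignored, directive names are case-insensitive.
The sample files at the bottom are constructed for illustration.
"""
import re

REQUIRE_KINDS = {"valid-user", "user", "group"}


def validate_htaccess_mit(text: str) -> list[str]:
    """Return a list of problems found; an empty list means the file is acceptable."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    # The file must be wrapped in exactly <limit GET> ... </limit>.
    if not lines or lines[0].lower() != "<limit get>":
        problems.append("file must begin with <limit GET>")
    if not lines or lines[-1].lower() != "</limit>":
        problems.append("file must end with </limit>")
    body = lines[1:-1] if len(lines) >= 2 else []
    if not body:
        problems.append("no require lines between <limit GET> and </limit>")
    kinds = set()
    for n, ln in enumerate(body, start=2):
        m = re.match(r"require\s+(\S+)(.*)$", ln, re.IGNORECASE)
        if not m:
            problems.append(f"line {n}: only require lines are allowed, got {ln!r}")
            continue
        kind, names = m.group(1).lower(), m.group(2).split()
        if kind not in REQUIRE_KINDS:
            problems.append(f"line {n}: unknown require type {kind!r}")
        elif kind == "valid-user" and names:
            problems.append(f"line {n}: require valid-user takes no arguments")
        elif kind != "valid-user" and not names:
            problems.append(f"line {n}: require {kind} needs at least one name")
        kinds.add(kind)
    # The guide forbids mixing user-based and group-based control in one file.
    if "user" in kinds and "group" in kinds:
        problems.append("cannot mix require user and require group in one file")
    return problems


# Constructed sample files: one acceptable, one that mixes user and group control.
GOOD_EXAMPLE = "<limit GET>\nrequire group mygroup\n</limit>\n"
MIXED_EXAMPLE = "<limit GET>\nrequire user alice bob\nrequire group staff\n</limit>\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD_EXAMPLE), ("mixed", MIXED_EXAMPLE)):
        print(name, validate_htaccess_mit(sample) or "OK")
```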
If you run your own web server, you can use it to serve files that are stored in AFS lockers, but you will not be able to limit access to these pages: in order for your web server to see the files, you will need to open the directory ACLs to allow anyuser read access. This would allow web.mit.edu, and therefore anyone in the world, to read them as well, in spite of any restrictions you impose with your web server (.htaccess files, or restrictions in httpd.conf). So if you want to restrict files, you'll need to store them on a local disk, and assume responsibility for keeping them backed up.
The next section describes how to run your own web server, based on the Apache web server. See the Apache FAQ for more information on restricting access to directories and files on your own web server.