
Web Guide is no longer being maintained and the information on this page may be out of date. For assistance with managing course materials, please visit MIT's Stellar course management system.

ACS Academic Webpage Creation Guide



Restricting Access to Your Pages

Note: the "MIT-mostly" server tute.mit.edu will be retired on September 30th, 2001. Please contact f_l@mit.edu if you have questions or need help with the transition.

MIT Information Systems supports several levels of web access restrictions on the server web.mit.edu: it can serve web pages to the entire Internet without restriction, can restrict to the MIT community, or can restrict to groups or individuals within the MIT community. The methods of access control provided by web.mit.edu were added in the Autumn of 1999, and are more powerful than the restrictions possible on the older "MIT-mostly" server tute.mit.edu.

Using Access Control Lists (ACLs) and Certificates to Restrict Access

Existing URLs beginning "http://web.mit.edu/" continue to have the same access as before; however, it is now possible to restrict access to holders of MIT personal certificates, whether to named individuals, to groups of individuals, or to all certificate holders.

Web pages served from web.mit.edu reside in lockers on Athena's Andrew File System (AFS). Under AFS, access to all files and directories is controlled with ACLs. By default, all files stored in the www directory of an AFS course locker are viewable by the entire Internet, so if there are files you don't want to share with the world, you should take care to restrict them appropriately by setting the directory ACLs. For general information about AFS ACLs see Controlling Access to Athena Lockers; for information specific to Athena course lockers and the Web, see the Controlling Access section of this guide. For information about MIT's policy on protecting student information see Section 7 of MIT's Student Information Policy.

ACLs and .htaccess.mit

To restrict access to your web pages and files to particular individuals or groups, you must take three steps:

  1. Create a file named .htaccess.mit in the directory you wish to protect.
  2. Manually set the AFS permissions to limit access to files in that directory or use the script mitwebacls.
  3. Make any links to your restricted pages using https rather than http, for instance: https://web.mit.edu/lockername/www/

The .htaccess.mit file is a restricted version of the more general .htaccess file you may have read about or used on other web servers. It must begin with <limit GET> and end with </limit>, and contain require lines in between. The require lines may be a single require valid-user line, which admits anyone with an MIT personal certificate; or any number of require user lines, each naming one or more usernames; or any number of require group lines, each naming one or more groups. You cannot mix group and user access control in the same file.
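The following checker is an added example, not part of this guide or of the web.mit.edu server software. It encodes the three steps above and the .htaccess.mit rules just described: it parses a file body, rejects anything that does not start with <limit GET> and end with </limit>, rejects a file that mixes require user and require group lines, answers whether a given certificate holder would be admitted, and confirms that a link to a restricted page uses https. The usernames (jdoe, asmith), group names (course-staff, course-tas) and sample file bodies are constructed placeholders; treating a require valid-user line combined with other require lines as an error is this example's own choice, stricter than the guide's stated rule.

```python
# Added example: a small validator for the .htaccess.mit format described
# in the MIT guide. Not the server's own code; names below are constructed.
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    mode: str                                     # "valid-user", "user" or "group"
    principals: list = field(default_factory=list)  # usernames or group names


def parse_htaccess_mit(text: str) -> AccessPolicy:
    """Parse an .htaccess.mit body and enforce the guide's structural rules."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0].lower() != "<limit get>"
            or lines[-1].lower() != "</limit>"):
        raise ValueError("file must begin with <limit GET>, end with </limit>, "
                         "and contain require lines in between")
    mode = None
    principals = []
    for ln in lines[1:-1]:
        parts = ln.split()
        if parts[0] != "require" or len(parts) < 2:
            raise ValueError(f"only 'require' lines are allowed inside <limit GET>: {ln!r}")
        if parts[1] == "valid-user":
            if len(parts) != 2:
                raise ValueError("'require valid-user' takes no names")
            kind, names = "valid-user", []
        elif parts[1] in ("user", "group"):
            if len(parts) < 3:
                raise ValueError(f"'require {parts[1]}' needs at least one name")
            kind, names = parts[1], parts[2:]
        else:
            raise ValueError(f"unknown require type {parts[1]!r}")
        if mode is None:
            mode = kind
        elif mode != kind:
            # The guide forbids mixing user and group control; this checker
            # also rejects combining valid-user with either (its own choice).
            raise ValueError(f"cannot mix 'require {mode}' with 'require {kind}'")
        principals.extend(names)
    return AccessPolicy(mode, principals)


def validation_error(text: str):
    """Return None if the body is acceptable, otherwise the reason it is not."""
    try:
        parse_htaccess_mit(text)
        return None
    except ValueError as exc:
        return str(exc)


def render_htaccess_mit(policy: AccessPolicy) -> str:
    """Emit a body in the guide's format, one principal per require line."""
    if policy.mode == "valid-user":
        body = ["require valid-user"]
    else:
        body = [f"require {policy.mode} {name}" for name in policy.principals]
    return "<limit GET>\n" + "\n".join(body) + "\n</limit>\n"


def allows(policy: AccessPolicy, username: str, groups=()) -> bool:
    """Would certificate holder `username`, a member of `groups`, be admitted?"""
    if policy.mode == "valid-user":
        return True                       # any MIT personal certificate
    if policy.mode == "user":
        return username in policy.principals
    return any(g in policy.principals for g in groups)


def restricted_link_ok(url: str) -> bool:
    """Step 3 of the guide: links to restricted pages must use https."""
    return url.lower().startswith("https://")


# Constructed sample bodies (placeholder usernames and group names).
SAMPLE_USERS = "<limit GET>\nrequire user jdoe asmith\n</limit>\n"
SAMPLE_GROUP = "<limit GET>\nrequire group course-staff\nrequire group course-tas\n</limit>\n"
SAMPLE_MIXED = "<limit GET>\nrequire user jdoe\nrequire group course-staff\n</limit>\n"

if __name__ == "__main__":
    for label, text in (("users", SAMPLE_USERS), ("group", SAMPLE_GROUP), ("mixed", SAMPLE_MIXED)):
        print(f"{label}: {validation_error(text) or parse_htaccess_mit(text)}")
    print(render_htaccess_mit(parse_htaccess_mit(SAMPLE_USERS)), end="")
    print("link ok:", restricted_link_ok("https://web.mit.edu/lockername/www/"))
```

Running the file shows the mixed sample being rejected while the user-only and group-only samples parse; the rendered output is the same shape the guide requires, so it can be written straight into .htaccess.mit before the AFS ACLs are tightened in step 2.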

Examples of .htaccess.mit files

Other information about restricting access to web files under web.mit.edu

Using Your Own Web Server

If you run your own web server, you can use it to serve files that are stored in AFS lockers, but you will not be able to limit access to those pages: for your web server to see the files, you must grant read access to AFS's system:anyuser. That grant also lets web.mit.edu, and therefore anyone in the world, read them, regardless of any restrictions you impose in your own web server (.htaccess files, or restrictions in httpd.conf). So if you want to restrict files, you will need to store them on a local disk and assume responsibility for keeping them backed up.

The next section describes how to run your own web server, based on the Apache web server. See the Apache FAQ for more info on restricting access to directories and files on your own web server.