Carnegie Mellon University

Restrict Website Access

Anyone with an Internet connection can read your published personal or course web pages. However, you can restrict access to them by IP address or hostname, or by Andrew userID.

When you restrict access to your website by IP address or hostname, you control which machines can access your pages. However, you cannot control the individuals who use those machines. This restriction method is not secure and becomes less relevant as university affiliates connect to Carnegie Mellon services from remote sites. For these reasons, Computing Services discourages the use of IP address restriction.

Follow these steps to create an .htaccess file and restrict access to all or part of your website.

  1. Configure your site files for authenticated publication (UserWeb KWPublish), then test publish them.
  2. Create and save a text file called .htaccess in the directory where you want to restrict access.

    Note: If you want to restrict access to your entire site, store the .htaccess file in the top level of your www directory. If you want to allow access to the top level, store the file in a sub-directory of your www directory to restrict access to only that sub-directory.
  3. Enter syntax similar to the following example:
    <limit GET OPTIONS>
    deny from variablename
    allow from variablename
    </limit>
    where variablename is the full or partial IP address or domain name you want to deny or allow. Follow the IP address syntax notes and examples below to determine the correct syntax.
  4. Save the .htaccess file without a file extension; the User/CourseWeb publishing server does not recognize file extensions.

    For example, if you create an .htaccess file in Notepad, save it by selecting File > Save As, then type the file name .htaccess. Next, set Save as type to All Files. Finally, click Save.
  5. Use an SFTP client to transfer the .htaccess file to the appropriate level of the www collection, then publish your files using authenticated publication (KWPublish).

IP Address Syntax: Notes and Examples

A full or partial IP address, or a full or partial domain name, defines this limitation. In either case, use the deny and allow directives together with the IP address or domain name.

deny from variablename

This directive defines who is denied access to the web pages; variablename is the full or partial IP address or domain name denied access.

allow from variablename

This directive defines who can access the web pages; variablename is the full or partial IP address or domain name allowed access.

Important: By default, deny directives are evaluated before allow directives, regardless of the order in which they appear in the .htaccess file.

In the example below, access is denied to all individuals, then allowed to those using a 128.2 IP address or within the andrew.cmu.edu domain.
<limit GET OPTIONS>
deny from all
allow from 128.2.
allow from .cmu.edu
</limit>
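
To check a rule set before publishing it, the following added example (not part of the original page or of Computing Services' tooling) models the default deny-then-allow evaluation described above and runs the example rules against a few constructed clients. The function names are hypothetical, the client hostname is passed in rather than resolved through DNS, only IPv4 is handled, and the matching is a simplified model of the server's behavior.

```python
import ipaddress

# The example rule set from this page, embedded so the script runs offline.
HTACCESS = """\
<limit GET OPTIONS>
deny from all
allow from 128.2.
allow from .cmu.edu
</limit>
"""

def parse_rules(text):
    """Return (deny, allow) lists of the 'from' arguments found in an .htaccess body."""
    rules = {"deny": [], "allow": []}
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0].lower() in rules and words[1].lower() == "from":
            rules[words[0].lower()].extend(w.lower() for w in words[2:])
    return rules["deny"], rules["allow"]

def matches(spec, ip, hostname):
    """Match one deny/allow argument against a client IP and its (given) hostname."""
    if spec == "all":
        return True
    if spec.replace(".", "").isdigit():
        # Full or partial IPv4 address: compare whole octets, not string prefixes.
        want = spec.rstrip(".").split(".")
        return ip.split(".")[:len(want)] == want
    # Full or partial domain name: compare whole DNS labels only.
    host = (hostname or "").lower().rstrip(".")
    if spec.startswith("."):
        return host.endswith(spec)
    return host == spec or host.endswith("." + spec)

def is_allowed(text, ip, hostname=None):
    """Default order: deny rules first, then allow rules; an allow match wins."""
    ipaddress.IPv4Address(ip)  # raise on malformed sample input
    deny, allow = parse_rules(text)
    if any(matches(s, ip, hostname) for s in allow):
        return True
    # No allow rule matched: denied if a deny rule matched, otherwise permitted.
    return not any(matches(s, ip, hostname) for s in deny)

if __name__ == "__main__":
    # Constructed sample clients (documentation addresses, made-up hostnames).
    for ip, host in [("128.2.10.20", None), ("128.20.1.1", None),
                     ("192.0.2.7", "lab.andrew.cmu.edu"), ("192.0.2.8", "notcmu.edu")]:
        print(ip, host, "->", "allowed" if is_allowed(HTACCESS, ip, host) else "denied")
```

In this model, a file containing only allow lines restricts nothing, because a client that matches no rule is permitted by default; the deny from all line is what closes the directory.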

When you restrict access to your website to a specific set of Andrew userIDs, you require each person who visits your website to log in to view the published site.

Follow these steps to create the .htaccess file and restrict access by userID.

  1. Configure your site files for authenticated publication (UserWeb KWPublish), then test publish them.

  2. Create and save a text file called .htaccess in the directory where you want to restrict access.
    Note: If you want to restrict access to your entire site, store the .htaccess file in the top level of your www directory. If you want to allow access to the top level, store the file in a sub-directory of your www directory to restrict access only to that sub-directory.

  3. Enter syntax similar to the following examples:

    • To allow access to a list of Andrew userIDs
      AuthType shibboleth
      require shib-user username1@andrew.cmu.edu
      require shib-user username2@andrew.cmu.edu
      require shib-user username3@andrew.cmu.edu
      Where username is the userID of the individual you want to allow access and "andrew.cmu.edu" is in all lowercase letters.

    • To allow access to ALL Andrew userIDs
      AuthType shibboleth
      require valid-user

  4. Save the .htaccess file without a file extension; the User/CourseWeb publishing server does not recognize file extensions.

    For example, if you create an .htaccess file in Notepad, save it by selecting File > Save As; File name - .htaccess; Save as type - All Files and click Save.

  5. Open an SFTP client and transfer the .htaccess file to the appropriate level of the www collection, then publish your files using authenticated publication (UserWeb KWPublish).