ITS Documentation

Restricting Access to Your Web Pages

S4293 • December 2013

Pages that you publish on the web are normally available to anyone. You can, however, restrict access to your web pages to the U-M community or to groups and/or individuals within it. Those who wish to view your pages must first log in with their uniqname and UMICH password. This document tells you how to publish web pages that only the U-M community — or specific groups and individuals in that community — can access.


Restricting Access to the U-M Community

Create a Private HTML Directory

  1. Open a web browser and navigate to http://mfile.umich.edu/make-webspace.

  2. Authenticate using your uniqname and UMICH password.

  3. Based on your membership in certain groups, you will see a list of available webspaces that can be restricted.

    List of available webspaces

  4. Click the checkbox next to the webspace you want to make private, and then click prepare selected webspaces.

    Selecting a webspace

  5. A private HTML directory (your private web space) — with all the necessary access privileges already set — will be created for you.

    Private directory notification

  6. Log out of the Make Webspace page when finished.

Put Your Web Files in the Private Directory

To restrict access to your web pages to the U-M community, you'll need to put the files for those pages into your private HTML directory (or folder). Inside your AFS home or group directory is a Private folder. Inside that is a folder called html. Put the files for the web pages inside the html folder.

HINT: If you had already published the Web pages, you will need to move those files from the html folder in your Public folder to the new html folder in your Private folder.

Use MFile for an easy-to-use, secure, web-based method of transferring files. You can also use WinSCP to access your AFS file storage space. You can obtain the following SFTP programs at no cost from the U-M Blue Disc:

  • Windows. Use WinSCP. For information about obtaining and using WinSCP, refer to: Use WinSCP to Transfer Files with sftp [Windows] (S4387).

  • Mac OS X. We recommend that you use the Fugu program, which provides a graphical user interface to the secure file transfer capability of the Mac OS.

Accessing the Restricted Pages

To access your restricted web pages, use a web browser to connect to the appropriate URL:

  • For your personal restricted-access web pages, use

    https://www-personal.umich.edu/~<uniqname>

    where you have substituted your own uniqname for uniqname (do not type the angle brackets).

  • For your group restricted-access web pages, use

    https://www.umich.edu/~<groupname>

    where you have substituted the name of your group for groupname (do not type the angle brackets).

HTTPS: The URLs begin with https instead of http. The s stands for a secure http connection and is required.

Anyone who goes to the URL for your pages (including you) will receive a Login required screen. Log in with a uniqname and UMICH password to connect to the page.

Be sure to include a logout link on your page(s) so that people who have logged in can also log out. Here is HTML code for a sample link you can use:

<a href="https://www-personal.umich.edu/cgi-bin/logout">Logout</a>

Restricting Access to Specific Groups and Individuals at U-M

Follow the steps earlier in this document to:

  • Create a private HTML directory (see instructions earlier in this document).

  • Put your web files in the private directory (see instructions earlier in this document).

You can then further restrict access to individuals or groups within the U-M community by using .htaccess files.

To work with .htaccess files, you need to know how to use a Unix text editor — such as pico or vi — to create and edit files. For instructions, refer to Using the Unix Text Editor Pico (R1168) or Using the Unix Text Editor vi (R1172).

If you want to restrict access to groups of people (rather than to individuals), you also need to know how to create and work with protection (pts) groups. For instructions, see Creating and Using Protection (pts) Groups for AFS (S4033).

To further restrict access to the web files in a particular directory, create a .htaccess file in that directory that specifies who can have access.

  1. Connect to the ITS Login Service (login.itd.umich.edu).

  2. Use the Unix text editor of your choice to create a file named .htaccess — note the leading period.

  3. The file should contain two lines of text. Make the first line:

    # Web space restriction description

    • To allow access to individuals, begin the second line with Require user. Then add the uniqnames of the individuals who will be granted access to your webspace.

      For example, if you want to restrict access to a person whose uniqname is bjensen, create a .htaccess file with the following text:

      # Web space restriction description
      Require user bjensen

    • To allow access to MCommunity Directory groups, begin the second line with Require ldap-group, followed by cn=<GROUP>,ou=User Groups,ou=Groups,dc=umich,dc=edu (where <GROUP> is the group name).

      For example, if you want to restrict access to an MCommunity group named My Web Group, create a .htaccess file with the following text:

      # Web space restriction description
      Require ldap-group cn=My Web Group,ou=User Groups,ou=Groups,dc=umich,dc=edu

    • To allow access to U-M Friend accounts, begin the second line with Require user. Then add the e-mail addresses of the individuals who will be granted access to your webspace.

      For example, if you want to restrict access to a U-M Friend account whose e-mail address is myfriend@gmail.com, create a .htaccess file with the following text:

      # Web space restriction description
      Require user myfriend@gmail.com

      To disable all friend accounts, type CosignRequireFactor UMICH.EDU:

      # Web space restriction description
      CosignRequireFactor UMICH.EDU

  4. Save the .htaccess file inside the directory containing the web files to which you want to restrict access.
    For example, using Pico, hold down the Control key and press the letter O. When prompted for a file name, type Private/html/.htaccess then press Enter or Return. To exit Pico, hold down the Control key and press X.

ABOUT RESTRICTIONS: Restrictions are enforced on a directory-by-directory basis, so you can make a subdirectory that is more narrowly restricted than Private/html.

Using a class as an example:

You could restrict Private/html to members of the U-M community, restrict Private/html/assignment1 to just the students and teaching assistants of a class, and restrict Private/html/assignment1/grades to only the teaching assistants. Note that restrictions can be narrowed in subdirectories, but you cannot have a subdirectory that is more widely available than its parent directory.
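
One way to check a layout like the class example is to list, for every directory under Private/html, the rule its own .htaccess file declares. This is an added example, not part of the ITS document; the function names, the syllabus directory, and the group names Example Class and Example Class TAs are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: list the access rule each directory under Private/html
# declares in its own .htaccess. Function and group names are hypothetical.

# audit_htaccess ROOT -> one "<dir>|<rule or status>" line per directory.
audit_htaccess() {
    root=$1
    find "$root" -type d | sort | while IFS= read -r dir; do
        rel=${dir#"$root"}
        rel=${rel:-/}
        file=$dir/.htaccess
        if [ ! -f "$file" ]; then
            # Nothing narrower is declared here than in the directories above.
            echo "$rel|no .htaccess of its own"
            continue
        fi
        # Keep only the directives this document uses; drop comments.
        rules=$(sed -n -E \
            's/^[[:space:]]*((Require|CosignRequireFactor)[[:space:]].*)$/\1/p' \
            "$file" | paste -sd ';' -)
        echo "$rel|${rules:-.htaccess has no Require line}"
    done
}

# Constructed sample tree modelled on the class example; prints its html path.
make_sample_tree() {
    base=$(mktemp -d)
    groups='ou=User Groups,ou=Groups,dc=umich,dc=edu'
    mkdir -p "$base/html/assignment1/grades" "$base/html/syllabus"
    printf '%s\n' '# Students and teaching assistants' \
        "Require ldap-group cn=Example Class,$groups" \
        > "$base/html/assignment1/.htaccess"
    printf '%s\n' '# Teaching assistants only' \
        "Require ldap-group cn=Example Class TAs,$groups" \
        > "$base/html/assignment1/grades/.htaccess"
    # A file holding only the description line restricts nothing further.
    printf '%s\n' '# Web space restriction description' \
        > "$base/html/syllabus/.htaccess"
    echo "$base/html"
}

sample=$(make_sample_tree)
audit_htaccess "$sample"
rm -rf "${sample%/html}"
```

To run the check on your own files, call audit_htaccess Private/html from your AFS home or group directory on the ITS Login Service. Directories reported as having no Require line are the ones to review.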

For a more complete overview of .htaccess files, refer to Setting up Access Control for Your HTML Documents.

For information on accessing the pages that you have restricted access to, see Accessing the Restricted Pages earlier in this document.

Additional Resources

Visit ITS's Information System to obtain ITS computer documentation and other resources. A list of relevant documents follows:

The ITS Service Center provides a variety of computing help resources.

For further help with this or any other topic, call 734-764-HELP [4357] or submit an online service request.