
With CUWA

Restricting Web Access

To restrict web (HTTP) access to any directory in your application using CUWA 2.0, create/upload a .htaccess file to that directory with the following contents:

AuthName Cornell
AuthType All
AuthBasicAuthoritative off
#
#Use the following to restrict access
#(w/o comments) use spaces not commas
#when multiple entries are needed
#
#require valid-user
#require netid netid_name
#require permit permit_name

Details for the lines in the (uncommented) preamble are available in the CUWA 2.0 directive reference, so we will focus on:

#require valid-user
#require netid netid_name
#require permit permit_name

These are the customizable parts of the template and are the ones most useful to anyone interested in controlling access to their LAMP site. They are commented out; the # should be removed to make the directive applicable.

Any member of the Cornell Community

require valid-user grants access to anyone with a valid Cornell NetID.

With Permits

require permit permit1 permit2 permit3 grants access to anyone listed in those permits.

More information about permits, particularly root permits, is available here. The permit administration site is here.

With Lists of NetIDs

require netid netid1 netid2 netid3 grants access to the users associated with those NetIDs.

Using a combination of Permits and NetIDs

To restrict to both a set of permits and a set of specific users, simply use two require lines:

require permit cit.foo.bar
require netid ewe2 elr32 abc123

Access will then be granted both to members of cit.foo.bar and the users ewe2, elr32 and abc123.

Restricting DAV Access

The equivalent of .htaccess files for WebDAV access is available in the form of .wdaccess files. They work exactly the same way except that they apply only to DAV access. An editor, linked from your instance's splash page, is provided to create and manage .wdaccess files within your environment.

The editor also contains a brief summary of the information available in this wiki, and the template/example configuration available above, which is applicable both to .wdaccess and .htaccess files.

Opening Access / Removing CUWA Requirements

To remove CUWA requirements for a directory and all its subdirectories, create an .htaccess file as described above with the following require line instead of require permit or require netid:

require noprompt

Subdirectories of that directory that should be closed again can then have normal CUWA rules applied via .htaccess files as described in earlier sections.

Note that while this directive should work in DAV, its use there is discouraged; using this directive in WebDAV would open your source code and files to be viewable, downloadable and editable by the world.

More information on CUWA Access Control

Restricting Access With Apache Basic/Digest Authentication

HTTP Basic Authentication and HTTP Digest Authentication are available in LAMP, but currently must be configured via a request to webservices-l. If you need either of these methods set up to authenticate users to your site, please send us a request with the details.

Help! I created a .ht|.wdaccess file and now I get HTTP 500

Your logs, also available from your splash page (or your staging URL + /logs, e.g. lamp.cit.cornell.edu/logs) should contain clues on what went wrong. Usually it's a little typo that is readily fixed. If you are really stuck, feel free to contact webservices-l for assistance.
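A pre-upload check for the require-line mistakes this page warns about (commas between entries, a missing netid/permit keyword, every require line still commented out, noprompt in a .wdaccess file). This is an added example, not part of CUWA or the LAMP tooling; the function name lint_access_file is hypothetical, and it assumes only the four require forms shown on this page.

```python
import re

# Forms of "require" documented on this page -> whether names must follow.
# Assumption: CUWA may accept forms this page does not list.
KNOWN_FORMS = {"valid-user": False, "noprompt": False, "netid": True, "permit": True}

def lint_access_file(text, filename=".htaccess"):
    """Return (line_number, message) findings for a CUWA access file."""
    findings, active = [], 0
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: directive not in effect
        tokens = [t for t in re.split(r"[\s,]+", line) if t]
        if not tokens or tokens[0].lower() != "require":
            continue  # AuthName, AuthType etc. are not checked here
        active += 1
        if "," in line:
            findings.append((num, "separate entries with spaces, not commas"))
        form = tokens[1].lower() if len(tokens) > 1 else ""
        if form not in KNOWN_FORMS:
            findings.append((num, f"unknown form {form!r}; expected one of {sorted(KNOWN_FORMS)}"))
        elif KNOWN_FORMS[form] and len(tokens) < 3:
            findings.append((num, f"'require {form}' needs at least one name"))
        if form == "noprompt" and filename.endswith(".wdaccess"):
            findings.append((num, "noprompt in a .wdaccess file opens DAV to the world"))
    if active == 0:
        findings.append((0, "no active require line; remove the # from the one you need"))
    return findings

# Constructed sample, not a real site's file.
SAMPLE = """\
AuthName Cornell
AuthType All
AuthBasicAuthoritative off
#require valid-user
require example.permit
require netid ewe2, elr32 abc123
require noprompt
"""

if __name__ == "__main__":
    for num, msg in lint_access_file(SAMPLE, ".wdaccess"):
        print(f"line {num}: {msg}")
```

A finding with line number 0 applies to the file as a whole rather than to one line.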

What about other .htaccess directives?

Just about any directive that the Apache documentation says is legal in .htaccess files is available to you in your environment. Use with caution and care, and enjoy.

Note that this does not apply to DAV/.wdaccess files, as most non-auth based directives don't have much meaning to WebDAV.
