There is a Web service whose purpose is to authenticate the end user (either by IP address or Bluestem id), check an authorization list, and supply the Web page if approved. All you have to do to use it is set up a configuration file that contains the authorization list.
To use this service, you must construct a configuration file. This file:
Put the allowed.netids file in the web directory that you want to protect. It will protect the directory it is in, and all further subdirectories.
Note: If you have an empty allowed.netids file present, no one will be authorized to access the files in that directory and its subdirectories, because no one is on the approved list. If you have no allowed.netids file at all, everyone is authorized, because there is no list.
The configuration file is mostly just a list of allowed NetIDs and IP addresses, with a little bit of structure that helps maintain a large-ish list. But beware that a really big, changing list (such as all members of a given department) will be a pain to maintain.
The file is divided into sections, for contact, NetIDs, groups and IP addresses. Each section is optional.
#My first allowed.netids file. #Comments start with a # sign. I love comments. <contact> <a href="mailto:email@example.com">firstname.lastname@example.org</a> # IP addresses can be numbers or names # If you give a name, it's matched as a suffix. # If you give a number, it's matched as a prefix; the *'s # remind you of this. # But you can't match in the middle: 'tigger.*.uic.edu' won't work. <allow ip> *.uic.edu 128.248.* <allow NetIDs> bobg john bob vinod adabyron <allow groups> # See example 2.
The approval process goes like this:
<contact> <a href="mailto:email@example.com">firstname.lastname@example.org</a> <allow ip> bobg.cc.uic.edu ##Allow my desktop machine via IP for speed <allow groups> all
<contact> <a href="mailto:email@example.com">firstname.lastname@example.org</a> <allow ip> *.uic.edu ## allow everyone from campus directly <allow groups> all
Just like example 2, but give everyone on campus direct access without Bluestem login, but require Bluestem login for anyone off-campus.
Bluestem is more sophisticated than just dealing with bare NetIDs. A full Bluestem id looks like NetID@domain/authmethod. (If this doesn't make sense, just ignore this section. If you need to know, someone will probably have told you.) This is important only if you want your UIC files visible to some people who authenticate in remote Bluestem domains (as of this writing, UIUC.EDU is the only such remote domain) or if the people use a non-default method of Bluestem authentication.
<contact> <a href="mailto:email@example.com">firstname.lastname@example.org</a> <allow NetIDs> ted alice <allow NetIDs domain="uiuc.edu" > ed janice <allow NetIDs > bob email@example.com <allow groups > firstname.lastname@example.org
Now that you have made your allowed.netids file, does it work? All you have to do is put the allowed.netids file in the directory you want to protect and try it out.
You're done, except for the caveats in the next section. You can change the allowed.netids file at any time, of course. But if you make a mistake, you might admit too many people. Or too few. If the file does not exist (or is not readable by the web server), everyone is let in. If it does exist but is empty, no one is let in.
Using this service described above only provides protection for your files when accessed through the web. It does not protect your files from people who have real accounts on the web server, because these people can just view your files directly.
Perhaps it's ok that anyone on the machine can view the file directly. For example, maybe web access is given to the entire campus anyway. Or maybe you want to limit access to your class, mostly, but it's ok if someone else on campus really wants to view the files. If so, you can skip this section.
If you do care, however, we need to remove public read access from your files, and give explicit read access to the web server. (Normally the web server gets access along with the public. But in this case, that won't work.) Contact email@example.com to set up a special unix group for your files (most departmental sites already have a special unix group) and to add the web server to this group. After that, you can remove public read permissions and restore group read permissions like this:
chmod o-rx,g+r *.htm*
and your files will be properly secured, locally and on the web.
September 21, 2016