Access Control

Please note that all other users who have personal home pages can read all files in your public_html directory with little effort, for instance through a PHP script. Access restrictions therefore have limited effectiveness and you should not put any sensitive data into the public_html folder.

Access to files and directories in your public_html directory can be controlled using .htaccess files.

Authentication

Authentication via ETH login and ETH password for web applications (LDAP) is preconfigured and only needs to be activated. All that is needed is the following in a .htaccess file:

AuthType basic
AuthName "Some description"

To grant access to all users with a valid ETH user account add the following line:

Require valid-user

To restrict to a list of users instead add this line listing the ETH logins of the allowed users:

Require user user1 user2 user3

Restricting to LDAP groups is also possible:

Require ldap-group cn=[IAM group name],ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch

Available group details can be listed here. Replace [IAM group name] with the value of the nethz_group field shown in a group's properties.

For more complex configurations please refer to the relevant documentation:

Hiding Data

The only working way to protect data is to hide it and use a secret URL that only you and the people who need access know. Access control can be put on top, but the secrecy of the URL is key.

This is done the following way:

  1. Create a directory with a secret name somewhere in your public_html directory.
  2. Disable directory listing for the web server in the parent directory (mode 0710).

You can use the helper script web_create_hidden_directory on web-login.inf.ethz.ch to create a hidden directory. Run web_create_hidden_directory for instructions.

If you put PHP code or .htaccess files in the secret location, there is a chance that the secret URL will appear in the error log if any errors occur, so please be careful.
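
Steps 1 and 2 above written out as shell functions, added here as an example; this is not the web_create_hidden_directory helper, whose behaviour is not shown on this page. The function names, the 32-character hexadecimal name and the path in the usage comment are assumptions, and the check looks at mode bits only, not at ACL entries.

```shell
#!/bin/sh
# Added example, not the ISG helper script. Function names are hypothetical.

# make_hidden_dir PARENT
# Creates a randomly named directory inside PARENT, sets PARENT to mode 0710
# and prints the full path of the new directory.
make_hidden_dir() {
    parent=$1
    [ -d "$parent" ] || { echo "no such directory: $parent" >&2; return 1; }
    # Make sure the path cannot be mistaken for an option by mkdir or chmod.
    case $parent in
        /*|./*) ;;
        *) parent=./$parent ;;
    esac
    # 16 bytes from the kernel random source -> 32 hex characters (128 bits),
    # long enough that the name cannot be found by guessing.
    name=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ ${#name} -eq 32 ] || { echo "could not read random bytes" >&2; return 1; }
    mkdir "$parent/$name" || return 1
    # 0710: owner rwx, group x only, others nothing. Without the read bit the
    # entries of PARENT cannot be listed; x still lets a process that already
    # knows the name walk through to it.
    chmod 0710 "$parent" || return 1
    printf '%s\n' "$parent/$name"
}

# parent_is_unlistable PARENT
# Returns 0 when neither group nor others hold the read bit on PARENT.
parent_is_unlistable() {
    # First ten characters of ls -ld, e.g. drwx--x--- (a trailing + for ACLs
    # is cut off).
    perms=$(ls -ld "$1" | cut -c1-10) || return 1
    group_r=$(printf '%s' "$perms" | cut -c5)
    other_r=$(printf '%s' "$perms" | cut -c8)
    [ "$group_r" = "-" ] && [ "$other_r" = "-" ]
}

# Usage (the path is an assumed example):
#   secret=$(make_hidden_dir "$HOME/public_html/private")
#   parent_is_unlistable "$HOME/public_html/private" && echo "listing disabled"
```

Only the parent directory's mode is changed, so the secret name is the only thing that protects the contents once a path to them is known.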

Enable and Disable Access

Access to files for the web server process is controlled via ACLs. Three scripts, web_allow_access, web_allow_write_access and web_deny_access, on web-login.inf.ethz.ch can be used to add read or write access and remove access for the web server process to files and directories, recursively if needed.

Examples:

web_allow_access ~/htpasswd
web_allow_access -r ~/public_html
web_deny_access ~/public_html/under_construction

Please note that granting write access to files for the web server also allows all other users who have personal home pages to write to these files.

Page URL: https://isg.inf.ethz.ch/bin/view/Main/HelpWebPersonalHomePageAccessControl
2024-11-21
© 2024 Eidgenössische Technische Hochschule Zürich