
Access protection

Data on the web server and on the project servers is normally visible worldwide without restriction via HTTP, and is also visible to users of the central RRZK computers as long as they have an AFS token. (For the terms, see the glossary.)

Access can be restricted for confidential data or data that is not released under licensing law. This is usually done for a whole directory including its subdirectories. There are five options for protection, described in more detail below. Variants 3 and 4 can be set up by any web administrator. In all other cases, the responsible persons contact the webmasters for this purpose, specifying the directory and the desired protection.

  1. Restriction to the UKLAN, the university network: This is sufficient, for example, if the license for a piece of documentation is granted only for the university. It is also useful for lists of employees of an institute or participants of an event, if local communication via the network is required and there is no consent for worldwide distribution. Since AFS access is already restricted to local users, only HTTP access from outside needs to be prevented.
  2. Restriction to certain domains, subdomains or computers: For example, pages can be made visible only within a certain institute. Webmasters are to specify the numeric Internet addresses and whether AFS access should be restricted to those with write permission.
  3. Restriction by password: This is useful if only a small group of people should have access. These people are given the password, and they can see the data regardless of their domain. Confidential data for a larger circle of people can hardly be protected in this way, however, since experience shows that the password is quickly passed on. You can set up this protection yourself in your directory using .htaccess files. You can find instructions at SelfHTML. The password should not be guessable. Instead of the password itself, you have to use its encrypted version. You can get it under Unix (for example on the server dialog) with the command

    perl -e 'print crypt("password","from"),"\n"'

    where "from" is a fixed parameter (the so-called "salt"). The SelfHTML tutorial also offers another way to get the password encrypted, via a website.

  4. Authentication against LDAP, i.e. using an employee account: Attention: This only works in web projects, not on the static web server! In this case you also create a .htaccess file, but give it the following content (in the example for the accounts "muellerxy" and "maierabc"):

    AuthBasicAuthoritative off
    AuthName "IhrProjektname"
    AuthType Basic
    AuthBasicProvider ldap1 ldap2
    require user muellerxy maierabc

  5. Two-level access protection: As an alternative to the separate methods "accessible within UKLAN" and "password protection", you can also set up a directory in such a way that access within UKLAN (or another specific IP range) is always guaranteed, but a password is required from outside.
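
For option 3, a fixed salt like the one in the `crypt` command above means that everyone who chooses the same password gets the same hash, and traditional `crypt` only uses the first 8 characters of the password. The following check is an added example, not part of the original page: it reads a password file in Apache's `user:hash` format and reports the hash scheme per user plus any reused salts or identical hashes. The sample file contents are constructed.

```python
import re
from collections import defaultdict

# crypt(3) in its traditional DES form: 2 salt chars followed by 11 hash chars.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Name the scheme of one password-file hash field by its format."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown"

def audit(htpasswd_text):
    """Return (schemes, shared_salts, shared_hashes) for a password file."""
    schemes, salts, hashes = {}, defaultdict(list), defaultdict(list)
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        schemes[user] = classify(hash_field)
        if schemes[user] == "des-crypt":
            salts[hash_field[:2]].append(user)   # the salt is stored in the clear
            hashes[hash_field].append(user)      # same salt + same password
    shared_salts = {s: u for s, u in salts.items() if len(u) > 1}
    shared_hashes = [u for u in hashes.values() if len(u) > 1]
    return schemes, shared_salts, shared_hashes

# Constructed sample file: the hash fields are made-up strings in the right
# format, not real hashes of any password.
SAMPLE = """\
# group accounts
alice:frAbCdEfGhIjK
bob:frAbCdEfGhIjK
carol:frZyXwVuTsRqP
dave:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

if __name__ == "__main__":
    schemes, shared_salts, shared_hashes = audit(SAMPLE)
    for user, scheme in schemes.items():
        print(f"{user}: {scheme}")
    print("salt reused by:", shared_salts)
    print("identical hashes (same password):", shared_hashes)
```

Entries reported as `des-crypt` are better regenerated with a random salt per user, or with a stronger scheme where the server supports one.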

If you have any questions or problems, please contact the RRZK-Helpdesk.