
Restricting web access to local users


This page explains how to protect a web page so that it can only be seen by people using local (inf.)ed.ac.uk machines and by people with a DICE account.

Sometimes web authors are required to limit access to certain web content to local users only. In the past it was simplest just to limit the content to web browsers on the Informatics network or the University's network (EdLAN). However, this means that staff or students who are at home or mobile have to jump through some extra hoops (some non-trivial) to be able to see the content.

Rather than simply denying access to people outwith the University/School network, it would be better to allow access to the authorised person, regardless of where they choose to access the content from.

It is possible to do this using the following configuration in an .htaccess file in the appropriate directory. In this example we want to allow straightforward access to browsers within EdLAN. Typically this means the host IP will be 129.215.*.* and/or resolve to a *.ed.ac.uk address. If the browser doesn't meet those criteria, the user will need to provide their Informatics login (username and password) via Cosign.

In the directory or container to be protected, create an .htaccess file containing:

# Allow access to only Informatics users, not including iFriends
CosignProtected       On
CosignRequireFactor   INF.ED.AC.UK
AuthType              Cosign
Require host ed.ac.uk
<If "%{HTTPS} == 'on'">
  Require valid-user
</If>

Someone accessing the content from outside ed.ac.uk over HTTP will get a "NOT AUTHENTICATED" web page containing a link to the "login page". This will take them to the usual weblogin.inf.ed.ac.uk page. Once the user enters their DICE username and password they will be taken to another page containing an HTTPS link to the protected content, which they will then be able to access.

The user may be automatically authenticated at weblogin.inf (and hence redirected) if they've authenticated to the service already, or if their machine and browser are configured for Cosign SPNEGO.
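
The access decision that this .htaccess file encodes, modelled in Python as an added example (it is not part of the original page, and it is not Apache or Cosign code). It assumes Apache 2.4 semantics: `Require host` does a reverse DNS lookup confirmed by a forward lookup and matches whole name components, and the two Require lines are alternatives. The DNS records, the addresses outside 129.215, and the username in the test are constructed; `cosign_user` stands for a session that already satisfies CosignRequireFactor.

```python
import ipaddress

# Constructed DNS data for the example (hostnames and addresses are made up).
PTR = {  # reverse records: IP -> name
    "129.215.10.20": "desk1.inf.ed.ac.uk",
    "203.0.113.7": "vpn.ed.ac.uk",       # PTR is set by whoever runs that network
    "198.51.100.9": "host.fooed.ac.uk",
}
A = {  # forward records: name -> set of IPs
    "desk1.inf.ed.ac.uk": {"129.215.10.20"},
    "vpn.ed.ac.uk": {"129.215.33.1"},    # forward record does not point back
    "host.fooed.ac.uk": {"198.51.100.9"},
}

def host_matches(client_ip, domain, ptr=PTR, a=A):
    """Model of `Require host <domain>`: double reverse lookup, then suffix match."""
    ip = str(ipaddress.ip_address(client_ip))  # raises ValueError on malformed input
    name = ptr.get(ip)
    if name is None:
        return False                     # no reverse record at all
    if ip not in a.get(name, set()):
        return False                     # PTR claims a name that does not resolve back
    name = name.lower().rstrip(".")
    domain = domain.lower().lstrip(".")
    # Whole components only: "fooed.ac.uk" must not match "ed.ac.uk".
    return name == domain or name.endswith("." + domain)

def allowed(client_ip, https, cosign_user):
    """Either Require line may grant access; valid-user only exists under HTTPS."""
    if host_matches(client_ip, "ed.ac.uk"):
        return True
    return https and cosign_user is not None

def explain(client_ip, https, cosign_user):
    """Human-readable outcome for one request."""
    if allowed(client_ip, https, cosign_user):
        return "allow"
    if cosign_user is None:
        return "deny: log in via Cosign"
    return "deny: use the HTTPS link"
```

The model shows why a reverse record alone is not enough to pass the host check, and why an off-site user who has logged in still has to follow the HTTPS link.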

If you need more details, please contact computing support.

Last reviewed: 13/06/2017
