You are here
Restricting web access to local users
This page explains how to protect a web page so that it can only be seen by people using local (inf.)ed.ac.uk machines and by people with a DICE account.
Sometimes web authors are required to limit access to certain web content to local users only. In the past it was simplest just to limit the content to web browsers on the Informatics or the University's network (EdLAN). However, this means that staff or students at home or mobile have some extra hoops (some non-trivial) to go through to be able to see the content.
Rather than simply denying access to people outwith the University/School network, it would be better to allow access to the authorised person, regardless of where they choose to access the content from.
It is possible to do this using the following configuration in an .htaccess file in the appropriate directory. In this example we want to allow straightforward access to browsers within EdLAN. Typically this means the host IP will be 129.215.*.* and/or resolve to a *.ed.ac.uk address. If the browser doesn't meet those criteria, the user will need to provide their Informatics login (username and password) via Cosign.
In the directory or container to be protected, create an .htaccess
file containing:
# Allow access to only Informatics users, not including iFriends CosignProtected On CosignRequireFactor INF.ED.AC.UK AuthType Cosign <RequireAny> Require host ed.ac.uk Require valid-user </RequireAny>
Someone accessing the content from outside ed.ac.uk will fail the Require host line, and so they will redirected to the usual weblogin.inf.ed.ac.uk page to satisfy the Require valid-user line. Assuming the user enters their DICE username and password they will then be able to access the restricted content.
The user may be automatically authenticated at weblogin.inf (and hence redirected) if they've authenticated to the service already, or if their machine and browser are configured for Cosign SPNEGO.
If you need more details, please contact computing support.