How Do I ... Request and Maintain a Restricted Web Site


What is a Restricted Web Site?

A restricted web site or web area is a site that is only available for viewing by a certain group of people, such as members of a department. Restrictions can be made according to the IP number, subnet or domain of machines (e.g. people can only view the site from a certain location), or by user name and password (e.g. only those people in the access list can view the page, no matter where they are viewing it from).

Restricted web sites on www.uwo.ca are available for UWO username/password accounts, and the restricted area has to be set up by ITS staff. They are not available for publish.uwo.ca sites because personal sites are configured differently.

Restricted sites on instruct.uwo.ca are available for UWO username/password accounts, and the restricted area has to be set up by ITS staff. Course sites that need to be restricted to individuals, whether or not they have a UWO username, are now handled in WebCT.

How do I create one?

The initial setup and creation of the restricted area can only be performed by the web administrator of the web server, who has special privileges. If you need a restricted area on the www.uwo.ca or instruct web server, please complete and submit the Restricted Site Request form. This request will be processed by Web Admin. You will need to specify:

    * Your name and e-mail address
    * Name and e-mail address of maintainer (if other than yourself)
    * The URL of the site you wish created. The URL should be inside a site you already own and should not already exist.
    * The type of restriction you wish to have. The choices are:
          o Restricted to campus (only on-campus machines have access)
          o Restricted by password (must have a valid e-mail login/password)
          o Restricted to campus or by password (for those not on campus)
          o Restricted to campus and by password
          o Restricted to specific users (e.g. a class)
    * OPTIONAL: You can request a class list using the form in http://www.uwo.ca/its/accounting/classlist/. A password file with the names in the class list will be created for you by the webadm.

Web admin will create the site for you and set up the restrictions you requested. Any page that you add to this area will only be accessible to those specified by the restrictions.

What will the site look like?

    * The world-readable rights will be removed from the new directory that forms the restricted area. This means that only the owner of the files can look at them through the file system.
    * The directory will be owned by the maintainer, with the group ID set to guest.
    * There will be a special file called .htaccess containing the restrictions that are required. Do not delete or move this file.
    * If the site is to be restricted by password, there will be a password file, usually called passwords. If you sent in a class list (see previous section), then the password file will be populated with these entries.
    * There will be a dummy index.html file in the area.
    * A redirect will be added at the server level to ensure secure (https) connections.
    * When viewing the restricted site, most web browsers will indicate that this is a secure site (e.g. in Netscape, the Security lock icon will be highlighted and closed and the icon of the lock at the bottom left of the window will also be closed; in Internet Explorer, an icon of a lock will appear in the bottom right corner).

See the next section for a description of what to do to start using the site.

Maintaining the Restricted site

   1. You should modify the file index.html so that it describes the area.

      Then the information pages or image files can be added as usual (e.g. using an SFTP client). If you need to create any subdirectories in the restricted area, don't change the default permissions of the new directories.


   2. If access is restricted by password, you need to edit the password file. The password file is a list of users you wish to allow or deny access. Currently, authentication is done against the ITS Unix systems, so we only require the login names. The name of the password file can be found from the first line of the .htaccess file. For example,

         AuthUserFile    /web/www/its/restricted/passwords

      where passwords is the name of the password file, found in the directory its/restricted. A valid user is denoted by +loginname and someone you want to specifically deny access is denoted by -loginname. For example, to give access to user 'Jane Doe', add the following line to the password file:

      +jdoe

      Add as many users as desired. If the person does not have a Western email address, contact the webadmin. If you want everyone who has a valid Western username and password to have access, use the line (* is a wildcard character signifying "all"):

      +*

      This password file needs to be kept up to date, adding and deleting users as needed.

      NOTE: If you sent in a class list with your request for the restricted area, the password file will already be set up with these people. Check to see if any need to be added or removed.

   3. Anyone accessing this area should use the URL https://... (notice the s). Notify those who will be using this site, as well as any other sites that link to it, of this.

   4. Follow these rules for linking to restricted sites to maintain security:
          * Links to a restricted page or file from a non-restricted page - use https
          * Links to a restricted page or file from a restricted page - use https or a relative path
          * Links to a non-restricted page or file from a restricted page - use http
          * Loading images into a restricted page (no matter where they are located) - use https or relative path
          * Running a CGI script from a restricted site - use https

   5. Remember the following:
          * Do not change any of the ownerships, rights or group ID in this area or any areas under it.
          * Do not delete, move or modify the file .htaccess
          * Do not delete or move the password file.
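
Keeping the password file up to date, as step 2 asks, comes down to comparing its +loginname and -loginname entries with the list of people who should currently have access. The Python below is an added example, not part of the original page or an ITS tool; the function names, the assumed shape of a login name and the sample data are all constructed for illustration.

```python
import re

# Assumed shape of a login name; the page does not define one.
LOGIN = re.compile(r"[A-Za-z0-9_.-]+")

def auth_user_file(htaccess_text):
    """Return the path on the first line of .htaccess if it is AuthUserFile."""
    lines = htaccess_text.splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) == 2 and parts[0] == "AuthUserFile":
        return parts[1]
    return None

def parse_password_file(text):
    """Sort entries into allowed logins, denied logins, +* and bad lines."""
    allow, deny, wildcard, bad = set(), set(), False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if entry == "+*":
            wildcard = True
        elif entry[0] == "+" and LOGIN.fullmatch(entry[1:]):
            allow.add(entry[1:])
        elif entry[0] == "-" and LOGIN.fullmatch(entry[1:]):
            deny.add(entry[1:])
        else:
            bad.append((lineno, raw))  # no +/- prefix, or not a login name
    return allow, deny, wildcard, bad

def reconcile(password_text, roster):
    """Report what must change for the file to match the current roster."""
    allow, deny, wildcard, bad = parse_password_file(password_text)
    roster = set(roster)
    return {
        "open_to_all_accounts": wildcard,
        "to_add": sorted(roster - allow),
        "to_remove": sorted(allow - roster),
        "denied_but_on_roster": sorted(deny & roster),
        "malformed": bad,
    }

# Constructed sample data, not taken from any real site.
SAMPLE_HTACCESS = "AuthUserFile    /web/www/its/restricted/passwords\n"
SAMPLE_PASSWORDS = "+jdoe\n+asmith\n-bwong\njlee\n+*\n"
SAMPLE_ROSTER = ["jdoe", "bwong", "jlee"]

if __name__ == "__main__":
    print("password file:", auth_user_file(SAMPLE_HTACCESS))
    for key, value in reconcile(SAMPLE_PASSWORDS, SAMPLE_ROSTER).items():
        print(f"{key}: {value}")
```

A `+*` line left in a file that is meant to list specific users is the finding to look at first, since it admits every valid Western account.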
