Limit access to specific computers
Last revision July 10, 2009
Make your .htaccess file with the lines specified below, but substituting values that are appropriate to your case wherever you see italicized keywords.
AuthType Basic
Order deny,allow
Deny from all
Allow from IP_or_domain
The Order directive line just says that when the web server is checking to see whether to allow access to a viewer on a particular computer, it will first check to see if any Deny directives apply, and then look to see if any Allow directives apply.
The next line, the Deny from all directive, then says that the basic default condition is to not let any computer have access. This default denial will be overridden by Allow directives that give permission to specific computers.
You can now put in one or more Allow from directives to allow access by specific computers. You can specify either a single IP address, a range of IP addresses, a single complete host name, or a domain of hostnames. You can have multiple Allow from directives to mix and match among these formats.
Here are examples of various Allow from directives showing how to limit access with the different formats.
Allow from 171.64.168.69
Says that a computer with the specific IP address 171.64.168.69 will be
allowed to access the files in this folder. If the viewer who is
requesting these pages is not coming from a computer with this specific
address, then he will be denied access by the Deny from all directive,
unless his computer matches another Allow from directive in the same
.htaccess file.
Allow from 171.64.168.0/21
Says to allow access from any computer that has an IP address in the
range that has been allocated to the School of Earth Sciences network.
Allowing access by a range of IP addresses like this is a little
tricky, because you have to understand how to specify the base address
of the range, and then the "netmask bits" that indicate how many
possible addresses can follow that base. Generally, you should use
IP address ranges only to restrict access to a small set of computers, where
the network manager can supply the correct base address and netmask
bits for you. To limit access to an entire organization (such as all
of Stanford), you should use the domain method, below.
Allow from gondwana.stanford.edu
This example allows access from the computer whose IP hostname is
gondwana.stanford.edu.
The web server will actually contact network name servers to find out
which IP hostname is associated with the IP address of the computer
that is requesting the page (IP addresses are included in all network
packets). So this method works only if your computer is properly
registered with a name server (as all computers on the Stanford campus
are).
Allow from stanford.edu
This example allows access from any computer in the stanford.edu
network domain, which corresponds to all computers connected to the
Stanford University campus network.
For a complete example, suppose the Earth Sciences user with SUNet ID "joe" wants to put some html files in his personal web folder and limit access to computers at Stanford only. His personal web folder is the subfolder WWW in his home share on the sesfs.stanford.edu file server. The web URL for this folder is simply
http://pangea.stanford.edu/~joe/
Joe makes a subfolder within WWW to store his restricted files, and calls that subfolder personal. Its URL is
http://pangea.stanford.edu/~joe/personal/
Within that personal folder, Joe loads an .htaccess file that contains the following lines:
AuthType Basic
Order deny,allow
Deny from all
Allow from stanford.edu
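The following is an added example, not part of the original page and not Apache's own code: a small Python model of how Order deny,allow combines the rules above, including what the /21 range covers and how a domain name is matched only on whole name components. The function names, the client_host argument (standing in for the hostname the server obtained from its name-server lookup) and the 192.0.2.x client addresses are assumptions constructed for illustration.

```python
import ipaddress

# Rules taken from the examples on this page.
DENY = ["all"]
ALLOW = ["171.64.168.69", "171.64.168.0/21", "gondwana.stanford.edu", "stanford.edu"]

def cidr_range(spec):
    """Return (first address, last address, count) covered by base/netmask-bits."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

def spec_matches(spec, client_ip, client_host):
    """True if one 'Allow from' / 'Deny from' value matches this client."""
    if spec == "all":
        return True
    try:
        # A single IP address or a base/netmask-bits range.
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    except ValueError:
        pass  # not an address, so treat the value as a host or domain name
    if client_host is None:
        return False  # no name registered for the address: name rules cannot match
    host, name = client_host.lower().rstrip("."), spec.lower().rstrip(".")
    # Whole-name match, or a suffix that starts on a dot boundary.
    return host == name or host.endswith("." + name)

def allowed(allow_specs, deny_specs, client_ip, client_host=None):
    """Order deny,allow: Deny is checked first, a matching Allow overrides it,
    and a client that matches neither list is let in."""
    denied = any(spec_matches(s, client_ip, client_host) for s in deny_specs)
    permitted = any(spec_matches(s, client_ip, client_host) for s in allow_specs)
    return permitted or not denied

if __name__ == "__main__":
    print("171.64.168.0/21 covers", cidr_range("171.64.168.0/21"))
    # Constructed sample clients: (IP address, hostname from the name server)
    clients = [
        ("171.64.175.255", None),                  # last address inside the /21
        ("171.64.176.1", None),                    # first block outside the /21
        ("192.0.2.10", "lab.stanford.edu"),        # inside the domain
        ("192.0.2.11", "notstanford.edu"),         # ends in the string, wrong boundary
        ("192.0.2.12", "stanford.edu.example.net"),  # domain is not the suffix
    ]
    for ip, host in clients:
        verdict = "allow" if allowed(ALLOW, DENY, ip, host) else "deny"
        print(f"{ip:16} {str(host):28} {verdict}")
```

Running it shows that the /21 range spans 171.64.168.0 through 171.64.175.255, and that a client with no registered hostname can only be admitted by an address rule.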