Securing Content by Machine IP Address
Before adding or requesting password protection for your Web content, make sure you have read and understood the difference between access security and transaction security in our introduction to Password Protection for Your Site.
Restricting access by IP is a simple way to limit a site to computers within the Stanford Medical Center, or to any other set of networked computers identified by specific IP addresses or ranges.
Instructions for installing IP security on Stanford Medicine Web Sites
Access to files is controlled at the directory level. This means that all the files in a given directory will be restricted. It's a good idea to provide an unsecured "landing page" where users are instructed on who is permitted, and how to request access.
To protect a given directory with WebAuth, you will need to include a file in that directory named ".htaccess". The .htaccess file tells the Web server how to authenticate users. You must use Dreamweaver to place the file. If you are a Contribute user, contact Web Help.
- Within your local site files as defined in Dreamweaver, create a new file within the directory to be protected and name or rename the file ".htaccess".
- Replace all the text in the file code with the appropriate directives, depending on who you wish to allow (see links below to jump to a specific approach).
- Upload the file to your site, and test the protection through your Web browser.
Restricting access to specific IP ranges
The following text is an example of the syntax. Allow can be set to specific full IPs (for one machine) or to ranges of IPs, as in this example, which includes all of the IP ranges for the Medical Center campus. New ranges are added from time to time, so test from sample machines. Be sure to have a blank line after the last line of text.
<Limit GET POST>
order deny,allow
deny from all
allow from 171.65
allow from 10.50
allow from 10.248
allow from 10.250
allow from 10.251
allow from 10.252
allow from 10.253
allow from 10.39
allow from 152.130
allow from 152.131
allow from 152.132
allow from 152.133
</Limit>
Breakdown of IP ranges:
- 171.65.x includes every Stanford Medicine network, plus some SHC networks (but these particular SHC nets tend to have mainly Stanford Medicine users on them)
- 10.50 is only LPCH networks
- 10.248 is SHC wireless
- 10.250-253 are primarily SHC, but also some LPCH
- 10.39 is School of Medicine Wireless
- 152.130-133 are for the VA Palo Alto facility
IP control can be combined with either WebAuth or BasicAuth (not both) so that on-campus users enter unchallenged, but off-campus users must log in with a password.
Be sure to have a blank line after the last line of text.
AuthType WebAuth
<Limit GET POST>
order deny,allow
deny from all
allow from 171.65
allow from 10.50
allow from 10.248
allow from 10.250
allow from 10.251
allow from 10.252
allow from 10.253
allow from 10.39
allow from 152.130
allow from 152.131
allow from 152.132
allow from 152.133
require valid-user
satisfy any
</Limit>
The above example uses general WebAuth, and will allow in anyone with a SUNet ID. For tighter restrictions, change valid-user to the appropriate code.
require user sunetid1 sunetid2 sunetid3
for specific SUNet IDs; all must be on one line to function
require privgroup organization:groupname
for a workgroup you have established through workgroup.stanford.edu
Please see the WebAuth page for a more detailed discussion of options for WebAuth.
Contact Web Help first to request installation of your login/password as described in the BasicAuth page. Let us know you want to combine it with IP control, and so need the path to the .htpasswd file.
AuthType Basic
AuthUserFile /d/web/path/to/securefolder/.htpasswd
AuthName YourDepartmentName
<Limit GET POST>
order deny,allow
deny from all
allow from 171.65
allow from 10.50
allow from 10.248
allow from 10.250
allow from 10.251
allow from 10.252
allow from 10.253
allow from 10.39
allow from 152.130
allow from 152.131
allow from 152.132
allow from 152.133
require user login
satisfy any
</Limit>
In the code above, replace /d/web/path/to/securefolder/ with the actual path to your .htpasswd file, as provided by Web Help. Most times this will be the same path as the .htaccess file. Replace YourDepartmentName with anything you want. Usually, we make it the same as the login, as a reminder to the user. Replace login with the specific login you are permitting in.
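Before testing from sample machines, the rules above can be checked offline. The following Python sketch is an added example, not part of the original page or of Apache: it models how a partial IP such as 171.65 is matched by whole octets and how "satisfy any" combines the IP rule with a login. It assumes the file uses "order deny,allow" with "deny from all" and only full or partial IPv4 addresses; the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: this page's "IPs plus WebAuth" file, cut down to three ranges.
HTACCESS = """\
AuthType WebAuth
<Limit GET POST>
order deny,allow
deny from all
allow from 171.65
allow from 10.50
allow from 10.250
require valid-user
satisfy any
</Limit>
"""

def partial_to_network(spec):
    """Apache matches a partial IP by whole leading octets: '171.65' is 171.65.0.0/16."""
    octets = spec.rstrip(".").split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a full or partial IPv4 address: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")

def parse(text):
    """Return (allowed networks, has a 'require' line, has 'satisfy any')."""
    nets, needs_login, satisfy_any = [], False, False
    for line in text.splitlines():
        words = line.lower().split()
        if words[:2] == ["allow", "from"]:
            nets += [partial_to_network(w) for w in words[2:]]
        elif words[:1] == ["require"]:
            needs_login = True
        elif words == ["satisfy", "any"]:
            satisfy_any = True
    return nets, needs_login, satisfy_any

def decide(text, client_ip, logged_in=False):
    """Return 'allow', 'login' (user is challenged) or 'deny' for one client."""
    nets, needs_login, satisfy_any = parse(text)
    ip_ok = any(ipaddress.ip_address(client_ip) in net for net in nets)
    if not needs_login:              # IPs only: the address alone decides
        return "allow" if ip_ok else "deny"
    if satisfy_any:                  # either the address or the login is enough
        return "allow" if ip_ok or logged_in else "login"
    if not ip_ok:                    # no 'satisfy any': both must pass
        return "deny"
    return "allow" if logged_in else "login"
```

Note that 10.50 covers 10.50.x.x only, so an address such as 10.5.0.1 is challenged, and that leaving out "satisfy any" turns the combined file into "on-campus and logged in" rather than "on-campus or logged in".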
Using protected pages
To protect the full transaction between the user's browser and the server, one should always use "https://" rather than "http://" to access a WebAuth-protected page or directory, and an absolute URL using the long med.stanford.edu domain name. So, even if you're protecting a directory in a site with the custom domain URL "yoursite.stanford.edu" you must still link to the protected files using a full https URL, i.e.
"https://med.stanford.edu/yoursite/protected/securepage.html"
You might also be interested in how to restrict pages with WebAuth (for users with SUNet IDs) or basic authentication (i.e. an arbitrary, non-SUNet ID, username and password).

