Header left.png

Web Services

From Systems Group
Revision as of 12:08, 13 November 2018 by Tylermarshall (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The ODU CS Department provides faculty and students the ability to host simple web pages from their CS Unix account.

Secure HTML

ODU CS users can use their secure html directory as their "mini website" using the following steps.

  1. Login to one of the Linux servers
  2. Creating a secure_html Directory

Accounts are now created with a secure_html directory. If your account doesn't have this directory (or it gets destroyed), you can create one by typing typing the mkdir secure_html command while you are in your home folder. This creates a directory called secure_html and that will become your directory for all of your web related documents

You can then start creating HTML files in this directory file, using the index.html page as an introduction and a place to put links to your files. Once you complete your HTML information and put it in your secure_html directory, you can tell people to find your homepage (index.html) at: http://cs.odu.edu/~<your_username>, where <your_username> is your CS Unix account username.

Common Issues

403 Forbidden

This issue is caused by permission issues on your secure_html folder. To set the proper permissions use the following command:

chmod o+rx ~/secure_html 

If you still experience issues - contact root@cs.odu.edu.


If all the pages at a Web site pertain to a select group of people - for example, a society with restricted membership - the provider might limit access to members so that the information is kept private. Another person might have two or more categories of information with different audiences. Someone else might have general information and additional subsets of information, intended for specific groups (only). The general information would be open to all visitors, but only specific persons would be allowed to view the subset(s) meant for the groups alone.

Limiting access with a password The "password" must be recognizable as a string of characters. Generally the password has an associated "login". For example, I might want to know if you are a member of one of my clubs and know the password for it, or I might want to know who you are as well as have your password, or I might allow anyone from a machine whose address ends in "cs.odu.edu" to enter, in which case the person's IP address could act as the "login".

What to do to limit access There are at least two steps required to "lock" files from access by the general visitor to your Web site. The first step is to set up a login/password pair that will act as a key to the restricted set of files. The second step is to create a file called ".htaccess" - that is "dot-htaccess" - and position it properly so that it can police your visitors.

How to create the login/password pair Here, you must know enough about the UNIX operating system that you can give UNIX commands and move around the file system. The examples here are about as simply structured as possible, but nonetheless this step cannot (yet) be carried out in any way other than by logging onto the computer that holds your Web pages. The command to create the login/password pair is htpasswd and has two different forms: one for creating the file that will hold the encrypted entries, and the other for adding additional pairs once the file exists. To create an authorization file named ".htpasswd" with a login for "friend", you type something similar to this:

htpasswd -c .htpasswd friend

The computer will ask you for a password that will then be paired with the login "friend". To create another pair, let's say for those on your swim team, whether immediately or at some later date, use a command similar to this:

htpasswd .htpasswd swimmer

You will be similarly asked for a password that will be paired with the login "swimmer".

The login/password combinations are encrypted so they will not be useful to someone who might get a look at the file. It is up to you to remember the passwords - the file is of no help. In this example, the login/password pairs were friend/mybuddy and swimmer/frog. Use the command more .htpasswd to see the contents of the file. You should see the logins, friend and swimmer, each followed by a colon (:) and some nonsense string of characters similar to this:

/home/user_id $ more .htpasswd

Where to put the authorization file It is best not to have the file in the secure_html directory with your Web pages - that directory is wide open from a security standpoint. At least put the authorization file at the same level in your UNIX account's tree as the secure_html file. For most users, this will be at the login directory level with a location similar to "/home/user_id", where user_id is the owner's user_id, as in the above example.

Where to put the .htaccess file In the simplest case - when your entire Web site is to be password-protected, put the .htaccess file in the secure_html directory. A listing of the home directory would probably show these files and directories along with many others:

/home/user_id $ ls
......... ......... .......... .htpasswd secure_html
/home/user_id $ cd secure_html
/home/user_id/secure_html $ Ls -a
4 drwxr-xr-x 2 user_id usr 4096 Oct 11 1998 ./
8 drwxr-xr-x 3 user_id usr 8192 Jun 28 12:02 ../
4 -rw-r--r-- 1 user_id usr 135 Jun 28 12:01 .htaccess
4 -rwxr-xr-x 1 user_id usr 2438 Jun 10 1998 home.html*
4 -rwxr-xr-x 1 user_id usr 483 Jun 10 1998 test.cgi*

A second, differently constructed example that has protected subdirectories for our friends and swimmers might look something like this:

/home/user_id/secure_html $ Ls -a
4 drwxr-xr-x 2 user_id usr 4096 Jun 7 13:12 ./
8 drwxr-xr-x 3 user_id usr 8192 Jun 28 12:02 ../
4 -rwxr--r-- 1 user_id usr 2438 Jun 10 1998 home.html
4 drwxr-xr-x 2 user_id usr 4096 Jun 7 13:12 pals/
4 drwxr-xr-x 2 user_id usr 4096 May 14 16:35 swimteam/
4 -rwxr-xr-x 1 user_id usr 483 Jun 10 1998 test.cgi*

Note that there is no .htaccess file at the secure_html level. Any visitor can use or view the files "home.html" and "test.cgi". The .htaccess files are now going to be in their respective subdirectories whose listings might appear thus:

/home/user_id/secure_html $ cd pals
/home/user_id/secure_html/pals $ Ls -a
4 drwxr-xr-x 2 user_id usr 4096 Jun 7 13:12 ./
8 drwxr-xr-x 3 user_id usr 8192 Jun 28 12:02 ../
4 -rwxr--r-- 1 user_id usr 135 Oct 11 1999 .htaccess
4 -rwxr--r-- 1 user_id usr 2438 Jun 10 1998 home.html
4 -rwxr--r-- 1 user_id usr 2438 Oct 11 1999 club.html
4 -rwxr-xr-x 1 user_id usr 483 Jun 7 13:12 test.cgi*
/home/user_id/secure_html/pals $ cd ../swimteam
/home/user_id/secure_html/swimteam $ Ls -a
4 drwxr-xr-x 2 user_id usr 4096 May 14 16:35 ./
8 drwxr-xr-x 3 user_id usr 8192 Jun 28 12:02 ../
4 -rwxr--r-- 1 user_id usr 135 Jan 28 10:12 .htaccess
4 -rwxr--r-- 1 user_id usr 2438 Jan 20 09:48 home.html
4 -rwxr--r-- 1 user_id usr 2438 May 14 16:35 schedule.html
4 -rwxr-xr-x 1 user_id usr 483 Mar 5 08:03 test.cgi*

What text is in the .htaccess file? There are several "authorization types" that must be named so that http protocol connections know where to and how to protect your files.

Example 1 Allow ONLY users whose connections come from the ".cs.odu.edu" domain. The file /home/user_id/secure_html/.htaccess contains the following attributes:

AuthUserFile /home/user_id/.htpasswd
AuthGroupFile /dev/null
AuthName AllowFromCSODU
AuthType Basic
order deny,allow
deny from all
allow from .cs.odu.edu

Note that the first action is to deny everyone, but continue to check and, if the address contains ".cs.odu.edu", to allow access.

Example 2 Allow ONLY users who know the "friend/mybuddy" pair to access the files in /home/user_id/secure_html/pals. The .htaccess file.in the secure_html/pals directory.needs these attributes:

AuthUserFile /home/user_id/.htpasswd
AuthGroupFile /dev/null
AuthName ExampleAllowFriends
AuthType Basic
require user friend

Note that there is nothing magic about AuthName. This is just an "identifier" that helps the reader to know what the purpose of the .htaccess file is.

These examples rely on the information in the authorization file named ".htpasswd". When a person clicks on a URL in the swimteam subdirectory, a window pops up with two text fields - one in which to type the login, the other in which to type the password.