Personal Webpages

From CSWiki

CS students are allowed to create a personal web page on the school's servers that is accessible only from within the university. To do so, you must log into a Linux system, create a special directory for the web server, and then put your web site's files in it. Remember, all content within your school web page must comply with school policies.

Throughout this page, we will use a fictional user a123456z for all necessary examples. Please remember to replace it with your own username!

Student webpages are NOT enabled by default. If you wish to have a student webpage on the CS domain, you MUST contact an administrator!!!

Creating Your Site

By default, your home directory, and all files you create, are created with permissions that prevent other users from viewing your folders and files. In order to create a working personal webpage, you must change the permissions on your home directory and webpage files, allowing others to read them.

  1. Log into a Linux machine. To do so from home see Programming From Home.
  2. Change permissions on your home directory so the web service can read them. For more info, see File Permissions.
  3. Create a new directory called public_html in your home directory.
  4. Create a test file.
  5. Make sure the directory and all folders/files within it are readable by everyone.
  6. Open your favorite web browser and try to connect to your site.

$ chmod 710 ~
$ mkdir ~/public_html
$ echo '<html><body><p>Hello, world!</p></body></html>' > ~/public_html/index.html
$ chmod -R 750 ~/public_html

The address of your site will depend on your username. If your username is a123456z, then you should point your web browser at:

http://students.cs.edinboro.edu/~a123456z/

Note that any files you create will need their permissions changed to allow the group read permissions (and execute for directories). This can easily be accomplished with the following command:

$ chmod -R g+rX ~/public_html

Following the steps above will allow anyone to read your files directly from the server! This can expose any code or other hidden text in your files that would not be exposed via the web. In order to better secure your files, you must change the group owner of the directory! Contact an administrator with your group ownership change request!

If you have followed the steps above, here are the necessary steps to secure your files so that only Apache can read them (instead of all users). Please note that you must have root access to perform these tasks.

# chgrp -R apache ~a123456z/public_html
# find ~a123456z/public_html -type d -exec chmod g+s {} \;

The first command changes the group ownership to apache, allowing the web server to read the files. The second command sets the setgid bit on all directories, so that any files or folders created within the public_html directory inherit the same group ownership.

You can now create or copy files into your public_html folder to make your site. Remember that any files you create, by default, are not readable by anyone but you! You must change permissions on the files to allow people using your website to view them! To copy from home please see File Access.
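A check for the layout this section ends up with, as an added example that is not part of the original wiki page. The function audit_webroot, its finding labels and the sample tree are constructed here for illustration; it reports entries that other local users can reach, entries outside the expected group, directories missing the setgid bit, and content the group cannot read.

```shell
#!/bin/sh
# audit_webroot ROOT GROUP  (GROUP is a name such as apache, or a numeric gid)
# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
audit_webroot() {
    root=$1 grp=$2
    findings=$(
        # Other has some access, so every local user can reach this entry.
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo WORLD {} \;
        # Group owner differs from the one the web server runs under.
        find "$root" ! -type l ! -group "$grp" -exec echo GROUP {} \;
        # Directory without setgid, so new files keep the creator group.
        find "$root" -type d ! -perm -2000 -exec echo NOSGID {} \;
        # Group cannot read the file, or cannot read and traverse the directory.
        find "$root" -type f ! -perm -040 -exec echo NOREAD {} \;
        find "$root" -type d ! -perm -050 -exec echo NOREAD {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not the real server): one directory left at 755
# and one file left at the default owner-only mode.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/public_html/private"
    echo '<p>Hello, world!</p>' > "$t/public_html/index.html"
    echo 'draft' > "$t/public_html/private/notes.txt"
    chmod 2750 "$t/public_html"
    chmod 640 "$t/public_html/index.html"
    chmod 755 "$t/public_html/private"
    chmod 600 "$t/public_html/private/notes.txt"
    echo "$t"
}

demo=$(make_demo_tree)
# The demo passes the numeric gid of the sample tree; on the server described
# on this page the call would be: audit_webroot ~/public_html apache
gid=$(ls -ldn "$demo/public_html" | awk '{print $4}')
audit_webroot "$demo/public_html" "$gid"
rm -rf "$demo"
```

On the sample tree it prints a WORLD and a NOSGID finding for private and a NOREAD finding for notes.txt.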

.htaccess files

Some settings, such as directory listings, are disabled by default at the server level. You can optionally create an .htaccess file to override these settings.

Please note that settings made in .htaccess files will affect the directory the file is placed in, as well as all sub-directories!

In order to create an .htaccess file in your main public_html directory, do the following:

$ touch ~/public_html/.htaccess
$ chmod g+r ~/public_html/.htaccess

You will now have an empty .htaccess file which you can edit with your favorite text editor.

To allow directory listings, simply add the following line inside your .htaccess file:

Options +Indexes

.htpasswd files

You can use .htpasswd files, combined with .htaccess files, to quickly and simply restrict access to specific directories with a username and password. There are better ways to accomplish directory logins using various other methods, but this is one of the quickest and easiest to set up, and should work on all Apache web servers.

The steps to create a password-protected directory are fairly simple, but note that by password-protecting a directory, you are also password-protecting all sub-directories! You can remove the password protection of sub-directories with additional .htaccess files.

If you are not accessing your password protected directory via SSL (https://), your username and password are transmitted in clear text!

First, create a directory to protect, with an empty .htaccess file in it (we will assume you wish to protect a sub-directory called private in your public_html folder):

$ mkdir ~/public_html/private
$ chmod 755 ~/public_html/private
$ touch ~/public_html/private/.htaccess
$ chmod 644 ~/public_html/private/.htaccess

Now, find your home directory path by entering the following command:

$ echo $HOME
/home/students/a123456z

Next, edit the .htaccess file with your favorite text editor, and add the following lines (replacing /home/students/a123456z with the path given when issuing the echo $HOME command from above):

AuthUserFile /home/students/a123456z/.htpasswd
AuthGroupFile /dev/null
AuthName "Private Area"
AuthType Basic
Require valid-user

  • AuthUserFile is the directive that sets the location of the password file. This should be kept outside of your ~/public_html directory for security purposes.
  • AuthGroupFile sets the location of the group file. We aren't using one, so it is set to /dev/null.
  • AuthName sets the name of the private location, that will be displayed while the user is entering their credentials.
  • AuthType sets the type of authentication we use for our private folder. Basic does not encrypt the password during authentication, so make sure your links to the page use https:// instead of http://.
  • Require lists the names of users that can access the site. In this case we are allowing access to anyone with a valid username and password.

Finally, we must create the .htpasswd file, containing the username and passwords of users that are allowed to access the protected directory. When creating the first user, use the -c option to create the initial file. Omit the -c option when adding users to a .htpasswd file that already exists. Below we will create two users; user1 being the initial user, and user2 being the additional user.

$ htpasswd -c -b ~/.htpasswd user1 user1pass
Adding password for user user1
$ htpasswd -b ~/.htpasswd user2 user2pass
Adding password for user user2

We now have 2 users, user1 with a password of user1pass and user2 with a password of user2pass. When you attempt to access your protected directory (via https://www.cs.edinboro.edu/~a123456z/private) you will be greeted with a login prompt!

Logging Out

Unfortunately, the downside to the .htpasswd authentication method is that there is no built-in way to have someone log out. As long as they keep their web browser open, they will stay logged in. We can, however, trick them into logging out by actually having them (unknowingly) log into another directory!

This does not work in all cases.

We will use the same methods as above, however we will put them into a sub directory of the protected directory that we just created. For this example, we will again use the private directory ~/public_html/private, and use a sub directory called logout.

Let's start by creating the necessary files and folders:

$ mkdir ~/public_html/private/logout
$ chmod 755 ~/public_html/private/logout
$ touch ~/public_html/private/logout/.htaccess
$ chmod 644 ~/public_html/private/logout/.htaccess

Next, open ~/public_html/private/logout/.htaccess with your favorite text editor and add the following:

AuthUserFile /home/students/a123456z/.htlogoutpasswd
AuthGroupFile /dev/null
AuthName "Logout"
AuthType Basic
Require user logout

Notice here that we are only allowing access to the user logout. This forces the web browser to use the credentials for the user logout, instead of the previously logged in user.

Now we can create the logout user:

$ htpasswd -c -b ~/.htlogoutpasswd logout logoutpass

And finally, we can add the following link on our pages to the logout directory. This will have users log in to the logout directory, thus forgetting the login credentials for the private directory!

<a href="https://logout:logoutpass@www.cs.edinboro.edu/~a123456z/private/logout">Logout</a>

Redirects

Now, instead of forcing our users to view the logout page when logging out, we can automatically redirect them to our site, where they can then log in again.

There are two methods for creating redirects that we will cover, using HTML and using PHP.

HTML Redirect

In our logout directory, we must edit our index.html file to include the following:

<html>
<head>
<title>Logout Redirect</title>
<meta http-equiv="REFRESH" content="0;url=http://www.cs.edinboro.edu/~a123456z">
</head>
<body>
Click <a href="http://www.cs.edinboro.edu/~a123456z">here</a> if you aren't automatically redirected.
</body>
</html>

PHP Redirect

The PHP method of redirecting is a little easier and more transparent to the user, however it may not work on all servers.

To set up the PHP redirect we need a file called index.php in our logout directory. Create the file, and put ONLY THE FOLLOWING into the file:

<?php
// Send the redirect, then stop so nothing else is output after the header.
header('Location: http://www.cs.edinboro.edu/~a123456z');
exit;
?>

If you have both index.html and index.php files in your logout directory, the server will decide which one to load first (depending on server level settings). If this is the case and your page isn't loading, either delete the index file you are not using, or specify that particular file in your URL links from other pages.

Forcing SSL Connections

One of the problems with .htaccess files, as mentioned above, is that unless the link to your private directory uses https://, the username and password are transmitted over the internet in plain text. This means anyone in the right place can see your username and password! Obviously this is not a good thing, but by forcing our connections to SSL, we can prevent this from happening!

In order to do this, put the following lines at the top of your private/.htaccess file:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
SSLOptions +StrictRequire
SSLRequireSSL
ErrorDocument 403 https://www.cs.edinboro.edu/~a123456z/private

This makes the directory require SSL. A request that does not use SSL is refused with a 403 error, and the ErrorDocument line turns that error into a redirect to our private directory via SSL!
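A check covering both the .htpasswd section (password file kept outside public_html) and this section (Basic auth only over SSL), as an added example that is not part of the original wiki page. The functions, finding labels and sample tree are constructed here; it assumes absolute AuthUserFile paths as used on this page and looks only at .htaccess files, not at server-level configuration.

```shell
#!/bin/sh
# ssl_required DIR WEBROOT: succeeds if DIR or an ancestor up to WEBROOT has
# SSLRequireSSL in its .htaccess (.htaccess settings apply to sub-directories).
ssl_required() {
    d=$1
    while :; do
        if [ -f "$d/.htaccess" ] &&
           grep -Eiq '^[[:space:]]*SSLRequireSSL' "$d/.htaccess"; then return 0; fi
        if [ "$d" = "$2" ] || [ "$d" = / ]; then return 1; fi
        d=$(dirname "$d")
    done
}

# check_basic_auth WEBROOT: one finding per line for each Basic-auth .htaccess.
#   INSIDE  = AuthUserFile lies under the web root
#   MISSING = AuthUserFile does not exist
#   NOSSL   = no .htaccess on the path forces SSL for this directory
check_basic_auth() {
    webroot=$(cd "$1" && pwd -P) || return 2
    find "$webroot" -type f -name .htaccess | sort | while IFS= read -r ht; do
        grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" || continue
        pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
        case $pw in "$webroot"/*) echo "INSIDE $ht" ;; esac
        if [ -n "$pw" ] && [ ! -f "$pw" ]; then echo "MISSING $ht"; fi
        ssl_required "$(dirname "$ht")" "$webroot" || echo "NOSSL $ht"
    done
}

# Constructed sample tree: private/ and logout/ mirror the examples above,
# staff/ is a made-up directory that keeps its password file in the web root.
make_auth_demo() {
    t=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$t/public_html/private/logout" "$t/public_html/staff"
    : > "$t/.htpasswd"
    printf 'AuthUserFile %s\nAuthType Basic\nRequire valid-user\n' \
        "$t/.htpasswd" > "$t/public_html/private/.htaccess"
    printf 'AuthUserFile %s\nAuthType Basic\nRequire user logout\n' \
        "$t/.htlogoutpasswd" > "$t/public_html/private/logout/.htaccess"
    : > "$t/public_html/staff/.htpasswd"
    printf 'SSLRequireSSL\nAuthUserFile %s\nAuthType Basic\nRequire valid-user\n' \
        "$t/public_html/staff/.htpasswd" > "$t/public_html/staff/.htaccess"
    echo "$t"
}

demo=$(make_auth_demo)
check_basic_auth "$demo/public_html"
rm -rf "$demo"
```

Once SSLRequireSSL is added to private/.htaccess, the NOSSL finding for logout/ disappears as well, because the setting is inherited by sub-directories.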

Server Features

The server currently allows you to run PHP5 and CGI scripts. You can also run databases on the MySQL server. Contact Jason for database access.

More Information
