Web Server FAQ

Reviewed by John Sopko 10/14/2014

Who is responsible for the department’s web server?
Why can’t I log onto the WWW server?
How do I access the WWW file space?
How do I create my own personal home page?
How do I get a link set up on one of the main web pages for a course?  Where should I put my course project web page data?  How do I let others download course documents?
How can I tell who has been accessing my pages?  Where are the server logs kept?
Where can I run CGI or PHP scripts?
What is the wwwx.cs.unc.edu web server?
How do I enable directory listings for one of my directories?
How can I redirect a page to wwwx or to a secure server?
How can I limit access to my web pages?
How can I redirect my home page to another site?
Information about our SSL certificate

 

Who is responsible for the department’s web server?
Computer services maintains the hardware, operating system and web server software.  For problems and questions not answered in this document please email help@cs.unc.edu.  The overall design and content is maintained by the department’s publications staff.  Please email the publications staff at pubs@cs.unc.edu about content questions not answered in this document.

Why can’t I log onto the WWW server?
It is not a good idea to have your main web server used as a general purpose UNIX remote login server.  This can cause performance and security related problems for the web server.

How do I access the WWW file space?
The web server is configured to access files and documents in two ways:  Some document are served from the WordPress content management system. Other documents are stored in AFS file system space.  The AFS file system space can be accessed from a Windows or Linux machine configured with the AFS file system client.

All users with a Computer Science account can access files in AFS file space.  See AFS introduction for more information. AFS file space contains directories, (folders), and files that can be accessed by the web server. The AFS document root where documents are maintained are located in /afs/cs.unc.edu/common/doc/www.  You need to have write permission to create and maintain access in the web server AFS file space.

Documents located in the http://www.cs.unc.edu/cms/ are managed by the Plone Content Management System.  You need to be given access and training in order to create and maintain documents in this space.  Please email help@cs.unc.edu describing your needs.

How do I create my own personal home page?
Please see How to Create a Personal Home Page to set up your own page.  You must have a valid Computer Science login account.

How do I get a link set up on one of the main web pages for a course?  Where should I put my course project web page data?  How do I let others download course documents?
Please see the Courses Disk Space information page.

How can I tell who has been accessing my pages?  Where are the server logs kept?
Please see the Web Server Reports and Statistics.

Where can I run CGI or PHP scripts?
CGI scripts, (Common Gateway Interface) and PHP scripts are programs that are accessed via web pages and run on the department’s web server.  Such programs can have serious security and performance implications.  CGI or PHP programs in your personal web pages will not run on the www  server.  The main reason for running CGI or php programs on www is for securing sensitive data that needs to be accessed by CGI/PHP programs and the data is only accessible on the www server.  Web pages that need to run CGI programs on www need to be approved by Computer Services.  Please email help@cs.unc.edu with a detailed request and information about the CGI scripts you want to implement on the department’s web server.  Note that you can run CGI scripts on the department’s wwwx web server; see the next topic below.

What is the wwwx.cs.unc.edu web server?
The wwwx.cs.unc.edu web server allows anyone with an account to run CGI or PHP scripts.  The web server uses the same document root as the official www server.  The main purpose of this system is to let users run PHP and CGI scripts.  The wwwx server runs the same software as the www server.  The server has been set up to allow users to run CGI and PHP programs out of their personal web space located under “wwwx.cs.unc.edu/~user_name/. See the CGI Program Information page for more information and how to debug your cgi scripts. NOTE: If you have sensitive data that you need to protect you should not use wwwx.  See question 11.

How do I enable directory listings for one of my directories?
If your web directory contains an index.html, index.htm, or index.shtml page, the server will automatically display those pages.  If you would like instead for a listing of files to show up for a particular directory, then you must create a file called “.htaccess” that contains the option entry “Options +Indexes” in the directory you want to be listed.  Note: any sub-directory under this directory will also have directory listings turned on!  To turn off directory listings in these directories use “Options -Indexes” in the .htaccess file.  Directory listings are turned off at the server level by default for security reasons, so a listing of files will not show up unless you explicitly allow this to happen.

How can I redirect a page to wwwx or to a secure server?
There are times when you want to redirect a web page to the wwwx server from the www server.  There are also times when you want to redirect your page to a secure https server if it is being accessed by the non secure http server.  For example, you may want to run an index.php page out of your home directory.  As described in question 8, you can only run PHP on the wwwx server.  You want to advertise your home page as www.cs.unc.edu/~login_name, and you need to redirect to wwwx.cs.unc.edu/~login_name which will allow you to run PHP.  Add the following to the .htaccess file in your public_html directory:

<IFDefine !WWWX>
RedirectMatch (.*)$ http://wwwx.cs.unc.edu$1
</IFDefine>

Computer Services runs four web servers:

http://www.cs.unc.edu/
https://www.cs.unc.edu/
http://wwwx.cs.unc.edu/
https://wwwx.cs.unc.edu/

Each web server has several “Define” variable associated with it that you can use to test that you are on that server.  If you are not on that server then you redirect the URL to that server using a Define statement in a .htaccess file.  The !VAR name means if the variable is NOT defined then redirect to the server where it is defined:

WWW defined on http://www.cs.unc.edu/
WWWS defined on https://www.cs.unc.edu/
WWWX defined on http://wwwx.cs.unc.edu/
WWWXS defined on https://wwwx.cs.unc.edu/

Redirect to https://www.cs.unc.edu:

<IFDefine !WWWS>
RedirectMatch (.*)$ https://www.cs.unc.edu$1
</IFDefine>

Redirect to https://wwwx.cs.unc.edu:
<IFDefine !WWWXS>
RedirectMatch (.*)$ https://wwwx.cs.unc.edu$1
</IFDefine>

The available defined variables on our web servers:

http://www.cs.unc.edu => INSECURE NOPHP WWW
https://www.cs.unc.edu => SECURE NOPHP WWWS

http://wwwx.cs.unc.edu => INSECURE PHP WWWX
https://wwwx.cs.unc.edu => SECURE PHP WWWXS

How can I limit access to my web pages?
The Apache web server software provides several methods for limiting access to your web pages:  You can limit access by Internet domain names or internet addresses, or you can create own password file with usernames:passwords to limit access to your web pages.  You can also combine these methods.

Examples are given below for limiting by domain name, limiting with a usernames:passwords file, and using a combination of these two methods.  Unfortunately, you cannot combine using your own local password file and the department’s Kerberos server; they are mutualy exclusive.

NOTE: If you use the usernames:password access method, you should use our secure SSL https://www.cs.unc.edu/ server when specifying links to protected pages, as shown in the example. This way users’ passwords will be encrypted when entering their password information. The Kerberos method of authentication only works on our secure https SSL web servers!

If the following examples do not satisfy your needs see password protected directory using basic authentication.  Use this method if you want to configure your own username:password authorization file.  The “htpasswd” command is located on our public linux machines and is required to create your own user:password file.

With each of the methods, the first step is to create a file in the web directory you want protected and call the file “.htaccess”.  The web server will process this file if it exists in any directory that is being accessed.  All directories and files under the protected directory will be protected using the directives you specify in your .htaccess file.

Important note: To protect your documents so only the www web server can read your files, you need to configure your AFS file permissions appropriately.  Otherwise someone can read your files in the AFS filesystem or write a CGI or PHP program on the wwwx server to read your files.  You must give the special “web-server” AFS group access to your directory with the following afs command: “fs setacl your_web_dir web-server rl”.  This gives the special group “web-server” read/list access to your files.  The web-server group is the www.cs.unc.edu web server only.  Make sure you do not give permissions to the special groups “system:anyuser”, “system:authuser”, “cs-machines” or any other users you do not want to view your files.  Use “fs listacl your_web_dir” to see who has permissions on your directory.  The special “web-server” group allows only the www server, (not the wwwx server), to read your files.  If you wish to give the wwwx server permissions to read or write files use the special afs group “wwwx-server”. You can give the wwwx-server afs write permissions to a directory so cgi programs that are executed can write to a particular directory. There is also a special afs group called wwwp-server for the server used for web programming courses.  Note this can be a security issue since others can write cgi scripts to write or delete in your directory.  See AFS file security for more info on afs permissions.  Also, if someone in the department is running a web server and pointing to our web document root in AFS, your pages may be accessed via their web server.  In that case, web crawlers, like Google, will catalog them from someone else’s web server, which could be problematic.  Please email help@cs.unc.edu for assistance with AFS permsissions.

First configure AFS Access to your documents!  If you only want the www.cs.unc.edu web server to be able to read your documents use the following AFS set access control command.  The commands are shown on separate lines for clarity but can be used as one command:

fs setacl protected_dir cs-machines none system:anyuser none system:authuser none
fs setacl protected_dir web-server rl

If you want to give read/list to the wwwx.cs.unc.edu server:

fs setacl protected_dir wwwx-server rl

Make sure you check your AFS permissions with the following AFS command.  If you need assistance PLEASE email help@cs.unc.edu to have your AFS permissions reviewed:

fs listacl protected_dir

LIMIT BY DOMAIN ONLY

Use this method to limit pages in a directory and its sub-directories to users coming from a particular domain.  This is used for simple security especially if you do not want external search engines to catalog your web pages.  The following limits access to web clients in our “.cs.unc.edu” domain.  (Note, however, that users in our department will not be able to access such pages when using the department’s wireless network or when coming in from an ISP account.):

order deny,allow
deny from all
allow from .cs.unc.edu

Change “cs.unc.edu” to “unc.edu” to allow anyone on campus to access the pages

LIMIT BY USER NAME ONLY

The following will limit web pages to all users who have a Computer Science Windows account.  Make sure you limit access to the www and optionally the wwwx server as described above.  Otherwise, if someone is running a web server and pointing to our web document root in AFS, your pages may be accessed via their web server!  In this case, web crawlers, like Google, will catalog them from someone else’s web server!

<IFDefine !WWWS>
RedirectMatch (.*)$ https://www.cs.unc.edu$1
</IFDefine>

<IFDefine WWWS>
AuthName ‘Computer Science Login:’
AuthType Kerberos
require valid-user
</IFDefine>

The “<IFDefine !WWWS>” directive will cause your page to be sent over to our secure www https/ssl server so that passwords are encrypted.  The “RedirectMatch” directive will replace the current page being accessed with the same page using the secure server if the page was accessed with our non-secure server.

To limit access to only certain users replace the “require valid-user” line with line(s) like

require user joe@CS.UNC.EDU
require user mary@CS.UNC.EDU

This will limit access to joe and mary.  Joe and mary must have valid Computer Science Windows user ids and passwords!  You mustuse capital letters for CS.UNC.EDU!

Here is what you would put in your .htaccess if you wanted to redirect to our wwwx.cs.unc.edu server and only allow user joe access:

<IFDefine !WWWXS>
RedirectMatch (.*)$ https://wwwx.cs.unc.edu$1
</IFDefine>

<IFDefine WWWXS>
AuthName ‘Computer Science Login:’
AuthType Kerberos
require user joe@CS.UNC.EDU
</IFDefine>

LIMIT BY DOMAIN THEN USER NAME

The following .htaccess file settings will allow access to anyone coming from a web browser in our “.cs.unc.edu” domain.  If the user is coming from outside this domain then they will be prompted for their CS Windows user/password over our secure server:

<IFDefine !WWWS>
RedirectMatch (.*)$ https://www.cs.unc.edu$1
</IFDefine>

<IFDefine WWWS>
AuthName ‘Computer Science Login:’
AuthType Kerberos
Satisfy any
order deny,allow
deny from all
allow from .cs.unc.edu
require valid-user
</IFDefine>

This is the most convenient method to provide access to UNC Computer Science users.  If they are logged in to a machine in our domain, they don’t have to enter a password.   If they are logged in to some other computer, they can still access the info, but they first have to enter a password (which is encrypted for security purposes).  If it is critical that the page be protected, it is best to always require a password!

To find out more information about Apache directives (keywords) specified in the .htaccess file, see the Apache online reference manual.

USING  KERBEROS 5 ACCOUNT NAME AND PASSWORD FOR AUTHENTICATION

Our Windows Active Directory servers implement Kerberos 5 authentication.  This method still passes the user name and password in the clear from the browser to the web server.  You must use the secure server https to use Kerberos authentication.  The Kerberos authentication method is only enabled on https://www.cs.unc.edu and https://wwwx.cs.unc.edu.

There is a difference when limiting access to a list of users using the apache “require” directive and Kerberos.  You can still use “require valid-user” which will allow access to anyone that has a CS Windows user account.  To limit access to certain users in kerberos specify the users with our CS.UNC.EDU Kerberos REALM name like this:

require user login_name@CS.UNC.EDU [login_name2@CS.UNC.EDU] …

You can specify multiple “require user” lines.  The REALM name CS.UNC.EDU must be in capital letters!  See the above examples for using our Windows Kerberos server for authentication in your .htaccess file.

How can I redirect my home page to another site?
If you would like to redirect your home page to another web server, create a .htaccess file in your ~user/public_html directory that contains the following entry:

RedirectMatch permanent (.*)$ http://www.othersite.edu$1

Replace the web server name with the othersite.  Note the “$1” is required.  All content will no be redirected to the other site.

Information about our SSL certificate
Click here to get the details about our SSL certificate for the *.cs.unc.edu department. Some people like to verify the fingerprint also known as the thumbprint and other key information about our SSL certificate for verification purposes. Click here to download the PEM encoded file.