Department Web Server FAQ

1. Who is responsible for the department's web server?
2. Why can't I log onto the WWW server?
3. Okay, so how do I access the WWW file space?
4. How do I create my own personal home page?
5. How do I get a link set up on one of the main web pages for a course? Where should I put my course project web page data? How do I let others download course documents?
6. How can I tell who has been accessing my pages? Where are the server logs kept?
7. I would like to write some CGI (Common Gateway Interface) or PHP scripts for use on the department's www server.
8. What is the wwwx.cs.unc.edu web server?
9. How do I enable directory listings for one of my directories?
10. How to redirect www to wwwx. How to redirect a page to the www or wwwx secure https SSL server.
11. How to limit access to your web pages.

1. Who is responsible for the department's web server?

Computer services maintains the hardware, operating system and web server software. For problems and questions not answered in this document please email help@cs.unc.edu. The overall design and content is maintained by the department's publications staff. Please email the publications staff at pubs@cs.unc.edu about content questions not answered in this document.

It is not a good idea to have your main web server used as a general purpose UNIX remote login server. This can cause perfomance and security related problems for the web server.

The http://www.cs.unc.edu/ "document root" resides in UNIX AFS file space. The root document starts at "/afs/unc/common/doc/www." Most UNIX systems have a shortcut "/unc/www" that links to the same directory path. Most web documents are readable by anyone with a UNIX account. Write access to this area is limited to those identified as maintaining these documents. Most official departmental web pages contain the name or email address of the person who maintains specific pages on the web.

Please see "How to Create a Personal Home Page" to set up your own page. You must have a valid Computer Science UNIX login account. Please read the page carefully before asking for help.

Please see the Course Disk Space page.

See Web Server Reports & Statistics.

CGI scripts, (Common Gateway Interface) and PHP scripts are programs that are accessed via web pages and run on the department's web server. Such programs can have serious security and performance implications. CGI or PHP programs in your personal web pages will not run on the www server. The main reason for running CGI or php programs on www is for securing sensitive data that needs to be accessed by CGI/PHP programs and the data is only accessible on the www server. Web pages that need to run CGI programs on www need to be approved by the department. Please email help@cs.unc.edu with a detailed request and information about the CGI scripts you want to implement on the department's web server. NOTE you can run CGI scripts on the department's wwwx web server; see the next topic below.

The wwwx.cs.unc.edu web server allows anyone with an account to run CGI or PHP scripts. The web server uses the same document root as the official www server. The main purpose of this system is to let users run PHP and CGI scripts. The wwwx server runs the same software as the www server. The server has been set up to allow users to run CGI and PHP programs out of their personal web space located under "wwwx.cs.unc.edu/~user_name/public_html space. directory. The wwwx server can also be used as a backup server if you cannot access the www server. See the "CGI Program Information" page for more information and how to debug your cgi scripts. NOTE: If you have sensitive data that you need to protect you should not use wwwx. See question 11.

If your web directory contains an index.html, index.htm or index.shtml page the server will automatically display those pages. If you would like instead for a listing of files to show up for a particular directory, then you must create a file called ".htaccess" that contains the option entry "Options +Indexes" in the directory you want to be listed. Note: any sub-directory under this directory will also have directory listings turned on! To turn off directory listings in these directories use "Options -Indexes" in the .htaccess file. Directory listings are turned off at the server level by default for security reasons; we do not want a listing of files to show up in a directory if you do not explicitly want this to happen.

There are times when you want to redirect a web page to the wwwx server from the www server. Ther are also times when you want to redirect your page to a secure https server if it is being accessed by the non secure http server.

For example you may want to run a index.php page out of your home directory. As described in question 8 you can only run PHP on the wwwx server. You want to advertise your home page as http://www.cs.unc.edu/~userid and you need to redirect to http://wwwx.cs.unc.edu/~userid which will allow you to run PHP. Add the following to the .htaccess file in your public_html directory:

<IFDefine !WWWX>
   RedirectMatch (.*)$ http://wwwx.cs.unc.edu$1
</IFDefine>

Computer Services runs 4 web servers:

http://www.cs.unc.edu/
https://www.cs.unc.edu/
http://wwwx.cs.unc.edu/
https://wwwx.cs.unc.edu/

Each web server has several "Define" variable associated with it that you can use to test that you are on that server. If you are not on that server then you redirect the URL to that server using a Define statement in a .htaccess file. The !VAR name means if the variable is NOT defined then redirect to the server where it is defined:

WWW defined on http://www.cs.unc.edu/
WWWS defined on https://www.cs.unc.edu/
WWWX defined on http://wwwx.cs.unc.edu/
WWWXS defined on https://wwwx.cs.unc.edu/

Redirect to https://www.cs.unc.edu:

<IFDefine !WWWS>
   RedirectMatch (.*)$ https://www.cs.unc.edu$1
</IFDefine>

Redirect to https://wwwx.cs.unc.edu:

<IFDefine !WWWXS>
   RedirectMatch (.*)$ https://wwwx.cs.unc.edu$1
</IFDefine>

The available defined variables on our web servers:

http://www.cs.unc.edu  => INSECURE NOPHP WWW
https://www.cs.unc.edu => SECURE NOPHP WWWS

http://wwwx.cs.unc.edu  => INSECURE PHP WWWX
https://wwwx.cs.unc.edu => SECURE PHP WWWXS

The Apache web server software provides several methods for limiting access to your web pages: You can limit access by Internet domain names or internet addresses, or you can create own password file with usernames:passwords to limit access to your web pages.  You can also combine these methods.

Examples are given below for limiting by domain name, limiting with a usernames:passwords file, and using a combination of these two methods. Unfortunately, you cannot combine using your own local password file and the departments Kerberos server; they are mutualy exclusive.

NOTE: If you use the usernames:password access method, you should use our secure SSL https://www.cs.unc.edu/ server when specifying links to protected pages, as shown in the example. This way users' passwords will be encrypted when entering their password information.  The Kerberos method of authentication only works on our secure https SSL web servers!

If the following examples do not satisfy your needs, please see the excerpt on apache authorization taken from the Apache Week web site or the Apache Web server documentation.  Especially see the excerpt if you want to configure your own username:password authorization file.  The "httpasswd" command is located on our public linux machines and is required to create you own user:password file.

With each of the methods, the first step is to create a file in the web directory you want protected and call the file ".htaccess".  The web server will process this file if it exists in any directory that is being accessed.  All directories and files under the protected directory will be protected using the directives you specify in your .htaccess file.

IMPORTANT NOTE: To protect your documents so only the www web server can read your files, you need to configure your AFS file permissions appropriately.  Otherwise someone can read your files in the AFS filesystem or write a CGI or PHP program on the wwwx server to read your files.  You must give the special "web-server" AFS group access to your directory with the following afs command: "fs setacl your_web_dir web-server rl".  This gives the special group "web-server" read/list access to your files.  Make sure you DO NOT give permissions to the special groups "system:anyuser", "system:authuser", "cs-machines" or any other users you do not want to view your files.  Use "fs listacl your_web_dir" to see who has permissions on your directory.  The special "web-server" group allows only the www server, (not the wwwx server), to read your files.  If you wish to give the wwwx server permissions to read or write files use the special afs group "wwwx-server".  You can give the wwwx-server afs write permissions to a directory so cgi programs that are executed can write to a particular directory. There is also a special afs group called wwwp-server for the server used for web programming courses. Note this can be a security issue since others can write cgi scripts to write or delete in your directory.  See howto afs-security for more info on afs permissions.  Also, if someone in the department is running a web server and pointing to our web document root in AFS, your pages may be accessed via their web server.  In that case, web crawlers, like Google, will catalog them from someone else's web server, which could be problematic.  Please email help@cs.unc.edu for assistance with AFS permsissions.

Limit By Domain Only

Use this method to limit pages in a directory and its sub-directories to users coming from a particular domain.  This is used for simple security especially if you do not want external search engines to catalog your web pages.  The following limits access to web clients in our  ".cs.unc.edu" domain (Note, however, that users in our department will not be able to access such pages when using the department's wireless network or when coming in from an ISP account.):

order deny,allow
deny from all
allow from .cs.unc.edu

Change "cs.unc.edu" to "unc.edu" to allow anyone on campus to access the pages"

Limit By User Name Only

The following will limit web pages to all users who have a Computer Science Windows account. MAKE SURE you limit access to the www and optionally the wwwx server as described above Otherwise, if someone is running a web server and pointing to our web document root in AFS, your pages may be accessed via their web server!  In this case, web crawlers, like Google, will catalog them from someone else's web server!

<IFDefine !WWWS>
RedirectMatch (.*)$ https://www.cs.unc.edu$1
</IFDefine>

<IFDefine SECURE>
AuthName 'Computer Science Login:'
AuthType Kerberos
require valid-user
</IFDefine>

The "<IFDefine !WWWS>" directive will cause your page to be sent over to our secure www https/ssl server so that passwords are encrypted.  The "RedirectMatch" directive will replace the current page being accessed with the same page using the secure server if the page was accessed with our non-secure server. See question 10. on how to redirect to one of our servers. The "<IFDefine SECURE>" directive is optional if the first RedriectMatch directive is used and adds additional security.

To limit access to only certain users replace the "require valid-user" line with a line(s) like:

require user joe@CS.UNC.EDU
requre user mary@CS.UNC.EDU

This will limit access to joe and mary.  Joe and mary must be valid Computer Science Windows user id and passwords!  You MUST use capital letters for CS.UNC.EDU!

Limit By Domain Then User Name

The following .htaccess file settings will allow access to anyone coming from a web browser in our ".cs.unc.edu" domain.  If the user is coming from outside this domain then they will be prompted for their CS Windows user/password over our secure server:

<IFDefine !WWWS>
RedirectMatch (.*)$ https://www.cs.unc.edu$1
</IFDefine>

<IFDefine SECURE>
AuthName 'Computer Science Login:'
AuthType Kerberos
Satisfy any
order deny,allow
deny from all
allow from .cs.unc.edu
require valid-user
</IFDefine>

This is the most convenient method to provide access to UNC Computer Science users.  If they are logged in to a machine in our domain, they don't have to enter a password.  If they are logged in to some other computer, they can still access the info, but they first have to enter a password (which is encrypted for security purposes).

To find out more information about Apache directives, (keywords), specified in the .htaccess file see the Apache online reference manual.

Using Windows Kerberos 5 account name and password for authentication

The department is migrating to a single Kerberos 5 user and password system.  Our Windows Active Directory servers implement Kerberos 5 authentication.  This method still passes the user name and password in the clear from the browser to the web server.  You MUST use the secure server https to use Kerberos authentication.  The Kerberos authentication method is only enabled on https://www.cs.unc.edu and https://wwwx.cs.unc.edu.  To upgrade to kerberos authentication from the old style authentication:

Remove the "AuthUserFile /var/www/.htpasswd" directive.
Replace the "AuthType Basic" directive with "AuthType Kerberos".

You can still use the "AuthName 'Computer Science Login:'" directive. The text in single quotes is informational and shows up when a user is prompted for their user name and password. You can set this to anything you wish.

There is a difference when limiting access to a list of users using the apache "require" directive and Kerberos. You can still use "require valid-user" which will allow access to anyone that has a CS Windows user account. To limit access to certain users in kerberos specify the users with our CS.UNC.EDU Kerberos REALM name like this:

require user windows_login1@CS.UNC.EDU [windows_login2@CS.UNC.EDU] ...

You can specify multiple "require user" lines. The REALM name CS.UNC.EDU must be in capital letters!
See the above examples for using our Windows Kerberos server for authentication in your .htaccess file.