CSG, Creating personal web pages

Department of Computing	Imperial College London
Creating personal web pages

These notes explain how DoC staff and students can make their web pages visible from the Departmental server. It refers to commands which should be run on departmental Linux systems.

DoC runs the Apache web server, version 2.2.6.

Make your home directory publically accessible:
chmod a+x ~
Note: on directories the permissions set by the chmod command are interpreted as follows:
r = permission to get a directory listing
w = permission to create and delete files in the directory
x = permission to access files in the directory provided the name of the files are known
If it doesn't already exist, create a directory called public_html:
mkdir public_html
Make this executable by all:
chmod a+x public_html
Create a file called index.html within this directory and make this readable by all:
```
cd public_html
chmod a+r index.html
```
This will be your main personal web page.
Then for each file you have created that you want to make available on the WWW:
chmod a+r filename
Your main personal web page, index.html, will then be visible around the world as the following URL:
http://www.doc.ic.ac.uk/~username/
The web server automatically maps URLs of the form http://www.doc.ic.ac.uk/~username/ to the Unix filesystem path /homes/username/public_html/index.html.
Other web pages in your public_html directory area will be visible as URLs of the form:
http://www.doc.ic.ac.uk/~username/somefile.html
Again, the webserver automatically maps each such URL to the filesystem path /homes/username/public_html/somefile.html.

All pages, and pages linked to, must be in the English language, non-political, legal, and must not bring the Department or the College into disrepute. Your home page must contain a link back to the Department's home page. Please make sure your page conforms to the usual computing regulations.

Editing your web pages from Windows systems

We don't advise editing web pages on Windows, as the line endings will become infected by the Windows convention for line endings (CR+LF). In particular, you must not edit CGI scripts on Windows, as the Windows line endings will confuse the web server and cause the dreaded "Internal Server Error".

If you must edit plain HTML web pages on Windows, proceed as follows:

Once you have a public_html folder you can save files to it from Windows systems with the correct permissions in the following way:

Right click on My computer.
Select Map network drive.
In the folder box type:
```
\\fs-homes\public_html
```
Check 'reconnect at logon'.
Click 'ok'.

Note the drive letter that the folder is allocated to and always save web pages to this location.

The reason for this is that the user files saved to your home directory via the H: drive is private. Files saved directly to the public_html share are publically readable.

Restricting pages to DoC only using the secure server

If you have web pages which you think should only be seen by people within the Department of Computing, or even just particular groups of users within DoC, this can be done by using the secure web server.

Restricting access to DoC staff and students only

Create a new directory within your public_html directory, eg. mkdir public_html/secure.

Make this readable and executable by all in the usual way:

chmod a+rx public_html/secure

Create a file in this directory called .htaccess (note that there is a dot at the beginning of the name of this file) readable by all (chmod a+r .htaccess) containing the lines:

SSLrequireSSL
AuthType KerberosV5
AuthName "DoC Only"
require valid-user
satisfy all

This means that to gain access to the pages you put in this directory the user will be prompted for their DoC Linux username and password before they can gain access. On recent DoC Ubuntu Linux systems, if you already have a Kerberos ticket [which you will if you've just logged in fresh] then Firefox will use that instead of prompting you, but secure authentication still occurs.

Access any page within this directory via a full URL, on the wwwhomes web server, of the form:

https://wwwhomes.doc.ic.ac.uk/~username/secure/page

Please get into the habit of using wwwhomes when accessing your personal web pages securely; in fact, this particular case will work via www because the main web server is now able to proxy https requests to wwwhomes. But some cases (eg. the one below!) will not work properly.

Note that the AuthName "DoC Only" is just a label for the password box.

Variation: Restricting pages to within DoC or to DoC users

A convenient variation of the above is to allow users using a computer within the department (DoC IP addresses of the form 146.169.X.Y) straight in without authentication, while anyone using offsite computers will still be prompted for their DoC Linux username and password before they can gain access.

This time, the .htaccess file should contain the lines:

SSLrequireSSL
AuthType KerberosV5
AuthName "DoC Only"
order deny,allow
deny from all
allow from 146.169
require valid-user
satisfy any

As before, access any page within this directory via a full URL, on the wwwhomes web server, of the form:
```
https://wwwhomes.doc.ic.ac.uk/~username/secure/page
```

Notes:

The "allow from 146.169" constraint will only work as you expect it to if you access wwwhomes directly; if you access your page via https://www.doc.ic.ac.uk/~username/secure/page, the main web server will proxy the request onto wwwhomes but then the request will always come from www which is within 146.169.
The "order deny,allow" constraint is now needed to do the right thing, previous versions of Apache did not need this. A previous version of this web page did not use this, so existing users may have versions of the above without the order deny,allow constraint in; these will need editing.

Varation: Restricting access to particular DoC users or groups of users

Pages can also be set to only be accessible to particular users, or to a Unix user group, by putting one or both of the following 'require' lines in .htaccess instead of the above:

	require user user1 user2 user3
	require group groupname1 groupname2

To restrict access to staff only:

	require group doc-staff

Web-specific passwords

Up to now, all the secure authentication has been using DoC usernames and DoC Linux (Kerberos) passwords. Frankly, we recommend this as it makes sense within DoC.

However, you can also protect files with password access with separate, web-specific, passwords that you set yourself. This might be useful to share secure access to a non-DoC person - because of course you should never tell anyone a real DoC password (but you knew that, didn't you?).

To do this, the .htaccess file should contain something like:

	AuthType basic 
	AuthName "Password Protected Area"
	AuthUserFile /homes/your-username/protected/list
	require user username

The AuthUserFile is a list of names and encrypted passwords. It should be stored outside your public_html directory, and be publically readable. To make a password file use the htpasswd program:

	shell1% htpasswd --help
	Usage: htpasswd [-c] passwordfile username

The -c flag creates a new file.

The program will prompt you for the password twice and will add it to the file (or create the file if you use -c).

You can link to the files using both http and https.

There is some more documentation at the Apache web site.