You are here: GSI Wiki>Linux Web>ServicePortfolio>WebDocsService>WebDocs (2021-07-30, AndreKerkhoff)Edit Attach

User web pages on web-docs.gsi.de

As the owner of a GSI Linux account you may publish your own web pages on web-docs.gsi.de. These pages will be available as http://web-docs.gsi.de/~userid/.

This location corresponds to the web-docs/ subdirectory in your home directory (/u/userid/web-docs/ or /misc/userid//web-docs/) (which is in fact a symlink to /WWW/userid/ that is in turn auto-mounted from the corresponding NFS server).

So when you put a html file called index.html into this directory, it will be automatically accessible as http://web-docs.gsi.de/~userid/.

Good online references for HTML editing are

Windows users may access the Linux web-docs/ folder via Samba as //samba.gsi.de/web-docs (see SambaConnection).

Usage notes

  • For stability reasons no central FileSystems are accessible from the web server.
  • Quotas: the size limit for each individual web-docs is 3 GiB.

Content requirements

Your web-docs pages should meet the following criteria:
  1. Accessibilty requirementsBITV 2.0 (based on WCAG 2.0).
  2. Avoid including content from outside GSI (Images, Javascript libraries, web fonts etc.) – as IP addresses are generally considered personal date this will most probably violate GDPR regulations unless explicit agreements exist (Auftragsdatenverarbeitungsvertrag).

All pages made available from outside GSI (see below) must also provide:
  1. An imprint (Impressum) – eg. a link to the GSI imprint
  2. A privacy policy (Datenschutzerkläring) – eg. a link to https://www.gsi.de/en/bottommenu/data_privacy_protection.htm GSI's privacy policy.

CGI scripts

You may put shell, perl or python scripts or even binary executables inside your web-docs. These scripts will be executed by the web server as long as they have a .cgi, .pl or .py extension and have proper permissions:
  • file must be executable
  • file must not be writable to anyone but the owner
  • also the containing directory must writable for the owner exclusively.

The scripts will be executed with the privileges of the account they belong to. There's a 5 minute limit on the total CPU usage for each script (as we had some nasty infinite loops in the past).

PHP

You can put PHP files in your web-docs. They will be run with the your own privileges like other CGI scripts.

Controlling access to your web-docs

Initially your web-docs pages are only available on the GSI intranet, but you may open your web-docs to world-wide access.By doing so you acknowledge your responsibility to meet the content requirements listed above.

Controlling access by IP or hostname

You can control the access to your web-docs via .htaccess files - webserver config sniplets that apply to the directory they reside in and its subdirectories.

To grant world-wide access to your web-docs put this into your .htaccess 

Require all granted

To restrict access to your web-docs to example.gsi.de and the subnet 192.168.31.0/24 subnet put this into your .htaccess: 

Require host example.gsi.de
Require ip 192.168.31.

Adding authentication to your web-docs

To protect your web-docs with a login dialogue put this in our .htaccess 
AuthType Basic
AuthName "Descriptive text shown in the authentication dialog"
AuthUserFile .htpasswd
Require valid-user

Then create the password file .htpasswd in the same directory with htpasswd -c .htpasswd username. You'll be prompted for the password.

Authenticate your web-docs via GSI-Web-Login

  • The GSI-Web-Login accounts are available on ldap.hpc.gsi.de
  • ldap.hpc.gsi.de is available on the standard LDAP port 389 and the semi-official LDAPS port 636
  • STARTTLS encryption is required on port 389. Only if this does not work, try LDAPS on port 636
  • The base DN for user information is ou=users,ou=weblogin,ou=identities,dc=gsi,dc=de
  • The base DN for group information is ou=groups,ou=weblogin,ou=identities,dc=gsi,dc=de
  • Access to the group information requires authentication with a special service-account.
    • Requst a service-account by opening up a ticket in linux-service.

This is a basic Apache .htaccess configuration snippet for GSI-Web-Login authentication: 

SSLRequireSSL # never enable GSI Web Login authentication over plain-text HTTP!
AuthType Basic
AuthName "Descriptive text shown in the authentication dialog"
AuthBasicProvider ldap
AuthLDAPURL     "ldap://ldap.hpc.gsi.de/ou=users,ou=weblogin,ou=identities,dc=gsi,dc=de" STARTTLS
Require valid-user

For further information on authentication and access control please have a look at http://httpd.apache.org/docs/current/howto/auth.html

-- ChristopherHuhn, StefanHaller - 2005 - 2021
Edit  | Attach | Print version | History: r24 < r23 < r22 < r21 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r24 - 2021-07-30, AndreKerkhoff - This page was cached on 2021-09-26 - 13:49.

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding GSI Wiki? Send feedback | Imprint (german) | Privacy Policy (german)