User web pages on web-docs.gsi.de

• WebDocsUpgrade2020: Information about the upgrade of web-docs.gsi.de

As the owner of a GSI Linux account you may publish your own web pages on web-docs.gsi.de. These pages will be available as http://web-docs.gsi.de/~userid/.

This location corresponds to the web-docs/ subdirectory in your home directory (/u/userid/web-docs/ or /misc/userid//web-docs/) (which is in fact a symlink to /WWW/userid/ that is in turn auto-mounted from the corresponding NFS server).

So when you put a html file called index.html into this directory, it will be automatically accessible as http://web-docs.gsi.de/~userid/.

Good online references for HTML editing are

• http://www.selfhtml.org/ (available in German only)
• https://www.w3schools.com/

Windows users may access the Linux web-docs/ folder via Samba as //samba.gsi.de/web-docs (see SambaConnection).

Usage notes

• For stability reasons no central FileSystems are accessible from the web server.
• Quotas: the size limit for each individual web-docs is 3 GiB.

Content requirements

Your web-docs pages should meet the following criteria:

1. Accessibilty requirements – BITV 2.0 (based on WCAG 2.0).
2. Avoid including content from outside GSI (Images, Javascript libraries, web fonts etc.) – as IP addresses are generally considered personal date this will most probably violate GDPR regulations unless explicit agreements exist (Auftragsdatenverarbeitungsvertrag).

All pages made available from outside GSI (see below) must also provide:

1. An imprint (Impressum) – eg. a link to the GSI imprint
2. A privacy policy (Datenschutzerkläring) – eg. a link to https://www.gsi.de/en/bottommenu/data_privacy_protection.htm GSI's privacy policy.

CGI scripts

You may put shell, perl or python scripts or even binary executables inside your web-docs. These scripts will be executed by the web server as long as they have a .cgi, .pl or .py extension and have proper permissions:

• file must be executable
• file must not be writable to anyone but the owner
• also the containing directory must writable for the owner exclusively.

The scripts will be executed with the privileges of the account they belong to. There's a 5 minute limit on the total CPU usage for each script (as we had some nasty infinite loops in the past).

PHP

You can put PHP files in your web-docs. They will be run with the your own privileges like other CGI scripts.

Controlling access to your web-docs

Initially your web-docs pages are only available on the GSI intranet, but you may open your web-docs to world-wide access.By doing so you acknowledge your responsibility to meet the content requirements listed above.

Controlling access by IP or hostname

You can control the access to your web-docs via .htaccess files - webserver config sniplets that apply to the directory they reside in and its subdirectories.

To grant world-wide access to your web-docs put this into your .htaccess

Require all granted

To restrict access to your web-docs to example.gsi.de and the subnet 192.168.31.0/24 subnet put this into your .htaccess:

Require host example.gsi.de
Require ip 192.168.31.

Adding authentication to your web-docs

To protect your web-docs with a login dialogue put this in our .htaccess

AuthType Basic
AuthName "Descriptive text shown in the authentication dialog"
AuthUserFile .htpasswd
Require valid-user

Then create the password file .htpasswd in the same directory with htpasswd -c .htpasswd username. You'll be prompted for the password.

Authenticate your web-docs via GSI-Web-Login

• The GSI-Web-Login accounts are available on ldap.hpc.gsi.de
• ldap.hpc.gsi.de is available on the standard LDAP port 389 and the semi-official LDAPS port 636
• STARTTLS encryption is required on port 389. Only if this does not work, try LDAPS on port 636
• The base DN for user information is ou=users,ou=weblogin,ou=identities,dc=gsi,dc=de
• The base DN for group information is ou=groups,ou=weblogin,ou=identities,dc=gsi,dc=de
• Access to the group information requires authentication with a special service-account.
  • Requst a service-account by opening up a ticket in linux-service.

This is a basic Apache .htaccess configuration snippet for GSI-Web-Login authentication:

SSLRequireSSL # never enable GSI Web Login authentication over plain-text HTTP!
AuthType Basic
AuthName "Descriptive text shown in the authentication dialog"
AuthBasicProvider ldap
AuthLDAPURL     "ldap://ldap.hpc.gsi.de/ou=users,ou=weblogin,ou=identities,dc=gsi,dc=de" STARTTLS
Require valid-user

---

For further information on authentication and access control please have a look at http://httpd.apache.org/docs/current/howto/auth.html

-- ChristopherHuhn, StefanHaller - 2005 - 2021