User web pages on web-docs.gsi.de
As the owner of a GSI Linux account you may publish your own web pages on web-docs.gsi.de.
These pages will be available as http://web-docs.gsi.de/~userid/.
This location corresponds to the web-docs/ subdirectory in your home directory (/u/userid/web-docs/ or /misc/userid//web-docs/), which is in fact a symlink to /WWW/userid/ that is in turn auto-mounted from the corresponding NFS server.
So when you put an HTML file called index.html into this directory, it will be automatically accessible as http://web-docs.gsi.de/~userid/.
Good online references for HTML editing are
Windows users may access the Linux web-docs/ folder via Samba as //samba.gsi.de/web-docs (see SambaConnection).
Usage notes
- For stability reasons no central FileSystems are accessible from the web server.
- Quotas: the size limit for each individual web-docs is 3 GiB.
Content requirements
Your web-docs pages should meet the following criteria:
- Accessibility requirements – BITV 2.0 (based on WCAG 2.0).
- Avoid including content from outside GSI (images, JavaScript libraries, web fonts etc.) – loading it discloses your visitors' IP addresses to the external host, and as IP addresses are generally considered personal data this will most probably violate GDPR regulations unless explicit agreements exist (Auftragsdatenverarbeitungsvertrag).
All pages made available from outside GSI (see below) must also provide:
- An imprint (Impressum) – e.g. a link to the GSI imprint
- A privacy policy (Datenschutzerklärung) – e.g. a link to GSI's privacy policy (https://www.gsi.de/en/bottommenu/data_privacy_protection.htm).
CGI scripts
You may put shell, perl or python scripts or even binary executables inside your web-docs. These scripts will be executed by the web server as long as they have a .cgi, .pl or .py extension and have proper permissions:
- file must be executable
- file must not be writable to anyone but the owner
- the containing directory must also be writable by the owner exclusively.
The scripts will be executed with the privileges of the account they belong to. There's a 5 minute limit on the total CPU usage for each script (as we had some nasty infinite loops in the past).
You can put PHP files in your web-docs. They will be run with your own privileges like other CGI scripts.
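The three permission rules above can be checked before you publish a script. The following is an added example, not part of the original page or of GSI's tooling; the function names are hypothetical, and it assumes that "executable" means the owner's execute bit is set.

```shell
#!/bin/sh
# Audit .cgi/.pl/.py files against the permission rules listed above.
# Added example; function names are hypothetical.

# has_mode PATH TESTS...: true if PATH itself matches the given find(1) tests.
# -prune keeps find from descending when PATH is a directory.
has_mode() {
    p=$1; shift
    [ -n "$(find "$p" -prune "$@" -print 2>/dev/null)" ]
}

# loose_write PATH: true if PATH is writable by group or others.
loose_write() {
    has_mode "$1" \( -perm -020 -o -perm -002 \)
}

# audit_script FILE: print one line per violated rule, nothing if all pass.
audit_script() {
    f=$1
    d=$(dirname -- "$f")
    # Assumption: "executable" means the owner execute bit (mode 0100).
    if ! has_mode "$f" -perm -100; then echo "$f: not executable by owner"; fi
    if loose_write "$f"; then echo "$f: writable by group or others"; fi
    if loose_write "$d"; then echo "$d: directory writable by group or others"; fi
    return 0
}

# audit_tree DIR: audit every .cgi/.pl/.py file below DIR.
audit_tree() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.py' \) -print |
    while IFS= read -r f; do audit_script "$f"; done
}

# Run as: sh audit.sh "$HOME/web-docs/"
# The trailing slash matters because web-docs is a symlink.
if [ "$#" -gt 0 ]; then audit_tree "$1"; fi
```

No output means every script found satisfies all three rules.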
Controlling access to your web-docs
Initially your web-docs pages are only available on the GSI intranet, but you may open your web-docs to world-wide access. By doing so you acknowledge your responsibility to meet the content requirements listed above.
Controlling access by IP or hostname
You can control the access to your web-docs via .htaccess files - webserver config snippets that apply to the directory they reside in and its subdirectories.
To grant world-wide access to your web-docs put this into your .htaccess:
Require all granted
To restrict access to your web-docs to example.gsi.de and the subnet 192.168.31.0/24 put this into your .htaccess:
Require host example.gsi.de
Require ip 192.168.31.
Adding authentication to your web-docs
To protect your web-docs with a login dialogue put this in your .htaccess:
AuthType Basic
AuthName "Descriptive text shown in the authentication dialog"
AuthUserFile .htpasswd
Require valid-user
Then create the password file .htpasswd in the same directory with
htpasswd -c .htpasswd username
You'll be prompted for the password.
Authenticate your web-docs via GSI-Web-Login
- The GSI-Web-Login accounts are available on ldap.hpc.gsi.de
- ldap.hpc.gsi.de is available on the standard LDAP port 389 and the semi-official LDAPS port 636
- STARTTLS encryption is required on port 389. Only if this does not work, try LDAPS on port 636
- The base DN for user information is ou=users,ou=weblogin,ou=identities,dc=gsi,dc=de
- The base DN for group information is ou=groups,ou=weblogin,ou=identities,dc=gsi,dc=de
- Access to the group information requires authentication with a special service-account.
- Request a service-account by opening up a ticket in linux-service.
This is a basic Apache .htaccess configuration snippet for GSI-Web-Login authentication:
# never enable GSI Web Login authentication over plain-text HTTP!
# (Apache does not allow a comment on the same line as a directive)
SSLRequireSSL
AuthType Basic
AuthName "Descriptive text shown in the authentication dialog"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.hpc.gsi.de/ou=users,ou=weblogin,ou=identities,dc=gsi,dc=de" STARTTLS
Require valid-user
For further information on authentication and access control please have a look at http://httpd.apache.org/docs/current/howto/auth.html
-- ChristopherHuhn, StefanHaller - 2005 - 2021