The benefit of AFS web space is that access can be made more selective and more robust by using standard ACLs, and additional access constraints can be implemented with further refinements in .htaccess files.
In order to serve web pages, the web server needs to be able to read them. Under NFS or a local file system, web pages are usually group-owned and readable by the apache GID. Under AFS, such files (or, more accurately, directories containing any such files) should have ACL "rl" (read & lookup) permissions for the specific web server, e.g. 'system:groupserver'. Any directories above this in the filesystem tree should have at least "l" (lookup) permission for the same 'system:groupserver' (otherwise the web server cannot navigate down to the desired location).
Here are the AFS groups for each AFS-aware web service.
Service | AFS Group |
---|---|
Main www.inf | system:infmainweb |
homepages.inf | system:homepageswebserver |
groups.inf | system:groupwebserver |
dream.inf | dreamersadmin:webservers |
Using Cosign
To use (or continue to use) Cosign with .htaccess files, check that all directories in the path down to the .htaccess file have ACL "l" (lookup) permission for the 'system:groupwebserver' group (for example), and that the directory containing the .htaccess file has "rl" (read & lookup) permissions for the 'system:groupwebserver' group. Cosign "Require" directives can then be used to define access constraints (see Apache httpd Require directive documentation).
Note that "Require" directives can only be used to further refine access constraints (the .htaccess file cannot be used to override ACL access constraints within user-ACL restricted space).
Caveat
It is worth reiterating that AFS is a global filesystem, and that the files available via the /afs/inf.ed.ac.uk path could be readable by the entire world (as well as the desired web server), depending on the ACL settings of the directories on the path. So be careful when setting the ACLs.
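One way to run the checks described under Using Cosign and in the caveat above, as an added example that is not part of the original page. It walks from a web directory up to a top directory, confirms the web server group has "rl" on the leaf and "l" on every parent, and reports directories that system:anyuser can read. It assumes the standard OpenAFS `fs listacl` output layout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit AFS ACLs along a web path.
# Assumes OpenAFS `fs listacl` output: a "Normal rights:" header followed by
# "  principal rights" lines. Only direct ACL entries are inspected; rights
# gained through other group memberships are not resolved.

# Print the normal (positive) rights that principal $1 holds, reading
# `fs listacl` output on stdin. Entries under "Negative rights:" are skipped.
acl_rights() {
    awk -v who="$1" '
        /^Normal rights:/   { sect = "normal"; next }
        /^Negative rights:/ { sect = "negative"; next }
        sect == "normal" && $1 == who { print $2 }'
}

# check_web_path GROUP LEAF_DIR [TOP]
# LEAF_DIR must grant GROUP "rl"; each parent up to TOP must grant at least "l".
# Also reports any directory where system:anyuser holds "r" (world-readable).
# Exit status: 0 = required rights present, 1 = something missing, 2 = fs failed.
check_web_path() (
    group=$1 dir=$2 top=${3:-/afs/inf.ed.ac.uk} need=rl status=0
    while :; do
        acl=$(fs listacl "$dir") || exit 2
        have=$(printf '%s\n' "$acl" | acl_rights "$group")
        for r in r l; do
            case $need in *"$r"*) ;; *) continue ;; esac
            case $have in
                *"$r"*) ;;
                *) echo "MISSING $r for $group on $dir"; status=1 ;;
            esac
        done
        case $(printf '%s\n' "$acl" | acl_rights system:anyuser) in
            *r*) echo "WORLD-READABLE $dir (system:anyuser has r)" ;;
        esac
        [ "$dir" = "$top" ] && break
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break   # reached the filesystem root
        dir=$parent need=l                # parents only need lookup
    done
    exit "$status"
)
```

Call it as `check_web_path system:groupwebserver DIRECTORY`, substituting the group for your web service from the table above. A WORLD-READABLE line is informational and does not change the exit status, since public content may be intended.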