
Serving web pages from AFS filespace

It is possible to have web pages that live in AFS space, but because AFS has stricter access controls, some additional configuration is required.

The benefit of AFS web space is that access can be made more selective and more robust by using standard ACLs, and additional access constraints can be implemented with further refinements in .htaccess files.

In order to serve web pages, the web server needs to be able to read them. Under NFS or a local file system, web pages are usually group-owned and readable by the apache GID. Under AFS, such files (or, more accurately, the directories containing any such files) should have ACL "rl" (read & lookup) permissions for the specific web server, e.g. 'system:groupwebserver'. Any directories above this in the filesystem tree should have at least "l" (lookup) permission for the same 'system:groupwebserver' (otherwise the web server cannot navigate down to the desired location).

Here are the AFS groups for each AFS-aware web service.

Service          AFS Group
Main www.inf     system:infmainweb
homepages.inf    system:homepageswebserver
groups.inf       system:groupwebserver
dream.inf        dreamersadmin:webservers

Using Cosign

To use (or continue to use) Cosign with .htaccess files, check that all directories in the path down to the .htaccess file have ACL "l" (lookup) permission for the 'system:groupwebserver' group (for example), and that the directory containing the .htaccess file has "rl" (read & lookup) permissions for the 'system:groupwebserver' group. Cosign "Require" directives can then be used to define access constraints (see Apache httpd Require directive documentation).

Note that "Require" directives can only be used to further refine access constraints (the .htaccess file cannot be used to override ACL access constraints within user-ACL restricted space).

Caveat

It is worth reiterating that AFS is a global filesystem, and that files available via the /afs/inf.ed.ac.uk path could be readable by the entire world (as well as the desired web server), depending on the ACL settings of the directories on the path. So be careful when setting the ACLs.
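The ACL requirements above ("rl" on the web directory, "l" on every directory above it) and the world-readable caveat can be checked together. The following is an added example, not part of the original page: it walks up from a directory using the OpenAFS `fs listacl` command, and the function names and the `FS_LISTACL` override variable are illustrative assumptions.

```shell
#!/bin/sh
# Audit the AFS ACLs a web server group needs on the path down to a web directory.
# Added example; function names are illustrative. Only "Normal rights" are read,
# so a matching entry under "Negative rights" must still be checked by hand.
FS_LISTACL=${FS_LISTACL:-fs listacl}   # OpenAFS command that prints a directory ACL

# rights_for WHO: read "fs listacl" output on stdin, print WHO's normal rights.
rights_for() {
    awk -v who="$1" '
        /^Normal rights:/   { sect = "n"; next }
        /^Negative rights:/ { sect = "x"; next }
        sect == "n" && $1 == who { print $2; exit }'
}

# has_rights HAVE NEED: succeed if every letter of NEED appears in HAVE.
has_rights() {
    need_left=$2
    while [ -n "$need_left" ]; do
        rest=${need_left#?}
        case $1 in *"${need_left%"$rest"}"*) ;; *) return 1 ;; esac
        need_left=$rest
    done
}

# audit_web_path DIR GROUP [TOP]: DIR needs "rl" for GROUP, every directory
# above it up to TOP needs at least "l". Returns non-zero if anything is missing.
audit_web_path() {
    dir=$1; group=$2; top=${3:-/afs/inf.ed.ac.uk}; need=rl; problems=0
    while :; do
        acl=$($FS_LISTACL "$dir") || { echo "ERROR cannot list ACL of $dir"; return 2; }
        have=$(printf '%s\n' "$acl" | rights_for "$group")
        if ! has_rights "$have" "$need"; then
            echo "MISSING $group needs '$need' on $dir (has '${have:-none}')"
            problems=$((problems + 1))
        fi
        # system:anyuser is every AFS client anywhere, authenticated or not.
        world=$(printf '%s\n' "$acl" | rights_for system:anyuser)
        if has_rights "$world" r; then
            echo "WORLD-READABLE $dir (system:anyuser $world)"
        fi
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir"); need=l
    done
    [ "$problems" -eq 0 ]
}
```

A reported gap can be closed with `fs setacl -dir DIR -acl GROUP RIGHTS`, granting only "l" on parent directories and "rl" on the directory that holds the pages.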
Last reviewed: 10/03/2021
