Difference between revisions of "Web"

From FyshyWyky
(Dynamic Content: Note on CGI filename restrictions for them to be run)
(HTTPS and SSL Certificates)
 
(29 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
bowl.fysh.org runs web servers under the primary hostname of www.fysh.org.  We currently utilise [http://httpd.apache.org/ Apache] 1.3.x (as supplied in Debian 'stable') for this purpose, with one instance running on port 80 for http access and a separate instance on port 443 for https access.
+
[[stickelback.fysh.org]] runs web servers under the primary hostname of [[www.fysh.org]].  We currently utilise [http://httpd.apache.org/ Apache] 2.4.x (as supplied in Debian 'stable') for this purpose, with a single instance running on both port 80 for http access and port 443 for https access.
  
 
We may also run additional instances of apache, or other web server software, on other ports as needed.
 
We may also run additional instances of apache, or other web server software, on other ports as needed.
  
 
= Webmaster =
 
= Webmaster =
All enquiries about www.fysh.org and other web services should be directed to the [mailto:webmaster@fysh.org Fyshy Webmaster].
+
All enquiries about [[stickelback.fysh.org]] and other web services should be directed to the [mailto:webmaster@fysh.org Fyshy Webmaster].
  
 
= User Pages =
 
= User Pages =
Any user with an account on fysh can create a page on the [[http://en.wikipedia.org/wiki/World_wide_web WWW]] simply by placing the requisite files in a directory called public_html in their home directory.  This will yield a URL of http://www.fysh.org/~username/ for example.
+
Any user with an account on [[river.fysh.org]] can create a page on the [http://en.wikipedia.org/wiki/World_wide_web WWW] simply by placing the requisite files in the directory ''/var/www/user/username/public_html/'' (where 'username' is theirs).  This will yield a URL of http://www.fysh.org/~username/ for example.  If you find that this directory does not yet exist, or file permissions deny you access, please contact [mailto:webmaster@fysh.org The Fyshy Webmaster] to correct this.
 +
 
 +
Please note that /var/www/user on [[river.fysh.org]] is NFS mounted on [[www.fysh.org]] '''read-only'''.  Web scripts and CGIs ''cannot'' write to any files.  Thus any web page that needs to store data will have to utilise a [[Databases|Database]].  In some circumstances we will set up a separate area for a user to place web pages that absolutely ''require'' file write access, but we would much rather they use a proper [[Databases|Database]] instead.  '''Furthermore''' files located in /var/www/user on [[river.fysh.org]] will appear under /home on [[www.fysh.org]].  This is to satisfy the requirements of SuExec when CGIs are run from a /~username/ URL.  Be sure to write any scripts/CGIs to take account of this different path!  It is noted that at this time you can in fact use the same /var/www/user/... path on [[stickelback.fysh.org]] as on [[river.fysh.org]], as a side effect of river:/var/www being mounted onto stickelback:/var/www, but this should not be relied upon.
  
 
= User Domains =
 
= User Domains =
Additionally we will host the web pages for any domain that a user owns or controls and can get the DNS changed to point to our IP. Contact the [mailto:webmaster@fysh.org Fyshy Webmaster] to enquire about setting this up.  Note that you should ensure that you have a valid and working webmaster email account under your own domain when this is set up.
+
Additionally we will host the web pages for any domain that a user owns or controls and can get the DNS changed to point to our web server. Please note that our preference is that you use a CNAME record pointing to "www.fysh.org." (the trailing dot is important, don't miss it out!), as this allows us to move your domain webhosting about if we need to.  The one practical exception to this is where you use solely the domain name for your URL, i.e. if your domain was 'example.com' and you wanted to use http://example.com/ instead of, or as well as, http://www.example.com/.  You can't have a CNAME record and any other records for the same name, and a domain itself requires at least an SOA record.  Thus in this configuration you would have to use an A record pointing to the same IP as www.fysh.org.
 +
 
 +
Contact the [mailto:webmaster@fysh.org Fyshy Webmaster] to enquire about setting this up.  Note that you should ensure that you have a valid and working webmaster email account under your own domain when this is set up.
 +
 
 +
The same caveat as for User Pages about '''read-only''' file access will apply.
  
Note that whilst we can offer HTTPS access to your domain it will be with a self-signed certificate for www.fysh.org, and as such any user accessing your domain's web page via HTTPS will get a warning about the hostname mismatch. This is because an SSL certificate for HTTPS is tied to the hostname that the IP the server runs on resolves to.  We only have the one IP to use for web services and thus only one possible HTTPS certificate.
+
If you wish URLs of the form http://www.example.com/~username/ (but for your domain) to be served from /var/www/user/username/public_html/ (as is set up for www.fysh.org URLs) please let us know and we'll adjust the configuration for your domain.  By default we assume you don't want just any Fysh.Org user to be able to utilise such a URL.  We can configure things such that only certain users have URLs of this form working for your domain, so let us know which users to allow.  As always it's the [mailto:webmaster@fysh.org Fyshy Webmaster] you need to contact for this.
  
If you have a desperate need to run a domain with HTTPS on the www.fysh.org server under your own domain and need to have your own distinct certificate then we may be able to arrange for additional IP(s) as needed, but we will have to pass on the charges of our hosting provider for this to you.
+
=== HTTPS and SSL Certificates ===
 +
 
 +
Since February 2018 we have offered use of [https://letsencrypt.org/ LetsEncrypt] SSL Certificates on the fysh.org web service. Contact the [mailto:webmaster@fysh.org Fyshy Webmaster] if you wish us to set this up for any of your domains we host.  You won't need to do anything else as the method we use to obtain LetsEncrypt certificates relies solely on control of the website as proof of legitimacy for the domain, which of course we have.
 +
 
 +
Do note that a single IP will still be used, so this relies on clients making use of [http://en.wikipedia.org/wiki/Server_Name_Indication Server Name Indication] to indicate which domain they want to access (so that the correct certificate is used), which has some limitations (mostly to do with rather old browsers and operating systems), but this is becoming less and less of an issue.
  
 
= Dynamic Content =
 
= Dynamic Content =
Going beyond simple static content we support use of [[http://en.wikipedia.org/wiki/Common_gateway_interface CGI]]s, written using any of the installed development languages, and PHP scripts directly via an Apache module. ''NB: in the case of CGIs the filename will have to end with either .cgi or .pl, unless the script is inside a virtual host's /cgi-bin/ directory.  Files whose name have no extension or other than .cgi or .pl will have their contents displayed instead of being run.''
+
Going beyond simple static content we support use of [http://en.wikipedia.org/wiki/Common_gateway_interface CGI]s, written using any of the installed development languages, and PHP scripts directly via an Apache module.
  
 
== PHP Configuration ==
 
== PHP Configuration ==
We currently only provide and support version 4.3.10 of PHP, as supplied by Debian 'stable'.
+
Our default PHP configuration is somewhat paranoid and as a result you may find you need to adjust some PHP settings, either by getting [mailto:webmaster@fysh.org us] to change the central config files, or by you making use of a .htaccess or .user.ini file as appropriate.
 +
 
 +
=== Current Version ===
 +
We currently primarily support version 7.0.x of PHP as supplied by Debian 'stable'.  Files with extensions of .php3, .php4, .php7, .php, .pht or .phtml are all handled by this version for web use, and bare 'php' on the command-line will use 7.0.x.
 +
 
 +
=== Legacy Version ===
 +
After the upgrade to Debian Stretch we currently still have version 5.6.x available, but these packages are from the older Debian Jessie and will be entirely removed no later than 11th May 2018.  Please ensure any of your code is updated to use PHP 7.0 by this date.  Currently to use 5.6.x you'll need to either rename files to have a .php5 extension (for web use), or call them with the php5 program if on the command-line.
 +
 
 +
=== Obsolete (and Removed) Versions ===
 +
PHP4 hasn't been supported for a long time as the PHP developers themselves dropped all support for it as of the end of 2007[http://www.php.net/downloads.php#v4].
 +
 
 +
== CGIs ==
 +
In the case of CGIs there are two ways to ensure the file will run.  Either the filename will have to end with .cgi or .pl, or the file must be inside the correct directory.  For any domain we host this is its /cgi-bin/ directory.  For user pages this will be river:/var/www/user/username/public_html/cgi-bin/ for the URL http://www.fysh.org/~username/cgi-bin/filename.  Files outside that directory whose name have no extension or other than .cgi or .pl will have their contents displayed instead of being run.
 +
 
 +
'''NB: river:/var/www/user is mounted on [[stickelback.fysh.org]] as /home'''.  This means that whilst you will want to create a /~username/cgi-bin/file.cgi as river:/var/www/user/username/public_html/cgi-bin/file.cgi it will appear on [[stickelback.fysh.org]] as /home/username/public_html/cgi-bin/file.cgi and any reference within it to itself or associated files should use that /home/username/... path, ''not'' the /var/www/user/... one!
 +
 
 +
Things wouldn't be so complicated if Apache's SuExec didn't treat /~username/ URLs as a special case (as we had everything under /var/www and had hoped that would be enough, but instead SuExec insists on checking the CGI is under the user's home directory AND has 'public_html' in its path).  We could compile a local copy of SuExec, but we have done so in the past for other reasons and it leads to maintainability problems when the Debian Apache2 package is updated.
 +
 
 +
We will not simply mount river:/home as www:/home, even read-only, as this potentially allows web access to all of everyone's world-readable files, and if [[stickelback.fysh.org]], but not [[river.fysh.org]], is ever compromised the hacker would have full access (even if read-only).
 +
 
 +
= Sending EMail from WWW Scripts =
 +
You may send email from scripts on the WWW host, but there are some caveats.
 +
 
 +
The 'envelope from' address will always be www-data@stickelback.fysh.org, even if you set a 'From: ' header in the email itself.  In April 2016 configuration was adjusted so this should no longer cause issues with remote MTAs trying to perform anti-spam checks.
  
Our default PHP configuration is somewhat paranoid and as a result you may find you need to adjust some php settings, either by getting [mailto:webmaster@fysh.org us] to change the central config files, or by you making use of a .htaccess file as appropriate.  The setting that most often needs adjustment is open_basedir, although we also default register_globals to 'Off'.
+
If any email sent in this way bounces or otherwise fails the notification will come to the [mailto:webmaster@fysh.org Fyshy Webmaster], not to any email address you set in the 'From: ' header.
  
 +
= References =
 +
<references/>
 
[[Category:Services]]
 
[[Category:Services]]
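Review bot: the new '== CGIs ==' paragraph says files outside cgi-bin without a .cgi or .pl extension "will have their contents displayed", but it never states that this is source disclosure; a one-line warning that any script or include with another extension is served as plain text, credentials and all, belongs right there. Also, the '= Sending EMail from WWW Scripts =' paragraph records that the configuration was "adjusted" in April 2016 without saying what changed, so a user whose mail is still being rejected has nothing to check against; name the setting or mechanism that was changed.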

Latest revision as of 11:56, 11 February 2018

Introduction

stickelback.fysh.org runs web servers under the primary hostname of www.fysh.org. We currently utilise Apache 2.4.x (as supplied in Debian 'stable') for this purpose, with a single instance running on both port 80 for http access and port 443 for https access.

We may also run additional instances of apache, or other web server software, on other ports as needed.

Webmaster

All enquiries about stickelback.fysh.org and other web services should be directed to the Fyshy Webmaster.

User Pages

Any user with an account on river.fysh.org can create a page on the WWW simply by placing the requisite files in the directory /var/www/user/username/public_html/ (where 'username' is theirs). This will yield a URL of http://www.fysh.org/~username/ for example. If you find that this directory does not yet exist, or file permissions deny you access, please contact The Fyshy Webmaster to correct this.

Please note that /var/www/user on river.fysh.org is NFS mounted on www.fysh.org read-only. Web scripts and CGIs cannot write to any files there. Any web page that needs to store data will therefore have to use a Database. In some circumstances we will set up a separate area for a user to place web pages that absolutely require file write access, but we would much rather they use a proper Database instead.

Furthermore, files located in /var/www/user on river.fysh.org appear under /home on www.fysh.org: /var/www/user/username/public_html/ on river is /home/username/public_html/ on the web server. This is to satisfy the requirements of SuExec when CGIs are run from a /~username/ URL, so be sure to write any scripts or CGIs to take account of this different path. At present the same /var/www/user/... path also happens to work on stickelback.fysh.org, as a side effect of river:/var/www being mounted onto stickelback:/var/www, but this should not be relied upon.

User Domains

Additionally we will host the web pages for any domain that a user owns or controls and can get the DNS changed to point to our web server. Our preference is that you use a CNAME record pointing to "www.fysh.org." (the trailing dot is important, don't miss it out: without it a zone file treats the name as relative to your own domain), as this allows us to move your domain's web hosting about if we need to. The one practical exception is where you use the bare domain name in your URL, i.e. if your domain was 'example.com' and you wanted http://example.com/ to work instead of, or as well as, http://www.example.com/. A CNAME record cannot coexist with any other records for the same name, and the domain itself (the zone apex) must carry at least SOA and NS records, so in this configuration you would have to use an A record pointing to the same IP as www.fysh.org. Bear in mind that if that IP ever changes you will need to update such an A record yourself.
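The rules above (no CNAME alongside other records, SOA and NS at the apex, the trailing dot) can be checked mechanically before a zone change is submitted. The following is an added example and not code from this wiki or the fysh.org hosts; it uses a simplified (owner, type, rdata) record format, and the domain example.com and the address 192.0.2.10 (a TEST-NET-1 placeholder, not the real server address) are assumptions made for the demonstration.

```python
# Added example, not code from the fysh.org wiki: a checker for the DNS rules
# the hosting notes describe. Zone syntax is simplified to (owner, type, rdata)
# tuples; as in a BIND zone file, names without a trailing dot are relative to
# ORIGIN. The domain example.com and the address 192.0.2.10 (a TEST-NET-1
# placeholder, not the real server address) are assumptions for the demo.
ORIGIN = "example.com."         # the customer's domain (hypothetical)
WEB_HOST = "www.fysh.org."      # the CNAME target the notes ask for
WEB_HOST_IP = "192.0.2.10"      # placeholder for the address www.fysh.org resolves to


def absolute(name: str, origin: str = ORIGIN) -> str:
    """Expand a zone-file name: '@' is the apex, a trailing dot makes it
    absolute, anything else is appended to the origin (the missing-dot trap)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def check_records(records, origin: str = ORIGIN):
    """Return the problems with a proposed record set (empty list = fine).

    Rules: a CNAME may not share its owner name with any other record
    (RFC 1034 s3.6.2); the apex must carry SOA and NS, so it can never be a
    CNAME and needs an A record with the web server's address instead; any
    CNAME must point at the absolute web host name."""
    problems = []
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(absolute(owner, origin), []).append((rtype, rdata))

    for owner, rrs in by_owner.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(rrs) > 1:
            others = ", ".join(sorted(set(types) - {"CNAME"}))
            problems.append(f"{owner}: CNAME cannot coexist with {others}")
        for rtype, rdata in rrs:
            if rtype == "CNAME" and absolute(rdata, origin) != WEB_HOST:
                problems.append(f"{owner}: CNAME points at {absolute(rdata, origin)}, "
                                f"expected {WEB_HOST}")
            if rtype == "A" and owner == origin and rdata != WEB_HOST_IP:
                problems.append(f"{owner}: apex A record {rdata} is not the web server")

    apex_types = {t for t, _ in by_owner.get(origin, [])}
    for required in ("SOA", "NS"):
        if required not in apex_types:
            problems.append(f"{origin}: apex is missing its {required} record")
    return problems


SOA = "ns1.example.com. hostmaster.example.com. 2018021101 3600 900 1209600 300"

# Both forms the notes allow: CNAME for www, A record at the bare apex.
GOOD_ZONE = [
    ("@",   "SOA",   SOA),
    ("@",   "NS",    "ns1.example.com."),
    ("@",   "A",     WEB_HOST_IP),      # needed for http://example.com/
    ("www", "CNAME", WEB_HOST),         # http://www.example.com/ follows the host
]

# Two classic mistakes: CNAME at the apex, and a target without its trailing dot.
BAD_ZONE = [
    ("@",   "SOA",   SOA),
    ("@",   "NS",    "ns1.example.com."),
    ("@",   "CNAME", WEB_HOST),         # clashes with SOA and NS
    ("www", "CNAME", "www.fysh.org"),   # becomes www.fysh.org.example.com.
]

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_records(zone) or "OK")
```

Running it reports two problems for BAD_ZONE: the apex CNAME clashing with SOA and NS, and the www CNAME resolving to www.fysh.org.example.com. because the dot was left off.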

Contact the Fyshy Webmaster to enquire about setting this up. Note that you should ensure that you have a valid and working webmaster email account under your own domain when this is set up.

The same caveat as for User Pages about read-only file access will apply.

If you wish URLs of the form http://www.example.com/~username/ (but for your domain) to be served from /var/www/user/username/public_html/ (as is set up for www.fysh.org URLs) please let us know and we'll adjust the configuration for your domain. By default we assume you don't want just any Fysh.Org user to be able to utilise such a URL. We can configure things such that only certain users have URLs of this form working for your domain, so let us know which users to allow. As always it's the Fyshy Webmaster you need to contact for this.

HTTPS and SSL Certificates

Since February 2018 we have offered use of LetsEncrypt SSL Certificates on the fysh.org web service. Contact the Fyshy Webmaster if you wish us to set this up for any of your domains we host. You won't need to do anything else as the method we use to obtain LetsEncrypt certificates relies solely on control of the website as proof of legitimacy for the domain, which of course we have.

Do note that a single IP will still be used, so this relies on clients using Server Name Indication (SNI) to say which hostname they want, so that the correct certificate can be presented. Some rather old browsers and operating systems lack SNI support and will be shown the default certificate instead (and thus a hostname mismatch warning), but this is becoming less and less of an issue.

Dynamic Content

Going beyond simple static content we support use of CGIs, written using any of the installed development languages, and PHP scripts directly via an Apache module.

PHP Configuration

Our default PHP configuration is somewhat paranoid and as a result you may find you need to adjust some PHP settings, either by getting us to change the central config files, or by you making use of a .htaccess or .user.ini file as appropriate.

Current Version

We currently primarily support version 7.0.x of PHP as supplied by Debian 'stable'. Files with extensions of .php3, .php4, .php7, .php, .pht or .phtml are all handled by this version for web use, and bare 'php' on the command-line will use 7.0.x.

Legacy Version

After the upgrade to Debian Stretch we currently still have version 5.6.x available, but these packages are from the older Debian Jessie and will be entirely removed no later than 11th May 2018. Please ensure any of your code is updated to use PHP 7.0 by this date. Currently to use 5.6.x you'll need to either rename files to have a .php5 extension (for web use), or call them with the php5 program if on the command-line.

Obsolete (and Removed) Versions

PHP4 hasn't been supported for a long time as the PHP developers themselves dropped all support for it as of the end of 2007 [1].

CGIs

In the case of CGIs there are two ways to ensure the file will run. Either the filename has to end with .cgi or .pl, or the file must be inside the correct directory. For any domain we host this is its /cgi-bin/ directory. For user pages this is river:/var/www/user/username/public_html/cgi-bin/ for the URL http://www.fysh.org/~username/cgi-bin/filename. Files outside that directory whose names have no extension, or an extension other than .cgi or .pl, will have their contents displayed instead of being run, so their source (and anything embedded in it, such as database credentials) becomes visible to anyone who requests them.

NB: river:/var/www/user is mounted on stickelback.fysh.org as /home. This means that whilst you will want to create a /~username/cgi-bin/file.cgi as river:/var/www/user/username/public_html/cgi-bin/file.cgi it will appear on stickelback.fysh.org as /home/username/public_html/cgi-bin/file.cgi and any reference within it to itself or associated files should use that /home/username/... path, not the /var/www/user/... one!

Things wouldn't be so complicated if Apache's SuExec didn't treat /~username/ URLs as a special case (as we had everything under /var/www and had hoped that would be enough, but instead SuExec insists on checking the CGI is under the user's home directory AND has 'public_html' in its path). We could compile a local copy of SuExec, but we have done so in the past for other reasons and it leads to maintainability problems when the Debian Apache2 package is updated.

We will not simply mount river:/home as www:/home, even read-only, as this would potentially allow web access to everyone's world-readable files, and if stickelback.fysh.org, but not river.fysh.org, were ever compromised the attacker would gain read access to all of them.
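The two things a user most often gets wrong here are a script that is served as text because its name does not match the CGI rules, and a hard-coded /var/www/user/... path that does not exist on the web server. The following is an added example, not code from this wiki or the fysh.org hosts: it audits a public_html tree using the extension rules described on this page and translates river paths to the /home paths SuExec expects. The script-suffix list, the sample tree and the user name 'alice' are assumptions for the demonstration.

```python
# Added example, not code from the fysh.org wiki: audit a public_html tree for
# files that www.fysh.org would serve as plain text instead of executing, and
# translate river.fysh.org paths into the paths a CGI sees on stickelback.
# Extension lists come from the hosting notes; SCRIPT_HINT_EXTS, the sample
# tree and the user name 'alice' are assumptions made for the demonstration.
import os
import shutil
import tempfile
from pathlib import PurePosixPath

CGI_EXTS = {".cgi", ".pl"}                                       # run anywhere in the tree
PHP_EXTS = {".php3", ".php4", ".php7", ".php", ".pht", ".phtml"}  # PHP 7.0 handler
LEGACY_PHP_EXTS = {".php5"}                                      # PHP 5.6, going away
SCRIPT_HINT_EXTS = {".py", ".sh", ".rb"}                         # assumed script suffixes


def river_to_www(path: str) -> str:
    """river:/var/www/user/<user>/... is mounted on stickelback as /home/<user>/..."""
    parts = PurePosixPath(path).parts
    if parts[:4] != ("/", "var", "www", "user") or len(parts) < 5:
        raise ValueError(f"not under /var/www/user: {path}")
    return str(PurePosixPath("/home", *parts[4:]))


def suexec_ok(www_path: str, user: str) -> bool:
    """The two SuExec checks the notes mention for /~user/ CGIs: the script must
    be under that user's home directory and have 'public_html' in its path.
    (Real SuExec also checks ownership and permissions; not modelled here.)"""
    try:
        rel = PurePosixPath(www_path).relative_to(PurePosixPath("/home", user))
    except ValueError:
        return False
    return "public_html" in rel.parts


def how_served(rel_path: str) -> str:
    """How Apache treats a file at this path relative to public_html:
    'cgi', 'php', 'php-legacy', or 'static' (contents sent to the client as-is)."""
    p = PurePosixPath(rel_path)
    ext = p.suffix.lower()
    if ext in CGI_EXTS or (len(p.parts) > 1 and p.parts[0] == "cgi-bin"):
        return "cgi"
    if ext in PHP_EXTS:
        return "php"
    if ext in LEGACY_PHP_EXTS:
        return "php-legacy"
    return "static"


def looks_like_script(full_path: str) -> bool:
    """A shebang or a script suffix means source code: served 'static', the
    source and anything embedded in it (passwords, keys) is exposed."""
    if PurePosixPath(full_path).suffix.lower() in SCRIPT_HINT_EXTS:
        return True
    with open(full_path, "rb") as fh:
        return fh.read(2) == b"#!"


def audit(public_html: str):
    """Return ({relative path: treatment} for files that execute,
    sorted list of script files that would be served as source)."""
    plan, exposed = {}, []
    for dirpath, _, files in os.walk(public_html):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, public_html)
            treatment = how_served(rel)
            if treatment != "static":
                plan[rel] = treatment
            elif looks_like_script(full):
                exposed.append(rel)
    return plan, sorted(exposed)


# Constructed sample public_html (not real content from the host).
SAMPLE_FILES = {
    "index.html": "<p>hello</p>\n",
    "hello.cgi": "#!/usr/bin/perl\nprint qq(Content-Type: text/plain\\n\\nhi\\n);\n",
    "cgi-bin/counter": "#!/usr/bin/python3\nprint('Content-Type: text/plain\\n')\n",
    "page.php": "<?php echo 'hi'; ?>\n",
    "old.php5": "<?php echo 'legacy'; ?>\n",
    "helper.py": "#!/usr/bin/python3\nDB_PASSWORD = 'hunter2'\n",  # served as text!
    "run": "#!/bin/sh\necho hi\n",                               # no extension, outside cgi-bin
}


def run_demo():
    """Build the sample tree in a temp dir, audit it, clean up."""
    root = tempfile.mkdtemp(prefix="public_html_")
    try:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    plan, exposed = run_demo()
    for rel, treatment in sorted(plan.items()):
        print(f"{treatment:10s} {rel}")
    for rel in exposed:
        print(f"EXPOSED    {rel}  (source will be served as text)")
    print(river_to_www("/var/www/user/alice/public_html/cgi-bin/hello.cgi"))
```

In the sample tree helper.py and the extensionless run script are flagged: neither matches the .cgi/.pl rule nor lives under cgi-bin, so a request for either returns the file, password included.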

Sending EMail from WWW Scripts

You may send email from scripts on the WWW host, but there are some caveats.

The 'envelope from' address will always be www-data@stickelback.fysh.org, even if you set a 'From:' header in the email itself. In April 2016 the configuration was adjusted so that this should no longer cause problems with remote MTAs performing anti-spam checks on the envelope sender.

If any email sent in this way bounces or otherwise fails, the notification will come to the Fyshy Webmaster, not to any email address you set in the 'From:' header.
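Given that the envelope sender is fixed and bounces go to the webmaster, a script should set the headers it does control and never build them from raw form input. The following is an added example, not code from this wiki or the fysh.org hosts: it assembles a message with an explicit Reply-To and Message-ID, rejects header values containing line breaks, and hands the result to sendmail without trying to override the envelope sender. The sendmail path and the example addresses are assumptions for the demonstration.

```python
# Added example, not code from the fysh.org wiki: building a message to send
# from a web script on www.fysh.org. The envelope sender is fixed by the host
# at www-data@stickelback.fysh.org and bounces go to the webmaster, so the
# script sets the headers that are under its control (From, Reply-To,
# Message-ID) and refuses header values containing line breaks. SENDMAIL and
# the example addresses are assumptions for the demonstration.
import re
import subprocess
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

ENVELOPE_FROM = "www-data@stickelback.fysh.org"  # what remote MTAs see as MAIL FROM
SENDMAIL = "/usr/sbin/sendmail"                   # assumed path of the local MTA's sendmail

_LINE_BREAK = re.compile(r"[\r\n]")


def is_safe_header(value: str) -> bool:
    """A header value taken from a web form must not contain CR or LF: a line
    break would let the client append headers of its own (an extra Bcc:, say)."""
    return not _LINE_BREAK.search(value)


def clean_header(value: str, field: str) -> str:
    if not is_safe_header(value):
        raise ValueError(f"{field} header contains a line break")
    return value.strip()


def build_message(from_addr, to_addr, subject, body, reply_to=None) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = clean_header(from_addr, "From")
    msg["To"] = clean_header(to_addr, "To")
    msg["Subject"] = clean_header(subject, "Subject")
    # From: is informational only on this host; the envelope sender stays
    # ENVELOPE_FROM and delivery failures are reported to the webmaster, so set
    # Reply-To explicitly to get human replies back to you.
    msg["Reply-To"] = clean_header(reply_to or from_addr, "Reply-To")
    msg["Date"] = formatdate(localtime=True)
    # A Message-ID under your own name lets the webmaster match a bounce to you.
    msg["Message-ID"] = make_msgid(domain="www.fysh.org")
    msg.set_content(body)
    return msg


def send(msg: EmailMessage) -> None:
    """Hand the message to the local sendmail, reading recipients from the
    headers (-t). No -f is passed: the host forces the envelope sender anyway."""
    subprocess.run([SENDMAIL, "-t", "-oi"], input=msg.as_bytes(), check=True)


if __name__ == "__main__":
    m = build_message("alice@example.org", "bob@example.net", "Hello", "Sent from a CGI.\n")
    print(m.as_string())
```

Keep the Message-ID (or log it) when you send: since the bounce lands with the webmaster rather than in your mailbox, it is the only thing that ties a failure report back to a particular message from your script.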

References

1. http://www.php.net/downloads.php#v4