Web

From FyshyWyky
Revision as of 23:34, 18 December 2007 by Athan (talk | contribs) (CGIs: Path changes due to SuExec being a pain in the ass)

Introduction

www.fysh.org runs web servers under the primary hostname of www.fysh.org. We currently utilise Apache 2.2.x (as supplied in Debian 'stable') for this purpose, with a single instance running on both port 80 for http access and port 443 for https access.

We may also run additional instances of apache, or other web server software, on other ports as needed.

Webmaster

All enquiries about www.fysh.org and other web services should be directed to the Fyshy Webmaster.

User Pages

Any user with an account on bowl.fysh.org can create a page on the WWW simply by placing the requisite files in the directory /var/www/user/username/public_html/ (where 'username' is theirs). This will yield a URL of http://www.fysh.org/~username/ for example. If you find that this directory does not yet exist, or file permissions deny you access, please contact The Fyshy Webmaster to correct this.

Please note that /var/www/user on bowl.fysh.org is NFS mounted on www.fysh.org read-only. Web scripts and CGIs cannot write to any files. Thus any web page that needs to store data will have to utilise a Database. In some circumstances we will set up a separate area for a user to place web pages that absolutely require file write access, but we would much rather they use a proper Database instead. Furthermore files located in /var/www/user on bowl.fysh.org will appear under /home on www.fysh.org. This is to satisfy the requirements of SuExec when CGIs are run from a /~username/ URL. Be sure to write any scripts/CGIs to take account of this different path!

User Domains

Additionally we will host the web pages for any domain that a user owns or controls and can get the DNS changed to point to our IP. Contact the Fyshy Webmaster to enquire about setting this up. Note that you should ensure that you have a valid and working webmaster email account under your own domain when this is set up.

The same caveat as for User Pages about read-only file access will apply.

If you wish URLs of the form http://www.example.com/~username/ (but for your domain) to be served from /var/www/user/username (as is set up for www.fysh.org URLs) please let us know and we'll adjust the configuration for your domain. By default we assume you don't want just any Fysh.Org user to be able to utilise such a URL. We can configure things such that only certain users have URLs of this form working for your domain, so let us know which users to allow. As always it's the Fyshy Webmaster you need to contact for this.

Note that whilst we can offer HTTPS access to your domain it will be with a self-signed certificate for www.fysh.org, and as such any user accessing your domain's web page via HTTPS will get a warning about the hostname mismatch. This is because an SSL certificate for HTTPS is tied to the hostname that the IP the server runs on resolves to. We only have the one IP to use for web services and thus only one possible HTTPS certificate.

If you have a desperate need to run a domain with HTTPS on the www.fysh.org server under your own domain and need to have your own distinct certificate then we may be able to arrange for additional IP(s) as needed. Note however that we will have to pass on to you the charges of our hosting provider for this, which may entail you needing to pay such to us for an entire year up front.

Dynamic Content

Going beyond simple static content we support use of CGIs, written using any of the installed development languages, and PHP scripts directly via an Apache module.

PHP Configuration

We currently only provide and support version 5.2.0 of PHP, as supplied by Debian 'stable'. PHP4, version 4.4.4, is still available, but only via the CGI method and only if you suffix files with .php4.

NB: Support for PHP4 on both bowl.fysh.org and www.fysh.org will cease no later than 22nd December 2007. This is due to the PHP developers themselves dropping all support for it as of the end of 2007 [1].

Our default PHP configuration is somewhat paranoid, and as a result you may find you need to adjust some PHP settings, either by asking us to change the central config files or by using a .htaccess file as appropriate. The setting that most often needs adjustment is open_basedir, although we also default register_globals to 'Off'.

CGIs

In the case of CGIs there are two ways to ensure the file will run. Either the filename must end with .cgi or .pl, or the file must be inside the correct directory. For any domain we host this is its /cgi-bin/ directory. For user pages this will be bowl:/var/www/user/username/public_html/cgi-bin/ for the URL http://www.fysh.org/~username/cgi-bin/filename. Files outside that directory whose names have no extension, or an extension other than .cgi or .pl, will have their contents displayed instead of being run.

NB: bowl:/var/www/user is mounted on www.fysh.org as /home. This means that whilst you will want to create a /~username/cgi-bin/file.cgi as bowl:/var/www/user/username/public_html/cgi-bin/file.cgi it will appear on www.fysh.org as /home/username/public_html/cgi-bin/file.cgi and any reference within it to itself or associated files should use that /home/username/... path, not the /var/www/user/... one!

Things wouldn't be so complicated if Apache's SuExec didn't treat /~username/ URLs as a special case. We had everything under /var/www and had hoped that would be enough, but SuExec insists on checking that the CGI is under the user's home directory AND has 'public_html' in its path.

We will not simply mount bowl:/home as www:/home, even read-only, as this potentially allows web access to all of everyone's world-readable files, and if www.fysh.org, but not bowl.fysh.org, is ever compromised the hacker would have full access (even if read-only).
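A pre-flight check for the path and SuExec points above, added here as an example (it is not FyshyWyky's or Apache's own code): it translates a bowl path into the path seen on www.fysh.org and lists the conditions from Apache's documented suEXEC security model that a /~username/ CGI would fail. The function names and messages are ours, and it assumes uids and gids are the same on both hosts.

```python
import os
import stat

BOWL_ROOT = "/var/www/user"  # tree as users see it on bowl (from the page)
WWW_ROOT = "/home"           # same tree as mounted on www (from the page)


def www_path(bowl_path, root=BOWL_ROOT):
    """Translate a path on bowl into the path a CGI sees on www."""
    rel = os.path.relpath(bowl_path, root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError(f"{bowl_path} is not under {root}")
    return os.path.join(WWW_ROOT, rel)


def check_cgi(bowl_path, username, uid, gid, root=BOWL_ROOT):
    """List the reasons suEXEC would refuse this ~username CGI (empty = OK)."""
    # Checks follow Apache's documented suEXEC model (assumed unmodified here).
    problems = []
    parts = os.path.relpath(bowl_path, root).split(os.sep)
    if parts[:2] != [username, "public_html"]:
        problems.append("not under username/public_html")
    try:
        prog = os.lstat(bowl_path)
        folder = os.stat(os.path.dirname(bowl_path))
    except OSError as exc:
        return problems + [f"cannot stat: {exc.strerror}"]
    loose = stat.S_IWGRP | stat.S_IWOTH
    if not stat.S_ISREG(prog.st_mode):
        problems.append("not a regular file")
    if folder.st_mode & loose:
        problems.append("directory is group- or world-writable")
    if prog.st_mode & loose:
        problems.append("file is group- or world-writable")
    if prog.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("file is setuid or setgid")
    if not prog.st_mode & stat.S_IXUSR:
        problems.append("file is not executable by its owner")
    if (prog.st_uid, prog.st_gid) != (uid, gid):
        problems.append("file is not owned by the target user and group")
    return problems


if __name__ == "__main__":
    import pwd, sys
    pw = pwd.getpwnam(sys.argv[2])
    for line in check_cgi(sys.argv[1], sys.argv[2], pw.pw_uid, pw.pw_gid) or ["OK"]:
        print(line)
    print("path on www:", www_path(sys.argv[1]))
```

Run on bowl as `python3 check_cgi.py /var/www/user/username/public_html/cgi-bin/file.cgi username` (the script filename is hypothetical).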