How to configure AFS file space for Web access

Web access to AFS file space is provided by an Apache server that has access to the AFS file space.

Users are responsible for the contents of their Web pages and must comply with the rules described in:
ENEAGRID/CRESCO Utilization Rules

The link between URL and AFS path is reported in the following table:

URL                                            AFS path
http://www.afs.enea.it/userid                  /afs/enea.it/user/u/userid/public_html
http://www.afs.enea.it/project/project_name    /afs/enea.it/project/project_name/html
http://www.afs.enea.it/project/software_name   /afs/enea.it/software/project_name/html

A list of all users having something in their ~/public_html directory is available; if the directory contains a text file named public_html_description.txt, its content is shown on that page.
Generally speaking, access to AFS file space is controlled by the AFS ACLs (Access Control Lists), which are set at directory level.
For a complete description of AFS ACLs see for example the AFS Primer or How to protect your directories...; here only a few notes are reported.

The user can check the current status of the ACL for a directory using the command:

fs la directory_path

e.g. fs la /afs/enea.it/user/u/userid/public_html

while the ACL can be set using the command:

fs sa directory_path [user | group ]  ACL

ACL for unrestricted Web access

If the directory is published on the Web with unrestricted access, the following ACL must be set:

fs sa directory_path system:anyuser rl

If the user wants to publish a home page, the public_html folder must contain an index.html file.
If index.html does not exist, the web server provides a list of the files available in the directory.

User restricted Web access

It is also possible to restrict the Web access to a published directory only to a list of authorized AFS users, who will be required to provide their AFS password before accessing the restricted area.

As the authorized user must provide the password, the connection must be made using SSL so that the password travels over the network in encrypted form. To force an SSL connection, the Web page must link to the restricted area using the https protocol explicitly:

If "restricted_folder" is the restricted directory in the user's public_html folder, then the user must provide on the home page a link to:

https://www.afs.enea.it/userid/restricted_folder.

Note: if access is attempted using the URL http://www.afs.enea.it/userid/restricted_folder, that is with a URL starting with http instead of https, the server returns the message Internal Server Error ... after having prompted for userid and password (in this case the password is transmitted unencrypted over the network; this must be avoided!)

Inside the restricted directory the user must also create a .htaccess file with the following content:

AuthName "A description which will appear on the user/password prompt window"
AuthType Basic
AuthBasicProvider external
AuthExternal AFS_AUTH
require valid-user

A file with this content can be downloaded here.

To control the access to the reserved folder the AFS ACL must be properly set.

  • The generic user without token must not access the folder:
    • fs sa restricted_directory_path system:anyuser none
  • The web server must be able to access it:
    • fs sa restricted_directory_path system:wwwserver rl
  • The group or user related ACL must be set:
    • A user based ACL can be set by the commands:
      • fs sa restricted_directory_path userid1 rl
      • fs sa restricted_directory_path userid2 rl
    • and/or, using AFS groups:
      • fs sa restricted_directory_path group_OK rl
    • where the group group_OK includes users userid1 and userid2 as members.
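The following POSIX shell script is an added example, not part of the original page or of the ENEA tooling: it audits a saved "fs la" listing against the ACL rules given above for both the unrestricted (system:anyuser rl) and the restricted (system:anyuser none, system:wwwserver rl) cases, and scans a home page for plain-http links into the restricted folder, the mistake the note above warns about. The listings and the HTML fragments are constructed samples in the format "fs la" prints, not real output from the ENEA servers; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a web-published AFS directory against the ACL rules
# described on this page. Assumes the listing text is what "fs la <dir>"
# prints and that the web server identity is system:wwwserver.

# acl_rights LISTING PRINCIPAL -> prints the rights string of PRINCIPAL
# in the "Normal rights" section (empty if the principal has no entry).
acl_rights() {
    printf '%s\n' "$1" | awk -v who="$2" '
        /^Negative rights:/ { exit }
        $1 == who { print $2; exit }'
}

# has_rights RIGHTS NEEDED -> 0 if every letter of NEEDED appears in RIGHTS
has_rights() {
    needed=$2
    while [ -n "$needed" ]; do
        c=${needed%"${needed#?}"}          # first character of NEEDED
        case $1 in *"$c"*) ;; *) return 1 ;; esac
        needed=${needed#?}
    done
    return 0
}

# check_web_acl MODE LISTING
#   public     : system:anyuser must hold at least "rl"
#   restricted : system:anyuser must hold neither r nor l (normally no entry
#                at all, as set by "fs sa ... system:anyuser none") and
#                system:wwwserver must hold "rl"
# Returns 0 when the listing matches MODE, 1 otherwise.
check_web_acl() {
    mode=$1
    listing=$2
    anyuser=$(acl_rights "$listing" system:anyuser)
    www=$(acl_rights "$listing" system:wwwserver)
    case $mode in
        public)
            has_rights "$anyuser" rl ;;
        restricted)
            case $anyuser in *r*|*l*) return 1 ;; esac
            has_rights "$www" rl ;;
        *)
            return 2 ;;
    esac
}

# check_links_use_https HTML URL_PATH -> 0 if the page contains no plain-http
# link into URL_PATH (a plain-http link makes the browser send the AFS
# password unencrypted, as the note above explains).
check_links_use_https() {
    ! printf '%s\n' "$1" | grep -q "http://www\.afs\.enea\.it/$2"
}

# Constructed sample listings (not real "fs la" output from the ENEA servers).
PUBLIC_LISTING='Access list for /afs/enea.it/user/u/userid/public_html is
Normal rights:
  system:anyuser rl
  userid rlidwka'

RESTRICTED_LISTING='Access list for /afs/enea.it/user/u/userid/public_html/restricted_folder is
Normal rights:
  system:wwwserver rl
  group_OK rl
  userid rlidwka'

# A restricted folder that still lets anonymous readers in.
LEAKY_LISTING='Access list for /afs/enea.it/user/u/userid/public_html/restricted_folder is
Normal rights:
  system:anyuser rl
  system:wwwserver rl
  userid rlidwka'

# Constructed home-page fragments: one correct link, one plain-http link.
HOME_PAGE='<a href="https://www.afs.enea.it/userid/restricted_folder">members</a>'
BAD_HOME_PAGE='<a href="http://www.afs.enea.it/userid/restricted_folder">members</a>'

# Report on the samples when the script is run directly.
for item in "public PUBLIC_LISTING" "restricted RESTRICTED_LISTING" "restricted LEAKY_LISTING"; do
    set -- $item
    eval "listing=\$$2"
    if check_web_acl "$1" "$listing"; then echo "$2: OK for $1 access"; else echo "$2: NOT OK for $1 access"; fi
done
if check_links_use_https "$BAD_HOME_PAGE" userid/restricted_folder; then
    echo "home page links: OK"
else
    echo "home page links: plain-http link into the restricted folder found"
fi
```

To audit a real directory, capture the listing with fs la and pass it in, for example check_web_acl restricted "$(fs la /afs/enea.it/user/u/userid/public_html/restricted_folder)"; the script only reads the listing, it never changes an ACL.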

How to manage AFS groups is described in the OpenAFS manual, "Using Groups".