How to configure AFS file space for Web access
Web access to portions of the AFS file space is provided by an Apache server having access to the AFS file space.
The link between URL and AFS path is reported in the following table:

URL                                           | AFS path
http://www.afs.enea.it/userid                 | /afs/enea.it/user/u/userid/public_html
http://www.afs.enea.it/project/project_name   | /afs/enea.it/project/project_name/html
http://www.afs.enea.it/software/software_name | /afs/enea.it/software/software_name/html
Generally speaking, access to the AFS file space is controlled by AFS ACLs [Access Control Lists], which are set at directory level. For a complete description of AFS ACLs see for example the AFS Primer or How to protect your directories...; only a few notes are reported here.
The user can check the current status of the ACL for a directory using the command:
  fs la directory_path
e.g. fs la /afs/enea.it/user/u/userid/public_html
while the ACL can be set using the command:
  fs sa directory_path [user | group] ACL
ACL for unrestricted Web access
If the directory is web published with unrestricted access the following ACL must be set:
  fs sa directory_path system:anyuser rl
If the user wants to publish a HOME page, the public_html folder must contain an index.html file. If index.html does not exist, the web server provides a list of the files available in the directory.
User restricted Web access
It is also possible to restrict the Web access to a published directory only to a list of authorized AFS users, who will be required to provide their AFS password before accessing the restricted area.
As the authorized user must provide the password, the connection must be made using SSL so that the password travels in encrypted form over the network. To force an SSL connection the Web page must link the restricted area using the https protocol explicitly:
If "restricted_folder" is the restricted directory in the user's public_html folder, then the user must provide in his HOME page a link to:
  https://www.afs.enea.it/userid/restricted_folder
Note: if access is attempted using the URL http://www.afs.enea.it/userid/restricted_folder , that is with a URL starting with http instead of https, the server returns the message Internal Server Error ... after having prompted for userid and password (the password is transmitted unencrypted over the network in this case; this must be avoided!).
Inside the restricted directory the user must also create a .htaccess file with the following content:
  AuthName "A description which will appear on the user/password prompt window"
  AuthType Basic
  AuthBasicProvider external
  AuthExternal AFS_AUTH
  require valid-user
A file with this content can be downloaded here.
To control access to the reserved folder the AFS ACL must be properly set.
- The generic user without token must not access the folder:
  fs sa restricted_directory_path system:anyuser none
- The web server must be able to access it:
  fs sa restricted_directory_path system:wwwserver rl
- The group or user related ACL must be set. A user based ACL can be set by the commands:
  fs sa restricted_directory_path userid1 rl
  fs sa restricted_directory_path userid2 rl
  and/or, using AFS groups:
  fs sa restricted_directory_path group_OK rl
  where the group group_OK includes the users userid1 and userid2 as members.
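The three ACL rules above are easy to get wrong by hand (for example leaving system:anyuser rl in place from the unrestricted setup). The following script, an added example that is not part of the original page, checks the output of "fs la" for a restricted directory against those rules; it assumes the OpenAFS listing format ("Access list for ... is" / "Normal rights:" / one "name rights" entry per line) and uses a constructed listing so it runs without an AFS client.

```bash
#!/bin/sh
# check_restricted_acl: read "fs la" output on stdin and return 0 only if
#   - system:anyuser is not listed at all ("fs sa ... system:anyuser none" removes it)
#   - system:wwwserver has exactly rl (read + lookup, nothing more)
#   - at least one other user or group entry grants both r and l
# Entries under "Negative rights:" are ignored: they only remove access.
check_restricted_acl() {
    awk '
    /^Access list for/ || /^Normal rights:/ { next }
    /^Negative rights:/ { neg = 1; next }
    neg { next }
    NF == 2 {
        if ($1 == "system:anyuser")        { anyuser = 1 }
        else if ($1 == "system:wwwserver") { www = $2 }
        else if ($2 ~ /r/ && $2 ~ /l/)     { readers++ }
    }
    END {
        if (anyuser) { print "FAIL: system:anyuser still listed, set it to none"; exit 1 }
        if (www != "rl") { print "FAIL: system:wwwserver must be rl, found: " (www ? www : "no entry"); exit 1 }
        if (readers == 0) { print "FAIL: no authorized user or group with rl"; exit 1 }
        print "OK: restricted directory ACL is consistent"
    }'
}

# Constructed sample listing (not taken from a real cell) for a correctly set folder.
SAMPLE_ACL='Access list for /afs/enea.it/user/u/userid/public_html/restricted_folder is
Normal rights:
  system:wwwserver rl
  userid rlidwka
  group_OK rl'

printf '%s\n' "$SAMPLE_ACL" | check_restricted_acl
# On a live cell: fs la /afs/enea.it/user/u/userid/public_html/restricted_folder | check_restricted_acl
```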
How to manage AFS groups is described in the OpenAFS manual, "Using Groups".