In %RT%105069 we proposed a new solution for System Design Project group web pages. Previously they'd been hosted on groups.inf.

This new service is intended to make things a bit more secure, and isolate them from the main groups.inf service.

Very quick summary

  • Machine sdpvm hosts the sites, group2.sdp ... etc
  • live/sdp-webserver.h has the config
  • requires AFS PTS ids to be reserved on AFSAdminUids for each group
  • Kerberos machine keytabs for each of the above IDs (done by component in header)
  • These AFS IDs are members of the corresponding AFS group system:sdpweb-group1, system:sdpweb-group2, etc
  • Each groupX.sdp.inf apache vhost runs with the corresponding sdpgroupX keytab
  • Each vhost has its document root as /afs/, with system:sdpweb-groupX having the necessary ACL access
  • Optionally each group vhost can have PHP and CGI enabled in the sdp-webserver.h header, though all CGIs run as the apache unix user. The CGI root is /afs/
    • NOTE: ordering in sdp-webserver.h is important; the _SDP_VHOST_ENABLE_PHP line would need to go below the group's _SDP_GROUP_VHOST macro
  • The DNS for each needs to point at sdpvm.inf
  • HTTP just redirects to HTTPS

Things to note

  • The VM is currently hosted on the student project VM Host at KB
  • Students can't log into sdpvm (like most servers).
  • sdpvm isn't carrying a full set of software packages, and is SL7
  • This makes CGI use (if enabled) tricky to develop for.
  • There's no MySQL or Postgres, just as there wasn't on groups.inf. Students could connect to pgteach.inf
  • The "security" depends on the ACLs of the various document roots being correct.
  • It's assumed that, as well as system:sdpweb-groupX having access to the html file space, the students in that group will also have access, probably via the "sdpX" roles -> inf:sdpX AFS group. These secondary roles need to be cleared and repopulated between sessions.
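
Since the isolation rests on the document-root ACLs, they can be checked mechanically. This added example (not part of the original page or the service's own tooling) parses `fs listacl` output and flags principals other than the group's own system:sdpweb-groupX and inf:sdpX; the sample output, the placeholder path and the always-allowed system:administrators entry are assumptions.

```python
import re

# Assumption (not from the page): AFS administrators are acceptable everywhere.
ALWAYS_ALLOWED = {"system:administrators"}

# Constructed sample of `fs listacl` output; the path is a placeholder.
SAMPLE = """\
Access list for /afs/PLACEHOLDER/group2/html is
Normal rights:
  system:sdpweb-group2 rl
  inf:sdp2 rlidwk
  system:sdpweb-group3 rl
  system:anyuser l
  system:administrators rlidwka
"""

def parse_normal_rights(text):
    """Return {principal: rights} from the 'Normal rights' section."""
    rights, in_normal = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Normal rights"):
            in_normal = True
        elif s.startswith("Negative rights"):
            in_normal = False
        elif in_normal and len(s.split()) == 2:
            who, r = s.split()
            rights[who] = r
    return rights

def audit_docroot(text, n):
    """List ACL findings for group n's document root."""
    normal = parse_normal_rights(text)
    web, students = f"system:sdpweb-group{n}", f"inf:sdp{n}"
    findings = []
    if not {"r", "l"} <= set(normal.get(web, "")):
        findings.append(f"{web}: missing read/lookup, vhost cannot serve files")
    for who, r in normal.items():
        if who in ALWAYS_ALLOWED or who in (web, students):
            continue
        if who in ("system:anyuser", "system:authuser"):
            findings.append(f"{who} ({r}): not restricted to this group")
        elif re.fullmatch(r"(system:sdpweb-group|inf:sdp)\d+", who):
            findings.append(f"{who} ({r}): another group's principal")
        else:
            findings.append(f"{who} ({r}): unexpected principal")
    return findings

if __name__ == "__main__":
    for finding in audit_docroot(SAMPLE, 2):
        print(finding)
```

Running the same check after the secondary roles are cleared and repopulated between sessions confirms that no stale entries remain on a document root.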

