How to Set Up a Web Page

How Do I Set Up My Homepage?

Your homepage is in ~/html. Log into a cs machine and make sure the html directory exists in your home directory. Also make sure other users have execute permission on both your home directory and the html directory, so the web server can enter them. From the command line you can type "ls ~" to check if html exists, "mkdir ~/html" to create it if necessary, and "chmod o+x ~ ~/html" to set up the permissions correctly. If you want to serve content over https (encrypted http), that gets served from ~/secure_html. The same instructions apply other than the directory name.


Running CGIs Over HTTPS (Advanced)

If you'd like to host a cgi script from your home directory, but require that it only be accessed using SSL, you have to do a bit of trickery. The web server will only run cgi scripts from your ~/html directory, which is normally served over http (unencrypted). It won't run them from ~/secure_html, which is the directory that does get encrypted.

The workaround is:

  1. Put the cgi script in a subdirectory of ~/html, e.g. ~/html/secure/
  2. Create a symbolic link in ~/secure_html/ that points to that directory, e.g. "ln -s /home/ab1234/html/secure ~/secure_html/secure". Now the secure directory is accessible using http or https.
  3. Create a .htaccess file in the secure directory which forces accesses to use https:
    # Redirect http requests to https
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
      
The way this works is that if a request comes in for http://..../secure, the rewrite rule sends the request to https://... The web server then looks in ~/secure_html and happily follows the link to the folder in ~/html, and is willing to execute the cgi script there because it's in an allowed directory.


Redirecting HTTP to HTTPS With Auth

The above solution has a problem if you're using http authentication. The require valid-user requirement has higher priority than the rewrite rule. So if someone accesses the page using http, the server prompts them to log in (over http) and only then redirects them to https. This is undesirable because the password is sent in cleartext. The solution is to use a more hackish redirection method:

    # Redirect http requests to https. Must use SSLRequireSSL method with http auth.
    SSLOptions +StrictRequire
    SSLRequireSSL
    ErrorDocument 403 https://example.com/somepage/

SSLRequireSSL sets up a requirement for an https connection. +StrictRequire ensures that this requirement is met. Without it, some configurations allow the connection if any one requirement is met, so the server would try to authenticate without SSL to see if the require valid-user requirement is met.

With those 2 lines in place, if a client tries to connect over http, they'll get a 403 error. The ErrorDocument line says that if someone hits a 403 error here, they should be sent to the specified URL, which does use https. This is a little less flexible than the Rewrite method because the URL must be hardcoded in the .htaccess file.
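
A quick audit for the cleartext-password problem described above, as an added example that is not part of the original page. The function names, return codes and sample files (including the placeholder AuthUserFile path) are assumptions made for this example.

```shell
#!/bin/sh
# check_htaccess FILE: this example's own return-code convention:
#   0 = no http auth, or auth gated by SSLRequireSSL + StrictRequire
#   1 = auth present but SSLRequireSSL missing (login prompt served over http)
#   2 = SSLRequireSSL present but "SSLOptions +StrictRequire" missing
#   3 = ErrorDocument 403 missing or not pointing at an https:// URL
#   4 = file not readable
check_htaccess() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 4; }
    # Drop comment lines so a commented-out directive does not count.
    active=$(grep -v '^[[:space:]]*#' "$f" || true)
    has() { printf '%s\n' "$active" | grep -Eiq "$1"; }

    # No Require directive for users: no password to protect.
    has '^[[:space:]]*Require[[:space:]]+(valid-user|user|group)' || return 0
    has '^[[:space:]]*SSLRequireSSL([[:space:]]|$)' || {
        echo "$f: auth without SSLRequireSSL" >&2; return 1; }
    has '^[[:space:]]*SSLOptions[[:space:]].*\+StrictRequire' || {
        echo "$f: SSLRequireSSL without +StrictRequire" >&2; return 2; }
    has '^[[:space:]]*ErrorDocument[[:space:]]+403[[:space:]]+https://' || {
        echo "$f: 403 does not redirect to https" >&2; return 3; }
    return 0
}

# make_samples DIR: write two constructed .htaccess files for testing.
make_samples() {
    d=$1
    # Rewrite-only redirect plus auth: the failure mode described above.
    cat > "$d/rewrite_auth" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
AuthType Basic
AuthName "constructed example"
AuthUserFile /path/to/placeholder/.htpasswd
Require valid-user
EOF
    # The SSLRequireSSL method from this page plus the same auth lines.
    cat > "$d/ssl_auth" <<'EOF'
SSLOptions +StrictRequire
SSLRequireSSL
ErrorDocument 403 https://example.com/somepage/
AuthType Basic
AuthName "constructed example"
AuthUserFile /path/to/placeholder/.htpasswd
Require valid-user
EOF
}
```

Run it as "check_htaccess ~/html/secure/.htaccess; echo $?" after sourcing the file. It only inspects the one file given and does not follow settings inherited from parent directories or the server configuration.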