How to set up a web site

How Do I Set Up My Homepage

1. Log in to your home directory. If you have a CS account, you can log in with the following command:

ssh <your CS username>@compute.cs.columbia.edu

2. Check if ~/html exists: If you have a new account, you probably don’t have an html folder. Upon logging into compute.cs.columbia.edu or clic.cs.columbia.edu, type in the following:

ls -ld ~/html

If nothing is returned, you can safely execute the following command:

mkdir ~/html && chmod o+x ~/html

3. (recommended) Symlink secure_html to serve the same content via https and http. While not a required step, it is important to keep in mind that our infrastructure does not currently automatically assume that your insecure (http) content should also be served encrypted. The standard, however, is to allow users to navigate web content via both. To enable this, if you do not have a secure_html directory, use this command:

ln -s ~/html ~/secure_html

If secure_html does not exist, then this will create it. Extra care should be taken if you already have content being delivered via secure_html (this will cause the symlink to fail). If your folder already exists, be sure to review your files and, if necessary, copy the ones you want into your html folder. Then, after you are certain you are not deleting data, you can move or delete your old secure_html folder and symlink using the ln command above.

See the next step if you need to keep these web pages restricted.

Force Redirect Http To Https

If you want to force redirect a file, a folder, or your entire web page from http to https (wherever possible, this is considered best practice), make the following changes.

  1. In the folder you want to secure, create a .htaccess file
  2. Add the following configuration:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Important Note: If you’re including authentication or changing this default configuration in any way, you should temporarily change “R=301” to “R=302”. Browsers cache 301 (permanent) redirects, so testing with a 302 prevents caching and keeps your test results accurate. This applies to any of the changes described below.

Force a single web page to use Https

If you want to allow people to use both http and https, but require that one particular web page always be served over https, you can force that single page in one of two ways.

Option 1: If/else syntax (Apache 2.4 feature, recommended)

New in Apache 2.4, you can use If/Else. This allows Apache configuration to be written much like a programming language, and allows for simplification of rewrites. This is particularly helpful because it reduces the need to rely on complex regex (which can also speed up requests).

<If "%{DOCUMENT_URI} == '/~myusername/path/to/file.html'">
RewriteEngine On
RewriteCond %{HTTPS} off
# change R=302 to R=301 after testing (Apache comments must be on their own line)
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L]
</If>

If you have more than one file, you can include multiple conditionals with or. It must be within the double quotes. As an example:

<If "%{DOCUMENT_URI} == '/~myusername/path/to/file.html' or %{DOCUMENT_URI} == '/~myusername/path/to/file2.html'">
</If>

Option 2: The old way

RewriteEngine On
RewriteCond %{HTTPS} off
# change R=302 to R=301 after testing (Apache comments must be on their own line)
RewriteRule my_escaped_page\.html https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L]

If you go this route, please note that this uses regex, and as such, many characters including slashes and periods could have unintended consequences. It is strongly advised that you use a regex tester to see what your web site will do. Regex101 is a good one.

Authentication and Http/Https redirection

If your website is accessible via http and https, and you require authentication, you must add conditionals to ensure that authentication is only occurring after redirection. By default, this is not the case. While your browser may automatically redirect you to https on subsequent attempts – especially if you have used a 301 permanent redirect – the first attempt will send a password in plain text, which exposes your password to anyone who has access to the network.

Authentication must be done via SSL. Please review this section carefully if you have authentication on your website.

Code snippet:

<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Restricted"
Require valid-user
# passwd file or LDAP here
#...
</If>

 

This ensures that authentication only occurs when the web page is accessed via https. When joined with a RewriteCond to redirect all traffic to https, it ensures that authentication occurs, and that it always occurs after the user has been redirected to the correct protocol.
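
One way to confirm the ordering described above is to look at how the server answers the first plain-http request to a protected page: it should be a redirect to https, never a password prompt. The script below is an added example, not part of the original page; the function names and the host www.example.edu are assumptions, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: classify how a plain-http request to a protected page is answered.
# Input: response headers as printed by `curl -sI` (one response, no -L).
classify_response() {
    awk '
        { sub(/\r$/, "") }                          # strip the CR of each CRLF line ending
        NR == 1 { status = $2; next }               # status line, e.g. HTTP/1.1 302 Found
        { name = tolower($0); sub(/:.*/, "", name) }   # header name, case-insensitive
        name == "location"         { loc = $0; sub(/^[^:]*:[ \t]*/, "", loc) }
        name == "www-authenticate" { challenge = 1 }
        END {
            if (challenge || status == "401") {
                print "FAIL auth-over-http"         # password prompt reachable without TLS
            } else if (status ~ /^30[12378]$/ && tolower(loc) ~ /^https:\/\//) {
                kind = (status == "301" || status == "308") ? "permanent" : "temporary"
                print "OK " kind "-redirect"
            } else if (status ~ /^3/) {
                print "FAIL redirect-not-https"
            } else {
                print "FAIL no-redirect"            # neither redirected nor challenged
            }
        }'
}

# Live check: pass the http:// URL of your own protected page.
check_url() {
    curl -sI --max-time 10 "$1" | classify_response
}

# Constructed sample responses (www.example.edu is a placeholder host).
sample_redirect() {
    printf 'HTTP/1.1 302 Found\r\nLocation: https://www.example.edu/~myusername/private/\r\n\r\n'
}
sample_challenge() {
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Restricted"\r\n\r\n'
}

echo "redirect first:  $(sample_redirect | classify_response)"
echo "challenge first: $(sample_challenge | classify_response)"
```

While testing with R=302 the expected result is "OK temporary-redirect"; after switching to R=301 it becomes "OK permanent-redirect".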

Permissions

Please see Access Forbidden – Proper Permissions for Websites for a detailed description on setting file permissions.