Web Servers and Samba
Overview
Each of the major departmental servers
runs a web server.
The web server running in the public zone
is the public web server and is accessible
from the Internet at the canonical name
www.cs.miami.edu.
The web server in the servers zone is an
internal, departmental web server and is
not directly accessible from the Internet.
It can be accessed from the servers zone (or
above) at the canonical name web.cs.miami.edu.
Of intermediate security is the student
web server, in the lab zone, which will be
running on lee.cs.miami.edu and does not yet
have a canonical name.
The internal server can publish web pages
homed on its file system to the public server.
The pages are therefore
accessible from the Internet in a manner
indistinguishable from pages homed on the
public server. The technology achieving this
publication is an SMB connection between the
two servers. The internal server is a Samba
server. It exports /pub/htdocs with no-password,
read-only permission. The public server is a
Samba client and mounts this exported file tree.
This forms a Samba tunnel across security zones.
At this time, this is the only Samba tunnel.
It is possible to set up no-password
connections between server and lab zones,
as well as more interesting, per user
read-write connections
between the server and lab zone, protected
by password.
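The export described above (/pub/htdocs, no password, read only) is the kind of share definition a departmental Samba server would carry. The following is an added example, not the department's smb.conf: it embeds a constructed smb.conf with a read-only guest share for the web tree beside a deliberately mis-configured guest-writable share, parses it the way Samba reads it (whole-line `#`/`;` comments only, `read only`/`writable` synonyms, Samba's read-only default), and reports any guest-accessible share that is writable or that lacks a `hosts allow` restriction. The workgroup name and the 192.0.2.10 address of the public server are placeholders.

```python
"""Audit an smb.conf for guest-accessible shares (added example).

A no-password, read-only export across security zones should stay
read-only and be mountable only by the intended client, so this script
flags guest shares that are writable or open to every host.
"""
import re

# Constructed sample; the workgroup and address are placeholders.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = CSDEPT
   security = user
; Unknown users fall through to the guest account.
   map to guest = Bad User

; Read-only, no-password export of the web tree to the public server.
[htdocs]
   path = /pub/htdocs
   read only = yes
   guest ok = yes
   browseable = no
; Placeholder address standing in for the public web server.
   hosts allow = 192.0.2.10

; Constructed mis-configuration for comparison: guest-writable, any host.
[scratch]
   path = /pub/scratch
   guest ok = yes
   writable = yes
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}}.

    Samba ignores only whole lines starting with '#' or ';', so inline
    comments are not stripped.  Keys are lowercased with internal
    whitespace collapsed ('Read  Only' -> 'read only')."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = _SECTION.match(line)
        if match:
            current = match.group(1).strip().lower()
            conf.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[current][" ".join(key.lower().split())] = value.strip()
    return conf


def _bool(value, default):
    return default if value is None else value.strip().lower() in _YES


def share_is_read_only(share):
    """Samba's default is 'read only = yes'; 'writable', 'writeable' and
    'write ok' are inverted synonyms that override it when present."""
    read_only = _bool(share.get("read only"), True)
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in share:
            read_only = not _bool(share[synonym], False)
    return read_only


def audit_guest_shares(conf):
    """Return (share, problem) pairs for every guest-accessible share that
    is writable or has no 'hosts allow' list (empty list = all hosts)."""
    findings = []
    for name, share in conf.items():
        if name == "global" or not _bool(share.get("guest ok"), False):
            continue
        if not share_is_read_only(share):
            findings.append((name, "guest share is writable"))
        if not share.get("hosts allow"):
            findings.append((name, "guest share has no 'hosts allow' restriction"))
    return findings


if __name__ == "__main__":
    for share, problem in audit_guest_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {problem}")
```

Run against the sample, the `[htdocs]` share passes and both findings land on `[scratch]`. Pointing `SAMPLE_SMB_CONF` at a real file (for example by reading /etc/samba/smb.conf) turns this into a quick check before a new cross-zone export is opened.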
proxy client ---+   +--------------->
                |   |
                +-->+
------------> sherman <==================> jackson <--------
     http                  SMB                      http
  private_html                                  public_html
Private and Public html directories
At present, the server for the servers zone
is sherman, and we shall use that name in what follows.
Departmental home directories are on sherman. Traditionally,
a URL ending in ~username instructs the web server to
access the directory ~username/public_html. To avoid
confusion, we have instructed sherman's web server to
access the directory ~username/private_html. Files
under private_html are accessible as web pages within
the department, but not directly from without.
Files to be seen publicly should be placed in the
directory /pub/htdocs/home/username. We suggest a symbolic
link from ~username/public_html to /pub/htdocs/home/username.
The entirety of /pub/htdocs is exported to the public
web server. The URL www.cs.miami.edu/~username will present
pages actually residing on sherman, in the directory
/pub/htdocs/home/username.
The result is that, assuming you have created the suggested
symbolic link, public pages go in the directory
public_html and internal pages in the directory
private_html.
Accessing private_html externally
In order to encourage collaboration and the virtual
classroom and office,
full access to departmental resources must be available
from anywhere on the Internet.
This is accomplished by tunneling a local port through
the firewall to the internal web server. Furthermore,
this web server has been set to proxy URLs it does not
service itself, so services restricted
by requester IP address are reachable from off campus.
We are in the process of improving the ease of
creating this tunnel. The suggested method for Unix-based
servers is to add the following lines to your
.ssh/config file:
Host webproxy
HostName web.cs.miami.edu
LocalForward 8080 web.cs.miami.edu:80
then either use the following URL in your browser:
http://localhost:8080/page-name
or set your browser to proxy http and https to localhost,
port 8080.
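One point the stanza above relies on is that the forwarded port 8080 listens on the loopback interface only, so the proxying internal web server is reachable just from the machine that opened the tunnel. The following is an added example, not part of the original note: it parses an ssh_config Host block, builds the equivalent one-shot `ssh -N -L` command line, and flags any LocalForward whose listening side is bound to something other than loopback (an explicit `*`, `0.0.0.0` or empty bind address, or the default bind combined with `GatewayPorts yes`). The `webproxy-open` stanza is a constructed mis-configuration for comparison.

```python
"""Check ssh_config port forwards used to reach an internal web server.

Added example.  parse_ssh_config() reads Host blocks, tunnel_command()
turns a block into the equivalent 'ssh -N -L ...' argument list, and
exposed_forwards() reports LocalForward entries that would listen on
non-loopback addresses and so offer the tunnel to other hosts.
"""

# The first stanza is the one from the note; the second is constructed.
SAMPLE_SSH_CONFIG = """\
# Tunnel from the note: port 8080 on this machine -> internal web server.
Host webproxy
    HostName web.cs.miami.edu
    LocalForward 8080 web.cs.miami.edu:80

# Constructed mis-configuration: the same tunnel bound to every interface.
Host webproxy-open
    HostName web.cs.miami.edu
    LocalForward *:8080 web.cs.miami.edu:80
"""

# None = ssh's default bind, which is loopback unless GatewayPorts is yes.
LOOPBACK_BINDS = {None, "localhost", "127.0.0.1", "::1"}


def parse_ssh_config(text):
    """Return {host alias: {keyword: [values]}} with keywords lowercased.
    Accepts 'Keyword value' and 'Keyword=value'; '#' lines are comments."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        key, value = key.lower(), value.strip()
        if key == "host":
            current = value
            hosts.setdefault(current, {})
        elif current is not None:
            hosts[current].setdefault(key, []).append(value)
    return hosts


def parse_local_forward(spec):
    """Split 'LocalForward [bind:]port host:hostport' into
    (bind, port, host, hostport); bind is None when ssh's default applies."""
    listen, target = spec.split()
    host, hostport = target.rsplit(":", 1)
    if ":" in listen:
        bind, port = listen.rsplit(":", 1)
        bind = bind.strip("[]")  # allow '[::1]:8080'
    else:
        bind, port = None, listen
    return bind, int(port), host, int(hostport)


def tunnel_command(hosts, alias):
    """Equivalent one-shot command for a Host block (argv list)."""
    block = hosts[alias]
    args = ["ssh", "-N"]
    for spec in block.get("localforward", []):
        bind, port, host, hostport = parse_local_forward(spec)
        listen = str(port) if bind is None else f"{bind}:{port}"
        args += ["-L", f"{listen}:{host}:{hostport}"]
    args.append(block.get("hostname", [alias])[0])
    return args


def exposed_forwards(hosts):
    """Return (alias, spec) for every LocalForward not bound to loopback."""
    exposed = []
    for alias, block in hosts.items():
        gateway = block.get("gatewayports", ["no"])[-1].lower() == "yes"
        for spec in block.get("localforward", []):
            bind = parse_local_forward(spec)[0]
            if bind not in LOOPBACK_BINDS or (bind is None and gateway):
                exposed.append((alias, spec))
    return exposed


if __name__ == "__main__":
    hosts = parse_ssh_config(SAMPLE_SSH_CONFIG)
    print(" ".join(tunnel_command(hosts, "webproxy")))
    for alias, spec in exposed_forwards(hosts):
        print(f"Host {alias}: LocalForward {spec} listens on a non-loopback address")
```

With the stanza in the note the tunnel is opened with `ssh webproxy` (or the printed `ssh -N -L 8080:web.cs.miami.edu:80 web.cs.miami.edu`), and only `webproxy-open` is reported.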
Administrative notes
The public server's CNAME, www.cs.miami.edu, is bound to
an IP address in the cs.miami.edu global
address block and is routed towards the public
web server by a static translation.
The web servers offer
http services accessible to the appropriate
security levels.
Publishing of data from higher security
file systems to lower security web servers is
accomplished using the SMB protocol.
It is noted that infected
email and web pages are the most direct route
to host compromise, and countermeasures are
incomplete. The effect is that individual
host security cannot be ignored.
History
Burton Rosenberg
Updated: 2 August 2002