Web Servers and Samba

Overview

Each of the major departmental servers runs a web server. The web server running in the public zone is the public web server and is accessible from the Internet at the canonical name www.cs.miami.edu. The web server in the servers zone is an internal, departmental web server and is not directly accessible from the Internet. It can be accessed from the servers zone (or above) at the canonical name web.cs.miami.edu. Of intermediate security is the students' web server, in the lab zone, which will run on lee.cs.miami.edu and does not yet have a canonical name. The internal server can publish web pages homed on its file system to the public server. The pages are therefore accessible from the Internet in a manner indistinguishable from pages homed on the public server. The technology achieving this publication is an SMB connection between the two servers. The internal server is a Samba server. It exports /pub/htdocs as a read-only share that requires no password. The public server is a Samba client and mounts this exported file tree. This forms a Samba tunnel across security zones. Note that data flows in one direction only, from the higher-security servers zone to the lower-security public zone, and that anything placed under /pub/htdocs on the internal server must be regarded as public. At this time, this is the only Samba tunnel. It is possible to set up no-password connections between the servers and lab zones, as well as more interesting per-user, read-write connections between the servers and lab zones, protected by password.

   proxy client ---+   +--------------->
                   |   |
                   +-->+
    ------------> sherman <==================> jackson <--------
       http                        SMB                    http
    private_html               public_html                     
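
As an added example (not the department's own configuration; the share name, the public server's address and the use of the Linux cifs mount helper are all assumptions), here is how the export described above is expressed on the Samba side: first in the minimal form the text states, then in a restricted form that admits only the public server and keeps symbolic links from reaching outside /pub/htdocs.

```shell
#!/bin/sh
# Added example, not the department's configuration. It shows the share a
# Samba server would define to export /pub/htdocs read-only with no
# password, first in the minimal form the text describes and then with the
# controls a cross-zone export should carry. Assumed, not from the page:
# the share name "htdocs", the public server's address 192.0.2.10, and a
# Linux client using mount -t cifs (the 2002-era tool was smbmount).

PUBLIC_SERVER_IP="${PUBLIC_SERVER_IP:-192.0.2.10}"   # assumed address of jackson

# Minimal share: read-only and guest, exactly what the text states, and
# nothing else. Any host that can reach the SMB ports on sherman can read it.
minimal_share_conf() {
    cat <<EOF
[htdocs]
    path = /pub/htdocs
    read only = yes
    guest ok = yes
EOF
}

# Restricted share: same data, but only the public server may connect, the
# guest account is forced even for users who hold Samba passwords, the share
# is hidden from browsing, and symlinks cannot pull in files from outside
# /pub/htdocs. Every option name is a real smb.conf parameter.
htdocs_share_conf() {
    cat <<EOF
[htdocs]
    comment = Pages published from the servers zone to the public zone
    path = /pub/htdocs
    read only = yes
    guest ok = yes
    guest only = yes
    browseable = no
    hosts allow = ${PUBLIC_SERVER_IP}
    hosts deny = ALL
    follow symlinks = no
    wide links = no
EOF
}

# Return 0 if a share definition carries all of the restrictions above and
# names a single client address, 1 otherwise. Useful as a pre-deploy check.
share_conf_is_restricted() {
    conf="$1"
    for required in "read only = yes" "guest only = yes" "hosts deny = ALL" \
                    "follow symlinks = no" "wide links = no"; do
        printf '%s\n' "$conf" | grep -Fq "$required" || return 1
    done
    printf '%s\n' "$conf" | grep -Eq '^ *hosts allow = [0-9]+(\.[0-9]+){3}$' || return 1
    return 0
}

# On the internal server (sherman): append the share and let Samba's own
# parser validate the result before smbd is reloaded.
install_share() {
    htdocs_share_conf >> /etc/samba/smb.conf
    testparm -s /etc/samba/smb.conf >/dev/null
}

# On the public server (jackson): mount the export where the public web
# server's document tree expects it. ro matches the server side; nosuid,
# nodev and noexec keep a published file from ever being more than data.
mount_htdocs() {
    mount -t cifs //sherman.cs.miami.edu/htdocs /pub/htdocs \
        -o ro,guest,nosuid,nodev,noexec
}
```

The minimal form is what the text describes and is enough for the tunnel to work; the restricted form is what keeps a "no-password" share from becoming readable by every host that can reach the servers zone, and share_conf_is_restricted refuses the minimal form for that reason.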

Private and Public html directories

At present, the server for the servers zone is sherman, and we shall use that name in what follows. Departmental home directories are on sherman. Traditionally, a URL ending in ~username instructs the web server to access the directory ~username/public_html. To avoid confusion, we have instructed sherman's web server to access the directory ~username/private_html instead. Files under private_html are accessible as web pages within the department, but not directly from outside. Files to be seen publicly should be placed in the directory /pub/htdocs/home/username. We suggest a symbolic link from ~username/public_html to /pub/htdocs/home/username. The entirety of /pub/htdocs is exported to the public web server, so anything placed under it is visible from the Internet. The URL www.cs.miami.edu/~username will present pages actually residing on sherman, in the directory /pub/htdocs/home/username. The result, assuming you have created the suggested symbolic link, is: place public pages in the directory public_html, and place internal pages in the directory private_html. A symbolic link in the other direction, from under /pub/htdocs into your home directory, can have the opposite effect and publish the linked files, depending on how the Samba server treats symbolic links, so do not create one.
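
The following is an added example, not a department script, of setting up the directories described above for one user and of checking the exported tree for symbolic links that lead out of it. The export root (overridable so the functions can be exercised in a scratch directory) and the availability of readlink -f are assumptions.

```shell
#!/bin/sh
# Added example, not a department script. It creates the per-user layout
# described above and audits the exported tree for symbolic links that
# resolve outside it. Assumed, not from the page: the exported root is
# /pub/htdocs (overridable through HTDOCS_ROOT so the functions can be
# exercised in a scratch directory) and readlink -f is available.

HTDOCS_ROOT="${HTDOCS_ROOT:-/pub/htdocs}"

# Create ~user/private_html (served inside the department only),
# /pub/htdocs/home/user (exported to the public server) and the suggested
# symlink ~user/public_html -> /pub/htdocs/home/user.
setup_user_web_dirs() {
    user="$1"; home="$2"
    mkdir -p "$home/private_html" "$HTDOCS_ROOT/home/$user"
    chmod 755 "$home/private_html" "$HTDOCS_ROOT/home/$user"
    # Leave an existing public_html alone: replacing a real directory with a
    # link would silently hide whatever the user already had there.
    if [ ! -e "$home/public_html" ] && [ ! -L "$home/public_html" ]; then
        ln -s "$HTDOCS_ROOT/home/$user" "$home/public_html"
    fi
}

# Print "link -> target" for every symlink under the exported root whose
# resolved target lies outside it. The suggested link lives in the home
# directory and points into the export, which is harmless; a link pointing
# the other way would publish files that were never placed under /pub/htdocs
# if the Samba server or the public web server follows it.
list_escaping_symlinks() {
    root=$(readlink -f "$HTDOCS_ROOT")
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null)   # canonical target, may not exist
        case "$target" in
            "$root"/*) ;;                            # stays inside the export
            *) printf '%s -> %s\n' "$link" "${target:-(unresolvable)}" ;;
        esac
    done
}

# Exit status 0 when the export is clean, 1 (with a report on stderr) otherwise.
audit_htdocs_symlinks() {
    bad=$(list_escaping_symlinks)
    [ -z "$bad" ] && return 0
    printf 'symlinks escaping %s:\n%s\n' "$HTDOCS_ROOT" "$bad" >&2
    return 1
}
```

audit_htdocs_symlinks is meant to run periodically on sherman: every link it reports is a path the public server could read, depending on the Samba server's symlink settings, without the file ever having been copied under /pub/htdocs.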

Accessing private_html externally

In order to encourage collaboration and the virtual classroom and office, full access to departmental resources must be available from anywhere on the Internet. This is accomplished by tunneling a local port through the firewall, over ssh, to the internal web server. Furthermore, this web server has been set to proxy URLs it does not service itself, so services restricted by requester IP address can be reached from off campus through it; for the same reason the internal server must remain unreachable from the Internet other than through the tunnel. We are in the process of improving the ease of creating this tunnel. The suggested method for Unix-based client machines is to add the following lines to your .ssh/config file:

Host webproxy
   HostName web.cs.miami.edu
   LocalForward 8080 web.cs.miami.edu:80

then either use the following URL in your browser:
   http://localhost:8080/page-name
or set your browser to proxy http and https to localhost, port 8080.
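
As an added example (not part of the original page), the commands that bring the tunnel up from the configuration above and confirm that the forwarded port listens on the loopback address only. The alias webproxy and port 8080 come from the configuration above; the use of ss and curl is assumed.

```shell
#!/bin/sh
# Added example, not part of the original page: bring up the "webproxy"
# tunnel from the .ssh/config above and confirm the forwarded port is
# reachable only from this machine. The Host alias "webproxy" and port 8080
# come from the config shown above; the use of ss (iproute2) and curl are my
# assumptions.

TUNNEL_PORT="${TUNNEL_PORT:-8080}"

# Read listener lines in "ss -Hltn" format on stdin and return 0 if every
# listener on TUNNEL_PORT is bound to a loopback address, 1 otherwise. A
# LocalForward written as "*:8080" (or GatewayPorts yes in the client
# config) binds all interfaces and turns the tunnel into an unauthenticated
# path into the servers zone for everyone on the local network.
tunnel_bound_to_loopback() {
    awk -v port="$TUNNEL_PORT" '
        {
            addr = $4                       # e.g. 127.0.0.1:8080, [::1]:8080, *:8080
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # some other service, ignore
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]") bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Start the tunnel in the background (-N: no remote command, -f: background
# after authentication), verify the bind address, then fetch a page through
# it. The Host header carries the internal name so name-based virtual hosts
# on web.cs.miami.edu still match.
start_webproxy() {
    ssh -f -N webproxy
    ss -Hltn | tunnel_bound_to_loopback || {
        echo "port $TUNNEL_PORT listens on a non-loopback address; check LocalForward and GatewayPorts" >&2
        return 1
    }
    curl -fsS -H 'Host: web.cs.miami.edu' "http://localhost:$TUNNEL_PORT/" >/dev/null
}
```

Without a bind address, LocalForward binds the local end to loopback, which is what the configuration above relies on; the check exists so that a later edit adding "*:" or GatewayPorts does not go unnoticed.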

Administrative notes

The name www.cs.miami.edu resolves to an IP address in the cs.miami.edu global address block, which is routed towards the public web server by a static translation. The web servers offer HTTP services accessible to the appropriate security levels. Publishing of data from higher-security file systems to lower-security web servers is accomplished using the SMB protocol. It is noted that infected email and web pages are the most direct route to host compromise, and counter-measures are incomplete. The effect is that individual host security cannot be ignored.

History

Burton Rosenberg
Updated: 2 August 2002