Provision of secure web service for user data

Project ID: 301
Current stage: 
Manager: 
What: 

We have a considerable amount of user web content (homepages is one obvious example) mounted on our web servers via NFS and AMD. This project would provide a more secure alternative using a separate web server with AFS filespace for sensitive data.

Why: 

Customer: School

Case statement: NFS mounted web space has many security disadvantages, as well as being only accessible from within the School. AFS, with proper safeguards, would allow both file access and web access in a secure and controlled manner.

When: 

Status: proposal

Priority: medium

Time: 1 week

How: 

Proposal:
To provide secure, on-request, user web space

Resources:
Sufficient AFS space to contain the content
Knowledge of AFS and Apache/waklog

Plan/Issues:


  • Install basic test web server
  • Add support for authentication (CoSign & Kerberos) & waklog
  • Confirm ID naming scheme
  • Create AFS/Kerberos IDs for web server & users
  • Generate & store appropriate keytabs
  • Configure appropriate ACLs for filesystem access via command-line & browser
  • Generate volumes
  • Confirm file structure & naming scheme and configure volume mount-points
  • Rebuild suEXEC
  • Configure CGI execution environment

(also see earlier AFS Web Server Plan/Issues Document)

Other: 

Dependencies:
This project requires a working version of waklog for our web servers.
This project relates to, and will have an impact on, the "Move user and group web space to AFS" project.


Risks:


  • AFS performance could be affected - possibly by significant web traffic to/from the servers. Any such degradation could, perhaps, be reduced by separate storage/servers for web areas.
  • Using AFS makes web data potentially available from any location (via browser or filesystem), thus increasing security concerns.
  • Future dependency on waklog. Note that the future of mod_waklog is uncertain - any reliance we place on it may mean that we might have to become involved in supporting it - either locally or publicly.

Milestones

Proposed date Achieved date Name Description