Virtual Domain Server WWW Server Service Administrator Guidance

Services available with WWW server service

The WWW server service on the virtual domain server (post-x.cc.uec.ac.jp) provided by the Information Technology Center (ITC) lets you publish information simply by creating and uploading WWW content, without any knowledge of the OS or server software. It can be used in the same way as the WWW hosting services offered by Internet service providers.

ITC staff manage the underlying systems, such as the OS of the servers on which the WWW service runs, so WWW administrators do not need to take OS-level security measures. Administrators are, however, responsible for the security of their own CMS and content.

Function overview

This WWW server service has the following functions:

  • Apache 2.4 is running as the WWW server.

  • CGI, PHP, SSI scripts, etc. can be used. There are some restrictions regarding SSI. For more information, please see Regarding SSI .

  • Because the suEXEC and suPHP modules are used, CGI scripts and PHP scripts run with the privileges of your own account rather than those of the WWW server process.

  • Access control using .htaccess files is possible. With the appropriate settings, you can also require visitors to authenticate against a password file that you manage yourself.

    Warning

    There are some restrictions on PHP configuration (directives) in .htaccess files. For more information, please see Regarding the php_flag and php_value directives in the .htaccess file.

  • Database functions provided by MariaDB 10.5 are available.

  • You can check the access log and error log.

  • Files can be uploaded/downloaded using FTP (on-campus) or SFTP (on-campus/off-campus).

  • HTTPS communication is possible using a server certificate created with a key that has no passphrase. For more information, please see HTTPS communication using server certificate.

Limitations

The following restrictions apply to the use of this WWW server service:

  • Maintenance work cannot be performed using FTP from an off-campus network.

  • In order to transfer files using SFTP, you need to configure the SSH public key in advance.

  • It is not possible to log in directly to the virtual domain server with ssh, slogin, or similar commands; only sftp file transfer is accepted.

  • ITC does not back up users’ content (HTML, CGI programs, etc.).

  • Some PHP functions are disabled. For more information, please see Disabled PHP functions .

  • There are restrictions on the use of disks. For more information, please see Regarding disk quotas .

Notes

There are the following Notes when using this WWW server service:

  • If a security incident occurs, the WWW server service in question will be discontinued without prior notice.

  • With Apache 2.4, the syntax used in .htaccess files for access control and similar settings has changed. Content migrated from a server running an older version of Apache may therefore not work as intended on the virtual domain server (see Regarding settings such as access restrictions, etc.).

    For more information, please see the Apache official website etc.

Before using virtual domain server

This section outlines the steps for using the WWW server service on a virtual domain server.

It assumes that a DNS server for your domain is already in operation.

  1. Please download the 「バーチャルドメインサーバ(WWW)利用申請書」 (Virtual Domain Server (WWW) Usage Application Form) from the ITC’s application list page and fill in the necessary information.

  2. Please submit the created usage application form to the Information Technology Center’s business office located on the 4th floor of East Building 3.

  3. If the application is approved, the administrator account and temporary password for FTP transfer will be notified to the email address based on the UEC account of the representative/administrator listed on the application form.

  4. Access the virtual domain server (post-x.cc.uec.ac.jp) with a web browser and change the temporary password promptly (see Changing your FTP account).

  5. Ask the DNS administrator of the domain you applied for to create or change the CNAME (alias) or A record (IP address) for the WWW server.

  6. Upload the content to the virtual domain server using FTP or SFTP.

  7. Please check whether the uploaded content is displayed correctly in your web browser.

  8. If there is an existing WWW server, please stop it.

  9. Please maintain the content regularly.

  10. Please check the logs regularly.

Settings and usage instructions for WWW administrators

Changing your FTP account

The WWW administrator applies for use, and if the application is approved, an account and temporary password for logging into the virtual domain server via FTP will be sent to you.

What the virtual domain server administrators send you is a temporary password. Be sure to change it promptly, following the instructions below. Note that post-1 in the screenshots and post-x.cc.uec.ac.jp in the text should be read as the virtual domain server you actually use (post-4, 5, 6, 7 or 8).

You can change your password from the URL below.

https://post-4.cc.uec.ac.jp/chpasswd.html (On-campus only)

https://post-5.cc.uec.ac.jp/chpasswd.html (On-campus only)

https://post-6.cc.uec.ac.jp/chpasswd.html (On-campus only)

https://post-7.cc.uec.ac.jp/chpasswd.html (On-campus only)

https://post-8.cc.uec.ac.jp/chpasswd.html (On-campus only)

[Screenshot: post-4_2.png]

Enter the “Account Name”, “Old Password”, “New Password”, and “New Password (Confirmation)” here. The “New Password” and “New Password (Confirmation)” must be the same string.

[Screenshot: post-4_3.png]

After entering them, click Send.

Caution

When you click Send, a confirmation dialog is displayed.

Enter your old password in the password field of this dialog.

If the password change succeeds, the following screen is displayed.

If an error is output, please click “Back” on your browser to return to the password change screen and try again.

[Screenshot: post-4_4.png]

Changing the DB account

If you wish to use the DB when applying for WWW service, you will be provided with an FTP account as well as an account and password for connecting to the DB.

Unlike FTP accounts, DB accounts have no web-based password change screen, so administrators change the password with a MariaDB-compatible client (for example the mysql command) from a UNIX shell.

The following shows how to change the DB account password with the mysql command installed on the ITC educational computing server sol.edu.cc.uec.ac.jp. Here the WWW administrator’s UEC account is xa123456, the FTP account is examplewww, and the database is example_db. In the transcript the user name passed to mysql -u is examplewww and the last argument, example_db, is the database name; substitute the DB user name and database you were actually issued. The transcript was recorded on an earlier MariaDB version, so the version banner you see will differ, but the SET PASSWORD statement is unchanged on MariaDB 10.5 and changes the password of the account you are connected as.

Caution

For security reasons, we do not allow connections to the DB from off-campus networks. Therefore, please change your password from the campus network.

login as: xa123456
xa123456@sol.edu.cc.uec.ac.jp's password: (password for xa123456)
Last login: Mon Nov 22 15:00:00 2016 from xxx.yyy.uec.ac.jp

Welcome to sol.cc.uec.ac.jp in ITC2014.

A manual page is available at

  https://www.cc.uec.ac.jp/srv/all/edu/

ITC staff (staff@cc.uec.ac.jp).

[xa123456@sol ~]$ mysql -u examplewww -h post-x.cc.uec.ac.jp -p example_db
Enter password: (password for connecting to the DB)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 31922
Server version: 5.5.50-MariaDB MariaDB Server

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password = password('(new password for the DB account)');
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
[xa123456@sol ~]$ exit
logout
Connection to sol closed.

WWW server service directory structure

When you access the virtual domain server using FTP or SFTP, you can check the following directories. Please arrange the contents appropriately according to the explanations in the table.

Directory name   Explanation                                          Write permission
/                Home directory                                       ×
/.ssh            Location of key files used for SSH (authorized_keys) ○
/cgi-bin         Location of CGI programs                             ○
/dev             ITC management directory                             ×
/html            Location of contents and SSI files                   ○
/logs            Location of log files                                ×
/tmp             Location of temporary files and PHP session files    ○

(○: writable by the WWW administrator, ×: not writable)

Caution

The /tmp directory is prepared for temporary use. Avoid permanently storing large files.

The /dev directory is a directory prepared for the management of the Information Technology Center. Users cannot use it.

Example of logging in using the ftp command

Here is an example of actually using the ftp command from another machine. Here, the account name issued for the WWW server service is examplewww .

[xa123456@sol ~]$ ftp post-x.cc.uec.ac.jp
Connected to post-x.cc.uec.ac.jp (130.153.XX.YY).
220 (vsFTPd 3.0.2)
Name (post-x.cc.uec.ac.jp:xa123456): examplewww
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
227 Entering Passive Mode (130.153.XX.YY,249,16).
150 Here comes the directory listing.
drwxr-xr-x    8 0        0              79 Apr 02 14:45 .
drwxr-xr-x    8 0        0              79 Apr 02 14:45 ..
drwx------    2 10XXX    10XXX           6 Feb 17  2015 .ssh
drwxr-xr-x    2 10XXX    10XXX          79 Apr 24 16:11 cgi-bin
drwxr-x---    2 0        10XXX          17 Jun 20 11:22 dev
drwxr-xr-x    5 10XXX    10XXX         288 Jun 20 14:58 html
drwxr-x---    2 0        10XXX        8192 Jun 20 04:11 logs
drwxr-x---    2 10XXX    10XXX          68 Apr 05 15:10 tmp
226 Directory send OK.
ftp> pwd
257 "/"
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> bye
221 Goodbye.
[xa123456@sol ~]$

Caution

As the example above shows, cd .. does not leave the home directory: the FTP session is confined to it. If your CGI programs need the absolute path of a directory on the virtual domain server, please see Regarding absolute paths.

Uploading/Downloading files using ftp commands

By using the ftp command, you can upload WWW content that exists on your local machine to the virtual server. You can also download logs and temporary files on the virtual server.

With the appropriate settings, the automatic upload function built into WWW content authoring programs should also be usable.

Caution

The virtual domain server’s FTP service supports both active and passive modes. However, because of firewall settings, the Center cannot answer inquiries about passive mode.

If FTP communication fails in passive mode, try active mode. Note that most current FTP clients (e.g. FFFTP and the macOS ftp command) enable passive mode by default.

Notes on CGI, PHP scripts, etc.

Virtual domain servers can run CGI scripts written in the languages installed on Ubuntu.

The following interpreters are available for CGI scripts. Refer to this table when writing scripts and their shebang lines.

Interpreter   Version   Absolute path
Python        3.10      /usr/bin/python3
Perl          5.34      /usr/bin/perl
bash          5.1       /bin/bash
PHP           8.3       /usr/bin/php

Also, if you set PATH to /usr/bin:/bin in your script, you can use the commands provided by Ubuntu.

PHP scripts are executed by the server’s own PHP handler, so no shebang line is needed; simply give the file the extension .php.

Caution

If you want to use a compiled binary as a CGI program, compile it on your own machine and upload the binary. Binaries compiled for the same Ubuntu environment will run.

However, please take sufficient security measures for the binaries you create. The Center may not be able to answer inquiries about binaries prepared in-house. Please note.

Also note that when the WWW server executes CGI programs or PHP scripts, they run with your own user ID and group ID, so the files they read and write only need to be accessible to your user. When the WWW server delivers static content such as HTML files, however, it runs as the apache user and group, so those files must be readable by other users. Be careful with permissions.
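The permission model described above (your CGI/PHP run as your own account via suEXEC/suPHP, while static files and .ht* files are read by the apache user) is easy to get wrong when content is prepared on Windows or macOS. The script below is an added example written for this page, not part of the ITC documentation or the service itself: run it against a local copy of your site laid out like the server's home directory (html/, cgi-bin/) before uploading, and it reports files that will fail with 403 (not readable by apache), CGI programs without the execute bit, .htpasswd files that Apache itself cannot read, world-writable entries, and DB-credential or key files that other accounts on the shared server could read; it also counts files plus directories against the i-node quota given later on this page. The list of "secret" file names is my assumption, and because an FTP or SFTP transfer may not preserve local modes, confirm the result on the server afterwards with ls -l in your ftp/sftp session.

```shell
#!/bin/sh
# Added example (not from the ITC page): pre-upload permission audit for a site
# tree laid out like the virtual domain server home (html/, cgi-bin/, tmp/).
# Rules follow the page's model: CGI/PHP run as the site user via suEXEC/suPHP,
# static files and .ht* files are read by the apache user, and the server is
# shared with other accounts.  The list of "secret" file names is an assumption.
#
# Usage:  sh audit_site.sh /path/to/local/site
# Output: one finding per line, "<CODE> <path>", then an INODES summary line.

audit_site() {
  site=${1%/}
  # 1. On a shared server nothing may be writable by other accounts (suEXEC
  #    also refuses to run CGI from a world-writable directory).
  find "$site" -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
  # 2. Apache serves static content as the apache user: directories under
  #    html/ need o+x and static files need o+r, or the request ends in 403.
  #    .php files are excluded because suPHP reads them as you.
  find "$site/html" -type d ! -perm -001 -print | sed 's/^/NOT_WORLD_TRAVERSABLE /'
  find "$site/html" -type f ! -perm -004 ! -name '.ht*' ! -name '*.php' -print \
    | sed 's/^/NOT_WORLD_READABLE /'
  # 3. .htaccess/.htpasswd are read by Apache itself, not by your CGI, so an
  #    over-tight 600 on them breaks access control instead of protecting it.
  find "$site" -type f -name '.ht*' ! -perm -004 -print | sed 's/^/APACHE_CANNOT_READ /'
  # 4. suEXEC runs CGI programs as you: they need the owner execute bit.
  find "$site/cgi-bin" -type f ! -perm -100 -print | sed 's/^/CGI_NOT_EXECUTABLE /'
  # 5. Files that only your own PHP/CGI read (DB credentials, private keys)
  #    can and should be 600: suPHP/suEXEC open them as you, not as apache.
  find "$site" -type f \( -name 'wp-config.php' -o -name 'config.php' \
      -o -name '*.inc' -o -name '*.key' -o -name '*.pem' \) -perm -004 -print \
    | sed 's/^/SECRET_READABLE_BY_OTHERS /'
  # 6. The i-node quota counts files and directories together.
  echo "INODES $(count_inodes "$site") (soft quota 90000, hard 100000)"
}

# Number of files plus directories in a tree (what the i-node quota counts).
count_inodes() {
  find "$1" | wc -l | tr -d ' '
}

# Audit the directory given as the first argument; only defines functions otherwise.
if [ $# -gt 0 ]; then
  audit_site "$1"
fi
```

Fix findings with chmod before uploading (644 for static files, 755 for directories and CGI programs, 600 for files only your scripts read), then verify with ls -l on the server: if the transfer reset the modes, set them again through your client's chmod command.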

If you need to link your site to a database, consult the virtual domain server staff. MariaDB (MySQL) runs on the virtual domain server (post-x.cc.uec.ac.jp). Note that access to the database is permitted only from on campus. Also, do not use the database for any purpose other than linking with the WWW server.

Notes on virtual domain server WWW server service

Notes on logs

The virtual domain server (post-x.cc.uec.ac.jp) provides the following log files to users. These log files are rotated periodically, and old log files are deleted automatically. Please take your own backups of them regularly.

File name        Explanation                      Timing of recording   Rotation interval   Generations kept
access_log       HTTP communication access log    Real time             Daily               500
error_log        HTTP communication error log     Real time             Daily               500
ssl_access_log   HTTPS communication access log   Real time             Daily               500
ssl_error_log    HTTPS communication error log    Real time             Daily               500
ftp.log          Operation log related to FTP     Once a day            Weekly              90
sftp.log         Operation log related to SFTP    Real time             Weekly              90

Note

Because of how FTP logging is implemented, ftp.log cannot record file operations in real time; it is updated once a day. Please understand.

The log retention period and rotation interval were changed on June 20, 2019. Please note.

About log text format

The log file is a UNIX format text file. Due to the line feed code used at the end of a line, it may be difficult to read it as is on some operating systems such as Windows. When reading logs, please use an application that converts line feed codes, or an editor that can handle UNIX-format text files as is.

Regarding settings such as access restrictions, etc.

If you want to restrict access, place an .htaccess file in the directory whose access you want to restrict. If you want password protection, create the password file on your local host (for example with the htpasswd tool), transfer it to the virtual domain server, and refer to it from .htaccess by its absolute path on the server (see Regarding absolute paths). Be careful with the permissions of the password file: it is read by the Apache process, not by your own account, so it must be readable by Apache, while its name should start with .ht so that the server refuses to deliver it over HTTP (see Files for which access is prohibited).

Also, as noted in Notes, the directives written in .htaccess have changed since Apache 2.4. Please check this in books, on the Internet, etc.

For details on other available directives, please contact us; we verify them individually.
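To make the Apache 2.4 change concrete, here is an added example (my own script, not from the ITC page) that rewrites the Apache 2.2 access-control directives of an .htaccess file (Order, Allow from, Deny from, Satisfy) into 2.4 Require directives while keeping the 2.2 meaning. The trap it guards against: under 2.2 the default Satisfy All meant "password AND network", but in 2.4 several Require lines in a row mean "any of", so a naive one-to-one rewrite lets on-campus clients bypass the password. The script therefore wraps authentication Requires and the host/IP rules in <RequireAll> unless Satisfy Any was present, and it honours the 2.2 evaluation order (with the default Order deny,allow, a bare Allow list did not restrict anyone). Deny from a specific host has no one-line 2.4 form and is left as a REVIEW comment. The sample .htaccess, the campus range 130.153.0.0/16 and the AuthUserFile path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ITC page): convert Apache 2.2 access-control
# directives in an .htaccess file to Apache 2.4 "Require" syntax while keeping
# the 2.2 meaning.  Reads the old file on stdin, writes the new one on stdout.
#
#   Usage: htaccess_22_to_24 < html/.htaccess > html/.htaccess.new
#
# Handled per scope (top level and each <Files>/<Limit>/... container):
#   Order / Allow from / Deny from all / Allow from all  -> Require ip|host|all
#   Require (auth) + host rules, Satisfy All (2.2 default) -> <RequireAll>
#   Satisfy Any                                           -> plain Require list
#   Deny from <specific host>                             -> "# REVIEW" comment
htaccess_22_to_24() {
  awk '
  function emit_scope(   i, j, n, a, kw, l) {
    for (i = 1; i <= nbuf; i++) {
      l = buf[i]; sub(/^[ \t]+/, "", l); n = split(l, a, /[ \t]+/); kw = tolower(a[1])
      if (kw == "order") {
        order = tolower(a[2])                    # allow,deny or deny,allow
      } else if (kw == "satisfy") {
        any = (tolower(a[2]) == "any")
      } else if (kw == "require") {
        auth[++nauth] = l                        # Require valid-user / user / group
      } else if ((kw == "allow" || kw == "deny") && tolower(a[2]) == "from") {
        seen = 1
        if (tolower(a[3]) == "all") {
          if (kw == "allow") grant_all = 1; else deny_all = 1
        } else if (kw == "allow") {
          for (j = 3; j <= n; j++)
            host[++nhost] = (a[j] ~ /^[0-9.]+(\/[0-9.]+)?$/ || a[j] ~ /:/) ? ("Require ip " a[j]) : ("Require host " a[j])
        } else {
          print "# REVIEW: no one-line 2.4 form for: " l
        }
      } else {
        print buf[i]                             # AuthType, AuthName, AuthUserFile, ...
      }
    }
    # Resolve the 2.2 evaluation order into a single 2.4 host/IP policy.
    if (seen) {
      if (order == "allow,deny") {               # denied unless an Allow matches (and no Deny)
        if (deny_all || (nhost == 0 && !grant_all)) { nhost = 0; host[++nhost] = "Require all denied" }
        else if (nhost == 0) { host[++nhost] = "Require all granted" }
      } else {                                   # deny,allow (2.2 default): allowed unless a Deny matches
        if (grant_all || !deny_all) {
          if (nhost > 0) print "# NOTE: 2.2 evaluated this as Order deny,allow, so the Allow lines did not restrict access"
          nhost = 0; host[++nhost] = "Require all granted"
        } else if (nhost == 0) { host[++nhost] = "Require all denied" }
      }
    }
    if (nauth > 0 && nhost > 0 && !any) {        # Satisfy All: password AND network must both pass
      print "<RequireAll>"
      for (i = 1; i <= nauth; i++) print "  " auth[i]
      print "  <RequireAny>"
      for (i = 1; i <= nhost; i++) print "    " host[i]
      print "  </RequireAny>"
      print "</RequireAll>"
    } else {                                     # Satisfy Any, or only one kind: 2.4 default is "any of"
      for (i = 1; i <= nauth; i++) print auth[i]
      for (i = 1; i <= nhost; i++) print host[i]
    }
    nbuf = 0; nauth = 0; nhost = 0; any = 0; seen = 0; grant_all = 0; deny_all = 0; order = "deny,allow"
  }
  BEGIN { order = "deny,allow" }
  /^[ \t]*<\/?[A-Za-z]/ { emit_scope(); print; next }     # container start/end closes a scope
  { buf[++nbuf] = $0 }
  END { emit_scope() }
  '
}

# Constructed sample (not from the ITC page): a 2.2-era .htaccess protecting a
# staff area by password AND campus network, plus a blocked wp-login.php.
SAMPLE_22='AuthType Basic
AuthName "Staff only"
AuthUserFile /var/www/www.test.cc.uec.ac.jp/html/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 130.153.0.0/16 uec.ac.jp
<Files "wp-login.php">
  Order allow,deny
  Deny from all
</Files>'

printf '%s\n' "$SAMPLE_22" | htaccess_22_to_24
```

Review the output before replacing the original, in particular every REVIEW and NOTE comment: the script reproduces what 2.2 actually did, which is not always what the author of the old file intended. Require host matches the end of the client's host name (uec.ac.jp covers all campus hosts), and a RequireAll block does not open the files to the other accounts on the server; that is still decided by file permissions.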

Regarding handling of user directories

Because this WWW server service cannot have users other than the administrator of each WWW server service, the UserDir directive of Apache’s mod_userdir module is disabled.

However, the AliasMatch directive of the mod_alias module can be used to map URLs containing a tilde so that user directories appear to be published. If you wish to use this, please contact the virtual domain server staff.

For example, by creating a subdirectory named after each user under /html/user, placing that user’s HTML files there, and having AliasMatch set up, a request for http://www.example.uec.ac.jp/~XXXXX/ will serve the contents of /html/user/XXXXX/.

This function should make it easier to migrate an existing public WWW server to a virtual domain server. Please consider using this WWW server service.

An AliasMatch directive can also be added to a WWW server service that is already in operation. Please contact us if you would like to use it.

File transfer using public key authentication

By using SSH, the sftp command can be used from both inside and outside the university. Place a public key in the format OpenSSH reads (one key per line: key type, base64 key, optional comment) in the .ssh directory under the file name authorized_keys (no extension). You cannot log in with sftp until a public key has been set. For more information, please see the link below.

File transfer to the virtual domain server using public key authentication
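As an added example (mine, not the ITC page's), the script below covers the two places this procedure usually fails: the authorized_keys file is not in OpenSSH's one-line format (PuTTYgen's "Save public key" writes an RFC 4716 block, and people occasionally upload the private key or the .ppk file by mistake), and the modes of .ssh and authorized_keys, which sshd requires to be closed to other users. check_authorized_keys inspects a candidate file before you upload it; make_key and upload_key wrap the ssh-keygen and ftp invocations and are not run automatically. The account examplewww, the host post-x.cc.uec.ac.jp, the key file names and the use of the FTP SITE CHMOD command on the server are assumptions.

```shell
#!/bin/sh
# Added example (not from the ITC page): prepare and validate the public key
# for SFTP access to the virtual domain server.  Assumptions: account name
# examplewww, host post-x.cc.uec.ac.jp, key pair stored as ~/.ssh/vds_examplewww.

# 1. Generate the key pair on YOUR machine.  ssh-keygen asks for a passphrase;
#    use one, since the private key never leaves this machine.
make_key() {
  ssh-keygen -t ed25519 -C "examplewww@post-x.cc.uec.ac.jp" -f "$HOME/.ssh/vds_examplewww"
}

# 2. Validate a candidate authorized_keys file: every non-comment line must be
#    "<type> <base64> [comment]", optionally preceded by options such as from=.
#    Exit status 0 only if at least one key line is valid and nothing is wrong.
check_authorized_keys() {
  ok=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
      '---- BEGIN SSH2 PUBLIC KEY ----'*)
        echo "ERROR: RFC 4716 block (PuTTYgen 'Save public key'); copy the single line shown in the PuTTYgen window instead"
        bad=$((bad + 1)); continue ;;
      *'PRIVATE KEY'*|'PuTTY-User-Key-File'*)
        echo "ERROR: this is a PRIVATE key or .ppk file: never upload it; treat it as compromised and generate a new pair"
        bad=$((bad + 1)); continue ;;
    esac
    if printf '%s\n' "$line" | grep -Eq \
        '^([^ ]+ )?(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*( [^ ].*)?$'; then
      ok=$((ok + 1))
    else
      echo "ERROR: not an OpenSSH public key line: ${line%% *} ..."
      bad=$((bad + 1))
    fi
  done < "$1"
  echo "$ok valid key line(s), $bad problem(s)"
  [ "$bad" -eq 0 ] && [ "$ok" -gt 0 ]
}

# 3. Upload the public key once over FTP (password login, on campus), then
#    close the modes: sshd ignores authorized_keys if .ssh or the file is
#    writable by others.  SITE CHMOD support on the server is an assumption.
upload_key() {
  ftp -n post-x.cc.uec.ac.jp <<'EOF'
user examplewww
cd .ssh
put vds_examplewww.pub authorized_keys
quote SITE CHMOD 600 authorized_keys
bye
EOF
}
```

A typical session is check_authorized_keys ~/.ssh/vds_examplewww.pub, then upload_key, then sftp -i ~/.ssh/vds_examplewww examplewww@post-x.cc.uec.ac.jp; if the server still asks for a password, the key line format or the modes are the first things to recheck.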

HTTPS communication using server certificate

By creating a server certificate with OpenSSL using a key that has no passphrase, each WWW server service can have its own HTTPS communication. Prepare the following three files:

  • Server certificate

  • Intermediate certificate

  • Key file (without a passphrase)

If you wish to use this, place the files on UEC Disk 2 with restricted access (for example, via a ticket link) and contact support@cc.uec.ac.jp.

Note

Additionally, the Information Technology Center provides a service to issue server certificates that can be used in the uec.ac.jp domain through the National Institute of Informatics’ UPKI electronic certificate issuance service. Please see the link below for details.

UPKI Server Certificate Issuance Service

For how to create a server certificate, please refer to books and information on the Internet.
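The three files listed above are produced with OpenSSL as follows; this is an added example (mine, not from the ITC page or the UPKI service), and the host name www.test.cc.uec.ac.jp and the file names are placeholders. The point the page insists on, a key without a passphrase, is the -nodes option: Apache on the virtual domain server has to open the key unattended, so nobody can type a passphrase for it. That also means the key file is plaintext, so keep it mode 600, send it only through the restricted UEC Disk 2 link the page describes, and delete local copies you no longer need. key_is_unencrypted checks the file before you send it; check_certificate confirms that the certificate you get back matches the key and chains through the intermediate.

```shell
#!/bin/sh
# Added example (not from the ITC page): create the key and CSR for a server
# certificate, verify that the key has NO passphrase (as the service requires),
# and check the returned certificate against the key and the intermediate.
# Placeholders: www.test.cc.uec.ac.jp, server.key/csr/crt, intermediate.crt.

# 1. 2048-bit RSA key and CSR.  -nodes ("no DES") writes the key unencrypted;
#    without it OpenSSL asks for a passphrase that the server could never supply.
make_key_and_csr() {
  host=$1
  umask 077                          # the key file is created mode 600 from the start
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr \
    -subj "/C=JP/O=The University of Electro-Communications/CN=$host"
}

# 2. Exit 0 if a PEM private key carries no passphrase.  OpenSSL marks encrypted
#    keys either as "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or with a
#    "Proc-Type: 4,ENCRYPTED" header (legacy "BEGIN RSA PRIVATE KEY" form).
key_is_unencrypted() {
  grep -q 'ENCRYPTED' "$1" && return 1
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# 3. After the certificate arrives: the public key inside server.crt must equal
#    the one derived from server.key, and server.crt must chain via intermediate.crt.
check_certificate() {
  a=$(openssl x509 -in server.crt -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in server.key -pubout | openssl sha256)
  [ "$a" = "$b" ] || { echo "server.crt does not match server.key"; return 1; }
  openssl verify -untrusted intermediate.crt server.crt
}
```

Typical use: make_key_and_csr www.test.cc.uec.ac.jp, submit server.csr to the issuer (the UPKI service above, for uec.ac.jp names), run key_is_unencrypted server.key before handing the key over, and run check_certificate once the certificate and intermediate are back. If you already have a key with a passphrase, openssl pkey -in old.key -out server.key writes an unencrypted copy after prompting for the passphrase.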

Regarding the 403,404 error in the top directory

Because the virtual domain server (post-x.cc.uec.ac.jp) is a shared server, there is a risk that files could be accessed unintentionally as a result of operational mistakes in the content of other web servers hosted on the same machine. As a safeguard against this, the read permission for other users has been removed from the /html and /cgi-bin directories.

The Apache process that provides the WWW service runs under a different user account from the virtual domain server user, so while it can still open the files in those directories, it cannot list the directories themselves. Consequently, when a page that does not exist directly under the top directory is requested (http://www.xxx.uec.ac.jp/no_exist.html), Apache’s MultiViews content negotiation tries to read the directory to look for alternative files, fails, and returns 403 Forbidden instead of the 404 Not Found that would normally be returned.

There are two ways to resolve this. Note that the phenomenon only occurs for the top level of /html and /cgi-bin.

  • Disable Apache’s MultiViews function for the top directory (the Options -MultiViews directive in an .htaccess file in /html, provided the Options override is permitted; confirm with the staff).

    Caution

    If you use this method, the MultiViews function will also be disabled in lower directories. please note.

  • If you need to change the permissions for the top directory to allow read attributes for other users, please contact the virtual domain server staff.

Files for which access is prohibited

For security reasons, access to pages with any of the following file names is restricted in some way. Please be careful.

Please note that these conditions may be added at any time.

  • Files whose access is restricted regardless of on-campus or off-campus networks

    1. File names starting with .ht

    2. File names ending with one of the extensions .old, .bk, .bak, .org, .orig, .tmp, .temp, .swp

    Caution

    A file name such as test.old.html is still accessible, because the restricted extension is not at the end of the name. Please note.

    Extensions are restricted regardless of case. File names ending with .OLD or .Bak, for example, are therefore also subject to the restriction.

    3. File names ending with a half-width tilde (~)

    4. File names ending with a half-width hyphen (-)

    5. The following files

    • .DS_Store

    • dwsync.xml

    • php.ini

  • Files whose access is restricted from off-campus networks

    1. The file name xmlrpc.php

    Caution

    This restriction may cause problems with some WordPress plugins. If you need it removed, please contact the virtual domain server staff.

    2. The file name web.config
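Because the server's restrictions above only turn such requests into 403 responses, the access log still records who asked for them, and that is the useful signal behind the "check the logs regularly" advice earlier on this page. The script below is an added example (mine, not the ITC page's) that reads an access_log or ssl_access_log in Apache's combined format and reports every request for a restricted file name, whether the server answered 403 as expected or 200 (which would mean a copy of the file is actually being served under a name the rule does not catch), plus any client that collected many 403/404 responses in the file. The sample log lines are constructed, and 130.153.0.0/16 is assumed to be the on-campus range, which the page does not state.

```shell
#!/bin/sh
# Added example (not from the ITC page): scan access_log / ssl_access_log
# (Apache combined format) for requests that hit the page's restricted-file
# rules and for clients that look like scanners.
#   Usage: scan_access_log logs/access_log [threshold]
# Assumption: 130.153.0.0/16 is the campus network (only the server's own
# address is known from the page); change CAMPUS_PREFIX if that is wrong.
CAMPUS_PREFIX="130.153."

scan_access_log() {
  awk -v campus="$CAMPUS_PREFIX" -v threshold="${2:-20}" '
  function basename(p,   n, a) { n = split(p, a, "/"); return a[n] }
  # Mirror of the restriction list on the page; returns "" if the name is allowed.
  function restricted(path, ip,   b, lb) {
    b = basename(path); lb = tolower(b)
    if (b ~ /^\.ht/)                                            return "dotht"
    if (lb ~ /\.(old|bk|bak|org|orig|tmp|temp|swp)$/)           return "backup-ext"
    if (b ~ /[~-]$/)                                            return "editor-suffix"
    if (b == ".DS_Store" || b == "dwsync.xml" || b == "php.ini") return "tool-file"
    if ((b == "xmlrpc.php" || b == "web.config") && index(ip, campus) != 1) return "offcampus-only"
    return ""
  }
  {
    ip = $1; path = $7; status = $9
    sub(/\?.*/, "", path)                        # drop the query string
    why = restricted(path, ip)
    if (why != "" && status == 200) print "SERVED", ip, why, path, status   # rule did not fire: check that file
    else if (why != "")             print "PROBE", ip, why, path, status
    if (status == 403 || status == 404) errs[ip]++
  }
  END {
    for (ip in errs) if (errs[ip] >= threshold)
      print "SCANNER", ip, errs[ip] " client errors (403/404)"
  }' "$1"
}

# Constructed sample log (not real traffic): an off-campus client probing for
# leftovers, an on-campus WordPress using xmlrpc.php, and ordinary visitors.
SAMPLE_LOG='203.0.113.7 - - [12/Jun/2024:10:00:01 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2024:10:00:02 +0900] "GET /wp-config.php.bak HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2024:10:00:02 +0900] "GET /.htpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2024:10:00:03 +0900] "GET /backup.sql HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2024:10:00:03 +0900] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
130.153.10.20 - - [12/Jun/2024:10:05:00 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.5"
130.153.10.20 - - [12/Jun/2024:10:05:01 +0900] "GET /notes.txt~ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2024:10:07:00 +0900] "GET /img/logo.png?v=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"'

# Demo run on the constructed sample when executed without arguments.
if [ $# -eq 0 ]; then
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  scan_access_log "$tmp" 3
  rm -f "$tmp"
fi
```

On the sample this prints four PROBE lines for the off-campus client and the stray editor backup on campus, no line for the on-campus xmlrpc.php call (allowed by the page's rule), and a SCANNER line for 203.0.113.7. Logs are rotated daily and deleted after 500 generations, so run this over the downloaded copies you keep as backups; a SERVED line is the one that deserves immediate attention.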

Where to save PHP session files

If you create a script to create a session using PHP, a file starting with sess_ will be created in the /tmp directory each time the session is started.

Regarding the php_flag and php_value directives in the .htaccess file

PHP on this WWW server service is invoked in CGI mode. The php_flag and php_value directives are only understood by mod_php, so in CGI mode settings made with them in .htaccess files are not applied; worse, because Apache does not recognise the directives, their presence causes a ‘500 Internal Server Error’ for every request to that directory.

If you wish to change PHP settings, create a .user.ini file directly under the directory in question and put the settings there (they also apply to its subdirectories). Please refer to the following for the .user.ini file.

PHP: .user.ini files - Manual

Regarding SSI

This WWW server service allows the use of SSI (Server Side Includes), with the following restrictions.

  1. Use the extension .shtml.

  2. Place the file under the /html directory.

Caution

An SSI file placed in the /cgi-bin directory will not work.

  3. The cmd attribute of the exec element is limited.

Note

<!--#exec cmd="/bin/ls" -->, the example usually given in introductions to SSI, does not work, because the script cannot reach the /bin directory where the ls command is located. The same applies when a relative path (../../bin/ls) is used.

Regarding absolute paths

If absolute path information is required for the operation of CGI, etc., please refer to the following. Here, the WWW server is www.test.cc.uec.ac.jp .

Directory name   Absolute path
/html            /var/www/www.test.cc.uec.ac.jp/html
/cgi-bin         /var/www/www.test.cc.uec.ac.jp/cgi-bin
/tmp             /var/www/www.test.cc.uec.ac.jp/tmp

Note

Do the same for other directories .

Disabled PHP functions

On the virtual domain server (post-x.cc.uec.ac.jp), the following PHP functions are disabled for security reasons. If you need to use any of them, please contact the virtual domain server staff.

  • system

  • exec

  • shell_exec

  • phpinfo

  • passthru

  • proc_open

  • popen

  • proc_get_status

  • chgrp

  • chown

  • chroot

Note

Note that the list of disabled functions may be extended or reduced at any time. Please be aware.

Regarding disk quotas

Because the virtual domain server (post-x.cc.uec.ac.jp) is a shared server, the following limits are placed on the disk capacity and the number of i-nodes available to each website.

Object              Quota type   Upper limit
Disk capacity       Soft         9.0 GB
                    Hard         10.0 GB
Number of i-nodes   Soft         90,000
                    Hard         100,000

Caution

If you exceed the soft limit, the grace period is 7 days for both disk space and the number of i-nodes. Please note.

Put simply, the i-node quota is a limit on the total number of files and directories you can place on the virtual domain server (post-x.cc.uec.ac.jp).

  • About disk space quotas

    If you temporarily need to exceed the above disk capacity for operational purposes, please contact the Virtual Domain Server staff, stating the reason, the required capacity, and the period for which you would like the limit to be relaxed. We will temporarily relax the disk quota after carefully examining the application details.

    Depending on the server’s operating status at the time, a disk space quota relaxation may not be granted as requested. In addition, the relaxation conditions may be changed after approval. Please be aware.

  • About i-node quotas

With recent CMSs, the i-node limit above may be reached depending on how the site is operated and its scale. In that case the upper limit can be raised without a fixed expiry, so please contact the virtual domain server staff.

Regarding clickjacking measures

To prevent clickjacking, the virtual domain server is configured so that only content from the same domain may be displayed in a frame. This can cause problems if you try to display content from other websites using frames.

If you need to display content from other websites in frames, please contact the staff and we will remove the restriction.

For more information about clickjacking, please refer to information on the Internet.