Web Access Chain of Events CPTE 212 John Beckett

Upload: scot-daniel

Post on 03-Jan-2016



The Sequence

• Client looks up hostname in DNS
  – DNS returns IP address
• Client sends request to IP address
  – Includes hostname in the request
• Web server software fields request
  – If hostname not known by server to be a multidomain host, passes off to default site
  – If server knows this as a multidomain host, passes off to configured location


Where Are the Web Materials for the Default Site?

Windows
• Default Location: c:\inetpub\wwwroot
• Configure:
  – IIS Manager
  – Expand hostname (nCloud)
  – Sites…Default Web site…Edit Site…Basic Settings

(Ubuntu) Linux/Apache
• Default Location: /var/www/html
• Configure:
  – /etc/apache2/sites-available/000-default.conf
    • DocumentRoot
  – /etc/apache2/apache2.conf
    • <Directory /var/www>


Set your site up to use FTP for updates

Windows (we aren’t doing this)
• Create user for updating
• Build FTP site that is accessible to that user
• Change IIS configuration to use that user’s materials
• Upload into that user’s account

Linux/Apache
• Create user for updating
• Configure FTP to allow updating by users
  – /etc/vsftpd.conf “allow write”
• Configure Apache configuration to use that user’s materials
• Upload into that user’s account


Why Use public_html directory? - The Problem

• If you point the Web server at the user’s main directory (e.g. /home/username), clients can ask the server for any file in that directory structure

• Although good practices will prevent security problems in this case, any slip-up allows an attacker an entry you didn’t need to give them


Why Use public_html directory? - The Solution

• Point the Web Server at a directory within the user’s space
  – Traditionally, we name this public_html but you could choose another name
• The server-side scripts in that directory can then reference files in the parent directory with the notation “../filename”
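
An added example, not part of the original slides: a small Python model of the problem and the solution above. It lists what a client can fetch when the document root is the whole home directory versus public_html, and shows that a client's "../" is refused while a server-side script can still read the parent directory. The directory layout, file names and function names are constructed, and the model deliberately ignores file permissions and server access rules (the "slip-up" case).

```python
import os
import tempfile
from pathlib import Path

# Constructed sample home directory (every file name here is made up).
SAMPLE_FILES = [".ssh/id_rsa", ".bash_history", "db_settings.inc",
                "public_html/index.html", "public_html/report.php"]

def build_sample_home(base):
    """Create the constructed home directory under base and return its path."""
    home = Path(base) / "home" / "username"
    for rel in SAMPLE_FILES:
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample\n")
    return home

def resolve(docroot, url_path):
    """Map a URL path to a file the way a server confines requests:
    normalise the path, then refuse anything outside the document root."""
    root = Path(docroot).resolve()
    candidate = (root / url_path.lstrip("/")).resolve()
    if root not in candidate.parents:
        return None  # "../" climbed out of the document root
    return candidate if candidate.is_file() else None

def servable(docroot):
    """List every URL path a client could fetch from this document root."""
    root = Path(docroot).resolve()
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            url = "/" + (Path(dirpath) / name).relative_to(root).as_posix()
            if resolve(root, url) is not None:
                found.append(url)
    return sorted(found)

def compare():
    """Return (exposed with docroot = home, exposed with docroot = public_html)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp)
        return servable(home), servable(home / "public_html")

if __name__ == "__main__":
    whole_home, public_only = compare()
    print("DocumentRoot = /home/username:            ", whole_home)
    print("DocumentRoot = /home/username/public_html:", public_only)
```

With the document root at public_html, the settings file and key material in the parent directory never appear in the servable list, yet report.php could still open "../db_settings.inc" through the filesystem.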