Web Page Security

How do I use TLS (SSL) to protect my site?

Panix offers two different routes to using TLS for your site. Both require obtaining a certificate from a certificate authority (CA).

For the more traditional route, you will need to log in to config.panix.com/order/ssl_cert. It is very important that you follow the instructions at the top of the form before submitting, so we will be able to validate control of the domain. TLS service itself is free of charge, but there is a $25 fee per certificate installation or renewal, as well as the cost of the certificate itself. Certificates are typically available for a 1 year lifetime.

The second route is to obtain a certificate from Letsencrypt using the ACME protocol. Letsencrypt is a certificate authority which issues TLS certificates free of charge. These certificates have a maximum lifetime of 90 days. Panix follows the recommendation to renew these certificates after 60 days. There is no installation or renewal fee, and the process is entirely automated. In order to obtain this type of certificate, there are certain prerequisites:


To set up TLS with a Letsencrypt certificate, log in to config.panix.com/web/ssl, select the web service (if necessary), and submit the form.

How do I redirect traffic from HTTP to HTTPS?

If you are using the web form to install a Letsencrypt certificate, there is a box to check if you wish to redirect HTTP to HTTPS automatically. That redirect is done in the server configuration rather than in your own files, so you would need staff intervention to undo it.

Otherwise, you can do this in an .htaccess file in your document root. There are two approaches which will work from there: redirects, and URL rewriting.

Redirects are the simplest solution. For example,

<If "%{SERVER_PORT} != 443">
  Redirect / https://www.<yourdomain>/
</If>
will redirect any HTTP request to the same URI at https://www.<yourdomain>/ (Redirect / keeps the rest of the path, so /docs/index.html becomes https://www.<yourdomain>/docs/index.html). Replace <yourdomain> with your own domain. Once you're sure things are working as expected, you can change Redirect to RedirectPermanent; be sure first, because browsers cache a permanent (301) redirect and keep following it even after you change the rule.

If you need more flexibility, you can use URL rewriting to do the job. The following example will redirect to HTTPS while preserving the request hostname (e.g. the bare domain vs. the www. form), the path and the query string:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

Once things are working as expected, you can change the response code in the brackets from 302 (temporary) to 301 (permanent); the L flag stops further rewriting once the redirect has been issued. Note that %{HTTP_HOST} is whatever Host header the client sent, so if the server answers requests for a bogus hostname this rule reflects that hostname into the Location header. If that matters to you, the Redirect form above, which names the destination host explicitly, is the safer choice.
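The mistakes that slip through most often with either rule set are a Location that is still http://, a Location pointing at a host that is not your site (the %{HTTP_HOST} variant echoes whatever Host header arrived), and a dropped path or query string. The following checker is an added example written for this FAQ, not a Panix tool or configuration; the hostnames, sample responses and the live_check helper are this example's own constructions.

```python
"""Sanity-check an HTTP -> HTTPS redirect response.

Added example for this FAQ; not part of Panix's configuration. The sample
responses below are constructed, not captured from any real server.
"""
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)


def check_redirect(req_host, req_path, req_query, status, headers):
    """Return a list of problems with the answer to http://req_host/req_path?req_query.

    An empty list means the redirect looks right. `headers` maps response
    header names to values; the lookup is case-insensitive.
    """
    problems = []
    if status not in REDIRECT_CODES:
        return [f"status {status} is not a redirect; the HTTP request was served directly"]
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return ["redirect status without a Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location {location!r} does not use https")
    # Accept the bare domain and its www. form; anything else means the Host
    # header (or a typo in the rule) is being reflected into the redirect.
    host = req_host.lower()
    bare = host[4:] if host.startswith("www.") else host
    if (target.hostname or "") not in {bare, "www." + bare}:
        problems.append(f"Location host {target.hostname!r} is not {bare!r} (Host header reflection?)")
    if target.path != req_path:
        problems.append(f"path changed from {req_path!r} to {target.path!r}")
    if target.query != req_query:
        problems.append(f"query string changed from {req_query!r} to {target.query!r}")
    return problems


def live_check(host, path="/", spoofed_host=None, timeout=10):
    """Send one plain-HTTP request and run check_redirect on the answer.

    spoofed_host, if given, goes into the Host: header instead of `host`;
    a correct rule set should still redirect to the real site, not to the
    spoofed name. Needs network access; the sample data below does not.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", path, headers={"Host": spoofed_host or host})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    req_path, _, req_query = path.partition("?")
    return resp.status, headers, check_redirect(host, req_path, req_query, resp.status, headers)


# Constructed responses (not captured from any real server) for the common cases.
SAMPLE_RESPONSES = {
    "good_redirect":  ("www.example.com", "/docs/", "", 301, {"Location": "https://www.example.com/docs/"}),
    "bare_to_www":    ("example.com", "/", "", 302, {"Location": "https://www.example.com/"}),
    "still_http":     ("www.example.com", "/", "", 302, {"Location": "http://www.example.com/"}),
    "reflected_host": ("www.example.com", "/", "", 302, {"Location": "https://evil.example/"}),
    "lost_query":     ("www.example.com", "/s", "q=1", 302, {"Location": "https://www.example.com/s"}),
    "not_redirected": ("www.example.com", "/", "", 200, {"Content-Type": "text/html"}),
}


def run_samples():
    """Evaluate every constructed sample; returns {name: [problems]}."""
    return {name: check_redirect(*args) for name, args in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python check_redirect.py www.yourdomain [/path]
        status, hdrs, problems = live_check(sys.argv[1], *sys.argv[2:3])
        print(status, hdrs.get("Location"), problems or "looks good")
    else:
        for name, problems in run_samples().items():
            print(f"{name:15} {problems or 'ok'}")
```

Run it with no arguments to see the constructed cases evaluated; with a hostname it issues one HEAD request over plain HTTP and reports. To probe Host-header reflection, call live_check(host, "/", spoofed_host="not-your-site.example") and confirm the Location still names your own domain.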

What are file permissions and how do I set them?

Permissions are the way you regulate access to your files. When setting up web pages, the main thing you'll be concerned with is making sure everyone can read a file while nobody but you can overwrite it; on a shared host the web server runs as a different user from you, so "everyone" includes the server itself. There may be some things that you don't want anyone else to have access to at all. To set permissions, you will use the chmod command. There are two ways to use chmod: numeric (octal) or symbolic.

Using the numeric scheme, the chmod command takes three digits, for example 744, one for each class of user. The left digit is for "user" (the file's owner), the middle one for "group" and the right-hand one for "other" (everyone else). Each digit is the sum of read (4), write (2) and execute (1):

0  =  ---  =  no access
1  =  --x  =  execute
2  =  -w-  =  write
3  =  -wx  =  write and execute
4  =  r--  =  read
5  =  r-x  =  read and execute
6  =  rw-  =  read and write
7  =  rwx  =  read write execute (full access)

So, if you set a file to:

chmod 750 foo.html
      ^^^
      ||`-- others have no access
      |`-- group has read and execute access
      `-- user has full access

Now, for directories:

read = list the names of the files in the directory
write = create, rename or delete files in the directory (regardless of the files' own permissions)
execute = enter the directory and access files in it by name (without this the web server cannot serve anything below it)

Using text-based commands, the syntax is:

chmod [ugoa][+-=][rwx] filename
u=user, g=group, o=other, a=all three; + turns on, - turns off and = sets exactly the attributes which follow it: r=read, w=write, x=execute.

For example, typing chmod go+r foo.html turns on the read bits for group and others on file "foo.html". Note that this command does NOT reset the other bits, so any previously set permissions stay as they were: it did not change any permissions for user, and if group already had execute permission, it did not remove it. But if you type chmod go=r foo.html, it will set foo.html to be readable by group and other and turn off any write and execute permissions group and others had.

For the purposes of most websites, chmod 644 * (all files world-readable, writable only by owner) should suffice; chmod a+r * is not quite equivalent, since it only adds read access and leaves any write or execute bits others already have. Subdirectories should be set to 755 or a+rx (which allows files within the directory to be listed and read). Be careful with a bare chmod 644 * in a directory that contains subdirectories: it strips their execute bits too, and the web server can then no longer serve anything inside them, so set files and directories separately.
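An audit of a document root against that policy (files 644, directories 755, nothing writable by group or others, execute bits only on CGI scripts) is easier to trust than a one-shot chmod *. The script below is an added example written for this FAQ, not a Panix tool; the set of extensions it treats as CGI scripts and the constructed demo tree are this example's own assumptions.

```python
"""Audit, and optionally fix, file permissions under a web document root.

Added example for this FAQ; not a Panix tool. Policy: files 644, directories
755, nothing group- or world-writable, execute bits only on CGI scripts. The
extensions counted as scripts are an assumption of this example.
"""
import os
import stat
import tempfile

FILE_MODE = 0o644                 # rw-r--r--  owner writes, the web server (another user) reads
DIR_MODE = 0o755                  # rwxr-xr-x  owner writes, everyone may list and enter
SCRIPT_EXTS = (".cgi", ".pl", ".py", ".sh")   # assumption: only these may keep +x

WORLD_WRITABLE = "world-writable"
GROUP_WRITABLE = "group-writable"
NOT_WORLD_READABLE = "not world-readable"
STRAY_EXEC = "executable bit on a non-script file"


def _entries(root):
    """Yield (relative path, absolute path, lstat) for root and everything below it."""
    yield ".", root, os.lstat(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full, os.lstat(full)


def audit_tree(root):
    """Return [(relative path, 'octal mode', reason)] for every policy violation."""
    findings = []
    for rel, full, st in _entries(root):
        if stat.S_ISLNK(st.st_mode):
            continue                      # judge the target where it lives, not the link
        mode = stat.S_IMODE(st.st_mode)
        is_dir = stat.S_ISDIR(st.st_mode)
        reasons = []
        if mode & 0o002:
            reasons.append(WORLD_WRITABLE)
        if mode & 0o020:
            reasons.append(GROUP_WRITABLE)
        if is_dir and (mode & 0o005) != 0o005:
            reasons.append(NOT_WORLD_READABLE)       # server cannot list or enter it
        if not is_dir and not mode & 0o004:
            reasons.append(NOT_WORLD_READABLE)       # server cannot serve it
        if not is_dir and mode & 0o111 and not rel.endswith(SCRIPT_EXTS):
            reasons.append(STRAY_EXEC)
        findings.extend((rel, f"{mode:03o}", r) for r in reasons)
    return findings


def fix_tree(root):
    """Apply the policy: directories 755, CGI scripts 755, everything else 644.

    Returns the number of entries whose mode was changed.
    """
    changed = 0
    for rel, full, st in _entries(root):
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            want = DIR_MODE
        elif rel.endswith(SCRIPT_EXTS) and mode & 0o111:
            want = 0o755                  # keep CGI executable, but never writable by others
        else:
            want = FILE_MODE
        if mode != want:
            os.chmod(full, want)
            changed += 1
    return changed


def make_demo_tree():
    """Build a constructed document root with typical mistakes; returns its path."""
    root = tempfile.mkdtemp(prefix="htdocs-demo-")
    layout = {                            # relative path -> mode (None means directory)
        "images": None, "cgi-bin": None,
        "index.html": 0o644,              # correct
        "secret.txt": 0o600,              # web server cannot read it
        "upload.php": 0o666,              # anyone on the host can rewrite your code
        "cgi-bin/form.cgi": 0o755,        # correct for a CGI script
        "notes.html": 0o755,              # stray execute bit
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        if mode is None:
            os.mkdir(full)
            os.chmod(full, DIR_MODE)
        else:
            with open(full, "w") as fh:
                fh.write("sample\n")
            os.chmod(full, mode)
    os.chmod(os.path.join(root, "cgi-bin"), 0o777)   # world-writable directory
    os.chmod(root, DIR_MODE)                          # mkdtemp creates it as 700
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, mode, reason in audit_tree(demo):
        print(f"{mode} {rel}: {reason}")
    print(f"fixed {fix_tree(demo)} entries; remaining findings: {audit_tree(demo)}")
```

Run audit_tree on your real document root first and read the findings before calling fix_tree; symbolic links are skipped deliberately, since the permissions that matter are those of the target.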

For more information, run man chmod from a Unix prompt.

How can I control access to my site (or parts of it)?

Your site, or parts of it, may not be intended for the eyes of the general populace. You can limit access to parties with usernames and passwords (provided by you) by using an .htaccess file to turn on HTTP Basic authentication, a simple challenge/response scheme built into the HTTP protocol (.htaccess itself is Apache's per-directory configuration file, not part of HTTP). Basic authentication sends the username and password with every request in a form that is merely base64-encoded, not encrypted, so use it only on pages served over TLS (see above).

You need two files:
.htaccess
.htpasswd

The .htaccess file must be placed in the directory you want protected. It must contain the following:

For a Cheap-web or personal web account:

AuthUserFile /htdocs/userdirs/[$USERNAME]/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

and for a Standard, Advanced, or Developer Web account:

AuthUserFile /htdocs/corp-dirs/[$USERNAME]/[$DOMAIN]/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

The above example places the .htpasswd file in the root directory of your website. You can place it anywhere you choose in your directory structure; Apache's stock configuration refuses to serve files whose names begin with .ht, but keeping the file outside the document root means you do not depend on that rule.

.htpasswd is where you will place the list of authorized usernames and passwords. The format is as follows:

username1:password1
username2:password2
...

Passwords are stored as hashes, not in the clear. Do not create them by hand; use the command htpasswd to create them.
Usage: htpasswd [-c] passwordfile username
(The -c flag creates a new file, overwriting any existing file of that name, so leave it off when adding a second user. With Apache 2.4's htpasswd, -B selects bcrypt instead of the default MD5-based hash.)

Both files must be readable by the web server but writable only by you: chmod 644 .htaccess .htpasswd. Execute bits (as in 755) do nothing useful on these files, and group- or world-write permission would let anyone else on the host add their own login.
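Hand-edited .htpasswd files tend to accumulate plaintext entries, duplicate users and the wrong mode. The checker below is an added example written for this FAQ, not a Panix or Apache tool; its table of hash formats is this example's own reading of what htpasswd(1) writes (bcrypt with -B, the default $apr1$ MD5 scheme, unsalted SHA-1 with -s, crypt with -d, plaintext with -p), and the sample file it builds contains made-up strings that only have the shape of real hashes.

```python
"""Audit an Apache .htpasswd file: hash formats, duplicates and file mode.

Added example for this FAQ, not a Panix or Apache tool. The format table
below is this example's classification of what htpasswd(1) produces.
"""
import os
import re
import stat
import tempfile

# (pattern, name, verdict), checked in order; the first match wins.
FORMATS = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", "ok"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1", "weak: unsalted SHA-1, regenerate with htpasswd -B"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "crypt", "weak: DES crypt truncates passwords to 8 characters"),
]
UNKNOWN = ("plaintext/unknown",
           "not a hash htpasswd produces; Apache on Unix rejects plaintext, regenerate with htpasswd")


def classify(hash_field):
    """Return (format name, verdict) for one password field."""
    for pattern, name, verdict in FORMATS:
        if pattern.match(hash_field):
            return name, verdict
    return UNKNOWN


def audit_htpasswd(path):
    """Return {'entries': [(user, format, verdict)], 'problems': [str]}."""
    entries, problems, seen = [], [], set()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue                      # Apache ignores blank and comment lines
            user, sep, hashed = line.partition(":")
            if not sep or not user:
                problems.append(f"line {lineno}: not of the form user:hash")
                continue
            name, verdict = classify(hashed)
            entries.append((user, name, verdict))
            if verdict != "ok":
                problems.append(f"line {lineno} ({user}): {verdict}")
            if user in seen:
                problems.append(f"line {lineno}: duplicate user {user!r}; Apache uses the first matching line")
            seen.add(user)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o022:
        problems.append(f"mode {mode:03o}: writable by group or others; anyone on the host can add a login")
    if mode & 0o111:
        problems.append(f"mode {mode:03o}: execute bits are meaningless on a password file; use 644")
    if not mode & 0o004:
        problems.append(f"mode {mode:03o}: not world-readable; a web server running as another user cannot read it")
    return {"entries": entries, "problems": problems}


def make_demo_htpasswd():
    """Write a constructed .htpasswd (made-up hash strings, valid in shape only) with mode 755."""
    sample = "\n".join([
        "# constructed sample; the hash values are shaped like real ones but are not real hashes",
        "alice:$apr1$Abcd1234$Rm4Trc3xqVfETHmRCTBAm0",
        "bob:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
        "carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
        "dave:secret-in-the-clear",
        "alice:$apr1$Wxyz9876$0mABTCRmHTEfVqx3crT4mR",
        "",
    ])
    fd, path = tempfile.mkstemp(prefix=".htpasswd-")
    with os.fdopen(fd, "w") as fh:
        fh.write(sample)
    os.chmod(path, 0o755)
    return path


if __name__ == "__main__":
    report = audit_htpasswd(make_demo_htpasswd())
    for user, name, verdict in report["entries"]:
        print(f"{user:8} {name:18} {verdict}")
    for problem in report["problems"]:
        print("!", problem)
```

Point audit_htpasswd at your own file; anything reported as plaintext/unknown was not produced by htpasswd and should be regenerated, and a mode finding is fixed with chmod 644.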

You might also want to customize the response given to an unauthorized access attempt ("401: Unauthorized"). The following line is an example of what you can add to .htaccess:

ErrorDocument 401 /401.html

This will serve the file "401.html" from your document root to unauthorized requests; it can contain forbidding graphics, pithy sayings, or anything else you decide will inform the viewer that the page is restricted. For 401 the document must be a local path like this one, not a full http://... URL: with a remote URL Apache answers with a redirect instead of the 401 status, and the browser never learns that it should prompt for a password.

This can, of course, be done for any of the error codes ("404: Not found" and "403: Forbidden" for example). A full URL is permitted for those, but it also turns the error into a redirect, so a local path is usually the better choice there too.

What are cookies and how do they work?

An HTTP cookie is text data exchanged between web servers and web browsers and used for authentication, storing user preferences, and tracking dynamically-stored information (such as, for example, the contents of electronic shopping carts).

For more detailed information about cookies, please see the Wikipedia entry.

How do I keep spammers from exploiting my web scripts?

To prevent attacks by spammers who exploit customers' vulnerable CGI scripts on our web servers, Panix has installed a filter script that holds mail addressed to a large number of recipients (the usual hallmark of a spammer). Panix staff are notified when such mail is held; we review it at the first opportunity and, unless it is the result of a break-in by a spammer, send it on.

We ask any customers who send (legitimate) large mailings via a web CGI to send us (via email to [email protected]) the full path of any scripts they run that send mail to multiple destinations. If these scripts are not exploitable, we'll add them to an exception list so that they can send mail without restrictions.

Customers who have not reviewed the CGI scripts in their web directories in recent years should follow the instructions below, disabling or deleting any unused scripts.



Last Modified:Friday, 18-Feb-2022 15:59:21 EST
© Copyright 2006-2021 Public Access Networks Corporation