The Web @ Courant

Setting up a web page

Web Hosting Policy
Secure Computing Policy
Digital Accessibility Requirements
Creating a web directory
PHP programming
CGI programming
Restricting Access
Being included on a list
Listing directory contents
Composing a Webpage in Linux
Composing a Webpage in Windows
Advanced WebHosting

Web Hosting Policy

All users are responsible for the content of their site. If a user allows for community based content to be posted, the person running this site is responsible for monitoring ALL data and securing their site (this includes any upload scripts, wikis, blogs, bulletin boards, etc.) We recommend that all uploaded content be posted only after review and that submission of data be restricted to valid users. If inappropriate material is found or reported on your site any users who are responsible for this acount are subject to disciplinary action including losing web priveleges.

Secure Computing Policy

Any web based script that allows posting of data and then utilizes this data in some form has a potential for a security violation. Please be completely aware of the security implications before allowing this. Some things to consider when allowing posting of data: SQL or parsing injection, spam, malicious/inappropriate content, and account/data compromises. Many of these may even have legal implications and should be considered appropriately.

Digital Accessibility Requirements

All web content on NYU sites must comply with digital accessibility rules, which apply to HTML, CSS, images, and any PDFs or other documents posted online. Automated scanning tools are used to ensure web content is accessible. Learn more about digital accessibility requirements here.

Setting up a homepage at Courant

Creating a web directory

You can set up a web page by simply placing it under the directory /web/$USER (where $USER is your CIMS username). If you have access to another document hierarchy, such as a research group or administrative page, the same instructions apply except for the directory path.

All filesystems are mounted on all the webservers and the webservers are configured to treat a user's /web directory as if it were part of the document hierarchy. Note that HTML files outside your /web hierarchy will not be accessible via the web server.

The minimum permissions of your /web directory should be as follows:

chmod 711 /web/$USER
chmod 644 /web/$USER/index.html

PHP programming

Warning: Any scripts that use variables passed to them have potential for security exploits. Please be aware of the security implications and realize that web based scripts run as your user and can compromise your account. This is especially so with non-restricted upload scripts!

Courant supports PHP scripting in your /web directory. Any file that ends with .php will be interpreted as a PHP script file. Please see PHP's official page for further documentation.

Error reporting is disabled by default, for security reasons, but can enabled with the following lines:

ini_set('display_errors', true); ini_set('display_startup_errors', true); error_reporting(E_ALL);

This will only report programming errors, not syntax errors. To detect syntax errors, run php filename.php on any Linux server.

CGI programming

Cgi-bin access is provided via Apache's suexec, which checks cgi scripts for possible security holes. Note that cgi-bin access used to also be provided by cgiwrap but that is no longer supported.

Place your scripts in /web/$USER/cgi-bin/ (subdirectories are allowed). If the directory doesn't exist, create it by running:

mkdir /web/$USER/cgi-bin

Also to make this work, you need to have a symlink in your home directory called public_html that points to your web directory. For most users, this is created at the time your CIMS account is created, but if you have an older account or at some point deleted the public_html symlink, run:

cd ~
ln -s /web/$USER public_html

Set the permissions for your cgi-bin directory and scripts as follows (making scripts world writable will disable the script due to security implications):

chmod 711 /web/$USER/cgi-bin
chmod 755 /web/$USER/cgi-bin/sample-script.cgi

The URL for a CGI program using suexec is:

http://server/~username/cgi-bin/sample-script.cgi

Here is a sample-script.cgi file for an example (copy the content and paste into sample-script.cgi in your cgi-bin directory):

#!/usr/local/bin/perl -wT
print "Content-type: text/html\n\n";
print "<html><head><title>Hello World</title></head>\n";
print "<body>\n";
print "<h2>Hello, world!</h2>\n";
print "</body></html>\n";

Restricting Access

Restricting access can be based on nyu netids, cims usernames, domains, etc. This can be done by adding the appropriate directives to an .htaccess file in the directory to be restricted.

Being included on a list

To have a link to your homepage included on one of web pages maintained by the Institute, please follow the instructions on that page or contact the site webmaster (webmaster@cims.nyu.edu, webmaster@cs.nyu.edu, webmaster@math.nyu.edu).

Listing Directory Contents

The listing of directory contents for directories without an index.html is not generally enabled. It is however, enabled for all public_html directories as well as some others. For the contents of a directory to be listed, the permissions on that directory have to be somewhat different from those directories containing an index.html. The correct permissions are...

chmod 755 /web/$USER/somedirectory

It is best to enable this for chosen subdirectories under your /web directory to avoid inadvertently listing the contents of your /web directory.

In addition, you may have to add a .htaccess file to the directory, consisting of the following:

Options +Indexes

Composing a Webpage in Linux

Set the minimal permissions of the /web directory by executing the command chmod 711 /web/$USER.
To create an .html file, open a Mozilla SeaMonkey browser. Under the Window tab, select Composer. A blank page will be shown and it is here that you will design your webpage. When satisfied, save the .html file to the /web/$USER folder. In order for your webpage to be viewable by other users, you will need to change the permissions of the file you just created. Open a Terminal and execute the command chmod 644 /web/$USER/YOUR_HTML_FILE.

Your page should be accessible by entering the URL http://SERVER/~USER_NAME/YOUR_HTML_FILE.html where SERVER is one of cims.nyu.edu, cs.nyu.edu, i6.cims.nyu.edu; USER_NAME is your account login; and YOUR_HTML_FILE is the .html file you just created.

Note: Any files that are implemented in your .html files (i.e. image files, etc.) must be stored in your /web folder and have their permissions set using the chmod 644 command listed above.

Composing a Webpage in Windows

To create an .html file, open a Seamonkey browser. Under the Window tab, Select Composer. A blank page will be shown and it is here that you design your webpage. When Satisfied, save the .html file to the \\fs-u2.cims.nyu.edu\username folder.
In order for your webpage (.html file) to be viewable by other users, you will need to change the permissions of the file you just created. To do so, open your \\fs-u2.cims.nyu.edu\username folder and do the following:
- Right-click the .html file and Select Properties.
- Click the Security tab.
- Click Everyone. Check the "Read and Execute" and "Read" boxes.
- Now Click your user name. Check the "Full Control" box. Then Click Apply.

Note: Any files that are implemented in your .html files (i.e. image files, etc.) must be stored in your public_html folder and have their permissions set per the instruction above for .html files.

Note: If you are using an IDE for composing web pages such as dreamweaver and you are uploading your pages through dreamweaver, you will need to update permissions to the files once they get on our servers. Otherwise you could run the following command:

setfacl -r -m \
default:user::rwx,default:group::---,default:other:r-x public_html

This will set the default ACL and ignore umask settings in your public_html directory heirarchy.

Creating a MySQL Database

Warning: If allowing web-based content to a MySQL database, always be aware of the SQL Injection exploits that are possible.

Please see here for documentation on Courant's database service.

If you are running an individual database for a class on courses2 or courses3, see instructions here for setting it up. If you would like to migrate from a courses1 database to the new hosted system, please see this page.