welcome: please sign in

The following 519 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
able   about   above   access   Access   accessed   accessing   action   actually   add   Add   addition   address   administrator   administrators   affect   afs   all   allows   almost   along   also   Alternatively   an   An   and   Andrew   another   any   anything   anyuser   Apache   apache   apache2   application   applications   Applications   are   argument   as   As   assume   at   authorization   authorized   authors   based   be   berkeley   bizarro   bottom   broader   browsing   but   buy   By   by   can   cannot   case   cases   Category   cause   cert   Cert   certainly   Certificate   certificate   cgi   chapter   Charset   checks   choice   chosen   code   collaboratively   com   command   common   Common   configuration   configurations   configured   configuring   considered   content   contents   Contents   control   Coop   couldn   cryptic   cs   daemon   data   database   Databases   dav   day   dedicated   Default   default   Denied   deprecated   describes   details   directories   directory   do   doc   Document   documented   Dom   domain   Domtool   domtool   don   dump   Dynamic   edit   edu   either   en   end   engine   entries   error   Error   errors   etc   every   Examining   example   Examples   examples   executables   execute   expected   explicitly   extensions   Fast   fast   features   fetch   File   file   Files   files   Filesystem   find   first   fix   follows   For   for   force   found   from   fs   fsr   full   General   generate   Generate   get   gets   Getting   give   going   grant   granted   graphical   group   guide   Guide   handy   happy   has   have   having   hcoop   help   hint   home   host   hosted   how   htaccess   html   http   https   hurt   if   If   in   In   incompatible   Indication   information   instance   instead   Instead   interface   ip   irrelevant   is   Is   Issues   it   It   its   Its   Java   just   Key   know   last   learn   let   letsencrypt   library   lighttpd   like   likely   line   lines   list   listacl   live   location   log   logs   long   longer   look   lowercase   machine   made   make   makes   manage   manner   Manual   manual   many   Many   matches   may   Member   member   members   mentioned   might   minutes   mod   modifying   modules   more   mount   much   must   name   Name   named   nameservers   navajos   need   needed   needs   net   never   next   no   nogroup   normal   Normal   normally   not   notable   Note   notion   ns1   ns2   Of   of   off   offer   on   Once   once   one   only   Oops   optional   optionally   or   order   org   other   otherdir   others   Our   our   out   over   Own   own   page   parent   particular   pem   per   Perl   perl   permission   permissions   Permissions   petition   php   php5   php56   phtml   plan   Please   please   policy   popular   portal   principal   probably   problem   processed   production   program   protocol   provide   provided   providers   public   publish   python   re   read   readable   real   realtime   reason   redirect   Redirect   reference   refuse   relies   remote   replace   representation   request   Request   require   requirements   research   return   rewrite   rights   risky   rlidwka   Root   Rule   rules   run   running   Running   runs   sa   script   scripts   search   section   security   see   See   self   separate   separated   serve   served   Server   server   servers   serves   services   serving   Serving   set   setacl   share   should   showing   side   signed   Signing   simpler   simply   since   Since   single   Sites   skip   So   so   software   Some   somewhere   Ssl   ssl   stanza   Started   static   Static   statistics   stored   style   subdirectories   subdomain   such   suexec   supported   supporting   sure   system   System   systems   Table   tail   take   that   The   the   their   them   then   Then   there   therefore   these   they   They   this   This   through   Thus   to   To   tokens   too   Tool   transfer   Transferring   Try   twin   two   up   updated   upstream   us   use   useful   User   user   username   users   Using   using   utf   utilize   utilizes   var   variants   vendors   Version   version   via   view   violation   virtual   want   warnings   We   we   Web   web   webalizer   webdata   webpages   website   websites   what   When   when   where   which   who   wiki   wikipedia   will   with   without   work   working   world   write   writeable   www   yo   You   you   Your   your   yourdomain   yourself  

Clear message

MemberManual / ServingWebsites

This is the chapter of the MemberManual that describes how to serve your website(s).

Static Web Sites

If you're going to use a domain, please read the next section. If you plan on having static websites without any CGI such as php or perl, then read on. In your home directory, there is a directory named public_html. By default, you can access this at http://www.hcoop.net/~USER. You will never be able to execute server-side scripts when accessing webpages in that manner.

Dynamic Web Sites

If you plan on having a website that utilizes CGI such as php or perl, then you must either have a domain or an hcoop.net subdomain (i.e., USER.hcoop.net).

When you have chosen a domain to be hosted by HCoop, you then simply request control of that domain at the portal. Once it is authorized by an administrator, you will be able to utilize DomTool. DomTool will let Apache and other services know about your domain. Please take a look at using DomTool, DomTool user guide, and DomTool examples to learn how to do this. Our nameservers are ns1.hcoop.net and ns2.hcoop.net.

As a hint, DomTool configurations are stored in ~/.domtool/. Some users have made their production configurations readable and so you may be able to learn from them. See the bottom of DomTool examples to find out who is showing off their DomTool configurations.

If your web application needs write access to a data directory, give USER.daemon write permission to it and all of its subdirectories. In this example, be sure to replace USER with your username (lowercase):

fsr sa ./webdata USER.daemon write

Alternatively, use only fs if you need to set the ACL for just one directory.

For database help, take a look at this manual's Databases chapter.

To see how you can transfer files to HCoop, see the Transferring Files chapter.

In addition, .htaccess files are not processed on our servers. See DomTool Examples to learn how to use rewrite rules and other features normally provided by .htaccess.


We use FastCGI based PHP 7.2 by default to serve .php, .phtml, and .php5 files. We may offer PHP variants (supported variants are documented in the Domtool library reference); to explicitly set the PHP version, use the phpVersion action as follows.

To use PHP 5 in a directory or virtual host:

phpVersion php56;

Common Web Applications

It is likely that another member has configured one of many common applications and documented it on the ../WebApplications page.

Running your own web server

Many popular Apache modules for "fast web serving," like mod_python and mod_perl, are incompatible with our security requirements; they force all Python, Perl, etc., scripts run through them to run as a single UNIX user. Thus, to use these modules, you will need to run your own separate web server. See RunningYourOwnApache. You will probably want to run lighttpd instead of your own Apache, since configuring it is much simpler.

It also couldn't hurt to petition the authors of these modules to fix this problem. ;-)

Examining your logs

The error and access logs are stored in ~/.logs/apache. They are separated by machine and domain. Your ~/.logs/apache directory is updated once every 20 minutes from the "real" logs in /var/log/apache2 on the machine that serves your virtual host. This is almost certainly navajos.

It is expected that you don't have permission to read your logs in /var/log/apache2. Instead, use the handy domtool-tail program to view the logs in realtime. For instance, this command line will dump the last entries in the access log for www.domain.com, in the style of the UNIX tail program. We assume that you have Domtool permissions on domain.com.

domtool-tail [-n LINES] www.domain.com access

The optional -n LINES argument will fetch that many lines from the log.

You can view a graphical representation of your access logs by browsing our webalizer interface at https://members.hcoop.net/webalizer/. Its statistics are updated once per day.

Permissions Issues (403 Access Denied)

When you publish web content, it will probably live in your home directory. The web server will need permission to read your files, or it will return "403 Access Denied" errors. Since your home directory is in AFS, normal UNIX permissions are irrelevant.

For instance, if you get a 403 error serving ~/public_html/otherdir/page.html, you might run this to see what's up:

$ fs listacl ~/public_html/otherdir
Access list for /afs/hcoop.net/user/y/yo/you/public_html/otherdir is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  you rlidwka

Oops! Apache only matches the "system:anyuser" principal, so it only gets the "l" (= "list") permission and can only list your directory contents. Try this to fix it:

$ fs setacl ~/public_html/otherdir system:anyuser read
$ fs setacl ~/public_html system:anyuser read
$ fs setacl ~ system:anyuser l

The first two give full read permission on the mentioned directories. "l" permission is needed in every parent directory of a file to be able to access it, so the last line makes sure "l" is granted to system:anyuser on your home directory.

When your web content is accessed through your own virtual host, you can also grant read access to $USER.daemon instead of the broader system:anyuser, where $USER is your username. This is your bizarro-world twin, which Apache runs as when serving your content.

Note that your CGI directories and executables should be in the group nogroup; if this is not the case you may see cryptic warnings in your error.log along the lines of suexec policy violationsee suexec log for more details.

See the Getting Started chapter of the Member Manual, in particular the AFS section, for information on how to work with AFS's separate notion of permissions.

Permissions Issues (500 Server Error for CGIs)

If you get a 500 server error when running a CGI script, one likely cause is directory permissions. suexec will refuse to run a cgi if its parent directory is writeable by others. So, make sure permissions are set to 755 and not 775. Note that the directory permissions do not actually affect anything (since we're using AndrewFileSystem), but modifying the suexec code to skip the checks is considered too risky.

Getting HTTPS access working

In order to serve websites over HTTPS, you will need to generate an SSL certificate and optionally request an IP address from us.

  1. Generate a Key and Certificate Signing Request, and then either generate a self-signed SSL certificate yourself, buy one from somewhere (search for "ssl certificate" using your search engine of choice for a list of popular vendors), or request a certificate from letsencrypt.

  2. Request permission to use your certificate for a domain.

  3. Add a stanza to your DomTool configuration file. Examples of this may be found at DomTool/Examples.

This relies on TLS SNI to work, which will work in almost all cases (the only notable software no longer supporting SNI is Java 6, which is deprecated). If for any reason you need a dedicated IP address, we are happy to provide you with one as long as our upstream providers will provide them.


WebDAV is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers. WebDAV is useful when working on a website using systems that cannot mount an AFS share. General information of WebDAV can be found athttp://research.cs.berkeley.edu/doc/dav/.

If you want to be able to use DAV services with your own domain name, you will need to set up a host which is served via HTTPS. The Getting HTTPS access working section above should be of help. Then, you will want to add a stanza to your DomTool configuration to serve DAV. An example follows.

  (* Redirect HTTP to HTTPS *)
  web "dav" with
    rewriteRule "^(.*)$" "https://dav.yourdomain$1" [redirect];

  (* Serving DAV over HTTPS *)
  web "dav" where
    DocumentRoot = home "dav";
    SSL = use_cert "/etc/apache2/ssl/user/yourdomain.pem";
    addDefaultCharset "utf-8";

    location "/" with

You will almost certainly want to require authorization to access your davFilesystem, since it runs with your $USER.daemon tokens, and can therefore read and write anything it can.


MemberManual/ServingWebsites (last edited 2021-02-24 02:47:00 by ClintonEbadi)