Serving a few local network sites, best way forward?

I posted a User Tip on how to setup the web server. I prefer to serve files out of my home directory though. You can fudge the URL from the Apache config file.

https://discussions.apple.com/docs/DOC-3083

The US$20 spent on OS X Server would be well worth it, here. You'll have a GUI and the rest, and an easy way to add and remove web sites. Once you've got OS X Server purchased and you've got DNS configured, then launch Server.app and select the web site of interest (or create one) and have a look at the path in the display.

To relocate your existing sites, you can cp or cp -R or zip the files, and move them over to the /Library/Server/Web path, and probably into the web site and the directory you've just created underneath that path.

The /Library/WebServer/Documents path was used for Apache in OS X Server circa 10.6. OS X Server 10.9 has almost everything involving OS X Server underneath /Library/Server path; the web services configuration files and data are all under /Library/Server/web

FWIW, the web user is www (or sometimes _www, depending on the context), and not admin. The www (or _www) user has to be able to read the files, which means if you're copying around files and particularly if you're doing the usual "load random stuff into the web directories" sequence, you'll need to reset the ownships and/or the protection masks after the copy.

I've found OS X Server 10.9 Mavericks good (and in many ways, better than OS X Server 10.6), and the echo chamber chatter around the VPN services is not relevent locally, as I prefer using a gateway firewall NAT box with an integrated VPN server. Profiles are coming along nicely but aren't quite there yet as a complete replacement for MCX, but Workgroup Manager can still be downloaded for 10.9, so I can usually get where I want. (And US$20 is a whole lot nicer than the US$1000 OS X Server used to cost...)

I used both OS X and OS X Server several years ago when Server was very expensive and complicated. In my opinion it was only worth paying for if you had a large base of file sharing users. It was not much help for web serving. Playing with Apache config files on standard OS X was faster and more predictable.

My normal method is to ignore OS X security and put the web site in a folder at root and do all setup file movements logged in as root - this will bring a few comments!

To do this you need to get to know Apache config files but they are reasonably well documented with comments. You may also need to play with ACLs.

I generally wouldn't serve my login folder to the 'net; a subfolder of that maybe, if personal sharing is enabled.

As for the protections, the web server (www or _www) will need at least read access to the files in whatever folder you do specify.

IIRC, Mountain Lion Server removed the UserDir module pieces, so you'll have to add that back in manually if you want to keep files stored locally and not on the "standard" system-wide directories. Here's a good discussion of this and of UserDir and such. (I have not tested this, as I don't run per-user sites on the server.)

pamela.parks wrote:

You don't have permission to access /~myshortname/ on this server.

What are the permissions on your home directory and the Sites folder? They should be read and execute for group and other.

I think I am snarled up with prior configuration efforts and the way that Apple has moved the Sites folders around.

I think I am going to give MrHoffman's advice to buy the Server product a go... if it solves my problem by helping me get my Sites in the right places and the configurations all set, the $20 will be well spent compared to banging my head for another day.

At least it is only $20. I have tried Server and it was my inspiration to write a User Tip that would be easier to setup than Server - hint, hint.

Keep in mind that Server is a Server. It is designed to do a whole lot of things, most of which you don't need. It does include the web server but it is quite a bit different from a standard Apache configuration. It will change the performance characteristics of your machine. It will optimize your machine for background tasks instead of user tasks. You might notice a decrease in performance.

I still recommend setting up Apache manually, using that User Tip, for a local network such as you describe. Server does some specific tasks that would be very useful to people who need them. If all you need is to run a web server, it is only going to make things more difficult.

I agree with MrHoffman about serving anything over the net from a local machine. You should never do that from any system. Get a cheap, shared hosting service like Dreamhost.

etresoft wrote:

What are the permissions on your home directory and the Sites folder? They should be read and execute for group and other.

Don't forget ACLs.

If using a non-standard setup the config file may need changing and the path may need satisfactory permissions/ACLs.

pamela.parks wrote:

etresoft's question about permissions on the home directory and the Sites folder solved the problem.

This is what I referenced the access available for the www (or _www) user. Please take a little time to learn about file ownership and file permissions, as the payoff will be large. As part of this, you'll also learn how to make a web server breach more difficult to extend. Here's an older write-up on the general topic of web server protections.

I would like to reiterate a point I made earlier about not hosting any public site on your own server. When you have a server publicly accessible, hackers can bang on it 24x7 until they find a vulnerability or until some vulnerability is found elsewhere and you didn't patch it immediately. If you are a typically busy person with other stuff you would rather do, you can't win against the hackers.

If you want to run a public site, let professionals manage the details. Then you can get back to the stuff you would rather do. I am a big fan of Dreamhost. You don't have to worry about the details of www or _www users and permissions. You can configure each site to use a unique root and user. Of course, it is still possible to screw something up and get hacked on Dreamhost, but you and the hackers have to go though much more effort to make that happen.

My public web server runs on a dedicated Mac with OS 9 but my view is that if you have a solid firewall such as that provided by a Netgear modem/router and only allow HTTP initiated external access through the router you should be reasonably safe even without Apple's OTT security.

If others have experience of hacking overcoming a correctly set up router firewall I would like to see the details.

What kind of router is that? One with or without a backdoor?

Thanks - very interesting link.

This backdoor clearly affects a large number of routers including my DG834PN but I may be OK as I use DGTeam firmware - I have yet to confirm that DGTeam firmware is safe.

Any information on vulnerability of DGTeam firmware or a general fix for this backdoor would be appreciated.

I'm afraid the DGTeam firmware looks like it is abandonned. It wouldn't have the backdoor but it could have any number of other vulnerabilities. You are probably reasonably safe due to obscurity. I suggest replacing it.

It was abandoned a few years ago - probably pressure from Netgear - it is far more powerful/flexible than anything Netgear produces. I will not replace it unless there is better open source firmware.

Let me know if you discover any general fix for the backdoor.

There is a potential legal problem for those who sold devices with a known security backdoor - in many jurisdictions they will not be able to defend themselves by claiming that they were unaware of their supplier's testing backdoor.