1MOD_GRIDSITE(8) GridSite Manual MOD_GRIDSITE(8)
2
6 mod_gridsite - Grid extensions to Apache httpd
7
9 LoadModule gridsite_module mod_gridsite.so
10
12 mod_gridsite is an Apache 2.0 module which enforces access control via
13 Grid Access Control Lists, and X.509, GSI or VOMS credentials.
14 mod_gridsite also gives Apache built-in support for the HTTP PUT and
15 DELETE methods, and formatting of HTML pages with standard headers and
16 footers.
17 Since mod_gridsite access control within Apache itself, Grid authoriza‐
19 tion and the associated verified credentials are available to all tech‐
20 nologies supported by Apache, including static file serving, SSI, CGI,
21 PHP, mod_perl and Java servlets via a connector to Tomcat.
22 Operation of mod_gridsite can be configured using runtime directives in
24 Apache's standard httpd.conf configuration file. The module must first
25 be loaded with a LoadModule directive:
26 LoadModule gridsite_module /PATH/TO/MODULES/mod_gridsite.so
28 The module's behaviour is then controlled by GridSite... directives
30 within Apache <Directory ...> sections, allowing different directories
31 to use GridSite features in different ways.
32
35 GridSiteIndexes on|off
36 Determines whether GridSite generates HTML directory listings.
37 These have some advantages over standard Apache directory list‐
38 ings (eg the displayed filenames are never truncated) and will
39 include standard headers and footers if GridSiteHtmlFormat is
40 on. (Default: GridSiteIndexes off)
41 GridSiteIndexHeader file
44 If the named file is found in the directory being listed, the
45 file is included verbatim at the top of the listing and excluded
46 from the file-by-file listing. The file can either be HTML or
47 plain text (in which case browsers will be treat it as one HTML
48 paragraph.) (Default: none)
49 GridSiteHtmlFormat on|off
52 Determines where HTML pages receive additional formatting before
53 being sent to the client. This includes the "Last modified",
54 "View page history", "Switch to HTTP(S)", "Print View" and
55 "Built with GridSite" footer elements. If header and footer
56 files are found, they will be used too. (Default: GridSiteHtml‐
57 Format off)
58 GridSiteHeadFile file
61 GridSiteFootFile file
63 Set the filenames to be used for as standard headers and footers
64 for HTML pages. If the file name begins with "/" then this is
65 used as the absolute path to that file to be used. Otherwise,
66 for each HTML page, the directory of that page is tried first,
67 and then parent directories in ascending order until a header /
68 footer file is found. Header files are inserted in place of HTML
69 <body[ ...]> tags; footer files in place of </body>. (These
70 standard files should each include the appropriate body tag as a
71 replacement.) (Defaults: GridSiteHeadFile gridsitehead.txt,
72 GridSiteFootFile gridsitefoot.txt)
73 GridSiteAuth on|off
76 Enables GridSite access control features, using GACL files. The
77 files are named .gacl and are per-directory. The current direc‐
78 tory is tried and then parent directories in ascending order
79 until a .gacl file is found. (Default: GridSiteAuth off)
80 GridSiteAdminList uri
83 All members of the DN List with name "uri" receive the full set
84 of permissions, irrespective of per-directory .gacl files. Peo‐
85 ple in this group have full control over the whole site.
86 (Default: none)
87 GridSiteGSIProxyLimit limit
90 When using GSI Proxy credentials, proxies with delegation depth
91 greater than "limit" will be ignored by mod_gridsite authoriza‐
92 tion decisions. A limit of zero implies only full X.509 certifi‐
93 cates (and no proxies) will be accepted. A limit of 1 implies
94 that only the initial proxy, usually created on the user's own
95 machine, is acceptable. Higher levels lead to proxies on remote
96 machines, eg used by running jobs, being accepted. (Default:
97 GridSiteGSIProxyLimit 1)
98 GridSiteMethods [GET] [PUT] [DELETE] [MOVE]
101 Specifies which HTTP methods are supported by GridSite. GET (and
102 HEAD) are always supported. PUT and DELETE support is turned on
103 by this directive, subject to a positive statement that write
104 permission is allowed for the directory in question, by a GACL
105 file. (Default: GridSite GET)
106 GridSiteDNlists directory1[:directory2[:directory3]...]
109 Sets up the DN List path used by GACL for evaluating <dn-list>
110 credentials. If this directive is not used, then GACL will use
111 the GRST_DN_LISTS variable from Apache's own environment. If
112 that is not set either, then /etc/grid-security/dn-lists is
113 searched. (Default: none)
114 GridSiteDNlistsURI uri
117 If GridSiteDNlistsURI is used, then the URI given appears to be
118 populated with all the DN lists on the current DN lists path
119 which match the current server. That is, for server
120 https://example.org/ with DN lists URI /dn-lists/, all DN lists
121 with URLs starting https://example.org/dn-lists/ will appear to
122 be present in /dn-lists/, irrespective of where in the path they
123 are stored. (Default: none) <p>
124 GridSiteAdminURI uri
127 GridSiteAdminURI gives the absolute URI on the server of the
128 GridSite Admin CGI program, which is used for file management,
129 HTML and GACL editing. This should be used in conjunction with
130 the standard Apache directive ScriptAlias to map that URI to the
131 real-gridsite-admin.cgi executable. For example:
132 ScriptAlias /real-gridsite-admin.cgi /PATH/TO/real-gridsite-
134 admin.cgi
135 This URI is always reached by an internal redirection from the
137 value set by GridSiteAdminFile, and is never visible to users.
138 (Default: none)
139 GridSiteAdminFile cgifilename
142 If GridSiteAdminURI is set, then the cgifilename of GridSiteAd‐
143 minFile appears to be present in all directories when explicitly
144 requested (it does not appear in directory listings.) Requests
145 for these ghost CGI URIs are internally redirected to the value
146 set by GridSiteAdminURI. (Default: GridSiteAdminFile gridsite-
147 admin.cgi)
148 GridSiteEnvs on|off
151 This makes mod_gridsite export several variables into the envi‐
152 ronment of CGI programs and other dynamic content systems. The
153 variable names are listed below. For gridsite-admin.cgi mecha‐
154 nism to work, this switch must be left in its default state of
155 on. (Default: GridSiteEnvs on)
156 GridSiteEditable [ext1 [ext2 [ext3] ...]]]
159 A space-separated list of file extensions which can safely be
160 edited by the GridSite Text/HTML editor. The extensions are
161 given without the initial dot. This directive must apply to the
162 gridsite-admin.cgi executable, rather than just to the files it
163 manages. This is most easily achieved by placing GridSiteEd‐
164 itable in the main section of the virtual host, outside any
165 Directory or Location containers. (Default: GridSiteEditable
166 txt shtml html htm css js php jsp)
167 GridSiteHelpURI uri
170 If set, gives the URI to use for "Website Help" links in HTML
171 page footers. (Default: none)
172 GridSiteLink on|off
175 Turns off the link in the HTML page footers which gives credit
176 to GridSite. (Default: GridSiteLink on)
177 GridSiteUnzip path
180 If "path" is set by this directive, then real-gridsite-admin.cgi
181 will offer to list the contents of .zip archives on the server.
182 Users with write access are able to unpack the contents into the
183 same directory as the .zip file. The value of "path"
184 must point to the location of the unzip binary. (Default: none)
185 GridSiteGridHTTP on|off
188 Enable GridHTTP for this server, virtual server or directory:
189 HTTPS requests made with the header Upgrade: GridHTTP/1.0 will
190 be redirected to an HTTP version of the file. (Default: off)
191 GridSiteGridHTTPport port
194 Sets the port to use for the unencrypted HTTP component of Grid‐
195 HTTP HTTPS->HTTP transfers. The same setting will be used for
196 all virtual hosts which support GridHTTP. (Default: 777)
197 GridSiteSessionsDir path
200 Location of authentication cookies and SSL session credentials
201 directory, relative to ServerRoot. Used by GridHTTP to record
202 the credentials obtained via HTTPS, and available to the corre‐
203 sponding HTTP request or subsequent HTTPS requests following a
204 session restart. (Default: /var/www/sessions)
205 GridSiteACLFormat GACL|XACML
208 Format to use when writing .gacl files. (Both formats are auto‐
209 matically recognised when reading.) (Default: GACL)
210 GridSiteACLPath path
213 Specify the absolute or relative (to ServerRoot) path of the ACL
214 file governing this section of the server's URL space. This can
215 be applied to virtual URL spaces provided by other modules, such
216 as DAV or SVN, using the Apache <Location> container. If the
217 path contains %0, it is replaced by this virtual server's host‐
218 name. If it contains %1, %2, ... it is replaced with the 1st,
219 2nd, ... component of the request's URI, separated by slashes
220 and counting from immediately after the initial slash.
221 GridSiteExecMethod nosetuid|suexec|X509DN|directory
224 Execution strategy for CGI scripts and executables. For options
225 other than nosetuid, suexec (or gsexec renamed suexec) must
226 installed. For X509DN and directory, gsexec must be installed,
227 as suexec. See gsexec(8) for an explanation of the different
228 execution strategies. (Default: nosetuid)
229 GridSiteUserGroup user group
232 Unix user and group when using suexec (or gsexec as suexec.)
233 This is equivalent to the suexec SuexecUserGroup directive, but
234 can be specified on a per-directory basis. (Default: none)
235 GridSiteDiskMode GroupNone|GroupRead|GroupWrite WorldNone|WorldRead
238 The file creation permissions mode, taking two arguments to
239 specify the group and other permissions. The mode always
240 includes read and write permission for the CGI user itself.
241 (Default: GroupNone WorldNone)
242 GridSiteCastUniPort port
245 The UDP unicast port to listen on for HTCP queries, and from
246 which to send replies to HTCP unicast and multicast queries.
247 Ideally, this should be a privileged port below 1024. This
248 directive may not appear within a virtual server. (Default: 777)
249 GridSiteCastGroup group[:port]
252 A UDP multicast group on which to listen for HTCP queries, plus
253 an optional port. If no port is given, then 777 is used. Multi‐
254 ple GridSiteCastGroup directives can be given to cause the UDP
255 responder to listen to more than one multicast group. This
256 directive may not appear within a virtual server.
257 GridSiteCastAlias URL-prefix path-prefix
260 Maps SiteCast generic URLs to the local filesystem. When pro‐
261 cessing HTCP queries, matching SiteCast URLs will have URL-pre‐
262 fix stripped off and the remaining portion of the URL added to
263 path-prefix to construct a local path and filename. If a file is
264 found with that name, a SiteCast HTCP response will be returned
265 to the querying host. Otherwise the queries are ignored. This
266 directive may appear within virtual servers, and the virtual
267 server's servername and first port will determine the host and
268 port name used to construct the transfer URL.
269
272 The following variables are present in the environment of CGI programs
273 and other dynamic content systems if the GridSiteEnvs on directive is
274 in effect.
275 GRST_PERM
278 Numerical value of the permission bit-map obtained by comparing
279 the user with the GACL in force. (These should be tested using
280 the GRSTgaclPermHasXXXX functions from GACL.)
281 GRST_ADMIN_LIST
284 URI of the DN List, listing people with full admin and write
285 access to the whole site.
286 GRST_GSIPROXY_LIMIT
289 Maximum valid delegation level for GSI Proxies.
290 GRST_DIR_PATH
293 Absolute path in the local filesystem to the directory holding
294 the file being requested.
295 GRST_DESTINATION_TRANSLATED
298 Present if a WebDAV Destination: header was given in the request
299 with a local URL. Contains the translation of the URL given into
300 an absolute path in the local filesystem.
301 GRST_HELP_URI
304 URI of website help pages set by GridSiteHelpURI directive.
305 GRST_ADMIN_FILE
308 Filename of per-directory ghost gridsite-admin.cgi program.
309 (This is used by real-gridsite-admin.cgi to construct links in
310 its pages.)
311 GRST_EDITABLE
314 Space-separated list of extensions which can safely be edited
315 with a Text/HTML editor.
316 GRST_HEAD_FILE and GRST_FOOT_FILE
319 Filenames of standard header and footer files.
320 GRST_DN_LISTS
323 DN lists search path.
324 GRST_DN_LISTS_URI
327 Directory of virtual URIs used to publish this site's DN Lists.
328 GRST_UNZIP
331 Full path to the unzip(1) binary, used to list and unpack .zip
332 files.
333 GRST_NO_LINK
336 If set, do not include credit links to GridSite in page footers.
337 GRST_ACL_FORMAT
340 Format to use when writing .gacl files: either GACL or XACML.
341 GRST_EXEC_METHOD
344 Specified by GridSiteExecMethod either suexec, X509DN or direc‐
345 tory.
346 GRST_EXEC_DIRECTORY
349 The directory containing the CGI script or executable (used by
350 gsexec to determine which pool account to use in directory map‐
351 ping mode.)
352 GRST_DISK_MODE
355 The Apache disk permission modes bit pattern, in hexadecimal,
356 starting with 0x. (Similar to the Unix bit pattern, except with
357 hexadecimal rather than octal values: eg 0x600 [Apache] vs 0600
358 [Unix] are both read/write for user only.)
359
362 Andrew McNab <Andrew.McNab@manchester.ac.uk>
363 mod_gridsite is part of GridSite: http://www.gridsite.org/
365
367 htcp(1), httpd(8), gsexec(8)
368mod_gridsite October 2005 MOD_GRIDSITE(8)