Secure WWW Server

Table of Contents
What is a secure WWW server?
How do I know if my browser is communicating with a secure server?
When would I want to use the secure WWW server to deliver or collect information at my website?
Are there some issues to consider using the secure server?
Where in my account should I put documents that I want delivered to users in a secure manner?
How does a URL look different for a secure WWW server?
Can I use .htaccess files in my /wwws directory the same way as my /www directory?
Is the secure WWW server able to access documents/programs in my /www directory and vice versa?
Can I use a secure WWW server if I have a virtual host associated with Webserve account?
At IU, how do I obtain an SSL certificate for my web site?
Can I authenticate users and/or control access to my web pages with a virtual hostname?

What is a secure WWW server?
  • A server which is capable of identifying itself authoritatively to a browser.
  • The server allows for encrypted communications between the WWW server and browser over the Internet.

A secure WWW server is a type of WWW server that is capable of communicating over the Internet with a WWW browser in a secure manner. This type of server is also called an 'SSL server' (for those inquiring minds who want to know, SSL stands for "Secure Sockets Layer").

Normally, the contents of any HTML document, image file, sound file, HTML form, or password entry dialog window are communicated between the WWW server and browser 'in the clear'. This type of transmission is not secure because no attempt is made by the browser to verify (authenticate) the identity of the server specified in the URL. In addition, no attempt is made by the browser or the server to encrypt or encode the information to make it useless to anyone 'eavesdropping' on the transmission.

A secure WWW server allows a more secure connection to the browser because the browser can trust that it is communicating with the server that was specified in the URL and because all communications between the browser and the server will be encrypted.

How do I know if my browser is communicating with a secure server?
  • Your browser may notify you before displaying the page.
  • A 'lock' symbol may appear in the 'locked' position on your browser.
  • The URL will begin with 'https:'.

When would I want to use the central secure WWW server to deliver or collect information at my website?

If you would feel uncomfortable entering the requested data into your form, consider the necessity for collecting it at all. Is it really necessary that you have that data item? Also, many data elements are protected, either by university policy or law, and must be kept secure. If you are requesting or sending/displaying sensitive data on your page, you must use the secure WWW server to encrypt the data in transit.

For more information about institutional data, see What is institutional data?

Commonly, empty forms are delivered to the user from a non-secure server. Once the user fills in the form, the 'action' directive in the form specifies that the contents are to be sent to a secure (https) server for further processing.

Another instance when using a secure server to deliver a document may be appropriate is when all or part of a document's content is sensitive regardless of whether the document is static or was generated by a CGI program 'on the fly'. You may or may not need to have .htaccess-style access protection on the file in addition.
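The form-handling pattern above (page served from the non-secure server, 'action' pointing at the https server) is easy to get wrong when a form is edited later. The following shell script is an added example, not part of the Webserve documentation: it walks a directory of HTML files and reports every form whose action is not an absolute https:// URL, so sensitive submissions cannot silently travel in the clear. The function names, the temporary directory layout and the sample HTML are all constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Webserve documentation).
# list_insecure_forms DIR
#   Prints "<file>: <action>" for every <form> under DIR whose action attribute
#   does not start with https://, and prints nothing when all forms are fine.
#   Only lowercase 'action=' with single- or double-quoted values is recognised.
list_insecure_forms() {
    dir="$1"
    find "$dir" -type f \( -name '*.html' -o -name '*.htm' \) |
    while IFS= read -r f; do
        # Join the file into one line so a <form ...> tag split across lines
        # still matches, then print each form tag on its own line.
        tr '\n' ' ' < "$f" | grep -io '<form[^>]*>' |
        while IFS= read -r tag; do
            action=$(printf '%s\n' "$tag" | sed -n "s/.*action=[\"']\([^\"']*\)[\"'].*/\1/p")
            case "$action" in
                https://*) ;;                                  # submitted over TLS: OK
                *) printf '%s: %s\n' "$f" "${action:-<missing>}" ;;
            esac
        done
    done
}

# make_sample_site
#   Builds a throw-away www directory with constructed sample pages and prints
#   its path. One page posts correctly to https; the other has two bad forms.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/www"
    cat > "$root/www/signup.html" <<'EOF'
<html><body>
<form method="post" action="https://www.indiana.edu/~account/cgi-bin/signup">
<input type="password" name="pw"></form>
</body></html>
EOF
    cat > "$root/www/feedback.html" <<'EOF'
<form method="post" action="http://www.indiana.edu/~account/cgi-bin/feedback">
<input name="comment"></form>
<form method="get" action="/~account/search">
<input name="q"></form>
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
    site=$(make_sample_site)
    list_insecure_forms "$site/www"
    rm -rf "$site"
fi
```

A root-relative action such as `/~account/search` is reported too: it resolves against whatever scheme delivered the page, so a form served over http would post over http. Run the audit on the www tree before publishing, and treat every reported form as one that must either post to an https:// URL or stop collecting sensitive data.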

Are there some issues to consider using the secure server?

It is important to remember the following about data that is collected via the secure server:

It is best to avoid using the secure server to deliver or receive pages/forms to or from the browser that contain large images, incorporate long sound, animation or video sequences, or which contain a very large amount of text. Why is this? Because all of the elements of a page add to the amount of data that must be encrypted by the server before transmission and subsequently decrypted by the browser upon reception. Large amounts of encryption and decryption can introduce delays.

When using the secure server we recommend that you place any files that are referenced from a delivered page (such as an image) in the same directory as the one that contains the HTML file for the page. This is especially true for directories that have an .htaccess file mediating access. The general rule would be: 'Try to keep everything that is related to a given page in the same directory as the page'.

Where in my account should I put documents that I want delivered to users in a secure manner?

They belong in the /wwws directory (or one of its subdirectories) in your account. If you have no /wwws subdirectory, perform the following steps:

  1. Log into your Webserve account.
  2. Type the following command:
    mkdir wwws
    
  3. Type the following command:
    chmod 711 wwws
    
  • The wwws directory should be set for execute access only (chmod 711) to prevent directory browsing.
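The three steps above, collected into one script as an added example (this is not a script supplied by the Webserve documentation). It creates the wwws directory only if it is missing, sets the execute-only mode, and then verifies the result by reading the permission string back rather than trusting that chmod succeeded. The function names and the temporary home directory used for the demo are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the Webserve documentation).
# ensure_wwws HOME_DIR
#   Creates HOME_DIR/wwws if it does not exist and sets mode 711: the owner
#   keeps read/write/execute, while group and others get execute (traverse)
#   only, so the web server can enter the directory but nobody can list it.
ensure_wwws() {
    home="$1"
    [ -d "$home/wwws" ] || mkdir "$home/wwws"
    chmod 711 "$home/wwws"
}

# dir_mode PATH
#   Prints the ten-character symbolic mode from ls -ld, e.g. drwx--x--x.
#   Any trailing ACL/SELinux marker ls may append is cut off.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_wwws HOME_DIR
#   Returns 0 when HOME_DIR/wwws exists with exactly mode 711, 1 otherwise.
check_wwws() {
    [ "$(dir_mode "$1/wwws")" = "drwx--x--x" ]
}

# Stand-alone demo against a throw-away directory: run with "demo" as $1.
if [ "${1:-}" = "demo" ]; then
    h=$(mktemp -d)
    ensure_wwws "$h"
    if check_wwws "$h"; then
        echo "wwws created with mode $(dir_mode "$h/wwws")"
    else
        echo "wwws has unexpected mode $(dir_mode "$h/wwws")" >&2
    fi
    rm -rf "$h"
fi
```

The check is what matters operationally: a wwws directory that was later loosened to 755 (for example by a bulk chmod) would again allow directory listing, and `check_wwws` catches that so the mode can be re-applied.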

How does a URL look different for a secure WWW server?

There are few differences between a URL that addresses a non-secure (http) server and one that addresses a secure (https) server. The example below summarizes the parts of an 'https'-style URL:

https://www.indiana.edu/~account
https://www.iun.edu/~account
https://www.iuk.edu/~account
https://www.iue.edu/~account
https://www.iupui.edu/~account


Can I use .htaccess files in my wwws directory the same way as my www directory?

For the most part the answer is 'yes'. However, suppose an .htaccess file mediates access to a page in your wwws (secure) directory tree, and that page links to a page in your www (non-secure) directory tree that has virtually the same .htaccess file. The browser may then repeat the authentication prompt, because it believes that the 'realm of authentication' has changed (wwws to www). The Webmaster's documentation on Controlling Web Page Access has more information.


Is the secure server able to access documents/programs in my www directory and vice versa?

Yes, but ONLY through links that are full URLs, not relative links.

The secure and non-secure servers are purposely configured to be completely independent of each other and to have no knowledge of each other's web spaces.

It is possible for you to create a CGI program for use from your /www (non-secure) directory which accesses files in your /wwws (secure) directory (or vice versa). This practice is NOT RECOMMENDED.
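Because the two servers know nothing of each other's web space, a relative link in a wwws page can only ever reach files inside wwws. The script below is an added example, not part of the Webserve documentation: it scans the HTML files of a secure tree for relative href/src values that the secure server could not serve, either because the target is missing from the tree or because the path climbs out of it (typically into www). Each hit is a link that must be rewritten as a full URL. The function names, the temporary account layout and the sample page are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Webserve documentation).
# find_unservable_links TREE
#   Prints "<file>: <link> (<reason>)" for every relative href/src in TREE's
#   HTML files that does not resolve to an existing file inside TREE. Full
#   URLs, root-relative paths, fragments and mailto: links are left alone.
find_unservable_links() {
    tree="$1"
    root=$(cd "$tree" && pwd -P)
    find "$tree" -type f \( -name '*.html' -o -name '*.htm' \) |
    while IFS= read -r f; do
        d=$(dirname "$f")
        # Extract every double-quoted href="..." and src="..." value.
        grep -oE '(href|src)="[^"]*"' "$f" | sed 's/^[a-z]*="\(.*\)"$/\1/' |
        while IFS= read -r ref; do
            case "$ref" in
                *://*|/*|'#'*|mailto:*) continue ;;
            esac
            path=${ref%%[?#]*}                  # drop query string / fragment
            target="$d/$path"
            # Canonicalise the target's directory so ".." components resolve.
            tdir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || {
                printf '%s: %s (target directory missing)\n' "$f" "$ref"
                continue
            }
            case "$tdir" in
                "$root"|"$root"/*)
                    [ -e "$target" ] || printf '%s: %s (target missing)\n' "$f" "$ref" ;;
                *)
                    printf '%s: %s (resolves outside %s)\n' "$f" "$ref" "$tree" ;;
            esac
        done
    done
}

# make_sample_account
#   Builds a throw-away account with a www and a wwws tree and prints its path.
#   The wwws page mixes good links with two that the secure server cannot serve.
make_sample_account() {
    home=$(mktemp -d)
    mkdir -p "$home/www" "$home/wwws/img"
    : > "$home/www/public.html"
    : > "$home/wwws/img/logo.gif"
    cat > "$home/wwws/index.html" <<'EOF'
<html><body>
<img src="img/logo.gif">
<a href="http://www.indiana.edu/~account/public.html">full URL to the non-secure tree: fine</a>
<a href="#top">fragment: fine</a>
<a href="../www/public.html">relative link that escapes wwws</a>
<a href="missing.html?x=1">file that does not exist in wwws</a>
</body></html>
EOF
    printf '%s\n' "$home"
}

# Stand-alone demo: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
    acct=$(make_sample_account)
    find_unservable_links "$acct/wwws"
    rm -rf "$acct"
fi
```

The `../www/public.html` case is the one the text warns about: on disk the file exists, so a naive existence check would pass, but the secure server never maps that path, which is why the script resolves the directory and requires it to stay under the tree being scanned.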


Can I use the secure server (wwws directory) if I have a virtual host associated with my Webserve website?

Yes, in two ways, which are described below:

  1. In a basic, but less versatile approach, you can use the secure server (wwws directory), but you will not be able to use your virtual host name in the URL. If your virtual host name is http://vhostname.indiana.edu your URL will take the form of your actual account name (plus the secure-http "https" designation at the beginning of the URL), and will look something like:

    https://www.indiana.edu/~account/

  2. In an alternative, but more versatile approach, you can use the secure server (wwws secure directory), and you will be able to use your virtual host name in the URL. In order to do this, you will need to contact the webmaster and request an SSL certificate. The SSL certificate is also what makes encryption of all data transmitted between the web browser and the secure web server possible, as long as https:-prefixed URLs using your virtual host name are being used.

At IU, how do I obtain an SSL certificate for my web site?

All Indiana University web servers that display sensitive data to users, or accept sensitive data from them, must operate in secure mode. Secure web servers are addressed with the prefix https://, while web servers operating in nonsecure mode use http://. In order for a web account to operate in secure mode, the account's administrator must obtain and install an SSL certificate signed by a trusted certificate authority (CA).

If you wish to obtain an SSL certificate on Webserve, please notify IU Webmaster and we will provide you with the next steps.

The University Information Security Office (UISO) has partnered with the InCommon Certificate Service to provide SSL certificates to the IU community.

For further information, see: 

SSL Certificates via InCommon Certificate Service 


Can I authenticate users to my web pages with a virtual hostname?

Yes, read the above section regarding use of the secure server with a virtual host. Note that all authentication of IU users must be encrypted.

  1. You may use CAS whether you have an SSL certificate or not. See: At IU, what is CAS?
  2. If you do not have a virtual host, you must use the method described on this document: Controlling Web Page Access