MSSL Basic User Note #21:


Using the MSSL site web and ftp server

Paul Lamb 2-Nov-2012 V1.7

This document is http://www.mssl.ucl.ac.uk/www_computing/buns/webserver.html
A Linux system acts as our dedicated web (http & https) and ftp server. It is accessible from outside the firewall and hosts the aliases www.mssl.ucl.ac.uk, ftp.mssl.ucl.ac.uk and ftpin.mssl.ucl.ac.uk. All users of the MSSL Linux cluster can transfer files to and from this system. The use of the different areas of its filestore is described in the following sections.
 
 

1. Personal web pages

Directories for personal web sites are generated automatically on www.mssl.ucl.ac.uk for MSSL staff and students who have an account on the central Linux cluster (that does not have to be your preferred system).

The URL of your web site is (note the tilde):-

http://www.mssl.ucl.ac.uk/~your_mssl_username
This maps to the central Linux cluster filesystem directory
/disk/www/your_mssl_username/
which is accessible for read and write from the central Linux cluster.

Your homepage is

/disk/www/your_mssl_username/index.html
Once your homepage exists it will be indexed automatically (overnight) at http://www.mssl.ucl.ac.uk/userpages

Note that anything in or below the directory

/disk/www/your_mssl_username/mssl_only
cannot be accessed from outside the mssl.ucl.ac.uk domain.

Similarly, anything in or below the directory

/disk/www/your_mssl_username/ucl_only
cannot be accessed from outside the ucl.ac.uk domain.
 

1a. Password protection of pages

The web server supports a very simple password protection mechanism. If you need to restrict access in this way supply with the name of the directory and the password required. (We protect directories, not individual files.)
 

1b. Encryption of pages

The web server supports encryption using the Secure Sockets Layer (SSL). Encryption results in a significant CPU overhead and should only be used to protect sensitive material (and passwords). It is not sensible to use encryption unless access to pages is restricted by IP address or by passwords.
 
 

2. 'Official' departmental and project pages

Pages can only be updated by logging onto www.mssl.ucl.ac.uk; an account for this system is required. The URLs have the form (NB no ~):-
http://www.mssl.ucl.ac.uk/www_username
This maps to the local filesystem directory
/home/html/www_username
Note that the homepage is
/home/html/www_username/index.html
and that anything in or below the directory
/home/html/www_username/mssl_only
cannot be accessed from outside the mssl.ucl.ac.uk domain.

Similarly, anything in or below the directory

/home/html/www_username/ucl_only
cannot be accessed from outside the ucl.ac.uk domain.
 

2a. Password protection of pages

The web server supports a very simple password protection mechanism. If you need to restrict access in this way supply with the name of the directory and the password required. (We protect directories, not individual files.)
 

2b. Encryption of pages

The web server supports encryption using the Secure Sockets Layer (SSL). Encryption results in a significant CPU overhead and should only be used to protect sensitive material (and passwords). It is not sensible to use encryption unless access to pages is restricted by IP address or by passwords.
 
 

3. Temporary, outgoing anonymous ftp area

Access this from a Linux cluster system by writing into the directory:-
/disk/ftp/pub/your_group/your_mssl_username/
    e.g. /disk/ftp/pub/xray/pal/

The Linux command to list your group(s) is

id -gn

/disk/ftp is the default directory seen by user anonymous after ftp login on ftp.mssl.ucl.ac.uk. Note that the subdirectory incoming will not be accessible (see section 4).

Files will be deleted automatically from this temporary area (currently after 14 days).
 
 

4. Temporary, incoming anonymous ftp area

The external ftp user should log on to ftpin.mssl.ucl.ac.uk as user anonymous then
cd your_group
e.g.   cd solar

and upload. Note that anonymous ftp users cannot read from the incoming area.

DO NOT CREATE OR USE SUBDIRECTORIES as they will not be readable. This is to avoid misuse by third parties.

You can access the files from the central Linux cluster as directory:-

/disk/ftp/incoming/your_group/

Files will be deleted automatically from this temporary area (currently after 7 days).
 

5. Project ftp area

This area is visible to anonymous ftp users on ftp.mssl.ucl.ac.uk as the projects subdirectory and by MSSL Unix users as /disk/ftp/projects/. Some project areas are password protected. Some are maintained by interactive logon; others by NFS access.
 
 

6. Samba access to /disk/www and /disk/ftp

These disks are accessible using Samba by mapping onto network drives dsk_www and dsk_ftp.
 
 

7. Passive and active ftp

7.1 What's the difference?

Ftp uses one network connection for control and a second for data transfer. In 'active' mode the data connection is inbound to the server onto a well defined TCP port (port 20). 'Passive' mode uses a random source and a random destination port number. Active mode is easy to firewall. Passive mode is harder and requires a "stateful" firewall.

7.2 Why should I care?

Some ftp clients support only active mode; other clients default variously to active or passive mode. Firewalls generally restrict active and passive mode ftp differently; some prohibit one or the other. If you experience problems you need to know which mode you are trying to use.

7.3 Firewalls and passive and active ftp

The MSSL firewall allows all outbound ftp (i.e. ftp initiated at MSSL). It allows inbound (initiated at remote sites) active and passive ftp to a small number of servers (currently ftp, ftpin, mssls7 and msslsc). Note that remote firewalls may impose additional restrictions.

7.4 Using active and passive ftp

A successful active mode file transfer looks something like
>ftp ftp.mssl.ucl.ac.uk
Connected to mssllw.mssl.ucl.ac.uk.
Name (mssllw:pal): USERNAME
331 Password required for USERNAME
Password:
230 User USERNAME logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp > cd WHEREVER
ftp> put FILENAME
local: FILENAME remote: FILENAME
200 PORT command successful.

Active mode failure would be suggested by
ftp> put FILENAME
ftp: connect: Connection timed out

If you were attempting to connect to ftp.mssl.ucl.ac.uk there is probably a firewall restriction on active mode ftp at the REMOTE site (i.e. not MSSL). Note though that only some MSSL ftp servers are accessible through the firewall - see above.

If passive mode is being invoked you should see
ftp> put FILENAME
local: FILENAME remote: FILENAME
227 Entering Passive Mode (144,82,100,160,178,0)

Passive mode failure would be suggested by
227 Entering Passive Mode (144,82,100,160,178,19)
ftp: connect: Connection timed out

If you are failing to connect to ftp.mssl.ucl.ac.uk there is probably a firewall restriction on passive ftp at the REMOTE site (viz. not MSSL).

If active or passive mode fails, try the other. If both fail consult the remote computing service about their firewall restrictions. To toggle between active and passive mode:
ftp> passive
Passive mode on.
ftp> put FILENAME


ftp> passive
Passive mode off.
ftp> put FILENAME

A response of '?Invalid command' means the client does not support passive mode. Your hosts may be able to offer an alternative system.

If ftp initiated at MSSL fails, the cause is probably a firewall restriction at the remote site.
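
An added example, not part of the original note: the six numbers in a 227 reply are the server's IP address followed by the data port as two bytes (port = p1*256 + p2), so a failed passive transfer like the one in section 7.4 can be reported to a firewall administrator as a concrete address and port. The function names are hypothetical, and the sample transcripts are the ones shown in section 7.4.

```python
import re

# RFC 959 reply 227 carries six decimal bytes: h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

# Transcripts copied from section 7.4 of this note.
ACTIVE_OK = ("ftp> put FILENAME\nlocal: FILENAME remote: FILENAME\n"
             "200 PORT command successful.\n")
ACTIVE_FAIL = "ftp> put FILENAME\nftp: connect: Connection timed out\n"
PASSIVE_FAIL = ("ftp> put FILENAME\nlocal: FILENAME remote: FILENAME\n"
                "227 Entering Passive Mode (144,82,100,160,178,19)\n"
                "ftp: connect: Connection timed out\n")


def decode_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("227 reply field out of range: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def diagnose(transcript):
    """Classify a client transcript the way section 7.4 reads it."""
    mode, endpoint, timed_out = "unknown", None, False
    for raw in transcript.splitlines():
        line = raw.strip()
        pasv = decode_pasv(line)
        if pasv:
            mode, endpoint = "passive", pasv
        elif line.startswith("200 PORT"):
            mode = "active"
        elif "Connection timed out" in line:
            timed_out = True
    # Per section 7.4, a timeout with no 227 reply suggests active mode failed.
    if timed_out and mode == "unknown":
        mode = "active"
    return {"mode": mode, "endpoint": endpoint, "timed_out": timed_out}


if __name__ == "__main__":
    for name, text in (("active ok", ACTIVE_OK), ("active fail", ACTIVE_FAIL),
                       ("passive fail", PASSIVE_FAIL)):
        print(name, diagnose(text))
```

When asking a remote computing service about their firewall, quote the mode and, for passive failures, the decoded address and port.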