[OpenAFS] Using OpenAFS with Web Servers

Cees de Groot cg@cdegroot.com
19 Mar 2002 21:49:16 +0100


Jason Garman <jgarman@wedgie.org> said:
>I haven't personally tried this, but I'm itching to set up a system like
>this for someone.  It seems like the absolute perfect solution for large
>web sites. 
>
The only problem I see (and what has kept me so far from moving our Apache
hosting environment from NFS to AFS) is security. What I would like to have is
that the user gets a volume with r/w permissions, but the webserver to have
generally r/o permission to the files. That's easily done with ACL's, but what
when a user wants to store e.g. output from CGI scripts into files? For
example, some simple content management system that lets you enter a text in a
CGI script and then dumps a new static HTML file in the server area? I haven't
been able to find a good (secure) solution for that that doesn't involve
teaching FrontPage users to interact with AFS... I'd appreciate any insights
on this issue.

Apart from that, I think it's good for my environment (lots of small,
low traffic, websites in a mass virtual hosting environment - AFS
excels in letting me move storage around, helps with backups, good
user/rights management, offloads our webserver/storage LAN through
caching, and as a bonus I could give clients direct AFS access), but for
a single high-volume website on dedicated servers I would probably look 
into the netblock-device based replicated filesystems (like drbd -
http://www.complang.tuwien.ac.at/reisner/drbd/, AFAIK it is possible here
to have a drbd block device r/w on the primary and r/o on the secondary
server) or check out GFS. Best of both worlds could be AFS on top of GFS...


-- 
Cees de Groot               http://www.cdegroot.com     <cg@cdegroot.com>
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD  1986 F303 937F E098 9E8B