jason @ he

The Server

The first article introduced far too many topics far too fast. Let's step back and look at the server.

Your User

You are given a user account on a server. The account holds your files. Certain files within the account make up the website. A username and password are needed to log into the server. HE Support can help with forgotten credentials. Call us at 510-580-4100.

Home Folder Contents

When you log into the server (not your website's login, but the server itself), you are brought to your user's home folder. It is located at /home/example_user/, where "example_user" is your user name. The folder can be shortened to ~/. Tilde means the current user's home folder.

The home folder contains the webroot folder. More on that is below.

The home folder has configuration files such as user preferences for VIM, SpamAssassin, and other software. It also has scripts that run when the user logs in, scripts that run when mail is received, and scripts that the user can run by hand.

Software can be installed into the home folder. It is the only location on the server where the user is allowed to install anything.

If a file or folder in the home folder is unfamiliar, it is best to leave it alone. Many of the files in the home folder will become familiar over time.

The Platform

Operating System

The V3 server platform uses the latest stable Ubuntu LTS release. Ubuntu is a flavor of Linux. LTS stands for Long Term Support and means that the Ubuntu team will keep it secure and up-to-date for the long term. HE Support can help you to identify your server version. V1s and V2s should inquire right away about the free conversion to a V3.

Fileserver

The server uses Apache to serve the files that make your site. Apache is popular because it allows many configuration options to be set in a file called ".htaccess", giving developers the ability to customize without the help of a server administrator.

Database

There are files in the account that make up the MySQL database. There is no need to access those files directly; they should only be accessed through a MySQL client. Accessing the database requires a username and password. HE Support can help you log in.

Language

There are executables on the server for scripting. The most popular for websites is PHP, but Python, Perl, and Ruby are other options. The server uses an Apache module to run PHP. Python, Perl, and Ruby run through the Common Gateway Interface (CGI).

Stack

The stack is the architecture that runs the website. It consists of an operating system (OS), fileserver, database, and scripting language. This stack is called a LAMP stack.

(L)inux

(A)pache

(M)ySQL

(P)HP

Webroot

The website's files go in the webroot. While the home folder keeps files private, the webroot is very very public. Files in the webroot can be accessed by anyone with an internet connection.

HTTP vs. HTTPS

There are actually two webroots: one for HTTP and one for HTTPS. HTTP requests are served out of ~/public_html. HTTPS requests are served from ~/secure_html. HTTPS requests are encrypted, and browsers will show the lock icon for requests that meet their security standards.

Apple, Google, Microsoft, and Mozilla make the browsers that brand your site with a "secure" icon, and that is a good endorsement to have. I highly recommend serving all content out of ~/secure_html so that your site earns that "secure" status from the browser.

Handling HTTP vs HTTPS

Bandwidth will always be a concern for websites, but with today's bandwidth and improvements in the security algorithms themselves, the difference in data transferred between HTTP and HTTPS is negligible. Serving HTTP and HTTPS separately is supported; however, best practice is to always force HTTPS. Don't let a silly mistake expose a client's sensitive information to eavesdroppers.

Forcing HTTPS (Recommended)

This is the best option because it always uses HTTPS and is simple.

First make ~/public_html and ~/secure_html the same folder by replacing secure_html with a symbolic link to public_html. If the command fails, make sure the ~/secure_html folder is empty: rmdir only removes an empty folder, which is what keeps the command from deleting files you still need.

cd ~ && rmdir secure_html && ln -s public_html secure_html

Then use ~/public_html/.htaccess to redirect any HTTP requests to HTTPS.

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R=301,L]

There are many ways to force HTTPS. The above uses Apache's RewriteEngine. %{HTTPS} is a variable that Apache sets to "off" for HTTP requests and "on" for HTTPS requests, so the rewrite only runs on the condition that HTTPS is off. ^(.*) matches any path (in a .htaccess file Apache has already stripped the leading slash), so every page gets a 301 redirect to the same URL using HTTPS. The query string is carried over automatically because the substitution contains no "?".
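The symlink and .htaccess steps above, as an added shell example that is not part of the original article. It assumes the ~/public_html and ~/secure_html layout described here, takes the home folder as an optional argument, and refuses to remove a secure_html that still holds files (the case where the article's one-liner fails).

```shell
#!/bin/sh
# Added example (not from the original article): set up the recommended
# "force HTTPS" layout for an account in a checked, repeatable way.
# Assumes $HOME/public_html and $HOME/secure_html as described above and
# Apache honouring .htaccess inside public_html.

# Point secure_html at public_html. Refuses to touch a non-empty
# secure_html so existing files are never silently orphaned.
# Returns 0 on success or if already linked correctly, 1 otherwise.
link_webroots() {
    home="${1:-$HOME}"
    pub="$home/public_html"
    sec="$home/secure_html"
    [ -d "$pub" ] || { echo "missing $pub" >&2; return 1; }
    if [ -L "$sec" ]; then
        # already a symlink; accept only if it points at public_html
        [ "$(readlink "$sec")" = "public_html" ] && return 0
        echo "$sec links elsewhere: $(readlink "$sec")" >&2; return 1
    fi
    if [ -d "$sec" ]; then
        # rmdir only succeeds on an empty directory (the article's caveat)
        rmdir "$sec" 2>/dev/null || { echo "$sec is not empty" >&2; return 1; }
    fi
    ( cd "$home" && ln -s public_html secure_html )
}

# Append the redirect rules to public_html/.htaccess unless the
# "# Force HTTPS" block is already there, so the function is safe to re-run.
write_force_https() {
    home="${1:-$HOME}"
    ht="$home/public_html/.htaccess"
    if [ -f "$ht" ] && grep -q '^# Force HTTPS' "$ht"; then
        return 0
    fi
    cat >> "$ht" <<'EOF'
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R=301,L]
EOF
}

# Report whether the account is in the forced-HTTPS state:
# secure_html links to public_html and the rewrite condition is present.
forces_https() {
    home="${1:-$HOME}"
    [ "$(readlink "$home/secure_html" 2>/dev/null)" = "public_html" ] &&
        grep -q 'RewriteCond %{HTTPS} off' "$home/public_html/.htaccess" 2>/dev/null
}
```

Run link_webroots and then write_force_https with no argument to apply it to your own account; forces_https is a quick check afterwards.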

Separate HTTP and HTTPS (Not Recommended)

To separate HTTP and HTTPS any files that require HTTPS must be in ~/secure_html and any files that do not must be in ~/public_html. As if keeping track of all that weren't enough, all the links in the code must use the correct protocol. Mistakes will result in 404 errors.

Never count on a user to do anything as expected. If a page is only meant to be accessed over HTTPS, such as a sign-in or a checkout, it must be guarded by code, because inevitably someone will try to submit their credit card information unencrypted over HTTP, and your website will be a hero for ensuring that doesn't happen. More protection will come later in the HSTS article in the advanced section. For now, remember that sensitive information can be exchanged over public channels and it is important for a website developer to protect a user's data. The first step in protecting that data is to always force HTTPS.
