Configuring the Apache Server to Host the HST Server Web UI
The HST Server web UI is a web-based file server that enables clients to access the server file system through a web browser, and transfers files using IBM Aspera Connect. You can set up HTTP fallback to establish HTTP- or HTTPS-based file transfers with clients that don't have FASP connectivity.
-
Locate and open your Apache configuration file.
With administrative account access, open your Apache configuration file in a text editor from the following location, depending on your operating system:
Version | Path
--- | ---
RedHat, CentOS, Fedora | /etc/httpd/conf/httpd.conf
Ubuntu, Debian | /etc/apache2/apache2.conf
SLES | /etc/apache2/httpd.conf
-
Review the ServerName setting.
Locate the ServerName section in httpd.conf and verify that the server name is correct. The following example shows how to set the HST Server domain name or IP address. Set only one.
ServerName www.ConnectServerName.com
ServerName 10.0.0.1
-
Locate the line for UseCanonicalName and verify that it is set to off (default value).
UseCanonicalName off
-
Review or modify your web UI settings.
Add the following section at the end of the configuration file if it is not already there:
#BEGIN_ASPERA
<Directory /opt/aspera/var/webtools>
    AllowOverride All
    Require all granted
</Directory>
<Directory /opt/aspera/var/webtools/scripts>
    AddHandler cgi-script .pl
    SetHandler cgi-script
    Options +ExecCGI
    AllowOverride All
</Directory>
ScriptAlias /aspera/scripts/ "/opt/aspera/var/webtools/scripts/"
Alias /aspera/ "/opt/aspera/var/webtools/"
#END_ASPERA
-
Enable the cgi and the dir modules.
For Debian, SLES, and Ubuntu Linux distributions, run the following commands:
$ sudo a2enmod dir
$ sudo a2enmod cgi
$ sudo a2enmod cgid
For CentOS, Fedora, and RedHat Linux distributions, open httpd.conf and add or uncomment the following lines:
LoadModule dir_module modules/mod_dir.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
After modifying the Apache configuration file, save and close it.
-
Configure Apache authentication for the system user on the HST Server.
In addition to SSH authentication, HST Server uses Apache's authentication to authorize web UI access. To set up a system user (asp1 in this example) for Apache authentication, run the htpasswd command below.
Note: On the first run of htpasswd, you must use the -c option to create the file for credential storage, webpasswd. Do not use the -c option otherwise, because it overwrites the existing file.
# htpasswd [-c] /opt/aspera/etc/webpasswd asp1
Note: If you have Apache 2.4.4, you may get authentication errors when trying to provide a password to view the site. As a workaround, run htpasswd with the -b option and enter the password on the command line as follows:
# htpasswd -b /opt/aspera/etc/webpasswd asp1 password
A password passed with -b is recorded in the shell history and is visible in the process list while the command runs.
-
Configure SSL. (Optional)
For instructions on generating an RSA Private Key, a Certificate Signing Request (CSR), and an optional self-signed certificate by using OpenSSL, see Create an SSL Certificate (Apache).
Once you create your private key and Certificate (or you are using the unsigned Certificate provided by Aspera), see Enable SSL (Apache).
-
Disable SELinux (RedHat, CentOS, and Fedora only).
SELinux (Security-Enhanced Linux), an access control implementation, can affect web UI access. To disable SELinux, see Disabling SELinux.
-
Restart your Apache web server.
Linux OS | Restart Command
--- | ---
Debian 8 or newer, Ubuntu 15.04 or newer | $ systemctl restart apache2.service
CentOS 7 or newer, RHEL 7 or newer | $ systemctl restart httpd.service
Debian 7 or older, Ubuntu 14.10 or older | $ sudo service apache2 restart
CentOS 6, RHEL 6 | $ sudo service httpd restart
-
Enable system-level security.
Enabling system-level security allows the web UI to accurately display users' files and show or hide controls depending on users' permissions (this includes the delete and make directory functions). To enable system-level security, run the following command (as root) in a Terminal window:
$ sudo /opt/aspera/sbin/enablesecure enable
Once the script is executed, you are prompted to input the name of the Apache user.
User running apache (default apache):
Based on your input, the script generates text similar to the following. Use visudo to copy-and-paste the generated text into your /etc/sudoers file. In the following example output, apache is the account that is running Apache and /opt/aspera is the Aspera installation directory.
Important: Do not paste the example output shown below into your sudoers file. Paste the output generated when you ran the enablesecure script as described above.
# BEGIN IBM Aspera High-Speed Transfer Server
# The user account that runs the web server will impersonate
# the logged-in user to present that user's files and folders.
Defaults env_keep += "SERVER_NAME REQUEST_URI REQUEST_METHOD REMOTE_USER QUERY_STRING CONTENT_LENGTH SESSION_ID CSRF_TOKEN"
Defaults:apache !requiretty
apache ALL=(ALL) NOPASSWD: /opt/aspera/var/webtools/scripts/aspera-dirlist.pl, SETENV: /opt/aspera/var/webtools/scripts/aspera-dirlist.pl
# END IBM Aspera High-Speed Transfer Server
Note: Once secure permissions are enabled, users see the Delete and Create Folder buttons, allowing them to remove files and create directories on the server (within their docroot). To hide the Delete and Create Folder buttons, update the web UI configuration parameters EnableDelete and EnableCreateFolder, respectively. See Configuring your Web UI Settings for details.
To disable the secure permissions, run the enablesecure script again with the argument disable.
# /opt/aspera/sbin/enablesecure disable
-
Verify that cookies are enabled in the client Web browsers.
Note: Cookies must be enabled in client browsers. Otherwise, they might get an error message when they attempt to access the HST Server web UI.
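
The settings made in the steps above can be checked before Apache is restarted with a short script. The following is an added example, not part of the original documentation or of the Aspera tooling: the function names are hypothetical, and the sample configuration and sudoers text are constructed from the values shown on this page.

```sh
#!/bin/sh
# Added example: checks for the settings made in the steps above.
# Function names are hypothetical, not part of the Aspera tooling.

# Print active lines: leading whitespace stripped, comments and blanks dropped.
active_lines() { sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"; }

# Exactly one ServerName is set in the file ("Set only one").
check_servername() {
    n=$(active_lines "$1" | grep -ci '^ServerName[[:space:]]' || true)
    [ "$n" -eq 1 ]
}

# UseCanonicalName is off (an absent directive passes: off is the default).
check_canonical() {
    ! active_lines "$1" | grep -i '^UseCanonicalName[[:space:]]' |
        grep -qiv '[[:space:]]off[[:space:]]*$'
}

# The #BEGIN_ASPERA..#END_ASPERA section has both aliases and the CGI option.
check_aspera_block() {
    block=$(sed -n '/^#BEGIN_ASPERA/,/^#END_ASPERA/p' "$1" | sed '/^[[:space:]]*#/d')
    for want in 'ScriptAlias /aspera/scripts/ ' 'Alias /aspera/ ' 'Options +ExecCGI'; do
        printf '%s\n' "$block" | grep -qF -- "$want" || return 1
    done
}

# Every command that sudoers file $1 grants to account $2 is exactly script $3.
check_sudoers_scope() {
    active_lines "$1" | grep "^$2[[:space:]]" | sed 's/^[^=]*=([^)]*)//' |
        tr ',' '\n' | sed 's/^[[:space:]]*\([[:upper:]]*:[[:space:]]*\)*//' |
        awk -v want="$3" 'NF { seen = 1; if ($1 != want) bad = 1 }
                          END { exit (bad || !seen) }'
}

# Constructed sample input (not taken from a real server).
CONF=$(mktemp); SUDO=$(mktemp); trap 'rm -f "$CONF" "$SUDO"' EXIT
printf '%s\n' 'ServerName 10.0.0.1' 'UseCanonicalName off' '#BEGIN_ASPERA' \
    '<Directory /opt/aspera/var/webtools/scripts>' 'Options +ExecCGI' '</Directory>' \
    'ScriptAlias /aspera/scripts/ "/opt/aspera/var/webtools/scripts/"' \
    'Alias /aspera/ "/opt/aspera/var/webtools/"' '#END_ASPERA' > "$CONF"
DIRLIST=/opt/aspera/var/webtools/scripts/aspera-dirlist.pl
printf '%s\n' 'Defaults:apache !requiretty' \
    "apache ALL=(ALL) NOPASSWD: $DIRLIST, SETENV: $DIRLIST" > "$SUDO"

for c in check_servername check_canonical check_aspera_block; do
    if "$c" "$CONF"; then echo "PASS $c"; else echo "FAIL $c"; fi
done
if check_sudoers_scope "$SUDO" apache "$DIRLIST"; then echo "PASS sudoers"; else echo "FAIL sudoers"; fi
```

On a server, point the first three functions at the Apache configuration file for your distribution and the last one at a saved copy of the text generated by enablesecure before pasting it in with visudo.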