Web Hosting

From CSCWiki
Latest revision as of 09:25, 31 October 2022

The CSC offers web hosting for clubs and our members in accordance with our Machine Usage Agreement. This is a quick guide for the kinds of hosting we offer on our webserver, csclub.uwaterloo.ca, also known as caffeine.

We run an Apache httpd webserver and we offer you the use of a MySQL database.

What can I host on my website?

Web hosting is provided in accordance with the CSC Machine Usage Agreement. As a reminder, you are not permitted to host any of the following:

  • Ads. Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
  • Your start-up's website. Again, commercial use of our hosting is not permitted.
  • Unauthorized copyrighted materials. Violating the law is a violation of our Machine Usage Agreement.

Please note that this is not an exhaustive list. Websites may be taken down without notice at the discretion of the Systems Committee. (We will always let you know that we took your site down, but if it is breaking our shared environment, we can't provide an advance warning.)

Some great examples of things members host on our webserver:

  • A personal website or blog!
  • Club websites!

How do I make a website?

If you just want to show some static content (e.g. blog posts, club information, technical articles), then we recommend that you use a static site generator (SSG). Static sites are faster, simpler and more secure than CMSs like WordPress (dynamic and written in PHP) for small sites. We routinely disable WordPress sites that are more than a few weeks out of date (or if a critical security flaw is disclosed).

Here are some SSGs which require little to no coding experience, and also have a great selection of themes to choose from:

  • Jekyll (accepts Markdown, Liquid and HTML)
  • Hugo (accepts a wide variety of formats, including Markdown and JSON)
  • Hexo (accepts Markdown and various Javascript-based templating engines)
  • Eleventy (accepts Markdown, Liquid, HTML, and various Javascript-based templating engines)
  • Zola (accepts Markdown and Tera)
  • Pelican (accepts Markdown, reStructuredText and Jinja2)

Astro is an excellent static site builder which integrates with a wide variety of JS-based frameworks (including React, Vue, Svelte and Solid), but requires a bit more coding experience.

These SSGs require some experience with React.js:

  • Next.js
  • Gatsby.js

These SSGs require some experience with Vue.js:

  • Nuxt.js
  • Vuepress
  • Vitepress
  • Gridsome

https://jamstack.org/generators/ is an awesome list of other generators to explore, if you are interested.

Transferring your files to the CSC servers

If you just need to transfer a single file, then the easiest option is to use the scp command (which is available on all major operating systems), e.g.

 scp /path/to/your/file your_username@corn-syrup.csclub.uwaterloo.ca:~/

This will copy /path/to/your/file from your local PC to your CSC home directory (we use NFS, so you can access it from any of the general-use machines).

However, we strongly recommend setting up a git repository in your home directory instead.

Setting up a git repository

All of the files in the www directory in your home directory are accessible from csclub.uwaterloo.ca/~your_username. If everything is set up right, this can provide a GitHub Pages-like experience.

  1. Create a "bare" git repository (on the CSC machines). You will git push/pull from this directory.
    • For members:
      Create it in your home directory:
      mkdir myrepo.git
      cd myrepo.git
      git init --bare
      
    • For club reps:
      Switch to the Unix user for your club, and use the --shared option to automatically add group write permissions.
      become_club myclub
      cd ~
      mkdir myrepo.git
      cd myrepo.git
      git init --bare --shared
      
  2. Create a git post-receive hook which will automatically deploy your website whenever you git push. Paste the following script into hooks/post-receive (in the bare repo you created earlier). You may wish to customize it a bit first.
    #!/bin/bash
    
    # Abort on the first failing command, and treat unset variables as errors so an
    # empty DEPLOYMENT_DIR can never turn the rm -rf below into "rm -rf /*"
    set -eu
    # Uncomment this to echo the commands as they are executed
    #set -x
    # Include dotfiles (e.g. .htaccess) when the old deployment is removed below
    shopt -s dotglob
    # FOR CLUB REPS ONLY: set the following variable to e.g. /users/myclub/www
    DEPLOYMENT_DIR=~/www
    
    while read -r oldrev newrev refname; do
        branch=$(git rev-parse --symbolic --abbrev-ref "$refname")
        # Only the master branch will be deployed
        if [ "$branch" != master ]; then
            continue
        fi
        rm -rf "$DEPLOYMENT_DIR"/*
        git --work-tree="$DEPLOYMENT_DIR" checkout -f "$branch"
        # FOR CLUB REPS ONLY: uncomment the following lines and replace 'myclub'
        # with the Unix group name of your club
        #chgrp -R myclub "$DEPLOYMENT_DIR"
        #chmod -R g+w "$DEPLOYMENT_DIR"
    done
    

    (The script was adapted from https://peteris.rocks/blog/deploy-your-website-with-git/.)

    Make the script executable:

    chmod +x hooks/post-receive
    

    For club reps: Make sure the www directory is group-writable. Switch to the Unix user of your club and run:

    chmod g+w ~/www
    
  3. If you have not done so already, add your public SSH key to your ~/.ssh/authorized_keys file (on the CSC machines). See https://git-scm.com/book/en/v2/Git-on-the-Server-Generating-Your-SSH-Public-Key for a tutorial.
  4. On your local computer, add any CSC machine (see the Machine List wiki page) as a remote of your git repo.
    • For members:
      Just use the directory of your git repo, e.g.
      git remote add csc your_username@corn-syrup.csclub.uwaterloo.ca:myrepo.git
      
    • For club reps:
      Use the full path of the repo in your club user's home directory, e.g.
      git remote add csc your_username@corn-syrup.csclub.uwaterloo.ca:/users/myclub/myrepo.git
      
  5. Now you can just git push normally after a commit, e.g.
    git push csc master
    

    And the files should show up automatically in your www folder (or your club's www folder, if you are a club rep).

  6. If you have any files in your repo which you don't want to be served from your website, use a .htaccess file (https://httpd.apache.org/docs/2.4/howto/htaccess.html) in your www folder (make sure this is committed to the git repo). For example, to deny access to the folder named src (in your www folder), you could use the following snippet:
    RewriteEngine On
    RewriteRule "^src(/.*)?$" - [F,L]
    

    See the Apache documentation (https://httpd.apache.org/docs/2.4/mod/core.html) for more details.

If you need help, email syscom@csclub.uwaterloo.ca or come to the CS Club office on the MC 3rd floor across from the Mathsoc CnD.

DNS and Your Domain Name

You can serve files without any additional configuration by placing them in your www directory and accessing them at http://csclub.uwaterloo.ca/~userid, where userid is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.

Note that this means you do not have to register a domain name to be able to use our services. You can just put a website at http://csclub.uwaterloo.ca/~userid.

uwaterloo.ca Domain Names

If you represent a UWaterloo organization, you may be eligible for a custom uwaterloo.ca domain name, such as csclub.uwaterloo.ca. We can request this on your behalf.

In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, are authorized to request a domain name on their behalf. This all takes place when you request club hosting with the Computer Science Club.

Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain yourdomain.uwaterloo.ca. Assuming it is available, we will file a ticket and request the domain in your name.

Your personal domain name

These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at csclub.uwaterloo.ca.

If you are interested in receiving mail or having other records on your domain, the apex of your domain cannot be a CNAME. If this is the case, then your domain should contain an "A" record of 129.97.134.17 and an (optional, but recommended) "AAAA" record of 2620:101:f000:4901:c5c::caff:e12e.

If you want TLS on your personal domain, mention this in your email to syscom (syscom: see SSL#letsencrypt).
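As an added example (not from the CSC wiki), here is a small check you can run over your intended apex records before emailing syscom: it enforces the DNS rule that a CNAME cannot share the apex with any other record, and this page's rule that the alternative is an A record of 129.97.134.17 plus the optional AAAA record. The (type, value) record format and the sample zones are assumptions made for the example.

```python
"""Added example, not from the CSC wiki: sanity-check the records at a custom
domain's apex against the rules in the section above.  Assumptions: records are
given as (type, value) pairs as they would appear in the zone, and the CSC
addresses are the ones quoted on this page."""
import ipaddress

CSC_HOST = "csclub.uwaterloo.ca"                   # CNAME target from the page
CSC_A = ipaddress.ip_address("129.97.134.17")       # A record from the page
CSC_AAAA = ipaddress.ip_address("2620:101:f000:4901:c5c::caff:e12e")  # AAAA from the page


def parse_addresses(values, errors):
    """Parse address strings, reporting unparseable ones instead of raising."""
    out = set()
    for v in values:
        try:
            out.add(ipaddress.ip_address(v))
        except ValueError:
            errors.append(f"unparseable address {v!r}")
    return out


def check_apex(records):
    """Return (errors, warnings) for the records at the apex of the domain.

    Rule 1 (DNS itself): a CNAME cannot share a name with any other record, so a
    domain that also wants MX or other apex records cannot use the CNAME approach.
    Rule 2 (this page): a CNAME must point at csclub.uwaterloo.ca; otherwise the
    apex needs an A record of 129.97.134.17 and, optionally, the matching AAAA.
    """
    errors, warnings = [], []
    by_type = {}
    for rtype, value in records:
        by_type.setdefault(rtype.upper(), []).append(value.strip())

    cnames = by_type.get("CNAME", [])
    if cnames:
        others = sorted(t for t in by_type if t != "CNAME")
        if others:
            errors.append("CNAME at the apex cannot coexist with "
                          + ", ".join(others) + " records; use A/AAAA instead")
        for target in cnames:
            if target.rstrip(".").lower() != CSC_HOST:
                errors.append(f"CNAME should point at {CSC_HOST}, not {target}")
        return errors, warnings

    a = parse_addresses(by_type.get("A", []), errors)
    aaaa = parse_addresses(by_type.get("AAAA", []), errors)
    if a != {CSC_A}:
        errors.append(f"apex A record(s) must be exactly {CSC_A}")
    if not aaaa:
        warnings.append(f"no AAAA record; {CSC_AAAA} is optional but recommended")
    elif aaaa != {CSC_AAAA}:
        errors.append(f"apex AAAA record(s) must be exactly {CSC_AAAA}")
    return errors, warnings


# Constructed sample zones for the two approaches described on the page
CNAME_ZONE = [("CNAME", "csclub.uwaterloo.ca.")]
MAIL_ZONE = [("A", "129.97.134.17"),
             ("AAAA", "2620:101:f000:4901:c5c::caff:e12e"),
             ("MX", "10 mail.example.net.")]
```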

Static Sites

You can place all your static content into your web directory, /users/userid/www.

If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:

 <VirtualHost *:80>
 	ServerName foobar.uwaterloo.ca
 	ServerAlias *.foobar.uwaterloo.ca foobar
 	ServerAdmin your@email.here.tld
 
 	DocumentRoot /users/userid/www/
 
 	ErrorLog /var/log/apache2/luser-userid-error.log
 	CustomLog /var/log/apache2/luser-userid-access.log combined
 </VirtualHost>

Dynamic Sites

If you require use of a database, we offer you the sole choice of MySQL. See this guide for how to create your database and connect to MySQL.

***NOTICE***

 We STRONGLY discourage the use of content management systems such as
 WordPress. These packages are notorious for the number of security
 vulnerabilities they contain and pose a threat to our systems if they are not
 kept up to date. The Systems Committee WILL, at its discretion, disable
 any website using a package such as WordPress that is not updated to the latest
 version or that is found to contain exploitable security flaws. In such a case,
 the member or club serving that site will be notified of the termination; the
 site will not be re-enabled until the issues are addressed.

When pages are parked, access to them is restricted to on-campus IPs, so you can still fix your page, but anyone off-campus will not be able to access it, and will be shown this page instead: https://csclub.uwaterloo.ca/~sysadmin/insecure/.

Using PHP

Because we use Apache, it's as simple as placing your index.php file in your /users/userid/www. That's it!

You can even include rewrite rules in an .htaccess file in your web directory.

Reverse Proxy (Python, Ruby, Perl, etc.)

(In progress... Cliff Notes below)

If computationally expensive, please run the server on a general-use server and proxy to Caffeine.

For Python: (1) use a virtual environment (http://docs.python-guide.org/en/latest/dev/virtualenvs/), and (2) host your app (within the virtualenv) with Gunicorn (http://gunicorn.org/) on a high port (but campus-firewalled, i.e. NOT ports 28000-28500).

If Ruby (note: I've never used Ruby, so take this with a grain of salt), use Unicorn (http://unicorn.bogomips.org/) in the same way.

.htaccess Config

Put the following in the appropriate .htaccess file (e.g. if you were running your app at ~ctdalek/python-app, put the .htaccess in ~ctdalek/www/python-app alongside the static files). Replace HOST with localhost if running on Caffeine, or with the hostname if running elsewhere; replace RANDOM_PORT with your chosen port number.

RewriteEngine On

# If you want websockets, uncomment this:
#RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
#RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
#RewriteRule .* ws://HOST:RANDOM_PORT%{REQUEST_URI} [L,P]

RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule "index.html" "http://HOST:RANDOM_PORT/" [P]

RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule "^(.*)$" "http://HOST:RANDOM_PORT/$1" [P]
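As an added example (not part of the CSC wiki page), here is a minimal WSGI application written to sit behind the .htaccess proxy rules above: it listens on localhost only, so Apache on Caffeine is the only thing that can reach it, and it trusts the X-Forwarded-For header that mod_proxy adds only when the TCP peer is that proxy, since anything else could forge it. The module name app, the port 8765 and the /healthz route are assumptions; run it under the virtualenv with gunicorn --bind 127.0.0.1:RANDOM_PORT app:application.

```python
"""Minimal WSGI app for use behind the Apache mod_rewrite [P] proxy described above.

Added example, not part of the CSC wiki page.  Assumptions: it is served by
Gunicorn bound to 127.0.0.1 on a campus-firewalled high port, and Apache on
Caffeine (HOST=localhost in the .htaccess rules) is the only direct client.
"""
import ipaddress
from wsgiref.simple_server import make_server

# Peers allowed to set X-Forwarded-For on our behalf: with HOST set to localhost
# in the .htaccess rules, Apache connects from the loopback address.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def client_ip(environ):
    """Real client address, honouring X-Forwarded-For only from a trusted proxy.

    Apache's mod_proxy appends the address it saw to X-Forwarded-For.  A client
    that reaches the backend directly could forge that header, so it is used
    only when the TCP peer (REMOTE_ADDR) is one of TRUSTED_PROXIES.
    """
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and forwarded:
        # The proxy appends its own observation last; earlier entries are untrusted.
        candidate = forwarded.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)


def application(environ, start_response):
    """WSGI entry point: a tiny routing table plus a 404 for anything else."""
    path = environ.get("PATH_INFO", "/")
    text = [("Content-Type", "text/plain; charset=utf-8")]
    if path == "/":
        status, body = "200 OK", f"hello, client {client_ip(environ)}\n"
    elif path == "/healthz":
        status, body = "200 OK", "ok\n"
    else:
        status, body = "404 Not Found", "not found\n"
    data = body.encode("utf-8")
    start_response(status, text + [("Content-Length", str(len(data)))])
    return [data]


def call(environ):
    """Invoke the app once and return (status, body); used for offline testing."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    # Stand-alone development run; in production use gunicorn bound the same way.
    # 8765 is a placeholder for your chosen RANDOM_PORT.
    with make_server("127.0.0.1", 8765, application) as httpd:
        httpd.serve_forever()
```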

Requiring Authentication

**UPDATE**: CAS is deprecated; the instructions below are left for historical purposes only. The University of Waterloo now uses ADFS for web authentication. Unfortunately the Apache module which we use to integrate with ADFS (mod_auth_mellon) cannot be used from .htaccess files, which means that regular members cannot use this. (https://github.com/latchset/mod_auth_mellon/issues/82 is the relevant GitHub issue; as of this writing, it is still open.) If you require UW authentication for your website, please send an email to syscom and we will configure Apache for you.

CAS (no longer works)

You can require users to authenticate through the University's Central Authentication System (CAS) by adding the following contents to your .htaccess configuration file:

AuthType CAS
Require valid-user

You can replace `Require valid-user` with `Require user ctdalek` to restrict to specific users. See https://doubledoublesecurity.ca/uw/cas/user.html for more information.

Syscom

Disabling insecure or infringing sites

To disable a webspace that has known security vulnerabilities, add the following snippet to `/etc/apache2/conf-available/disable-vuln-site.conf`. This rewrites all accesses of the directory or its children to the given file. Note that our disable page always returns HTTP status code 503 (Service Unavailable).

<Directory /users/$BADUSER/www>
    AllowOverride None
    Redirect 503 /
    ErrorDocument 503 /~sysadmin/insecure/index.html
</Directory>

For infringing sites:

<Directory "/users/$BADUSER/www/infringing-directory">
   AllowOverride None
   Redirect 503 /
   ErrorDocument 503 /~sysadmin/infringing/index.html
</Directory>

For club domains (e.g. club1.uwaterloo.ca), redirect to the CSC domain instead:

<Directory "/users/$BADCLUB/www">
  AllowOverride None
  RewriteEngine On
  RewriteRule . https://csclub.uwaterloo.ca/~sysadmin/insecure/index.php [L,P]
</Directory>

For WordPress sites specifically, insert a snippet similar to the following into conf-enabled/disable-wordpress.conf:

<Directory "/users/$BADCLUB/www">
  Include snippets/disable-wordpress.conf
</Directory>

Expired Websites

There is a cron job running hourly on caffeine which disables expired members' websites (and re-enables them when they've renewed their membership).

The script is here: https://git.csclub.uwaterloo.ca/public/expire-sites

Some highlights:

  • The script provides a 1-month grace period (corresponding to the grace period of pam-csc)
  • The expired page returns HTTP status code of 503 (Service Unavailable)
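As an added illustration of what the hourly job has to decide (this is not the CSC's expire-sites script, whose source is linked above), the code below applies the 1-month grace period to constructed membership records and emits the same kind of 503 <Directory> snippet used in the disable configs above. The (username, expiry date) record shape, the 30-day grace value, the username pattern and the expired-page path are assumptions.

```python
"""Added example, not the CSC's expire-sites script: decide which member
webspaces should be parked and render the 503 snippet for them.
Assumptions: membership records are (username, expiry_date) pairs, the grace
period is 30 days, usernames are lowercase POSIX-style names, and the expired
page path is a placeholder (the page does not give it)."""
import re
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=30)                    # 1-month grace, matching pam-csc
EXPIRED_PAGE = "/~sysadmin/expired/index.html"      # assumed path, not given on the page
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")  # assumed username policy


def is_expired(expiry, today):
    """True once the membership expiry plus the grace period has passed."""
    return today > expiry + GRACE_PERIOD


def sites_to_disable(members, today):
    """members: iterable of (username, expiry_date). Returns sorted usernames to park.

    Usernames are validated before they are interpolated into an Apache config,
    so a malformed record can never turn into an unexpected <Directory> path.
    """
    out = []
    for user, expiry in members:
        if not USERNAME_RE.match(user):
            raise ValueError(f"refusing to write unsafe username into Apache config: {user!r}")
        if is_expired(expiry, today):
            out.append(user)
    return sorted(out)


def disable_snippet(user):
    """The same 503 pattern the page uses for insecure sites, for one member."""
    return (
        f"<Directory /users/{user}/www>\n"
        f"    AllowOverride None\n"
        f"    Redirect 503 /\n"
        f"    ErrorDocument 503 {EXPIRED_PAGE}\n"
        f"</Directory>\n"
    )


def render_config(members, today):
    """Full contents of the conf file.

    It is regenerated on every run, so a member who renews (expiry moves into
    the future) simply drops out of the file and is re-enabled on the next reload.
    """
    return "".join(disable_snippet(u) for u in sites_to_disable(members, today))


# Constructed sample data; "today" matches this page's revision date.
SAMPLE_MEMBERS = [
    ("alice", date(2022, 9, 1)),    # expired more than a month ago -> parked
    ("bob", date(2022, 10, 15)),    # expired, but still within the grace period
    ("carol", date(2023, 4, 30)),   # active
]
TODAY = date(2022, 10, 31)
```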

Sample Apache config for website with both a custom domain and a UW subdomain

Define ENTITY_NAME pmclub
Define CUSTOM_DOMAIN puremath.club
Define UW_SUBDOMAIN ${ENTITY_NAME}.uwaterloo.ca
Define ADMIN_EMAIL ${ENTITY_NAME}@csclub.uwaterloo.ca
Define ENTITY_HOME https://csclub.uwaterloo.ca/~${ENTITY_NAME}

Define APACHE_LOG_DIR /var/log/apache2
Define ERROR_LOG ${APACHE_LOG_DIR}/${ENTITY_NAME}-error.log
Define CUSTOM_LOG "${APACHE_LOG_DIR}/${ENTITY_NAME}-access.log combined"

<VirtualHost *:80>
	ServerName ${CUSTOM_DOMAIN}
	ServerAlias *.${CUSTOM_DOMAIN} ${UW_SUBDOMAIN} *.${UW_SUBDOMAIN} ${ENTITY_NAME}
	ServerAdmin ${ADMIN_EMAIL}

	Redirect permanent / https://${CUSTOM_DOMAIN}/

	ErrorLog ${ERROR_LOG}
	CustomLog ${CUSTOM_LOG}
</VirtualHost>

<VirtualHost csclub:443>
	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/${CUSTOM_DOMAIN}/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/${CUSTOM_DOMAIN}/privkey.pem
	SSLStrictSNIVHostCheck on

	ServerName ${CUSTOM_DOMAIN}
	ServerAlias *.${CUSTOM_DOMAIN}
	ServerAdmin ${ADMIN_EMAIL}

	DocumentRoot /users/${ENTITY_NAME}/www

	ErrorLog ${ERROR_LOG}
	CustomLog ${CUSTOM_LOG}

	Redirect permanent /<special page> ${ENTITY_HOME}/<special path>/<special file>
</VirtualHost>

<VirtualHost csclub:443>
	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/${UW_SUBDOMAIN}/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/${UW_SUBDOMAIN}/privkey.pem
	SSLStrictSNIVHostCheck on

	ServerName ${UW_SUBDOMAIN}
	ServerAlias *.${UW_SUBDOMAIN}
	ServerAdmin ${ADMIN_EMAIL}

	Redirect permanent / https://${CUSTOM_DOMAIN}/

	ErrorLog ${ERROR_LOG}
	CustomLog ${CUSTOM_LOG}
</VirtualHost>