Web Hosting
The CSC offers web hosting for clubs and our members in accordance with our Machine Usage Agreement. This is a quick guide for the kinds of hosting we offer on our webserver, csclub.uwaterloo.ca, also known as caffeine.
We run an Apache httpd webserver and we offer you the use of a MySQL database.
What can I host on my website?
Web hosting is provided in accordance with the CSC Machine Usage Agreement. As a reminder, you are not permitted to host any of the following:
- Ads. Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
- Your start-up's website. Again, commercial use of our hosting is not permitted.
- Unauthorized copyrighted materials. Violating the law is a violation of our Machine Usage Agreement.
Please note that this is not an exhaustive list. Websites may be taken down without notice at the discretion of the Systems Committee. (We will always let you know that we took your site down, but if it is breaking our shared environment, we can't provide an advance warning.)
Some great examples of things members host on our webserver:
- Academic projects!
- A personal website or blog!
- Club websites!
How do I make a website?
If this is your first time making a website, this section may be useful to you.
To build your website, CS Club suggests you use http://blog.getpelican.com/ (Python) or https://jekyllrb.com/ (Ruby). They generate static sites and are faster, simpler and more secure than CMSs like WordPress (dynamic and written in PHP) for small sites. We routinely disable WordPress sites that are more than a few weeks out of date (or if a critical security flaw is disclosed).
You can transfer files to the CS Club via SFTP. On Windows, use https://winscp.net/eng/index.php; on OS X, use https://cyberduck.io/?l=en; Linux users can access SFTP directly by using ssh:// URLs in their GUI file managers. You can use SSH for direct shell access: just run ssh ctdalek@corn-syrup.csclub.uwaterloo.ca, or look at https://wiki.csclub.uwaterloo.ca/Machine_List for our other machines. Please do not connect to caffeine (the actual web server) unless you need to debug code. You can also just create your site on our servers or in our office to avoid having to shuffle files around. Your home directory is distributed everywhere via NFS. Bonus points if you use Git to sync your own computer with our servers; if you do this, we recommend using git.uwaterloo.ca as your upstream repository.
If you need help, email syscom@csclub.uwaterloo.ca or come to the CS Club office on the MC 3rd floor across from the Mathsoc CnD.
DNS and Your Domain Name
You can serve files without any additional configuration by placing them in your www directory and accessing them at http://csclub.uwaterloo.ca/~userid, where userid is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.
Note that this means you do not have to register a domain name to be able to use our services. You can just put a website at http://csclub.uwaterloo.ca/~userid.
uwaterloo.ca Domain Names
If you represent a UWaterloo organization, you may be eligible for a custom uwaterloo.ca domain name, such as csclub.uwaterloo.ca. We can request this on your behalf.
In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, are authorized to request a domain name on their behalf. This all takes place when you request club hosting with the Computer Science Club.
Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain yourdomain.uwaterloo.ca. Assuming it is available, we will file a ticket and request the domain in your name.
Your personal domain name
These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at csclub.uwaterloo.ca.
If you are interested in receiving mail or having other records on your domain, the apex of your domain cannot be a CNAME. If this is the case, then your domain should contain an "A" record of 129.97.134.17 and an (optional, but recommended) "AAAA" record of 2620:101:f000:4901:c5c::caff:e12e.
If you want TLS on your personal domain, mention this in your email to syscom (syscom: see SSL#letsencrypt).
Static Sites
You can place all your static content into your web directory, /users/userid/www.
If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:
    <VirtualHost *:80>
        ServerName foobar.uwaterloo.ca
        ServerAlias *.foobar.uwaterloo.ca foobar
        ServerAdmin your@email.here.tld
        DocumentRoot /users/userid/www/
        ErrorLog /var/log/apache2/luser-userid-error.log
        CustomLog /var/log/apache2/luser-userid-access.log combined
    </VirtualHost>
Dynamic Sites
If you require use of a database, we offer you the sole choice of MySQL. See this guide for how to create your database and connect to MySQL.
***NOTICE***
We STRONGLY discourage the use of content management systems such as WordPress. These packages are notorious for the number of security vulnerabilities they contain and pose a threat to our systems if they are not kept up to date. The Systems Committee WILL, at its discretion, disable any website using a package such as WordPress that is not updated to the latest version or that is found to contain exploitable security flaws. In such a case, the member or club serving that site will be notified of the termination; the site will not be re-enabled until the issues are addressed.
Using PHP
Because we use Apache, it's as simple as placing your index.php file in your /users/userid/www. That's it!
You can even include rewrite rules in an .htaccess file in your web directory.
Reverse Proxy (Python, Ruby, Perl, etc.)
(In progress... Cliff Notes below)
If computationally expensive, please run the server on a general-use server and proxy to Caffeine.
If Python, (1) use a virtual environment (2) host your app (within the virtualenv) with Gunicorn on a high port (but campus firewalled, i.e. NOT Ports 28000-28500).
If Ruby (Note, I've never used Ruby so take this with a grain of salt), use Unicorn in the same way.
.htaccess Config
Put the following in the appropriate .htaccess file (e.g. if you were running your app at ~ctdalek/python-app, put the .htaccess in ~ctdalek/www/python-app alongside the static files). Replace HOST with localhost if running on Caffeine or the hostname if running elsewhere; replace RANDOM_PORT with your chosen port number.

    RewriteEngine On

    # If you want websockets, uncomment this:
    #RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    #RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    #RewriteRule .* ws://HOST:RANDOM_PORT%{REQUEST_URI} [L,P]

    RewriteCond %{SCRIPT_FILENAME} !-d
    RewriteCond %{SCRIPT_FILENAME} !-f
    RewriteRule "index.html" "http://HOST:RANDOM_PORT/" [P]

    RewriteCond %{SCRIPT_FILENAME} !-d
    RewriteCond %{SCRIPT_FILENAME} !-f
    RewriteRule "^(.*)$" "http://HOST:RANDOM_PORT/$1" [P]
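The Gunicorn listen address and the HOST and RANDOM_PORT values in the .htaccess have to agree. As an added example (not CSC's own tooling), this helper derives both from where the app runs and rejects ports in the 28000-28500 range that the notes above rule out. The function names, the port 31415 and the app:app module are assumptions made for illustration.

```python
"""Added example: derive matching Gunicorn and .htaccess settings for one app."""

WEB_HOST = "caffeine"            # machine running Apache, per the page
EXCLUDED = range(28000, 28501)   # port range the page says NOT to use

# The non-websocket rules from the page, with HOST and RANDOM_PORT as fields.
HTACCESS = """\
RewriteEngine On
RewriteCond %{{SCRIPT_FILENAME}} !-d
RewriteCond %{{SCRIPT_FILENAME}} !-f
RewriteRule "index.html" "http://{host}:{port}/" [P]
RewriteCond %{{SCRIPT_FILENAME}} !-d
RewriteCond %{{SCRIPT_FILENAME}} !-f
RewriteRule "^(.*)$" "http://{host}:{port}/$1" [P]
"""


def check_port(port):
    """Return port if it is unprivileged and outside 28000-28500, else raise."""
    if not 1024 <= port <= 65535:
        raise ValueError(f"{port}: pick an unprivileged port (1024-65535)")
    if port in EXCLUDED:
        raise ValueError(f"{port}: inside 28000-28500, which the page rules out")
    return port


def proxy_settings(app_host, port):
    """Return (gunicorn bind, .htaccess text) for an app running on app_host."""
    check_port(port)
    on_web_host = app_host.split(".")[0] == WEB_HOST
    # Same machine as Apache: listen on loopback only and proxy to localhost.
    # Another machine: Apache connects over the network, so listen on all
    # interfaces and proxy to that machine's hostname.
    listen = "127.0.0.1" if on_web_host else "0.0.0.0"
    target = "localhost" if on_web_host else app_host
    return f"{listen}:{port}", HTACCESS.format(host=target, port=port)


if __name__ == "__main__":
    # 31415 is a constructed port number; app:app is a placeholder module.
    bind, htaccess = proxy_settings("corn-syrup.csclub.uwaterloo.ca", 31415)
    print(f"gunicorn --bind {bind} app:app")
    print(htaccess)
```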
Requiring Authentication
You can require users to authenticate through the University's Central Authentication System (CAS) by adding the following contents to your .htaccess configuration file:
    AuthType CAS
    Require valid-user
You can replace
Require valid-user
with
Require user ctdalek
to restrict to specific users. See https://doubledoublesecurity.ca/uw/cas/user.html for more information.
Syscom
Disabling insecure or infringing sites
To disable a webspace that has known security vulnerabilities, add the following snippet to `/etc/apache2/conf-available/disable-vuln-site.conf`. This rewrites all accesses of the directory or its children to the given file. Note that our disable page always returns HTTP status code 503 (Service Unavailable).

    <Directory /users/$BADUSER/www>
        AllowOverride None
        Redirect 503 /
        ErrorDocument 503 /~sysadmin/insecure/index.html
    </Directory>

For infringing sites:

    <Directory "/users/$BADUSER/www/infringing-directory">
        AllowOverride None
        Redirect 503 /
        ErrorDocument 503 /~sysadmin/infringing/index.html
    </Directory>

For club domains (e.g. club1.uwaterloo.ca), redirect to the CSC domain instead:

    <Directory "/users/$BADCLUB/www">
        AllowOverride None
        RewriteEngine On
        RewriteRule . %{REQUEST_SCHEME}://csclub.uwaterloo.ca/~sysadmin/insecure/index.php [L,P]
    </Directory>
Expired Websites
There is a cron job running hourly on caffeine which disables expired members' websites (and re-enables them when they've renewed their membership).
The script is here: https://git.csclub.uwaterloo.ca/public/expire-sites
Some highlights:
- The script provides a 1-month grace period (corresponding to the grace period of pam-csc)
- The expired page returns an HTTP status code of 503 (Service Unavailable)
Sample Apache config for website with both a custom domain and a UW subdomain
    Define ENTITY_NAME pmclub
    Define UW_SUBDOMAIN ${ENTITY_NAME}.uwaterloo.ca
    Define CUSTOM_DOMAIN puremath.club
    Define ADMIN_EMAIL ${ENTITY_NAME}@csclub.uwaterloo.ca
    Define ENTITY_HOME https://csclub.uwaterloo.ca/~${ENTITY_NAME}
    Define APACHE_LOG_DIR /var/log/apache2
    Define ERROR_LOG ${APACHE_LOG_DIR}/${ENTITY_NAME}-error.log
    Define CUSTOM_LOG "${APACHE_LOG_DIR}/${ENTITY_NAME}-access.log combined"

    <VirtualHost *:80>
        ServerName ${UW_SUBDOMAIN}
        ServerAlias *.${UW_SUBDOMAIN} ${ENTITY_NAME}
        ServerAlias ${CUSTOM_DOMAIN} *.${CUSTOM_DOMAIN}
        ServerAdmin ${ADMIN_EMAIL}

        Redirect permanent / https://${CUSTOM_DOMAIN}/

        ErrorLog ${ERROR_LOG}
        CustomLog ${CUSTOM_LOG}
    </VirtualHost>

    <VirtualHost csclub:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/${UW_SUBDOMAIN}/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/${UW_SUBDOMAIN}/privkey.pem
        SSLStrictSNIVHostCheck on

        ServerName ${UW_SUBDOMAIN}
        ServerAlias *.${UW_SUBDOMAIN}
        ServerAdmin ${ADMIN_EMAIL}

        Redirect permanent / https://${CUSTOM_DOMAIN}/

        ErrorLog ${ERROR_LOG}
        CustomLog ${CUSTOM_LOG}
    </VirtualHost>

    <VirtualHost csclub:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/${CUSTOM_DOMAIN}/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/${CUSTOM_DOMAIN}/privkey.pem
        SSLStrictSNIVHostCheck on

        ServerName ${CUSTOM_DOMAIN}
        ServerAlias *.${CUSTOM_DOMAIN}
        ServerAdmin ${ADMIN_EMAIL}

        DocumentRoot /users/${ENTITY_NAME}/www

        ErrorLog ${ERROR_LOG}
        CustomLog ${CUSTOM_LOG}

        Redirect permanent /<special page> ${ENTITY_HOME}/<special path>/<special file>
    </VirtualHost>