ULYSSIS documentation - User contributions [en]

Getting SSL/TLS

2020-01-06T17:04:23Z

Lars:

ULYSSIS does not sell or offer any other SSL certificates than our self-signed certificate. We will however guide requests and install a certificate from the KU Leuven is you are eligible for one, and we will also install certificates you have bought elsewhere.

==Requesting SSL from the KU Leuven==
The KU Leuven partners with other universities to use free SSL for its services, organisations and employees. We have permission to request SSL for Student Unions recognized by LOKO or another official body. Organisations (Vrije Verenigingen) are required to be recognized by LOKO or another official body and need to supply a reasoning why they need SSL. Individual users can request SSL but ICTS will only grant permission with elaborate reasoning.

Before sending us a request the following steps have to be done:
*Setup the site that needs SSL
*Change the domain's organisation-attribute to ''KU Leuven'' or ''Katholieke Universiteit Leuven''
*Create a forwarder from hostmaster@yourdomain.tld to ulyssis@ulyssis.org

Then you can send an email to ulyssis@ulyssis.org containing your name, the name of the organisation, what you will use SSL for and the domain and if needed a list of subdomains.

We will then generate the required cryptographic key and request and submit them with ICTS. It usually takes a few days before they have had time to verify both the domain and then the request for SSL itself. As soon as ICTS approves the request we will install the certificate and notify you.

==External certificates==
To install external certificates we require the certificate itself, the private key, and possibly the chain. We prefer you also send us (a link to) the documentation of your supplier. As certificate files, especially private keys, are a delicate matter we suggest you just email us the path in your homedirectory you've put them and we will move them over to the webserver safely. For more information concerning this procedure you can always contact us on ulyssis@ulyssis.org

===Let's Encrypt===
==== Certificate file structure ====

We currently do not have an automated system for renewing and deploying certificates such as those supplied by Let's Encrypt. We are however looking into automating this process in the future. Since more of our users are starting to use Let's Encrypt, and all of their certificates need to be renewed frequently, we have a specific procedure now.

When wishing to add a certificate with Let's Encrypt to your website, or renew your existing one, first create a folder <code>letsencrypt</code> in your '''home directory'''. Then add a folder per domain or group of domains:
mkdir letsencrypt
mkdir letsencrypt/mydomain.be

Certificates should be stored in these folders, according to the following file structure:
letsencrypt/
└── mydomain.be/
├── mydomain.be.chain
├── mydomain.be.crt
└── mydomain.be.key

If you already possess the necessary files, renaming and copying them accordingly is sufficient. Otherwise, you can generate or renew your certificates using '''acme.sh''':

==== Using acme.sh ====

<div style="background: #f2dede; color: #a94442; border: 1px solid #a94442; border-radius: 5px; padding: 5px">'''Warning:''' If you use a <code>.htaccess</code> file in the '''webroot of the domain name''', make sure to add the following lines at '''the top of the file''':
<IfModule mod_rewrite.c>
RewriteRule "^.well-known/acme-challenge" - [L]
</IfModule>
</div>

===== Generating the certificates =====

Because the normal method of generating Let's Encrypt certificates, certbot, requires root access, it's impossible for normal users to do so on our servers. Luckily there are plenty of alternatives which implement the Let's Encrypt protocol.

In this tutorial, we'll be using the '''acme.sh''' program to generate our certificates on the ULYSSIS servers.

First of all, we download the <code>acme.sh</code> script and make it executable:
wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
chmod +x acme.sh

Next we actually generate the certificates. Make sure to replace the necessary parts (email, webroot, domain name):
./acme.sh --issue --cert-file letsencrypt/mydomain.be/mydomain.be.crt --key-file letsencrypt/mydomain.be/mydomain.be.key --ca-file letsencrypt/mydomain.be/mydomain.be.chain --accountemail "email@example.com" -w /home/user/myusername/path/to/webroot -d mydomain.be -d www.mydomain.be

If we provide an email address, for example "email@example.com", Let's Encrypt will remind us to renew our certificates when necessary. <code>/home/user/myusername/path/to/webroot</code> is the path to the '''webroot of the domain name'''. Note that we are issuing certificates for "mydomain.be" here. We also want to add the subdomain "www.mydomain.be" to the certificate, so we also pass it to the script. You can add additional subdomains if needed.

===== Renewing the certificates =====

To renew our certificates, we just execute:
./acme.sh --renew --cert-file letsencrypt/mydomain.be/mydomain.be.crt --key-file letsencrypt/mydomain.be/mydomain.be.key --ca-file letsencrypt/mydomain.be/mydomain.be.chain -d mydomain.be

After renewing certificates, you have to email us to install your renewed certificate.

==== Installing the certificates ====

We can check whether everything is stored correctly by executing:
ulyssis-certificate check mydomain.be

If everything looks good, you should only see lines starting with <code>[ OK ]</code>. Any line starting with <code>[FAIL]</code> or <code>[ABRT]</code> means a check has failed, you must correct this error before asking us to install your certificate.

Once you have placed your files in the correct folder, you can send us an email clearly stating for which domains we need to add certificates and where the files are stored. If you are renewing existing certificates, also clearly state that in your email.

We have largely automated the installation of certificates. If you do not follow these instructions, your request will be denied or you may end up with broken SSL. So make sure you follow this procedure carefully.

==Logs==
Due to the nature of our setup (dumb loadbalancer combined with shibboleth on webworkers), all https traffic will seem to come from our loadbalancer IP address instead of the actual originating IP address. Keep this in mind when checking log files.

[[Category:Webserver]]

Registering a new account

2019-02-09T16:21:39Z

Lars: Add image with highlighted KU Leuven login link

To register an account you can follow these easy steps:

[[File:UCC Request New Account.png|thumb|right]]
* Go to https://ucc.ulyssis.org/accounts and login using your Central KU Leuven Account
* Select the kind of account you wish to register
** Most people will want to register a '''regular account''' for '''personal use'''
** If you are a recognised '''faculty''' union, assembly or representational organisation you are entitled to this free account. We verify this using the list of '''recognised "kringen"''' of LOKO, http://loko.be/verenigingen/ . Recognised organisations are not entitled to a free account.
** If you are a '''Recognised organisation''' by LOKO, Studentenraad KU Leuven or the KU Leuven itself you are entitled to an organisation account, this account has a reduced price.
* After picking your account type you have to chose what options you want, and choose a username and language.
* Next you need to accept the ULYSSIS terms of use and confirm your order.
* An email will be sent to your KU Leuven emailaddress to confirm your order and with a request for payment.
* As soon as we have received and processed your payment your account will be activated and you will receive instructions to set a password.

File:UCC Request New Account.png

2019-02-09T16:19:25Z

Lars:

Resetting your password

2018-12-21T19:24:42Z

Lars:

You can always reset your password.
In order to reset your password, visit [https://ucc.ulyssis.org/ucc/passwd/reset UCC]. Please keep in mind you need to be logged out of UCC to be able to reset your password.

* Fill in your username and click on 'reset password'
* Then you will have to sign in using your KU Leuven credentials to make sure it is really you
* Choose another password
* Click on reset password
* You will immediately be logged out of your KU Leuven account again, but your password will have been changed.
* Try to log in at UCC with your new password

Be wise and pick a [https://xkcd.com/936/ strong and easy to remember password].

Forwarders

2018-08-30T14:25:30Z

Lars: /* Change the forwarders for your @ulyssis email address */

You may want to receive e-mail from ulyssis on another email provider. It is very easy to set this up.

== Change the forwarders for your @ulyssis.org email address ==

# Go to ucc.ulyssis.org and log in with your username and password.
# On the right side, click on '''Mail'''.
# Under '''Address forward''' you can change the forward address of your ULYSSIS mail by clicking on '''edit'''.
# Choose '''forward''' and enter the email address you want to forward your ULYSSIS mail to and save the changes.
# If you forward to Gmail, Hotmail. or use Thunderbird, we recommend looking at [[Using a forwarder as an alias]] so you can send mails under the forwarding address instead of just your own.

== Change the forwarders for other domains ==

# Go to ucc.ulyssis.org and log in with your username and password.
# On the right side, click on '''Mail'''.
[[File:Forwarder Step1.png|700px]]
# Under '''Virtual Domains''', click on the domain you want to change.
[[File:Forwarder Step2.png|700px]]
# You can change a forwarder by clicking on '''edit''' or on '''Add alias''' and add the forwarders you want.
[[File:Forwarder Step3.png|700px]]
# Save your changes

== Use your mailbox and forwarders at the same time ==

An alternative way to set the forwarders, that will also allow you to use your mailbox and the webinterface, is to use a .forward file. On each line of this file, you can specify to wich addresses you want to forward the email. If one of the addresses is the same as your @ulyssis address, then the mail will also be placed in your ULYSSIS mailbox. In the following example, your @ulyssis email address is <code>user@ulyssis.org</code>.

Example .forward file:

user@ulyssis.org
example@gmail.com
example2@skynet.be

This will place the email in your ULYSSIS mailbox so that you can access it from the webinterface or your local mailclient. It will also forward the mail to <code>example@gmail.com</code> and <code>example2@skynet.be</code>.

To use this, place a .forward file with the prefered email addresses in your homedir, see [[Accessing your files]], and set your forwarder to 'Inbox' in https://ucc.ulyssis.org/mail

Forwarders

2018-08-04T17:17:29Z

Lars: Add images for forwarder setup

You may want to receive e-mail from ulyssis on another email provider. It is very easy to set this up.

== Change the forwarders for your @ulyssis email address ==

# Go to ucc.ulyssis.org and log in with your username and password.
# On the right side, click on '''Mail'''.
# Under '''Address forward''' you can change the forward address of your ULYSSIS mail by clicking on '''edit'''.
# Choose '''forward''' and enter the email address you want to forward your ULYSSIS mail to and save the changes.
# If you forward to Gmail, Hotmail. or use Thunderbird, we recommend looking at [[Using a forwarder as an alias]] so you can send mails under the forwarding address instead of just your own.

== Change the forwarders for other domains ==

# Go to ucc.ulyssis.org and log in with your username and password.
# On the right side, click on '''Mail'''.
[[File:Forwarder Step1.png|700px]]
# Under '''Virtual Domains''', click on the domain you want to change.
[[File:Forwarder Step2.png|700px]]
# You can change a forwarder by clicking on '''edit''' or on '''Add alias''' and add the forwarders you want.
[[File:Forwarder Step3.png|700px]]
# Save your changes

== Use your mailbox and forwarders at the same time ==

An alternative way to set the forwarders, that will also allow you to use your mailbox and the webinterface, is to use a .forward file. On each line of this file, you can specify to wich addresses you want to forward the email. If one of the addresses is the same as your @ulyssis address, then the mail will also be placed in your ULYSSIS mailbox. In the following example, your @ulyssis email address is <code>user@ulyssis.org</code>.

Example .forward file:

user@ulyssis.org
example@gmail.com
example2@skynet.be

This will place the email in your ULYSSIS mailbox so that you can access it from the webinterface or your local mailclient. It will also forward the mail to <code>example@gmail.com</code> and <code>example2@skynet.be</code>.

To use this, place a .forward file with the prefered email addresses in your homedir, see [[Accessing your files]], and set your forwarder to 'Inbox' in https://ucc.ulyssis.org/mail

File:Forwarder Step3.png

2018-08-04T17:14:42Z

Lars:

File:Forwarder Step2.png

2018-08-04T17:14:22Z

Lars:

File:Forwarder Step1.png

2018-08-04T17:14:03Z

Lars:

Secure file permissions

2018-07-16T09:23:44Z

Lars:

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.

=== Recommended permissions ===

* Homedirectory: <code>0701/drwx-----x</code>
* www directory (and other directories from where websites are served), including subdirectories: <code>0705/drwx---r-x</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>

=== Securing database login info ===

Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:config-php_dropdown.png]]
[[File:config-php_attrs.png]]

=== Securing uploads directory ===

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:uploads_dropdown.png]]
[[File:uploads_attrs.png]]

Secure file permissions

2018-07-16T09:22:41Z

Lars: /* Recommended security settings */

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.

=== Recommended security settings ===

* Homedirectory: <code>0701/drwx-----x</code>
* www directory (and other directories from where websites are served), including subdirectories: <code>0705/drwx---r-x</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>

=== Securing database login info ===

Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:config-php_dropdown.png]]
[[File:config-php_attrs.png]]

=== Securing uploads directory ===

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:uploads_dropdown.png]]
[[File:uploads_attrs.png]]

Secure file permissions

2018-07-16T09:22:09Z

Lars:

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.

=== Recommended security settings ===

* Homedirectory: <code>0701/drwx-----x</code>
* www directory (and other directories from where websites are served): <code>0705/drwx---r-x</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>

=== Securing database login info ===

Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:config-php_dropdown.png]]
[[File:config-php_attrs.png]]

=== Securing uploads directory ===

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:uploads_dropdown.png]]
[[File:uploads_attrs.png]]

Secure file permissions

2018-07-16T09:21:58Z

Lars: Created page with "PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However,..."

PHP code is run with PHP-FPM as your ULYSSIS user. This means you can tighten up you website's security by denying other users the permission to read your PHP files. However, due to the way the Apache webserver works, it must be able to determine the existence of your PHP files. Non-PHP files in your www directory must remain readable by other users, because Apache reads these as it's own user.

=== Recommended security settings ===

* Homedirectory: <code>0701/drwx-----x</code>
* www directory (and other directories from where websites are served): <code>0705/drwx---r-x</code>
* Website files (css, images, html, ...): <code>0604/-rw----r--</code>
* Configuration files containing secrets/passwords: <code>0600/-rw-------</code>
* Other directories and files that are not part of a website: <code>0600/-rw-------</code> or <code>0700/-rwx------</code>

=== Securing database login info ===

Suppose you have a file called <code>config.php</code>, containing login information for your database. To secure this information, you can make it readable and writeable by only you, and nobody else using <code>chmod 600 config.php</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:config-php_dropdown.png]]
[[File:config-php_attrs.png]]

=== Securing uploads directory ===

Also, if there are directories that you made writeable by others, e.g. an uploads folder, this is no longer necessary. If this directory is called <code>uploads</code>, you can remove write rights for others with <code>chmod go-w uploads</code>. In FileZilla, you can do this by right-clicking on the config file, clicking on "File permissions...", and changing the permissions according to the following screenshots:

[[File:uploads_dropdown.png]]
[[File:uploads_attrs.png]]

Getting SSL/TLS

2018-05-22T19:18:15Z

Lars:

ULYSSIS does not sell or offer any other SSL certificates than our self-signed certificate. We will however guide requests and install a certificate from the KU Leuven is you are eligible for one, and we will also install certificates you have bought elsewhere.

==Requesting SSL from the KU Leuven==
The KU Leuven partners with other universities to use free SSL for its services, organisations and employees. We have permission to request SSL for Student Unions recognized by LOKO or another official body. Organisations (Vrije Verenigingen) are required to be recognized by LOKO or another official body and need to supply a reasoning why they need SSL. Individual users can request SSL but ICTS will only grant permission with elaborate reasoning.

Before sending us a request the following steps have to be done:
*Setup the site that needs SSL
*Change the domain's organisation-attribute to ''KU Leuven'' or ''Katholieke Universiteit Leuven''
*Create a forwarder from hostmaster@yourdomain.tld to ulyssis@ulyssis.org

Then you can send an email to ulyssis@ulyssis.org containing your name, the name of the organisation, what you will use SSL for and the domain and if needed a list of subdomains.

We will then generate the required cryptographic key and request and submit them with ICTS. It usually takes a few days before they have had time to verify both the domain and then the request for SSL itself. As soon as ICTS approves the request we will install the certificate and notify you.

==External certificates==
To install external certificates we require the certificate itself, the private key, and possibly the chain. We prefer you also send us (a link to) the documentation of your supplier. As certificate files, especially private keys, are a delicate matter we suggest you just email us the path in your homedirectory you've put them and we will move them over to the webserver safely. For more information concerning this procedure you can always contact us on ulyssis@ulyssis.org

===Let's Encrypt===
We currently do not have an automated system for renewing and deploying certificates such as those supplied by Let's Encrypt. We are however looking into automating this process in the future. Since more of our users are starting to use Let's Encrypt, and all of their certificates need to be renewed frequently, we have a specific procedure now.

For the first installation of a certificate, you will have to generate a new key as well as a certificate. For renewals, please '''always''' reuse the old key, so we only have to replace your certificate and not the key every few months.

When wishing to add a certificate with Let's Encrypt to your website, or renew your existing one, first create a folder ''letsencrypt'' in your home folder. Then add a folder per domain or group of domains, then add the relevant files to the right domain folder. Please keep in mind that it is always good practice to have your key be only readable by you, so check your permissions. Always remove irrevelant files, we won't search for the right certificate.

Rename your files like this:
chain.pem -> interestingdomain.be.chain
cert.pem -> interestingdomain.be.crt
privkey.pem -> interestingdomain.be.key

Your structure should look something like this:
letsencrypt/
├── interestingdomain.be
│   ├── interestingdomain.be.chain
│   ├── interestingdomain.be.crt
│   └── interestingdomain.be.key
└── otherdomain.com
├── otherdomain.com.chain
├── otherdomain.com.crt
└── otherdomain.com.key

Once you have placed your files in the correct folder, you can send us an email clearly stating for which domains we need to add certificates and where the files are stored. If you are renewing existing certificates, also clearly state that in your email.

We have largely automated the installation of certificates. If you do not follow these instructions, your request will be denied or you may end up with broken SSL. So make sure you follow this procedure carefully.

===Check certificate for common mistakes===

You can check if your certificate will likely be okay with a command-line tool on our shellservers: <kbd>ulyssis-certificate check interestingdomain.be</kbd>.

If everything looks good, you should only see lines starting with <code>[ OK ]</code>.

Any line starting with <code>[FAIL]</code> or <code>[ABRT]</code> means a check has failed, you must correct this error before asking us to install your certificate.

==Logs==
Due to the nature of our setup (dumb loadbalancer combined with shibboleth on webworkers), all https traffic will seem to come from our loadbalancer IP address instead of the actual originating IP address. Keep this in mind when checking log files.

Getting SSL/TLS

2018-05-22T19:15:41Z

Lars: /* Let's Encrypt */

ULYSSIS does not sell or offer any other SSL certificates than our self-signed certificate. We will however guide requests and install a certificate from the KU Leuven is you are eligible for one, and we will also install certificates you have bought elsewhere.

==Requesting SSL from the KU Leuven==
The KU Leuven partners with other universities to use free SSL for its services, organisations and employees. We have permission to request SSL for Student Unions recognized by LOKO or another official body. Organisations (Vrije Verenigingen) are required to be recognized by LOKO or another official body and need to supply a reasoning why they need SSL. Individual users can request SSL but ICTS will only grant permission with elaborate reasoning.

Before sending us a request the following steps have to be done:
*Setup the site that needs SSL
*Change the domain's organisation-attribute to ''KU Leuven'' or ''Katholieke Universiteit Leuven''
*Create a forwarder from hostmaster@yourdomain.tld to ulyssis@ulyssis.org

Then you can send an email to ulyssis@ulyssis.org containing your name, the name of the organisation, what you will use SSL for and the domain and if needed a list of subdomains.

We will then generate the required cryptographic key and request and submit them with ICTS. It usually takes a few days before they have had time to verify both the domain and then the request for SSL itself. As soon as ICTS approves the request we will install the certificate and notify you.

==External certificates==
To install external certificates we require the certificate itself, the private key, and possibly the chain. We prefer you also send us (a link to) the documentation of your supplier. As certificate files, especially private keys, are a delicate matter we suggest you just email us the path in your homedirectory you've put them and we will move them over to the webserver safely. For more information concerning this procedure you can always contact us on ulyssis@ulyssis.org

===Let's Encrypt===
We currently do not have an automated system for renewing and deploying certificates such as those supplied by Let's Encrypt. We are however looking into automating this process in the future. Since more of our users are starting to use Let's Encrypt, and all of their certificates need to be renewed frequently, we have a specific procedure now.

For the first installation of a certificate, you will have to generate a new key as well as a certificate. For renewals, please '''always''' reuse the old key, so we only have to replace your certificate and not the key every few months.

When wishing to add a certificate with Let's Encrypt to your website, or renew your existing one, first create a folder ''letsencrypt'' in your home folder. Then add a folder per domain or group of domains, then add the relevant files to the right domain folder. Please keep in mind that it is always good practice to have your key be only readable by you, so check your permissions. Always remove irrevelant files, we won't search for the right certificate.

Rename your files like this:
chain.pem -> interestingdomain.be.chain
cert.pem -> interestingdomain.be.crt
privkey.pem -> interestingdomain.be.key

Your structure should look something like this:
letsencrypt/
├── interestingdomain.be
│   ├── interestingdomain.be.chain
│   ├── interestingdomain.be.crt
│   └── interestingdomain.be.key
└── otherdomain.com
├── otherdomain.com.chain
├── otherdomain.com.crt
└── otherdomain.com.key

Once you have placed your files in the correct folder, you can send us an email clearly stating for which domains we need to add certificates and where the files are stored. If you are renewing existing certificates, also clearly state that in your email.

We have largely automated the installation of certificates. If you do not follow these instructions, your request will be denied or you may end up with broken SSL. So make sure you follow this procedure carefully.

You can check if your certificate will likely be okay with a command-line tool on our shellservers: <kbd>ulyssis-certificate check interestingdomain.be</kbd>.
If everything looks good, you should only see lines starting with <code>[ OK ]</code>.

Any line starting with <code>[FAIL]</code> or <code>[ABRT]</code> means a check has failed, you must correct this error before asking us to install your certificate.

==Logs==
Due to the nature of our setup (dumb loadbalancer combined with shibboleth on webworkers), all https traffic will seem to come from our loadbalancer IP address instead of the actual originating IP address. Keep this in mind when checking log files.

Securing MediaWiki using Centrale KU Leuven Login

2018-03-11T10:13:50Z

Lars: /* About */

==About==
MediaWikiShibboleth is a MediaWiki extension created by ULYSSIS to allow for Shibboleth (Centrale KU Leuven) login. The extension disables editing and creating of (talk) pages by anonymous users, and requires Shibboleth authentication for account creation and login.

==Prerequisites==
Before installing, you need to have SSL and Shibboleth (Centrale KU Leuven) login enabled on your domain.
For instructions on how to get SSL: https://docs.ulyssis.org/Getting_SSL
Information about requesting Shibboleth: https://docs.ulyssis.org/Shibboleth
Once you know everything is installed properly, you can proceed to install the extension.

==Installation==
First, download the latest release from [https://github.com/ULYSSIS-KUL/MediaWikiShibboleth/releases/latest github]. Make sure to click the <code>MediaWikiShibboleth.zip</code> download button. Then, unzip the zip file in your <code><mediawiki installation folder>/extensions/</code> directory. Finally, add the following lines to your <code><mediawiki installation folder>/LocalSettings.php</code>:

wfLoadExtension('MediaWikiShibboleth');
include 'extensions/MediaWikiShibboleth/MediaWikiShibboleth_body.php';

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

If you want to allow anonymous editing, you should <b>not</b> add the last 4 lines of the previous paragraph. Though this really defeats the purpose of the extension.

==Configuration==
MediaWikiShibboleth has 3 configuration options which allow for restricting who can log in to your wiki. These options work especially well with restricting the access of the wiki to logged-in users only. They can be configured in the <code><mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json</code> file.

=== Restricting access to logged-in users only ===
This option is not an option provided by the extension, but very useful in its context. If you do not want guest visitors to be able to view any page of your wiki, add the following line to your <code><mediawiki installation folder>/LocalSettings.php</code>:

$wgGroupPermissions['*']['read'] = false;

=== MWSStudentsOnly ===
This option tells MediaWikiShibboleth to only allow students to log in. KU Leuven employees, alumni, doctorate students, teaching assistants etc. will not be able to log in. Set this option by changing

"config": {
"MWSStudentsOnly": false,
"MWSAllowedKULids": "",
"MWSAllowedDegrees": ""
},

to

"config": {
"MWSStudentsOnly": true,
"MWSAllowedKULids": "",
"MWSAllowedDegrees": ""
},

in <code><mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json</code>. If you combine this option with "Restricting access to logged-in users only", only students will be able to view, log in and edit your wiki.

=== MWSAllowedKULids ===
This option can be used to only allow specific KUL ids to log in. An example KUL id is "r0653730". If this option is set to "", no KUL id checking will be performed. Set this option by changing

"config": {
"MWSStudentsOnly": false,
"MWSAllowedKULids": "",
"MWSAllowedDegrees": ""
},

to

"config": {
"MWSStudentsOnly": false,
"MWSAllowedKULids": "r0653730, r0300342, KUL id 3...",
"MWSAllowedDegrees": ""
},

in <code><mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json</code>. You can add as many KUL ids as you like, separated by a comma.

=== MWSAllowedDegrees ===
This option can be used to only allow persons enrolled in specific degrees/programmes to log in. An example KUL degree number is "51016742". If this option is set to "[]", no degree number checking will be performed. Set this option by changing

"config": {
"MWSStudentsOnly": false,
"MWSAllowedKULids": "",
"MWSAllowedDegrees": ""
},

to

"config": {
"MWSStudentsOnly": false,
"MWSAllowedKULids": "",
"MWSAllowedDegrees": "51016742, 51016835, 51016753..."
},

in <code><mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json</code>. You can add as many degree numbers as you like, separated by a comma.

==Operation==
When the extension is installed successfully, anonymous users will not be able to create an account and the account creation page will be removed from the home page. On the log in page, a new image is added: if you click on this image, you will be logged in using Shibboleth. If you want to log in with an explicit username/password combination, you can click "Password Login" to expand a login menu.

The new log in page looks like this with "Password Login" expanded:

[[File:Login.png]]

==Creating accounts==
If you want to create password accounts, you can navigate to the CreateAccount special page (make sure you are logged in using an administrator account). This is necessary to create accounts for users without a KU Leuven login. You should select "Use a temporary random password and send it to the specified email address".

[[File:CreateAccount.png]]

Overview

2018-02-16T06:30:09Z

Lars: /* Security & anti-spam */ Remove page with misinformation

<div style="background:#f9f9f9;border:1px solid #ddd;font-size:95%;padding:1.5em;">
Welcome to our documentation website. Many of the common procedures and issues our users experience are described here. If you still encounter problems we haven't covered or you just can't seem to get things to work, even though you followed one of our manuals, be free to contact us on ulyssis@ulyssis.org for personal support.</div>

<div>
<div style="width:45%;float:left;padding-right:10px;">
== Account ==
* [[Registering a new account]]
* [[Renewing your account]]
* [[Transferring your account]]
* [[Resetting your password]]
* [[Help, my account has been disabled]]
* [[Why do I have to pay 0.00 euro and how?]]
</div><div style="width:45%;float:left">
== Files ==
* [[Accessing your files]]
* [[Transferring files over SFTP]]
* [[Using SSHFS]]
* [[Making Backups]]
</div>
<div style="clear:both;"></div>
</div>

<div>
<div style="width:45%;float:left;padding-right:10px;">

== Webserver ==
* [[Webserver changes summer 2016]]
* [[Using your webspace]]
* [[Using (Fast)CGI for non-PHP websites]]
* [[Getting Apache logs]]
* [[Managing PHP errors]]
* [[Setting PHP options]]
* [[Adding domain names|Adding domain names (.be, .com, .org, ...)]]
* [[Getting SSL|Getting SSL (https-security)]]
* [[Shibboleth|Shibboleth (Centrale KU Leuven Login)]]
* [[Basic authentication|Basic authentication in PHP]]
* [[Claiming a port]]
</div><div style="width:45%;float:left">

== Mail ==
* [[ULYSSIS mail]]
* [[Forwarders]]
* [[Using a forwarder as an alias]]
* [[Add an alias in Gmail]]
* [[Add an alias in Hotmail/Outlook]]
* [[Add an alias in Thunderbird]]
* [[Fetch your KU Leuven email into another email address]]

</div>
<div style="clear:both;"></div>
</div>

<div>
<div style="width:45%;float:left;padding-right:10px;">
== CMSs ==
* [[Setting up Wordpress]]
* [[Setting up Drupal]]
* [[Setting up Joomla]]
* [[Setting up MediaWiki]]
</div><div style="width:45%;float:left">

== Security & anti-spam ==
* [[Software Version Checker]]
* [[Preventing spam on Wordpress]]
* [[Preventing spam on Joomla]]
* [[Preventing spam on Drupal]]
* [[Preventing spam on MediaWiki]]
* [[Anti-spam policies]]
</div>
<div style="clear:both;"></div>
</div>

<div>
<div style="width:45%;float:left;padding-right:10px;">

== Databases ==
* [[Using PostgreSQL]]
* [[Using MySQL]]
* [[Using PHPMyAdmin]]

</div><div style="width:45%;float:left">

== Shell ==
* [[Accessing your files]]
* [[Transferring files over SFTP]]
* [[Accessing shell servers over SSH]]
* [[ULYSSIS public IRC]]
* [[Useful Linux Commands]]
* [[Managing Cron jobs]]
* [[Claiming a port]]
* [[Installing packages]]
</div>
<div style="clear:both;"></div>
</div>

<div>
<div style="width:45%;float:left;padding-right:10px;">

== Versioning ==
* [[Subversion]]
* [[GitLab]]
</div><div style="width:45%;float:left">

== ULYSSIS Public Services ==
* [[ULYSSIS public IRC]]
* [[ULYSSIS public FTP]]
</div>
<div style="clear:both;"></div>

<div>
<div style="width:45%;float:left;padding-right:10px;">
== Tutorials ==
* [[Using the kulemt package]]
* [[KULoket agenda iCal feed]]
</div>
<div style="clear:both;"></div>
</div>

__NOTOC__

Using MySQL

2017-12-23T12:17:44Z

Lars: /* Accessing MySQL from outside of our network */

==Creating a MySQL user==
To use MySQL on your ULYSSIS account you first need to create a MySQL user on [https://ucc.ulyssis.org UCC]. In the MySQL section of the panel you will be suggested to click a link to create a user. Then fill in a password for the database user. It is highly recommended that this password differs from the password you use for your account. Then you just click ''Create user'' and you are ready to go.

==Creating a MySQL database==
After creating a MySQL user, you can simple press ''Add database'' in [https://ucc.ulyssis.org UCC] and enter the name for your new database. It will automatically be prefixed by your username.

==Using MySQL for your website or application==
Host: mysql.ulyssis.org
Username: your account's username
Password: the password you chose when you made the MySQL user
Database: the database name you chose, prefixed by your username

For example, if my username is foobar, I made a database called website and I were to create a PHP website I would use something like:
<syntaxhighlight lang="php">$db = new mysqli('mysql.ulyssis.org', 'foobar', 'correct horse battery staple', 'foobar_website');</syntaxhighlight>
or
<syntaxhighlight lang="php">$db = new PDO('mysql:host=mysql.ulyssis.org;dbname=foobar_website', 'foobar', 'correct horse battery staple');</syntaxhighlight>

==Managing MySQL with PHPMyAdmin==
Using your username and password you can easily manage your MySQL databases, tables and records on https://phpmyadmin.ulyssis.org

==Accessing MySQL from outside of our network==
To prevent unnecessary load on our database server by hackers and bots it is only available inside of our network. If you wish to access it externally the easiest way is to use an SSH-tunnel. In many mysql management tools this is already supported. On Linux, Mac OSX and other Unix-like Operating Systems it is also easily possible to use the following command to create a tunnel to a local port (in this case 3300)
ssh -f username@ssh2.ulyssis.org -L 3300:mysql.ulyssis.org:3306 -N

While this command is running, you can connect to the MySQL server with host 'localhost' and port '3300'.
To terminate the port forwarding, press ctrl-C in the terminal.

Renewing your account

2017-09-27T05:39:40Z

Lars:

3 weeks before your account expires you will start receiving emails reminding you to renew your account. These will continue until your account expires.

To renew your account you visit https://ucc.ulyssis.org/accounts and, while making sure you are '''not''' logged into a ULYSSIS Account, login using the Central KU Leuven Login and select your account (the renewal option will only be available if the account is in the renewal period of 3 weeks or has expired already).

* Select your account option, you are free to upgrade your personal account to a higher tier now
* Verify your personal information (in case of errors please contact ULYSSIS)
* Accept the terms of use
* Confirm your order
* An email will be sent to your KU Leuven emailaddress to confirm your order and with a request for payment.
* As soon as we have received and processed your payment your account will get renewed, you will receive a notification.
* If you are running late with your payment and you wish to prevent your account from getting expired you can contact ULYSSIS with a screenshot or scan that confirms the payment, we will then temporarily renew your account and verify that the money arrives within the near future.

Using (Fast)CGI for non-PHP websites

2017-08-09T20:34:21Z

Lars: /* FastCGI */

You're not stuck with PHP if you want to make a dynamic website. You can use all sorts of frameworks and programming languages with ULYSSIS, as long as it has CGI or FastCGI support.

If you want to use a certain programming language or framework, and you can't get it to work, don't hesitate to contact us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org].

==CGI==

CGI is a simple way to create a dynamic website. We use Apache's [http://httpd.apache.org/docs/2.4/mod/mod_cgid.html mod_cgid] to provide support for CGI. Note, however, that CGI is inefficient and
in general we recommend you to use a framework together with FastCGI. There are many frameworks, ranging from very simple and lightweight, to more complex and feature rich.

If, for example, you want Apache to interpret all files with the extension <tt>.cgi</tt> as CGI scripts, use the following <tt>.htaccess</tt> file (to be placed in your <tt>www</tt> folder):
<pre>Options +ExecCGI
AddHandler cgi-script .cgi</pre>

Here's an example of a very simple Python CGI script (called <tt>hello.cgi</tt>):
<pre>#!/usr/bin/env python

print 'Content-Type: text/plain\n'
print 'Hello world!'</pre>

CGI scripts need to be executable, otherwise they won't work:
<pre>chmod +x hello.cgi</pre>

==FastCGI==

We use Apache's [http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html mod_fcgid] to provide support for FastCGI.

In order to use FastCGI, you will generally need a starter script specific to your framework and application. Just do a web search for "''framework'' mod_fcgid", where you ''framework'' is the framework you're using, and you will find good instructions. There's a Django example below.

You'll want to treat this starter script as a <tt>mod_fcgid</tt> script, and usually, you'll want to redirect everything to this script, so you can use an <tt>.htaccess</tt> file that looks like this:
<pre>Options +ExecCGI
AddHandler fcgid-script .fcgi
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ starter.fcgi/$1 [QSA,L]</pre>
Replace ''starter.fcgi'' with the name of your starter script. Don't forget to make your starter script executable:
<pre>chmod +x starter.fcgi</pre>
The starter script must be located in the same folder as the <tt>.htaccess</tt> file.

<div style="background: #f2dede; color: #a94442; border: 1px solid #a94442; border-radius: 5px; padding: 5px">'''Warning:''' Do not place sensitive files inside the web accessible folder.Make sure they are located in a folder outside the document root, or they will be downloadable through the webserver.</div>

It is adviced to only place the fcgi starter script, <tt>.htaccess</tt> and static files (images, stylesheets) inside the document root.

===Restarting your application===

If you've changed your application, you will need to restart it for these changes to take effect. However, because you're editing the application on a different server than were it is running, you do not have access to the running process. You'll have to create some sort of mechanism to restart the process.

In the Django example below, the starter script has been written so that when it is changed, the application is automatically restarted within 1 second. The same mechanism can be applied to other Python sites. You can change the modification date without actually changing the contents of the starter script by using <tt>touch</tt>:
<pre>touch starter.fcgi</pre>
Replace ''starter.fcgi'' with the name of your starter script.

===Example: Django===

If you want to make a website using [https://www.djangoproject.com/ Django], we recommend that you use a [http://virtualenv.readthedocs.org/ virtualenv]. This tool is already preinstalled on our shell servers.

You can use the following steps to get up and running with Django at ULYSSIS:

<ol>
<li>[[Accessing shell servers over SSH|Log in to a shell server]]</li>
<li>Create a new virtualenv, you can create one in <tt>~/.venv</tt>, for example:
<pre>virtualenv ~/.venv</pre>
Or, for Python 3:
<pre>virtualenv ~/.venv --python=python3</pre>
</li>
<li>Activate this virtualenv:
<pre>. ~/.venv/bin/activate</pre>
</li>
<li>
Install Django inside of this virtualenv:
<pre>pip install django</pre>
</li>
<li>
Create a new Django project:
<pre>django-admin.py startproject mysite</pre>
Replace ''mysite'' with your project's desired name.
</li>
<li>
Install flup for FastCGI:
<pre>pip install flup6</pre>
</li>
<li>
Put an <tt>.htaccess</tt> file in your site's directory, e.g. the <tt>www</tt> folder:
<pre>Options +ExecCGI
AddHandler fcgid-script .fcgi
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ mysite.fcgi/$1 [QSA,L]</pre>
</li>
<li>
Create the starter script (replace ''user'' with org if you are an organization, and ''username'' with your ULYSSIS username):
<pre>#!/home/user/username/.venv/bin/python

import sys, os, os.path
from threading import Thread

this_file = os.path.realpath(__file__)

site_dir = '/home/user/username/mysite'
sys.path.insert(0, site_dir)
os.chdir(site_dir)

os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'

def stat_thread():
import time, os, signal
start_mtime = os.stat(this_file).st_mtime
while True:
cur_mtime = os.stat(this_file).st_mtime
if cur_mtime != start_mtime:
os.kill(os.getpid(), signal.SIGTERM)
time.sleep(1)

Thread(target=stat_thread).start()

from django.core.servers.basehttp import get_internal_wsgi_application
from flup.server.fcgi import WSGIServer
WSGIServer(get_internal_wsgi_application(), debug=False).run()
</pre>
Call this script <tt>mysite.fcgi</tt>.
</li>
<li>
Make the starter script executable:
<pre>chmod +x mysite.fcgi</pre>
</li>
<li>
Go to ''username''.ulyssis.be (or whatever URL you chose to use), and it should show you the default "Welcome to Django" page.
</li>
</ol>

This guide was based on, and you can find more information in the official Django documentation:
* [https://docs.djangoproject.com/en/stable/intro/tutorial01/ The Django tutorial]
* [http://flask.pocoo.org/docs/0.10/deploying/fastcgi/ Flask documentation for FastCGI]

Exporting your KU Leuven class schedule and calendar

2016-12-19T11:19:06Z

Lars:

While relatively unknown, it is possible to create an automatically updating iCal feed of your KULoket agenda without using external services.

# Set up agenda sync on KU Loket
## Visit [https://kuloket.be/ KU Loket]
## Go to the '''Education & Students''' (Onderwijs & studenten) tab [[File:KULoket-Agenda-Step1.png|thumb|200px]]
## Click '''Agenda sync'''
## Click '''Configure agenda''' (Agenda instellen) [[File:KULoket-Agenda-Step2.png|thumb|200px]]
## Change the switch '''Show schedule in my agenda''' (Toon uurrooster in mijn agenda) to '''On'''. [[File:KULoket-Agenda-Step3.png|thumb|200px]] You will have to wait about 15 minutes before continuing to the next step.
# Visit https://owa.student.kuleuven.be and log in with your KU Leuven credentials.
# In the top menu bar, click '''Calendar''' (Agenda)
# On the top right (below the menu bar), click the '''Share''' (Delen) button. A side-panel appears.
# Enter a non-KU Leuven email address in the '''Share with''' (Delen met) textfield. After filling the email address, press the enter key.
# Make sure '''Full details''' (Volledige informatie) is selected in the dropdown next to your email address
# Click the '''Send''' (Verzenden) button at the top of the side-panel.
# You will receive an email with two weblinks. The first link shows your calendar in your webbrowser, the second link is your iCal feed.

Some applications will not accept a <code>webcal://</code> URL.
If that is the case you can simply modify the URL to start with <code>https://</code>

Exporting your KU Leuven class schedule and calendar

2016-12-19T10:56:59Z

Lars:

While relatively unknown, it is possible to create an automatically updating iCal feed of your KULoket agenda without using external services.

# Set up agenda sync on KU Loket
## Visit [https://kuloket.be/ KU Loket]
## Go to the '''Education & Students''' (Onderwijs & studenten) tab
## Click '''Agenda sync'''
## Click '''Configure agenda''' (Agenda instellen)
## Change the switch '''Show schedule in my agenda''' (Toon uurrooster in mijn agenda) to '''On'''. You will have to wait about 15 minutes before continuing to the next step.
# Visit https://owa.student.kuleuven.be and log in with your KU Leuven credentials.
# In the top menu bar, click '''Calendar''' (Agenda)
# On the top right (below the menu bar), click the '''Share''' (Delen) button. A side-panel appears.
# Enter a non-KU Leuven email address in the '''Share with''' (Delen met) textfield. After filling the email address, press the enter key.
# Make sure '''Full details''' (Volledige informatie) is selected in the dropdown next to your email address
# Click the '''Send''' (Verzenden) button at the top of the side-panel.
# You will receive an email with two weblinks. The first link shows your calendar in your webbrowser, the second link is your iCal feed.

Some applications will not accept a <code>webcal://</code> URL.
If that is the case you can simply modify the URL to start with <code>https://</code>

Exporting your KU Leuven class schedule and calendar

2016-11-08T15:27:27Z

Lars:

While relatively unknown, it is possible to create an automatically updating iCal feed of your KULoket agenda without using external services.

# Set up agenda sync as described in the [https://icts.kuleuven.be/docs/at/cm/ep/s/uurrooster/agenda ICTS manual]. You will have to wait about 15 minutes before continuing to the next step.
# Visit https://owa.student.kuleuven.be and log in with your KU Leuven credentials.
# In the top menu bar, click '''Calendar''' (Agenda)
# On the top right (below the menu bar), click the '''Share''' (Delen) button. A side-panel appears.
# Enter a non-KU Leuven email address in the '''Share with''' (Delen met) textfield. After filling the email address, press the enter key.
# Make sure '''Full details''' (Volledige informatie) is selected in the dropdown next to your email address
# Click the '''Send''' (Verzenden) button at the top of the side-panel.
# You will receive an email with two weblinks. The first link shows your calendar in your webbrowser, the second link is your iCal feed.

Some applications will not accept a <code>webcal://</code> URL.
If that is the case you can simply modify the URL to start with <code>https://</code>

Exporting your KU Leuven class schedule and calendar

2016-11-08T15:18:44Z

Lars:

While relatively unknown, it is possible to create an automatically updating iCal feed of your KULoket agenda without using external services.

# Set up agenda sync as described in the [https://icts.kuleuven.be/docs/at/cm/ep/s/uurrooster/agenda ICTS manual]. You will have to wait about 15 minutes before continuing to the next step.
# Visit https://owa.student.kuleuven.be and log in with your KU Leuven credentials.
# In the top menu bar, click '''Calendar''' (Agenda)
# On the top right (below the menu bar), click the '''Share''' (Delen) button. A side-panel appears.
# Enter a non-KU Leuven email address in the '''Share with''' (Delen met) textfield
# Make sure '''Full details''' (?) is selected in the dropdown next to your email address
# Click the '''Send''' (?) button at the top of the side-panel.
# You will receive an email with two weblinks. The first link shows your calendar in your webbrowser, the second link is your iCal feed.

Some applications will not accept a <code>webcal://</code> URL.
If that is the case you can simply modify the URL to start with <code>https://</code>

Exporting your KU Leuven class schedule and calendar

2016-11-08T14:14:01Z

Lars: Created page with "While relatively unknown, it is possible to create an automatically updating iCal feed of your KULoket agenda without using external services. # Set up agenda sync as describ..."

While relatively unknown, it is possible to create an automatically updating iCal feed of your KULoket agenda without using external services.

# Set up agenda sync as described in the [https://icts.kuleuven.be/docs/at/cm/ep/s/uurrooster/agenda ICTS manual]. You will have to wait about 15 minutes before continuing to the next step.
# Visit https://owa.kuleuven.be (Note: there is no ''student'' in there) and log in with your KU Leuven credentials.
# In the top menu bar, click '''Calendar''' (Agenda)
# On the top right (below the menu bar), click the '''Share''' (Delen) button. A side-panel appears.
# Enter a non-KU Leuven email address in the '''Share with''' (Delen met) textfield
# Make sure '''Full details''' (?) is selected in the dropdown next to your email address
# Click the '''Send''' (?) button at the top of the side-panel.
# You will receive an email with two weblinks. The first link shows your calendar in your webbrowser, the second link is your iCal feed.

Some applications will not accept a <code>webcal://</code> URL.
If that is the case you can simply modify the URL to start with <code>https://</code>

Using (Fast)CGI for non-PHP websites

2016-10-19T23:10:26Z

Lars: /* FastCGI */

You're not stuck with PHP if you want to make a dynamic website. You can use all sorts of frameworks and programming languages with ULYSSIS, as long as it has CGI or FastCGI support.

If you want to use a certain programming language or framework, and you can't get it to work, don't hesitate to contact us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org].

==CGI==

CGI is a simple way to create a dynamic website. We use Apache's [http://httpd.apache.org/docs/2.4/mod/mod_cgid.html mod_cgid] to provide support for CGI. Note, however, that CGI is inefficient and
in general we recommend you to use a framework together with FastCGI. There are many frameworks, ranging from very simple and lightweight, to more complex and feature rich.

If, for example, you want Apache to interpret all files with the extension <tt>.cgi</tt> as CGI scripts, use the following <tt>.htaccess</tt> file (to be placed in your <tt>www</tt> folder):
<pre>Options +ExecCGI
AddHandler cgi-script .cgi</pre>

Here's an example of a very simple Python CGI script (called <tt>hello.cgi</tt>):
<pre>#!/usr/bin/env python

print 'Content-Type: text/plain\n'
print 'Hello world!'</pre>

CGI scripts need to be executable, otherwise they won't work:
<pre>chmod +x hello.cgi</pre>

==FastCGI==

We use Apache's [http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html mod_fcgid] to provide support for FastCGI.

In order to use FastCGI, you will generally need a starter script specific to your framework and application. Just do a web search for "''framework'' mod_fcgid", where you ''framework'' is the framework you're using, and you will find good instructions. There's a Django example below.

You'll want to treat this starter script as a <tt>mod_fcgid</tt> script, and usually, you'll want to redirect everything to this script, so you can use an <tt>.htaccess</tt> file that looks like this:
<pre>Options +ExecCGI
AddHandler fcgid-script .fcgi
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ starter.fcgi/$1 [QSA,L]</pre>
Replace ''starter.fcgi'' with the name of your starter script. Don't forget to make your starter script executable:
<pre>chmod +x starter.fcgi</pre>
The starter script must be located in the same folder as the <tt>.htaccess</tt> file.

===Restarting your application===

If you've changed your application, you will need to restart it for these changes to take effect. However, because you're editing the application on a different server than were it is running, you do not have access to the running process. You'll have to create some sort of mechanism to restart the process.

In the Django example below, the starter script has been written so that when it is changed, the application is automatically restarted within 1 second. The same mechanism can be applied to other Python sites. You can change the modification date without actually changing the contents of the starter script by using <tt>touch</tt>:
<pre>touch starter.fcgi</pre>
Replace ''starter.fcgi'' with the name of your starter script.

===Example: Django===

If you want to make a website using [https://www.djangoproject.com/ Django], we recommend that you use a [http://virtualenv.readthedocs.org/ virtualenv]. This tool is already preinstalled on our shell servers.

You can use the following steps to get up and running with Django at ULYSSIS:

<ol>
<li>[[Accessing shell servers over SSH|Log in to a shell server]]</li>
<li>Create a new virtualenv, you can create one in <tt>~/.venv</tt>, for example:
<pre>virtualenv ~/.venv</pre>
Or, for Python 3:
<pre>virtualenv ~/.venv --python=python3</pre>
</li>
<li>Activate this virtualenv:
<pre>. ~/.venv/bin/activate</pre>
</li>
<li>
Install Django inside of this virtualenv:
<pre>pip install django</pre>
</li>
<li>
Create a new Django project:
<pre>django-admin.py startproject mysite</pre>
Replace ''mysite'' with your project's desired name.
</li>
<li>
Install flup for FastCGI:
<pre>pip install flup6</pre>
</li>
<li>
Put an <tt>.htaccess</tt> file in your site's directory, e.g. the <tt>www</tt> folder:
<pre>Options +ExecCGI
AddHandler fcgid-script .fcgi
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ mysite.fcgi/$1 [QSA,L]</pre>
</li>
<li>
Create the starter script (replace ''user'' with org if you are an organization, and ''username'' with your ULYSSIS username):
<pre>#!/home/user/username/.venv/bin/python

import sys, os, os.path
from threading import Thread

this_file = os.path.realpath(__file__)

site_dir = '/home/user/username/mysite'
sys.path.insert(0, site_dir)
os.chdir(site_dir)

os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'

def stat_thread():
import time, os, signal
start_mtime = os.stat(this_file).st_mtime
while True:
cur_mtime = os.stat(this_file).st_mtime
if cur_mtime != start_mtime:
os.kill(os.getpid(), signal.SIGTERM)
time.sleep(1)

Thread(target=stat_thread).start()

from django.core.servers.basehttp import get_internal_wsgi_application
from flup.server.fcgi import WSGIServer
WSGIServer(get_internal_wsgi_application(), debug=False).run()
</pre>
Call this script <tt>mysite.fcgi</tt>.
</li>
<li>
Make the starter script executable:
<pre>chmod +x mysite.fcgi</pre>
</li>
<li>
Go to ''username''.ulyssis.be (or whatever URL you chose to use), and it should show you the default "Welcome to Django" page.
</li>
</ol>

This guide was based on, and you can find more information in the official Django documentation:
* [https://docs.djangoproject.com/en/stable/intro/tutorial01/ The Django tutorial]
* [http://flask.pocoo.org/docs/0.10/deploying/fastcgi/ Flask documentation for FastCGI]

Using (Fast)CGI for non-PHP websites

2016-10-19T23:10:07Z

Lars: /* FastCGI */

You're not stuck with PHP if you want to make a dynamic website. You can use all sorts of frameworks and programming languages with ULYSSIS, as long as it has CGI or FastCGI support.

If you want to use a certain programming language or framework, and you can't get it to work, don't hesitate to contact us at [mailto:ulyssis@ulyssis.org ulyssis@ulyssis.org].

==CGI==

CGI is a simple way to create a dynamic website. We use Apache's [http://httpd.apache.org/docs/2.4/mod/mod_cgid.html mod_cgid] to provide support for CGI. Note, however, that CGI is inefficient and
in general we recommend you to use a framework together with FastCGI. There are many frameworks, ranging from very simple and lightweight, to more complex and feature rich.

If, for example, you want Apache to interpret all files with the extension <tt>.cgi</tt> as CGI scripts, use the following <tt>.htaccess</tt> file (to be placed in your <tt>www</tt> folder):
<pre>Options +ExecCGI
AddHandler cgi-script .cgi</pre>

Here's an example of a very simple Python CGI script (called <tt>hello.cgi</tt>):
<pre>#!/usr/bin/env python

print 'Content-Type: text/plain\n'
print 'Hello world!'</pre>

CGI scripts need to be executable, otherwise they won't work:
<pre>chmod +x hello.cgi</pre>

==FastCGI==

We use Apache's [http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html mod_fcgid] to provide support for FastCGI.

In order to use FastCGI, you will generally need a starter script specific to your framework and application. Just do a web search for "''framework'' mod_fcgid", where you ''framework'' is the framework you're using, and you will find good instructions. There's a Django example below.

You'll want to treat this starter script as a <tt>mod_fcgid</tt> script, and usually, you'll want to redirect everything to this script, so you can use an <tt>.htaccess</tt> file that looks like this:
<pre>Options +ExecCGI
AddHandler fcgid-script .fcgi
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ starter.fcgi/$1 [QSA,L]</pre>
Replace ''starter.fcgi'' with the name of your starter script. Don't forget to make your starter script executable:
<pre>chmod +x starter.fcgi</pre>
The starter script must be located in the same folder as the <tt>.htaccess</tt> file

===Restarting your application===

If you've changed your application, you will need to restart it for these changes to take effect. However, because you're editing the application on a different server than were it is running, you do not have access to the running process. You'll have to create some sort of mechanism to restart the process.

In the Django example below, the starter script has been written so that when it is changed, the application is automatically restarted within 1 second. The same mechanism can be applied to other Python sites. You can change the modification date without actually changing the contents of the starter script by using <tt>touch</tt>:
<pre>touch starter.fcgi</pre>
Replace ''starter.fcgi'' with the name of your starter script.

===Example: Django===

If you want to make a website using [https://www.djangoproject.com/ Django], we recommend that you use a [http://virtualenv.readthedocs.org/ virtualenv]. This tool is already preinstalled on our shell servers.

You can use the following steps to get up and running with Django at ULYSSIS:

<ol>
<li>[[Accessing shell servers over SSH|Log in to a shell server]]</li>
<li>Create a new virtualenv, you can create one in <tt>~/.venv</tt>, for example:
<pre>virtualenv ~/.venv</pre>
Or, for Python 3:
<pre>virtualenv ~/.venv --python=python3</pre>
</li>
<li>Activate this virtualenv:
<pre>. ~/.venv/bin/activate</pre>
</li>
<li>
Install Django inside of this virtualenv:
<pre>pip install django</pre>
</li>
<li>
Create a new Django project:
<pre>django-admin.py startproject mysite</pre>
Replace ''mysite'' with your project's desired name.
</li>
<li>
Install flup for FastCGI:
<pre>pip install flup6</pre>
</li>
<li>
Put an <tt>.htaccess</tt> file in your site's directory, e.g. the <tt>www</tt> folder:
<pre>Options +ExecCGI
AddHandler fcgid-script .fcgi
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ mysite.fcgi/$1 [QSA,L]</pre>
</li>
<li>
Create the starter script (replace ''user'' with org if you are an organization, and ''username'' with your ULYSSIS username):
<pre>#!/home/user/username/.venv/bin/python

import sys, os, os.path
from threading import Thread

this_file = os.path.realpath(__file__)

site_dir = '/home/user/username/mysite'
sys.path.insert(0, site_dir)
os.chdir(site_dir)

os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'

def stat_thread():
import time, os, signal
start_mtime = os.stat(this_file).st_mtime
while True:
cur_mtime = os.stat(this_file).st_mtime
if cur_mtime != start_mtime:
os.kill(os.getpid(), signal.SIGTERM)
time.sleep(1)

Thread(target=stat_thread).start()

from django.core.servers.basehttp import get_internal_wsgi_application
from flup.server.fcgi import WSGIServer
WSGIServer(get_internal_wsgi_application(), debug=False).run()
</pre>
Call this script <tt>mysite.fcgi</tt>.
</li>
<li>
Make the starter script executable:
<pre>chmod +x mysite.fcgi</pre>
</li>
<li>
Go to ''username''.ulyssis.be (or whatever URL you chose to use), and it should show you the default "Welcome to Django" page.
</li>
</ol>

This guide was based on, and you can find more information in the official Django documentation:
* [https://docs.djangoproject.com/en/stable/intro/tutorial01/ The Django tutorial]
* [http://flask.pocoo.org/docs/0.10/deploying/fastcgi/ Flask documentation for FastCGI]