Hosting on a webserver🌶

Here we describe how to host your Jupyter Book project on a TU Delft webserver, including requesting the server and setting it up as a webserver.

Requesting a TU Delft (web)server¶

Talk to your department’s IT support to ask for support in setting up a virtual TUD linux server (Faculty Managed Servers). If agreed upon, you can request a FMS, specifically a linux (Ubuntu) server with ports 22 (ssh), 80 (http) and 443 (https) open. Faculty domain specific servers are preferred (e.g. somesite.tnw.tudelft.nl over somesite.tudelft.nl).

When approved and made available, an email is sent with the first details:

Setup TU Delft webserver¶

1. Use putty to connect to the server via ssh. HostName is given under Step A (connect to linux-bastion). Click Open.

2. Click accept, allowing the computer to connect to the server.

3. Login with your netID (without @tudelft.nl)

4. Use the information under Step B (use SSH Key-Based Authentication). (ssh <servername>.tudelft.nl)

You are now logged in to the server.

5. We first install the webserver (apache). Run sudo apt install apache2.

6. We can check whether it successfully installed by going to the server’s IP address in a web browser. You should see the default apache page. Or confirm by running sudo systemctl status apache2 and checking whether the service is active (running).

7. Make a second user sudo adduser web, make a password (14 characters) for this user.

Everything that is in home/web/ will be visible on the webserver. You can use cd /home/web to navigate to this directory.

8. Assign your self the web user: sudo -u web bash - and navigate to home/web.

9. Make a directory call .ssh by running mkdir .ssh and navigate to it.

10. Create an ssh key by running ssh-keygen. Do not use a passphrase. This a vulnerability but is necessary for the webserver to be able to pull from GitHub without manual input.

Two keys are generated: id_rsa (private key) and id_rsa.pub (public key). The public key needs to be copied to an authorized_keys file.

11. Run cp id_rsa.pub authorized_keys to do this. You will need the private key later to add it to GitHub/GitLab.

We are now ready with setting up the server, but need to secure it.

12. Run sudo -i to open become a superuser. We need to install a firewall which can be done by running apt install ufw.

13. We need to allow ssh, http and https traffic through the firewall. This can be done by running ufw allow ssh, ufw allow http and ufw allow https. Enable the firewall by running ufw enable. You can check the status of the firewall by running ufw status.

14. Run apt install fail2ban to install fail2ban, which is a software that protects against brute-force attacks. It works by monitoring the log files for failed login attempts and banning the IP address after a certain number of failed attempts. You can check the status of fail2ban by running systemctl status fail2ban.

If you decided to maintain your server yourself, you will need to regularly check for updates and security patches. This can be done by running apt update and apt upgrade. You can also set up automatic updates by running apt install unattended-upgrades and configuring it to your needs.

Change start dir¶

Apache has set the home folder to var/www where we want it to be home/web. Using the terminal:

1. Run sudo nano /etc/apache2/sites-available/000-default.conf

2. Change DocumentRoot /var/www/html to DocumentRoot /home/web.

3. Add:

<Directory /home/web>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

4. Save the changes Ctrl+O, Enter, Ctrl+X and run sudo systemctl restart apache2

5. Follow steps 2-4 after: sudo nano /etc/apache2/sites-available/default-ssl.conf

6. Run

sudo a2ensite default-ssl.conf
sudo a2enmod ssl
sudo systemctl reload apache2

7. Check whether Syntax OK is shown after running: sudo apache2ctl configtest, else: sudo systemctl restart apache2

Request SSL-certificate¶

We need to request an SSL-certificate:

sudo apt update
sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d <server>

and test:

sudo apache2ctl configtest
sudo systemctl reload apache2

Useful linux commands¶

To host your website on a university webserver you’ll need:

• a gitlab repo with CI/CD script (below)

• a (linux) webserver

• a runner

• an SSH key

How to set up a

:caption: .gitlab-ci.yml for TU server deployment

stages:
  - deploy

image: python:3.11-slim

variables:
  SSH_COMMAND: 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes'
  LOCAL_BUILD_DIR: "_build/html"
  HOST: "127.0.0.1"             # prevents running local host resulting in an error
  BASE_URL: ""                  # specify the base url, e.g. the folder from root
  
before_script:
  - apt-get update
  - apt-get install -y --no-install-recommends curl rsync openssh-client git

  # Node.js
  - curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
  - apt-get install -y --no-install-recommends nodejs
  - node --version
  - npm --version

  # Python deps
  - python -m pip install --upgrade pip
  - pip install mystmd
  - pip install -r requirements.txt

  # SSH key laden
  - eval "$(ssh-agent -s)"
  - chmod 400 "$WEBSITE_UPLOAD_KEY"
  - ssh-add "$WEBSITE_UPLOAD_KEY"

deploy:
  stage: deploy
  script:
    # builds the book
    - myst build --html 
    
    # syncs with the server
    - rsync -ravz "${LOCAL_BUILD_DIR}/" -e "${SSH_COMMAND} -i ${WEBSITE_UPLOAD_KEY}" "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}/"