Uploading files to start a website

The most common use of our Linux accounts is for hosting a website. HCS provides the distinct advantage (compared to other free web-hosting solutions at Harvard) of running dynamic content technologies such as PHP, MySQL, Ruby on Rails, and Node.js. With these frameworks, your student group can run most of the cool web technologies out there today: wikis, bulletin boards, blogs, community-managed content... the possibilities are innumerable. The most basic advantage provided by all of these applications is that many people can contribute content to your site, instead of a few webmasters who know HTML.

However, all websites need files. In the earlier tutorial about What to do at the prompt, you wrote a few simple files via the terminal that could comprise a couple of very basic webpages. More likely, however, you'll want to put together a more complicated site on your own computer, and then upload it all in one shot. (We don't blame you, designing multiple pages in nano or emacs or vi can be a bit tedious.) Or, perhaps you want to install one of the newfangled web apps above, like a TWiki, so that you can design and administer your site dynamically through a browser; this likewise involves uploading a bunch of files to your ~/web directory.

We hope you've followed the SSH keys tutorial and set them up, because it will make uploading a snap to do on a day-to-day basis. Directions are available for Mac OS X, or skip down for directions on Windows.

On a Mac

First, we need to download an SFTP client. You may have heard of FTP, or file transfer protocol, which is commonly used to transfer files across the internet; SFTP serves the same purpose, except that it runs through an encrypted SSH connection. HCS only supports file transfer via SFTP.

You can get a number of free SFTP clients from the web. MacSFTP is the one FASCS provides, but it's rather crummy. Fetch is popular and is free for students/educators, but we will use a popular open-source alternative called Cyberduck. It's Swiss, so it has to be good.

Download the .dmg from their website and drag Cyberduck.app to your Applications folder. Then start it up. It should look something like this:

Open the bookmarks bar using the Bookmarks button, and then click the [+] button to add a new bookmark. Set up all the options like this (of course, substitute group-name with the name of your HCS account). If you set up SSH keys, you will want to roll down More Options and check Use Public Key Authentication. When you do that, it will ask which key you want, so select the id_rsa key that you created in the SSH keys tutorial. Important: you want the id_rsa file (your private key), not the id_rsa.pub file!

Now close the bookmark properties window and admire your new connection in the bookmarks bar. Go ahead and double-click it to begin connecting.

If you have an SSH key with a passphrase, you'll be prompted to decrypt it. If you didn't set a passphrase (tsk tsk) you won't see this.

That's it, you should be looking at your home directory! Using Cyberduck is essentially equivalent to using the Finder: double-click on directories to open them, and drag stuff in and out of the window to transfer. If you want, you can set Cyberduck up with an editor like TextWrangler or BBEdit to edit files directly on the server: check Preferences>General. Any tasks that don't have a toolbar icon (renaming things, making new folders, etc.) can be found inside the Action button. And to go up to a parent directory, use the menu at the top of the file list, or the up arrow next to it.

Enjoy your new graphical filesystem! See the last section for some important pointers.

On Windows

First, we need to download an SFTP client. You may have heard of FTP, or file transfer protocol, which is commonly used to transfer files across the internet; SFTP serves the same purpose, except that it runs through an encrypted SSH connection. HCS only supports file transfer via SFTP.

We'll use WinSCP, which you can download here. Download and install it with the default options. Start WinSCP and you will be at the main Session dialog. Fill in "hcs.harvard.edu" in the Host name field, and place your HCS group account name in the User name field.

Since you've already set up SSH keys, click the ... in the "Private key file" box and select your private key file from wherever you saved it on the computer. It is probably named key.ppk.

Click "Save..." to save this configuration for the future, and then click Login to connect to your account! WinSCP has an interface reminiscent of Windows Explorer. You will have your remote window, which shows files on HCS. Your local computer's files are in another window. Both windows have the familiar file tree on the left side for navigation. Simply drag stuff between the two windows or use the cut/copy/paste buttons you see on the toolbar to begin transferring stuff! Most everything should work the way Explorer does. For some closing tips, see the bottom of the page.

The Final Word: Staying Secure

Now you can upload whatever you want to your HCS site with relative ease, but be sure to stay under quota: you can always check your remaining space by typing quota at the command line. Note that only files under the directory web/ in your home directory will be available to the public on the internet. We want you to be able to use all kinds of interesting code on your site, so go ahead and put everything you can in there: PHP scripts, some Web 2.0 shlock, RSS feeds, the lot. But be mindful: it is very easy to put dynamic content on your site in a way that can get your whole account compromised.

A way to prevent this is to make sure that permissions are set correctly on your website. If permissions are set too low, you will get 403 Forbidden errors when loading pages; if they're set too high, an attacker may be able to rewrite anything on your site at will. To fix permissions on your account, SSH into HCS and enter the following commands at the prompt, one line at a time:

chmod 711 ~
chmod 711 ~/web/
chmod -R ugo+r ~/web/
chmod -R go-w ~/web/
chmod -R u+w ~/web/

This should prevent others from writing to your files, although insecure PHP code can still be used to hose your website with spam; we'll cover that later. But for now, if you're new to PHP and Ruby on Rails, try to only use well-maintained and well-known packages like WordPress or Drupal, follow their instructions carefully, and keep your code up-to-date.
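
To check that the chmod commands above left your site in the intended state (for instance after an upload from a machine with different default permissions), a small audit can flag both failure modes described: files others can write to, and files the web server cannot read. This is an added example, not part of the original HCS tutorial; the function names are hypothetical, and the only layout assumed is the home directory and web/ directory used on this page.

```shell
#!/bin/sh
# Added example: audit a web tree against the permission rules above.
# All function names here are hypothetical helpers.

# "Too high": entries that group or others can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
writable_by_others() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# "Too low": entries others cannot read, which the server answers with 403.
unreadable_by_others() {
    find "$1" ! -type l ! -perm -004 -print
}

# A directory on the path to the site must be traversable by others (o+x)
# but not writable by group or others, which is what chmod 711 gives.
dir_ok() {
    [ -n "$(find "$1" -prune -type d -perm -001 ! -perm -020 ! -perm -002 -print)" ]
}

# Usage: audit_web HOME_DIR WEB_DIR
# Prints every finding and returns 0 only when nothing was flagged.
audit_web() {
    rc=0
    for d in "$1" "$2"; do
        dir_ok "$d" || { echo "BAD DIRECTORY MODE: $d"; rc=1; }
    done
    w=$(writable_by_others "$2")
    r=$(unreadable_by_others "$2")
    [ -z "$w" ] || { printf 'WRITABLE BY GROUP/OTHERS:\n%s\n' "$w"; rc=1; }
    [ -z "$r" ] || { printf 'NOT WORLD-READABLE:\n%s\n' "$r"; rc=1; }
    return "$rc"
}

# Run against your own account with:  sh thisfile --audit
if [ "${1:-}" = "--audit" ]; then
    audit_web "$HOME" "$HOME/web"
fi
```

Anything listed under the first heading is fixed by the go-w command above, and anything under the second by the ugo+r command.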