scripts.mit.edu

How do I enable additional PHP extensions?

Several PHP extensions are installed on the scripts servers, but not enabled by default. (Since most scripts do not use these extensions, this saves startup time and memory.) You can load any of these extensions by creating a text file called php.ini in the same directory as your PHP script, and adding a line with:

extension = [extension name].so

one line for each extension you want to enable.

Note that this will override some settings in the global php.ini — most importantly, this will cause magic_quotes_gpc to turn on! You should make sure that your application unsets this option, or set magic_quotes_gpc = no in your own php.ini file.

If your site is composed of several subdirectories, instead of creating a php.ini for each one you can add scripts and then fix-php-ini in the root directory of your site where your php.ini is located. fix-php-ini will traverse the directory and place symlinks as needed.

The following are the extensions installed on the scripts servers, with links to more information about them from the PHP website.

• bcmath
• curl
• dba
• dom
• fileinfo
• gd
• imap
• imagick
• json
• ldap
• mailparse
• mbstring
• mcrypt
• mysqlnd
• mysqli
• ncurses
• odbc
• pdo
• pdo_mysqlnd (requires mysqlnd and pdo)
• pdo_odbc (requires pdo)
• pdo_pgsql (requires pdo)
• pdo_sqlite (requires pdo)
• pgsql
• rrdtool
• snmp
• soap
• tidy
• xmlreader
• xmlrpc
• xmlwriter
• xsl
• zip

Why does my PEAR channel say it does "not have REST dependency information available"

PEAR writes out .txt files which, for historical reasons, are not served by default from Scripts to the world. Run fs sa PEAR_DIR/get system:anyuser read and athrun consult fsr sa PEAR_DIR/rest system:anyuser read. See also How do I make a file accessible to Apache

How can I install Ruby gems in my locker?

First, note that many Ruby gems are already installed on scripts.mit.edu, and we’re generally pretty willing to install generally-useful software globally; email us at scripts@mit.edu to ask. This has the advantage that you won’t have to worry about keeping the packages up to date; in some cases, using out-of-date modules could lead to security vulnerabilities in your site. Furthermore, a frequent practice in the Ruby community is to have sets of Ruby packages associated with deployments, in which case installing a gem in your locker might be too global.

In order to install a Ruby gem to your locker, you will first need to create the directory to install into and give scripts.mit.edu permission to it. From an Athena prompt, do the following, where lockername is the name of your locker:

add consult
mkdir /mit/lockername/.gem
mkdir /mit/lockername/.bundle
mkdir /mit/lockername/bin
fsr sa /mit/lockername/.gem daemon.scripts write
fsr sa /mit/lockername/.bundle daemon.scripts write
fsr sa /mit/lockername/bin daemon.scripts write

To tell a bundler configured app to use this local Gem store, run this command on a Scripts server, in the directory of your application:

bundle config path ~/.gem/ruby/1.9.1

Then, to install a gem, SSH into Scripts and run:

gem install -l gemname

Does scripts.mit.edu support Ruby on Rails?

Yes! We now have an autoinstaller for Ruby on Rails. Just run these commands on Athena to get started:

athena% add scripts
athena% scripts-rails

Does scripts.mit.edu support Jifty?

You can install Jifty apps on scripts using the jifty locker.

How do I use ASP.Net Applications on Scripts?

We do not recommend using ASP.NET on scripts.mit.edu, as few if any scripts team members and scripts-hosted sites use it, making it likely to break during server changes, and making you less likely to receive help with issues. We have a list of some recommended languages that you can look over instead.

That said, you may be able to get ASP.Net applications to work on Scripts with Mono.
To try, add the following to your .htaccess file:

DirectoryIndex index.aspx
Options ExecCGI FollowSymLinks
SetEnv MONO_SHARED_DIR "/tmp/$USERNAME"
AddHandler fcgid-script .asax .ashx .asmx .aspx .axd .config .cs .dll .rem .soap

FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .asax
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .ashx
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .asmx
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .aspx
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .ascx
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .axd
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .config
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .cs
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .dll
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .rem
FCGIWrapper "/usr/bin/fastcgi-mono-server2 /applications=/test:/mit/pweaver/web_scripts/test" .soap

Replace /test:/mit/pweaver/web_scripts/test with the application’s name and path of you application in your web_scripts directory.

Is Java supported?

Short answer: No.

There are two aspects to this question: general Java programs (short answer: we try) and Java Servlets (short answer: we’d like to).

General Java programs

We try to allow running Java programs on Scripts (such as cron jobs or CGI programs). However, keeping Java programs working requires ongoing work from the maintainers and the maintainers don’t use Java and therefore often won’t notice when it breaks. Consequently, we recommend picking a better-supported language (such as Python) if you have a choice.

The issue with Java programs is that by default Java will attempt to allocate a large fraction of the system’s memory when it starts up. On most systems this is fine, because the operating system will not reserve the memory until Java writes to it, rather than merely allocates it. However, to ensure that Scripts remains responsive for our many users, we limit how much memory a single process can allocate (unfortunately, Linux does not allow limiting how much memory a process can use, except by limiting the amount a process can allocate). We attempt to configure Java and these memory limits such that Java can run within them, but sometimes part of this configuration breaks without our noticing.

Java Servlets

We do not currently support running Java Servlets. We would like to, and would welcome SIPB prospectives interested in adding support, but expect that it would take significant work.

How can I set a custom error page on Scripts?

If you want to make Scripts use a customized error page for a 404 (File Not Found) error, you need to place the following lines in your .htaccess file:

ErrorDocument 404 /~lockername/404.html

Remember to replace lockername with the name of your locker, and 404.html with the location of the customized error page.

If you have additional error pages, create an additional line for each error code. Typical error codes include 401 (Unauthorized) and 403 (Forbidden).

What are scripts.mit.edu security updates?

If you use the scripts.mit.edu automatic installers, the software that you install will be set up so that it can receive automatic security updates from the scripts.mit.edu maintainers. If you plan to manage security updates for your software on your own, you should remove system:scripts-security-upd from the AFS ACLs of the directories of your automatically-installed software.

(We will attempt to deal with security problems in the automatically-installed software, but we cannot realistically make meaningful guarantees about security, as we are volunteer-run.).

How do I redirect visitors from my web.mit.edu or www.mit.edu URL to my scripts.mit.edu website?

URLs on web.mit.edu (e.g., http://web.mit.edu/jbarnold/ or http://web.mit.edu/~jbarnold/, the tilde is optional) point to the top level of your Athena locker (/mit/jbarnold in this case).

URLs on www.mit.edu (e.g., http://www.mit.edu/~jbarnold/, the tilde is required) point to the www subdirectory of your Athena locker (/mit/jbarnold/www).

If you want visitors to your web.mit.edu or www.mit.edu URL to see your scripts site instead, first, cd to the directory corresponding to your web.mit.edu or www.mit.edu URL (for example, my directory /mit/jbarnold/www corresponds to the URL http://www.mit.edu/~jbarnold):

athena% attach jbarnold
athena% cd /mit/jbarnold/www

Next, create a .htaccess.mit file in this directory and add rewrite rules to it. For example, if I wanted to redirect both http://www.mit.edu/~jbarnold/ and http://web.mit.edu/jbarnold/www to https://jbarnold.scripts.mit.edu, I would add the following two lines:

Redirect 301 /~jbarnold https://jbarnold.scripts.mit.edu
Redirect 301 /jbarnold/www https://jbarnold.scripts.mit.edu

The first line handles redirecting http://www.mit.edu/~jbarnold to https://jbarnold.scripts.mit.edu and the second line (which is completely independent) handles redirecting http://web.mit.edu/~jbarnold to https://jbarnold.scripts.mit.edu.

Finally, if you placed this in your locker, rather in the www subdirectory, you may need to give the web.mit.edu server access to your locker, so it can read your .htaccess.mit file (warning: this will also cause all the files in your locker to be readable over web.mit.edu):

athena% fs sa . system:htaccess.mit read

You should check that the redirect is working, and that people cannot read your personal files via web.mit.edu (e.g., http://web.mit.edu/jbarnold/).

You can find more information about .htaccess files and Apache Redirect rules via Google. IS&T has a website about .htaccess.mit files, but it focuses on restricting content, not redirects. If you have questions about how you should set up your .htaccess.mit file, feel free to contact us by e-mailing scripts@mit.edu.

You can also redirect visitors from your scripts.mit.edu site to another website.

Can I set up my scripts site to forward/redirect to another website?

Yes. If you would like to redirect all web requests for a given URL on scripts.mit.edu to another website (such as web.mit.edu), follow these instructions:

Note: These directions are only appropriate for redirecting a URL on your scripts.mit.edu site to another URL that is not also on your scripts site. If you want to, for example, cause https://mylocker.scripts.mit.edu to take people to https://mylocker.scripts.mit.edu/wiki, please skip to the directions at the end of the page.

1. Create a directory for the redirect. In these examples, we will be redirecting https://mygroup.scripts.mit.edu/subpage/ to https://www.example.com/other/website/, so create the “subpage” directory:
athena% attach mygroup
athena% mkdir /mit/mygroup/web_scripts/subpage

2. Create a text file named .htaccess within your the new directory, e.g.:
athena% cd /mit/mygroup/web_scripts/subpage
athena% emacs .htaccess

3. Place two lines like the following in the .htaccess file:
RedirectPermanent /~mygroup/subpage/ https://www.example.com/other/site/
RedirectPermanent /subpage/ https://www.example.com/other/site/
This will send requests to either https://scripts.mit.edu/~mygroup/subpage/ or https://mygroup.scripts.mit.edu/subpage/ to the right address. It will also redirect, e.g., https://mygroup.scripts.mit.edu/subpage/foo.html to https://www.example.com/other/site/subpage/foo.html.

If you would like the redirect not to be cached by web browsers (e.g.,if you’re planning to change the redirect or set up a scripts site at this address), use “RedirectTemp” instead of “RedirectPermanent.”

If you’re also planning to get a mygroup.mit.edu-style address (a CNAME) to redirect to an outside site, then add at the bottom
RedirectPermanent / https://www.example.com/other/site/

If, instead of redirecting visitors to a different website, you wish to cause visitors who go to https://mylocker.scripts.mit.edu to be redirected to https://mylocker.scripts.mit.edu/wiki (or something similar), you can do the following:

1. Create a text file named .htaccess in your locker’s web_scripts directory (or edit an existing one), e.g.:
athena% cd /mit/mylocker/web_scripts
athena% emacs .htaccess

2. Place a line like the following near the top of the .htaccess file:
RedirectMatch ^/?$ /wiki
This will only send requests to https://mylocker.scripts.mit.edu to the initial address for the wiki. It will not interfere with the way the rest of your existing URLs work.

More information about redirect rules is available in the Apache documentation.

You can also set up your web.mit.edu or www.mit.edu site to forward to scripts.

How do I redirect all visitors to my site to a certificate-protected page?

See Can I authenticate people using MIT personal certificates?.

How do I move a scripts.mit.edu site from one locker to another?

If you are trying to move a MediaWiki, please use the detailed instructions here.

If you have a custom hostname that needs to be moved, perform the steps below and then contact scripts@mit.edu.

In this example, Ben Bitdiddle will be move a wiki to the 6.001 locker. First he makes sure the 6.001 locker is signed up for the scripts and SQL services:

athena% add scripts
athena% signup-web
...
athena% signup-sql
...

Then he copies over the files:

athena% attach bitdiddl 6.001
athena% cp -a /mit/bitdiddl/web_scripts/wiki /mit/6.001/web_scripts

Then he dumps the SQL database, creates a database named wiki for 6.001 by logging into sql.mit.edu as 6.001, and restores the dump into the 6.001 locker. A database dump can be created and restored either with phpMyAdmin, or with the command line:

athena% ssh -k scripts
[bitdiddl@scripts]$ mysqldump bitdiddl+wiki > database-dump.sql
[bitdiddl@scripts]$ exit
athena% mv database-dump.sql /mit/6.001/web_scripts
athena% ssh -k 6.001@scripts
[6.001@scripts]$ mysql 6.001+wiki < database-dump.sql

Finally, he edits the configuration files in /mit/6.001/web_scripts/wiki to use the 6.001 locker's username and password. For MediaWiki, this is done in the file LocalSettings.php.

How do I access the Authorization headers from a FastCGI?

Apache by default does not pass the Authorization header through to FastCGI scripts. If you want access to it (perhaps for use with Ruby on Rails), you need to add the following to a .htaccess file:

RewriteCond %{HTTP:Authorization} ^(.+)
RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

Does scripts.mit.edu publish information about who runs which websites?

We don’t go out of our way to make this information available, nor to
protect it.

There is no listing of websites hosted on scripts.mit.edu or their
maintainers. If we’re asked to by IS&T staff (e.g., IT Security or User
Accounts) or law enforcement, we will identify the maintainer of a single
website. We may also do so if needed in the process of answering a
good-faith support ticket about the maintenance of that website.
Otherwise, we avoid giving this information out to the public for the
asking.

That said, for multiple technical reasons ranging from the configuration
of our servers to the properties of various parts of Athena infrastructure
we build upon, it’s generally possible to determine the ownership of a
website with some concerted effort, including which users or groups have
the ability to publish the site and who was the original creator of a file
in a locker. Most of this is due to the Athena locker model itself, and
applies equally to sites hosted on other services such as web.mit.edu.

Most other MIT hosting options will also reveal the owner’s identity
publicly through Moira’s hostname registry. If you wish to have a truly
anonymous website, you’ll need to get hosting independent of the MIT
infrastructure.

Can my group obtain a shorter URL?

If you have a reasonable reason for wanting a short URL (in specific technical jargon, a DNS CNAME pointing to the script server and a corresponding virtual host configuration on the server), you can request one using our hostname management system. Note that this step is absolutely not required to use scripts.mit.edu; the default LOCKER.scripts.mit.edu URL is usually sufficient.

There are several types of hostname you can request:

• By default, you are assigned a LOCKER.scripts.mit.edu host name; you can request arbitrary subdomains of this address (for example, blog.LOCKER.scripts.mit.edu). These host names are activated instantaneously, and do not require approval.

• If you own an external hostname (e.g. example.com), you can point it at the Scripts server. Configure your hostname with your registrar or DNS hosting as an A record for 18.4.86.46, then add your hostname using the online interface as usual. Alternatively, you can configure it as a CNAME for “scripts-vhosts.mit.edu.”, which is less cryptic but interferes with using your hostname with mail_scripts, and also doesn’t work for top-level URLs (i.e., you won’t be able to do it for example.com, but you could for www.example.com).

• For high visibility websites, you can request a .mit.edu hostname. You can use the stella command on Athena or via the web to check if the hostname you would like is available. You can also transfer hostnames that you or your group owns. These host names must be manually approved, and we recommend they be requested sparingly.

If our hostname management system doesn’t work for some reason, you can also request a hostname by e-mailing scripts@mit.edu. Please include the name you would like, and the directory you would like the host to point to (e.g., group.scripts.mit.edu or group.scripts.mit.edu/wiki/).

Can I add a vhost before I point my domain at scripts?

The easiest approach is simply to point the domain at scripts before you set it up, but if you wish to migrate a currently active website, you may want to have the vhost set up on scripts before changing the DNS to avoid interruption.

If you want to do this, scripts will require that you create a file in the root directory of your existing website. For instance, if you are trying to add the domain “example.com” and it asks for the file “scripts_870shdfs8.html”, you should make sure that http://example.com/scripts_870shdfs8.html exists (though its content is irrelevant).

If you want to use a wildcard (e.g. *.example.com), you should make sure that all subdomains matching the wildcard point to the same place, and contain the file listed – for instance, for *.example.com, a.example.com, b.example.com and c.example.com should all contain the file.

Can I limit access to my scripts and/or other content using passwords?

Yes. Follow these instructions to limit web access to a subdirectory of your web_scripts directory:

1. Decide upon one or more usernames and passwords that will be allowed to access the content. Do not use your Athena password!
2. On Athena, cd to the directory to which you want to limit access.
3. Run “add scripts”.
4. Run “webaccess allow USER_NAME” and enter the desired password for USER_NAME upon request.
5. Repeat step #4 for every username that you want to be able to access the content.
6. Use a web browser to confirm that access is being restricted correctly.

“webaccess remove USER_NAME” will remove a user’s access.
“webaccess reset” will clear all access restrictions on a directory.

(webaccess works by creating .htaccess and .htpasswd files for you)

You can also limit access using MIT certificates.

Can I authenticate people using MIT personal certificates?

Yes. There are two ways to do so: one will limit access to an entire directory (with an .htaccess file), and the second will provide the information in the MIT personal certificate to your scripts.

Limiting access with .htaccess

Create a plain-text file called .htaccess in the directory to which you want to restrict access (for example, in the base directory of your wiki or other piece of software).

• To allow anybody with an MIT certificate to access your site (i.e., to make your site MIT-only), add the following lines to the .htaccess file:

AuthType SSLCert
Require valid-user
ErrorDocument 401 /__scripts/needcerts

• You can expand on the previous example as follows to restrict access for a single file. Replace “filename” with the name of the page you want to restrict in quotes:

<Files "filename">
AuthType SSLCert
Require valid-user
ErrorDocument 401 /__scripts/needcerts
</Files>

• To restrict access to a particular set of one or more usernames:

AuthType SSLCert
Require user _username1_ _username2_
ErrorDocument 401 /__scripts/needcerts

• To restrict access to members of a Moira list (aka traditional or blanche list) that is an AFS group:

AuthType SSLCert
Require afsgroup system:_group1_ system:_group2_
ErrorDocument 401 /__scripts/needcerts

• If you want to allow access to members of either an existing list or a list of usernames, you’ll need to create a new list containing the existing list and any additional usernames.

(The ErrorDocument 401 /__scripts/needcerts line ensures that users are redirected to an HTTPS connection on port 444, which is configured to accept certificates. If the user has no certificates, they will be presented with a default error page; to use a custom error page, you can instead use ErrorDocument 401 /__scripts/needcerts/~username/customerror.cgi.)

If you are restricting a WordPress installation, you may need to edit the WordPress address and/or site address in the WordPress admin interface to add :444 after the hostname, to avoid an infinite redirect loop.

Note that the list in question must be visible and an AFS group. You can check the status by running blanche group -i at an Athena prompt: it should say “visible” under flags and “is a group” on the next line. (If you own the list, you can change these by running blanche group -V to make it visible and blanche group -G to make it an AFS group.)

Please double-check that the restrictions are enforced properly, e.g., by using a computer that doesn’t have certificates or asking someone else to try accessing the page. Note that scripts does not support .htaccess.mit files.

If you have any questions about using this system for restricting access, please contact scripts@mit.edu.

Finding certificate information from CGI scripts

If you access your website with HTTPS on port 444 (https://username.scripts.mit.edu:444/), the scripts server will request a certificate from the user. It will then create special SSL environment variables based on the user’s identity. The most useful is the variable SSL_CLIENT_S_DN_Email, which can be used to determine the Athena username of the individual currently accessing your script.

Here’s an example of listing these environment variables with Perl:
code | output without SSL | output with SSL

Here’s another example, using PHP to detect whether you’re using certificates:
code | output without SSL | output with SSL

If you’re using Django, a certificate authentication backend is available:
Details on the web | Code: git://snippets.scripts.mit.edu/.git or /afs/sipb.mit.edu/project/snippets/

You can also limit access using passwords.

Do my scripts need to be world-readable?

No. By default, your scripts are not readable to other users.

How do I enable FastCGI?

CGI vs FastCGI

Normal CGI scripts are initialized, run, and destroyed for every single browser request. The advantage of this model is that it is very simple, and thus robust.

If performance or latency becomes an issue, you can enable FastCGI. FastCGI is a web server module that speeds up your applications by keeping one interpreter running for multiple requests, instead of launching a separate interpreter for each request made while loading your page.

When FastCGI can help

This can lead to improvements in latency (responsiveness), for example if:

• The language you are using takes a long time to start an interpreter, or to load libraries you are importing
• You have a script which has significant repetitive launching overhead
• Your scripts make the same, very large, database requests which (while cached by MySQL) still have to be read from memory and possibly cross an internal network
• You are using a web framework like CherryPy, Turbogears, Pylons, or Ruby on Rails which prefers to run like a daemon

Caveats

There are some complications however:

• The script in not guaranteed to die unless it kills itself
• If you update your fcgi script, the old process (using the old script) may still be running with outdated code
• The Scripts service automatically load-balances scripts across servers, just like regular CGI; new scripts may not even be launched on the servers the old scripts are running on, and thus cannot “kill all older versions of myself” since they may be on different servers

The canonical way around these issues is to have the script watch the timestamps of the files it has loaded, and kill itself if a modification timestamp changes. If you are using a framework such as CherryPy, this is already handled for you.

(Minor note: This method lends itself to race conditions on very short timescales during an update. It is also expensive if you are watching many files. Other solutions include updating a single “watch me” file with a version or hash after every update, or using transactional semantics. This is almost never an issue however.)

Enabling FastCGI

FastCGI is enabled by default for files with the .fcgi extension. To enable FastCGI for another extension, such as .rb, add the following lines to a plain text file named .htaccess in the top directory of your website:

<Files *.rb>
  SetHandler fcgid-script
</Files>

To enable FastCGI for another languages, change rb to your language’s extension (e.g., php, pl, etc.)

Are .htaccess.mit files supported?

scripts.mit.edu uses .htaccess files instead of .htaccess.mit files.

You can use .htaccess files in order to restrict access to your website using MIT certificates.

You can also protect content using passwords.

Why isn't my symlink working?

Although you can use symlinks underneath your web_scripts directory to point to other files to point to other files underneath your web_scripts directory, you cannot use symlinks to point to executables outside of your web_scripts directory (for example, you cannot point at executables in another Athena locker). scripts.mit.edu expects all of your web scripts to reside underneath your web_scripts directory.

Can I use scripts.mit.edu to generate an Apache-style log file for my web.mit.edu site?

Yes. The combination of Server Side Includes on web.mit.edu, a Perl script, and the SIPB web script service allows you to get a log file similar to the data you would be able to get if you were hosting the web pages on your own server.

How to set it up:

1. Sign up to use scripts.mit.edu.
2. Save the fake_log.pl script into your ~/web_scripts directory with a name that ends in .pl.
3. Make sure your web pages have the extension .shtml, and insert the following code into your web pages, replacing USERNAME with your username (and, if you called fake_log.pl something else, use the name that you chose):

<!-- Generate data that looks like an Apache log -->
<img src="https://USERNAME.scripts.mit.edu/~USERNAME/fake_log.pl?uri=
<!--#echo var="DOCUMENT_URI" -->&amp;ref=
<!--#echo var="HTTP_REFERER" -->&amp;met=
<!--#echo var="REQUEST_METHOD" -->&amp;pro=
<!--#echo var="SERVER_PROTOCOL" -->" 
width="1" height="1" alt="fake image for tracking"/>

4. The fake_log.pl script logs each hit to a file called fake.log in your ~/web_scripts directory. This log is designed to be compatible with Apache log files, so that you can use any of the myriad tools for analyzing and visualizing data from Apache log files.

Some questions and answers:

How does this work?

The fake_log.pl script works by taking the data returned from several Server Side Includes that work on web.mit.edu and using that and other data to write out an entry with the same format that Apache uses.

Since you’re just feeding information into a Perl script instead of getting the real server logs, couldn’t someone feed the Perl script garbage, or misleading information?

Yes. Invalid information will probably make the Perl script just plain fail. This method of logging data does not prevent people from deliberately feeding you bad data, but in most cases, no one will care to take the time to do so.

Will this log hits from text-only browsers?
Since this tracking method relies on the browser loading images, this will not log hits from text-only browsers.

What file extensions are served directly to the web using my scripts.mit.edu account?

When a file with one of the following extensions 1) is underneath your web_scripts directory and 2) is not protected by a .htaccess file, it will be served directly to the web using your scripts.mit.edu account (you may want to read this description of what files your account can access). In other words, you do not need to make files with the following extensions world-readable in order for them to be served directly to the web:

avi
css
doc
docm
docx
dot
dotm
dotx
eot
gif
htm
html
ico
il
jar
jpeg
jpg
js
mid
midi
mov
mp3
mpeg
mpg
odb
odc
odf
odg
odi
odm
odp
ods
odt
otf
otg
oth
otp
ots
ott
pdf
png
pot
potm
potx
ppa
ppam
pps
ppsm
ppsx
ppt
pptm
pptx
ps
svg
swf
tar
tgz
tif
tiff
ttf
wav
wmv
woff
woff2
xaml
xap
xhtml
xla
xlam
xls
xlsb
xlsm
xlsx
xlt
xltm
xltx
xml
xsl
zip

May I include that stylish "powered by scripts" image on my website?

You are indeed welcome to include this “powered by scripts” image on any website served by scripts.mit.edu. If you include this image, we recommend that you make it a link to scripts.mit.edu using the following HTML:

<a href="https://scripts.mit.edu/">
<img alt="powered by scripts.mit.edu"
src="https://scripts.mit.edu/media/powered_by.gif" /></a>

Why shouldn't I use scripts.mit.edu/~locker URLs?

Early versions of the scripts.mit.edu webhosting platform used URLs of the form http://scripts.mit.edu/~locker/ (or https://scripts-cert.mit.edu/~locker/). Those URLs still work, but have long since been deprecated in favor of URLs like https://locker.scripts.mit.edu/. Current autoinstallers and documentation all use the new form of the URLs (if you find exceptions, please contact us).

The older ~ form of URLs, in addition to being aesthetically unpleasing, is incompatible with the modern web’s security model. Under the “same-origin policy”, browsers consider a site at https://scripts.mit.edu/~locker/ to be run by the same group as one at https://scripts.mit.edu/~evil/, and allow JavaScript from the latter to interfere with the former. (You can read more at Wikipedia or the Mozilla Developer Network.) As a result, using ~ URLs is discouraged and will stop working entirely at some point in the future.

How do I enable file uploads to my MediaWiki?

To enable uploads, edit the LocalSettings.php file in your MediaWiki install directory, and change the line reading $wgEnableUploads = false; to $wgEnableUploads = true;.

MediaWiki by default allows uploads of images with the following extensions: png, gif, jpg, and jpeg. To upload more file types, you will also need to add lines such as

$wgFileExtensions[] = 'doc';
$wgFileExtensions[] = 'pdf';

for each extension (.doc and .pdf in this example) you would like to allow your site to upload. You can add these lines anywhere after the line starting with require_once and before the ?> at the end of the file.

Certain file types, such as .zip, cannot be properly uploaded with the default file-type detection system. If you have problems uploading certain file types, you may need to use an additional file-type detector, named “file”, with this command:

$wgMimeDetectorCommand = 'file -bi';

If you run into trouble, please check the MediaWiki web site or contact scripts@mit.edu.

How do I reset my password for MediaWiki?

The easiest way to avoid this problem is to set an e-mail address in your account, so you can use the “Mail me a new password” feature. However, if you find that you’ve forgotten the password to an account on your wiki, and you don’t have an e-mail address set for it, you can reset its password as follows:

1. Log in to phpMyAdmin with your SQL password.
2. From the menu on the left, select the database corresponding to your wiki, and select the “user” table within it.
3. Click “Browse” at the top, and note down the user ID for the account whose password you want to reset. (This will be 1 for the first account.)
4. Click “SQL” at the top, and run the following command, replacing “uid” with the user ID and “newpassword” with the new password for the account:
• UPDATE user SET user_password = MD5)) WHERE user_id = uid

How do I move my MediaWiki to a new locker?

Unfortunately, it is a multi-step process to move a MediaWiki installation to a new locker.

To move a MediaWiki located in directory /mit/A/web_scripts/index to a new directory /mit/B/web_scripts/index:

1. Attach the two directories so as to make administrative tasks easier:
athena% attach A
athena% attach B

2. To sign up the second locker (if necessary)
athena% add scripts
athena% signup-web B

3. Copy the Databases using SQL.
3b) While in Locker B signup for sql
athena% signup-sql
3c) Sign into phpMyAdmin web interface at https://sql.mit.edu/
3d) You will need the username and password located in the .my.cnf file of each locker (i.e. /mit/A/.my.cnf).
3e) Sign into the SQL account for locker A using phpMyAdmin first.
3f) Click on A+index
3g) Use the export button to download a copy of the database to your computer.
3h) Exit and Sign into the SQL account for locker B (NOT phpMyAdmin)
3i) Create a new database using the “add” field in the bottom right of the list of databases.
3j) Sign into phpMyAdmin for locker B
3k) Click on B+index
3l) Use the import tool to import the file you just exported from your
desktop. Be sure to select the correct character set.

4. Recursively copy the software,
athena% cp -r /mit/A/web_scripts/index /mit/B/web_scripts

5. Update settings:
5a) Update the /mit/B/web_scripts/index/LocalSettings.php with the wgSitename,
wgScriptPath, wgDBname, wgDBuser, and wbDBpassword lines to reflect
the new locker

5b) Update the /mit/B/web_scripts/index/php.ini file with the correct locker username for the
upload_tmp_dir and the session.save_path (otherwise the computer will not
remember that you are logged in)

6) Be happy.

Helpful site: https://www.mediawiki.org/wiki/Manual:Moving_a_wiki

How do I enable math support in my MediaWiki wiki?

Here is the procedure for enabling math support for a scripts.mit.edu wiki:

1) ssh to scripts.mit.edu

2) cd to your wiki’s math directory and run make

3) Edit the LocalSettings.php file in the base directory of your wiki so that the line

$wgUseTeX = false;

reads

$wgUseTeX = true;

You will then need to re-save any existing pages that contain equations in order to have the equations appear correctly.

If you encounter trouble with this procedure, please contact scripts@mit.edu.

How can I move a WordPress install?

WordPress saves the URL to use to access it in its configuration. If you move the directory you installed WordPress into or start using a short URL without first updating that URL, you may accidentally lock yourself out of the WordPress admin interface.

1. Wait until you’re ready to start using the new URL. In particular, if you’re requesting a new hostname (like MY_GROUP.mit.edu), wait until the Scripts team contacts you to tell you that the new hostname is working, and confirm that http://MY_GROUP.mit.edu/ works. If you don’t wait, you will lock yourself out of the WordPress admin interface.
2. Log into the WordPress admin interface using the old URL
3. Select the “Settings” link in the sidebar
4. Change both the “WordPress Address (URL)” and the “Site Address (URL)” to the address you want to be able to access it at.
5. You may get a “404 Not Found” message when you save the changes. This is likely not a problem, and you should see if finishing the move fixes it.
6. Once you move the PHP scripts in AFS or your new hostname gets activated, you should be able to use the new URL

How can I restrict my Trac instance to only certain users?

If you wish to restrict access to your Trac instance to only certain people with MIT certificates, you may do so by editing the .htaccess file in the directory you installed Trac into. Note: There is also a .htaccess file in the tracdata subdirectory, and that file should not be changed.

Initially, when you've used the Trac autoinstaller, the .htaccess file will look similar this:

AuthType SSLCert
AuthSSLCertAuthoritative off
AuthSSLCertVar SSL_CLIENT_S_DN_Email
AuthSSLCertStripSuffix @MIT.EDU
Require valid-user
AuthOptional on

RewriteEngine on

RewriteCond %{HTTPS} =on
RewriteRule ^logout http://%{SERVER_NAME}%{REQUEST_URI} [R,L]

RewriteCond %{REQUEST_URI} !^/~yourlocker/trac-path/trac.fcgi
RewriteRule ^(.*)$ /~yourlocker/trac-path/trac.fcgi/$1 [L]

<Files login>
AuthOptional off
ErrorDocument 401 /__scripts/needcerts
</Files>

You will want to change it to be similar to the following (changes are highlighted in red):

AuthType SSLCert
#AuthSSLCertAuthoritative off
AuthSSLCertVar SSL_CLIENT_S_DN_Email
AuthSSLCertStripSuffix @MIT.EDU
Require user moe larry curly
#AuthOptional on
ErrorDocument 401 /__scripts/needcerts

RewriteEngine on

RewriteCond %{HTTPS} =on
RewriteRule ^logout http://%{SERVER_NAME}%{REQUEST_URI} [R,L]

RewriteCond %{REQUEST_URI} !^/~yourlocker/tracpath/trac.fcgi
RewriteRule ^(.*)$ /~yourlocker/trac-path/trac.fcgi/$1 [L]

<Files login>
AuthOptional off
ErrorDocument 401 /__scripts/needcerts
</Files>

How can I import an outside Django project?

Configuring an outside Django project to run on scripts can be a bit tricky if you’ve only before had experience with “./manage.py runserver”. Here’s one way to get a Django project running on scripts.mit.edu:

1. Start with the regular scripts Django autoinstaller
2. Move the created /mit/lockername/Scripts/django/projname aside to /mit/lockername/Scripts/django/projname.auto
3. Copy in your application’s code to /mit/lockername/Scripts/django/projname
4. Update the paths in /mit/lockername/web_scripts/progname/index.fcgi
   1. Make sure that the sys.path.insert line points to the directory containing projname (likely /mit/lockername/Scripts/django/)
   2. Possibly add a sys.path.insert line that points to /mit/lockername/Scripts/django/projname, if your includes are appname.models, not projname.appname.models (or similar)
   3. Make sure the chdir line is right —- it should point to the directory containing your project code
5. Add a symbolic link from /mit/lockername/web_scripts/projname/media/ to /mit/lockername/Scripts/django/projname/media/
6. Merge the autoinstalled settings.py (that is, /mit/lockername/Scripts/django/projname.auto/settings.py) into your settings.py
   1. Copy the database information
   2. Copy the SECRET_KEY, or make your own new one
   3. Copy the ADMIN_MEDIA_PREFIX —- for scripts.mit.edu, this should be “/__scripts/django/static/admin/”
   4. Make sure the value of MEDIA_URL is reasonable (generally “/projname/media/”)
7. Make sure to install any necessary dependencies (see How can I install Python modules in my locker? for instructions how to do so with easy_install)
8. Set up your database appropriately, either by running “./manage.py syncdb” or by installing a database dump from a running copy of your project
9. Once you’ve confirmed that your Django project works, delete /mit/lockername/Scripts/django/projname.auto/

How do I do certificate authentication with Django?

Using certificate authentication with Django probably requires configuring another authentication backend. SIPB’s snippets collection has code and limited documentation on how to do this. If you have issues with those instructions, please let us know.

How can I signup my personal or group locker for the MySQL service?

If your group does not already have a locker, start by mailing accounts@mit.edu to get one.

Individuals or groups that have lockers can easily register for a MySQL account at an Athena prompt:

athena$ add scripts
athena$ signup-sql

Individuals wishing to register an account for themselves should select option #1 at the first prompt. To register an account for a group, select option #2 at the first prompt.

You may get an error message that says The MySQL login information in your .my.cnf file appears to be incorrect. If this happens, you will need to manually set your MySQL password. Go to sql.mit.edu and log in via your MIT certificate. Click Account and create a new MySQL password. Your MySQL password should be different from your Athena account password. Copy this password into the .my.cnf file in your Athena home directory after the password=. Your MySQL account should then work correctly.

If you do not get an error when running signup-sql, you can then read your password from /mit/locker/.sql/my.cnf. You can use this to log in to sql.mit.edu under the “SQL Password” option. You will need to create and drop databases from sql.mit.edu, but you can do all other operations from any MySQL client. We recommend using phpMyAdmin.

How can I access my MySQL databases?

First you’ll need to sign up for sql.mit.edu.

After that, you must use the sql.mit.edu web interface to create and drop databases. A regular MySQL client, such as phpMyAdmin (described below), cannot be used for these operations.

All other SQL commands can be issued from any host, client, and/or script of your choice; simply connect to the MySQL server at sql.mit.edu using your new MySQL username and password. You can also access your databases using an online web interface called phpMyAdmin.

What is .my.cnf? What is my sql.mit.edu password?

Your sql.mit.edu login information is in your locker, in the file “.my.cnf”. This is a hidden file (dotfile), so you will need to use ls -a instead of ls to see it. You can still view and edit the file just by specifying the filename.

athena% *cd /mit/*_locker_
athena% cat .my.cnf
[mysql]
host=sql.mit.edu
user=username
password=password

This file should be a link to “.sql/my.cnf” in your locker, and only accessible by the locker owner and the scripts server (regardless of whether the root of the locker is publicly readable or not).

If you update your MySQL password on the MIT SIPB MySQL interface, you will need to update this file manually with your new MySQL password. Otherwise, the scripts auto-installers, as well as the mysql command-line client, will not be able to log in properly. If you have already installed software, you will need to update the password there too (LocalSettings.php for MediaWiki, wp-config.php for WordPress, etc.)

If you have lost your MySQL password and, it’s not in your .my.cnf file, you can reset it for your personal account by logging into sql.mit.edu with your MIT certificate. If you have lost the password for a group locker, please e-mail sql@mit.edu for help getting it reset.

How can I backup and restore MySQL data?

You can back up your SQL data in two ways: via the command-line, or using the phpMyAdmin graphical user interface. Note that phpMyAdmin cannot import large databases (to get around this limitation, you can import and export databases using the command-line).

Backing up and restoring with the command-line client

First, perform a kerberised ssh to scripts.mit.edu after sshing to an Athena workstation (lockername@scripts if your website is in a locker). Then, to export the database:

mysqldump user+database > filename.sql

To import a database dump, make sure the database exists (you may need to create it from sql.mit.edu) and run the command

mysql user+database < filename.sql

Backing up and restoring with phpMyAdmin

You can use phpMyAdmin to backup and restore data. However, importing will not work for large databases.

To backup your data using phpMyAdmin:

1. Log in to phpMyAdmin with your SQL password.
2. Select the database or table you want to export (if you want to export just one database or table), and click the link at the top-right labeled Export.
3. If a list of databases or tables displays at the top, select the databases or tables you want to export: either use “Select All”, or Ctrl-click / Cmd-click to select multiple items. (There is no need to backup information_schema, since this is a read-only system table.)
4. Ensure the export type is “SQL”. Check the “Save as file” box near the bottom, and select “gzipped” if you want to compress your exported data.
5. Click Go and save the downloaded file somewhere safe.

To restore your data using phpMyAdmin:

1. Make sure the database that you’re restoring into exists by creating it on the sql.mit.edu web interface (not phpMyAdmin) if necessary.
2. Log in to phpMyAdmin with your SQL password.
3. If you want to import a single database, choose that database from the left menu.
4. Click Import at the top.
5. Select the backup you downloaded previously (or any SQL-formatted database dump) and click Go.

How can I make Dreamweaver work with my MySQL databases?

Dreamweaver’s MySQL interface interprets a “+” character as a space, so when looking for database “USERNAME+DBNAME” it looks for “USERNAME DBNAME”.

CGI scripts on the web have a long history of using + as a substitute for space.

To prevent Dreamweaver from doing this, percent-encode the “+” sign as “%2B”. Ask it to use a database name like:

• USERNAME%2BDBNAME

for example,

• presbrey%2Bwiki

Why do my mail scripts not generate bounces?

The scripts server interprets procmail failures as temporary failures, queueing the mail until the procmailrc is fixed. This is useful if your procmailrc is unreadable or broken, but it can make debugging difficult. If you want to explicitly bounce a message, you can use a stanza similar to this in your procmailrc file:

:0:
* ^Delivered-To:.*USER_NAME\+TAG@.*
{
        EXITCODE=67
        HOST
}

The list of recognized exit codes can be found in the sysexits(3) manpage.

How do I list my current crontab? How do I remove my crontab?

ssh to scripts.mit.edu from an Athena computer. “crontab -l” will list your current crontab. “crontab -r” will remove your crontab. Note that you must ssh from an Athena computer; no password will be required.

Can I serve Subversion or Git repositories on scripts.mit.edu?

Yes, scripts supports virtual hosting for Subversion and Git repositories.

git autoinstaller

For git, we now provide an autoinstaller that will create a git repository and set it up for access using git’s smart HTTP transport, the git daemon (read-only), ssh (for locker administrators only), or standard filesystem access. To use the autoinstaller:

athena% add scripts
athena% scripts-git

To configure write access to your repository, edit the .htaccess file in the ~/web_scripts/repo folder that was setup. For example, you can setup client auth or you can restrict both read/write access by moving the access control lines outside of the <Files> block.

Manual setup for Subversion or git

If you want to use Subversion or set up git by hand, the process is more involved.

Create a folder named ~/Scripts/git or ~/Scripts/svn:

athena% add scripts
athena% signup-minimal
athena% mkdir -p ~/Scripts/git
athena% mkdir -p ~/Scripts/svn

Then either place your repository in that directory or create a symbolic link to your repository:

athena% ln -s ~/cool-repo.git ~/Scripts/git/

Make sure that your repository is readable by scripts, including all its subdirectories. For example, run:

athena% add consult
athena% fsr sa ~/Scripts/svn/repository/ daemon.scripts read

If you are using git, you need to make sure that your repository is marked as exportable:

athena% touch ~/Scripts/git/cool-repo.git/git-daemon-export-ok

Users can checkout the repository using:

git clone git://lockername.scripts.mit.edu/cool-repo.git
svn co svn://lockername.scripts.mit.edu/repo

scripts currently doesn’t support pushing via the git protocol. The smart HTTP transport will work, though to use that you should read git’s documentation or use our autoinstaller (described above). Subversion does support unencrypted commits, which you can configure with the files in the conf/ subdirectory of your repository. For this to work, scripts must also have write access to your repository, e.g.:

athena% athrun consult fsr sa ~/Scripts/svn/repository/ daemon.scripts write

You will also need to enable password authentication by removing the # from the start of the “password-db = passwd” line in ~/Scripts/svn/repository/conf/svnserve.conf, and by adding passwords to ~/Scripts/svn/repository/conf/passwd.

How can I avoid typing my password repeatedly when using git with the smart HTTP transport?

It is possible to use git with client certificates. This avoids needing to repeatedly type passwords when using git with the smart HTTP transport. First, you will need a git repository on scripts using the smart HTTP transport. Our autoinstaller (add scripts; scripts-git) will do this for you.

Extracting a certificate

Next, you need to get a copy of your certificate. The easiest way to do this is probably to extract it from your browser.

In Chromium, go to Preferences, search for “SSL”, pick “Manage Certificates” -> “Your Certificates”, and then export your certificate. In Firefox, go to Preferences -> Advanced -> Encryption -> View Certificates and then export your certificates.

This will export your certificate as a PKCS#12 file, which git doesn’t know how to handle. To convert it to something git does know how to handle, run openssl pkcs12 -in cert.p12 -out cert.pem -nodes (leave off the -nodes if you want your certificate to be encrypted, but be aware that you’ll need to type your password repeatedly in that case).

Telling git to use your cert

To tell git about your certificate and the server, you’ll want to run

  git config http.sslCert ~/path/to/ssl/cert.pem
  git remote set-url origin https://locker.scripts.mit.edu/repo/repo.git
  git remote set-url --push origin https://locker.scripts.mit.edu:444/repo/repo.git

In particular, note the :444 in the latter URL, which causes scripts.mit.edu to use certificates.

Configuring the server to accept client auth

You’ll also need to make sure that the server accepts you when identified by cert. Replace the indented lines between “<Files _git-auth.cgi>” and “</Files>” in the .htaccess with one of the snippets from the certificate authorization FAQ.