Setting up a WebJames Server
Glen Walker (2585) 469 posts |
Does anyone know of any good guides for setting up a WebJames server on a Pi? I could do it with FreeBSD and nginx (or similar) but kinda want to use RISC OS for no definable rational reason… |
David Feugey (2125) 2709 posts |
A short one: decompress, launch :) More seriously, there are a few robots.txt tricks to apply to be sure that Google (and the other web crawlers) will not load your pages too quickly. It’ll reduce the amount of crashes. I really would like to put some Pi inside a datacenter to play with. Unfortunately I don’t find a hardware console to reset the Pi PSU remotely. And I’m not good enough in electronics to make one. British/German/French experts: contact me.
Le cœur a ses raisons que la raison ignore. |
Rick Murray (539) 13851 posts |
How does the data centre reset work? A relay that shorts the input wires? The Pi has a two pole connection marked RUN. Attaching a wire to each pole, and then just short them together momentarily to reset… |
John Sandgrounder (1650) 574 posts |
David is right. !Webjames just works – right out of the box.
A RISCOS/Webjames webserver will work very well at home – with a fixed IP address – even on a standard ADSL internet connection.
What crashes? And the hackers don’t know where to start with Webjames :)
Another useful hint from Rick :) |
Glen Walker (2585) 469 posts |
Cool thanks! Does it support subdomains? I have a spare SD card set up and will experiment tonight I think.
I could make you something…probably even do a wireless one using LoRaWAN or something similar…if you have a specific thing in mind head over to http://xsltpro.co.uk/content/contact.html and let me know what it is you would like… |
John Sandgrounder (1650) 574 posts |
I have never actually tried it with anything but www.mydomain.co.uk (and www is a subdomain), so I don’t see why other subdomains will not work. In fact, aren’t all domains actually subdomains? mydomain.co.uk is a sub of co.uk. etc. I think all that Webjames is looking for is the host name. The technical bit is getting the internet to route the requests to your server. |
Rick Murray (539) 13851 posts |
Indeed you don’t even need that much. A No-IP address (annoying but trouble free “renewal” once a month) means that my device is visible to the world without a fixed IP address. Luckily my ADSL box supports No-IP to update my IP as necessary. The end result? http://heyrick.ddns.net/
;) It amuses me that “RUN” is the connection to make to stop the machine. I’d have labeled this one “RST” (or maybe “OMG”)… I think WebJames can support subdomains, but the problem is in getting multiple domains to point to the same machine? It’ll probably be like everything else and respond to the “Host” header. The configuration is pretty epic when you look into it. For example [heyrick.ddns.net]/desklib points to a page, while desklib/DeskLib32 points to DeskLib:o.DeskLib32, and /desklib/source/ points to the source code files. While /mana is a subdirectory in the site directory (where all the served files are), the DeskLib stuff is in a completely different place. |
Glen Walker (2585) 469 posts |
Well it turned out to be remarkably easy in the end and I now have it up and running, so it’s just a matter of configuring it properly…
I’m quite happy with that – I have a static IP address which I bought for the princely sum of £5 from my ISP, I was thinking of using some kind of dynamic DNS with it but at that price I thought I might as well go static. I have also got the router configured nicely so it routes HTTP traffic to one IP address and SSH traffic to another (so I have the potential to remote log-in to a different server and diagnose any problems).
I used my config page from my domain registrar to create the subdomains and pointed them all to my static IP address and since the router is routing all HTTP requests to the internal IP address of the RISC OS machine then all the subdomains currently get through to the RISC OS webserver so they all display the same page. Now it’s working though I am happy to dig around inside the built-in help to see if I can get the different sites set up properly. As far as administration goes, I will almost certainly be running this headless (at least when it comes to the remote access via the other server…from which I could create a little circuit that would reset the RISC OS server if need be). So what is the best way to administer a RISC OS webserver remotely? VNC server? |
John Sandgrounder (1650) 574 posts |
That probably depends on how remote. A headless server on the same local network can have the website files shared; making it easy to change them. VNC server is certainly an option particularly with today’s fast CPUs (Pi 2, 3, etc)
The vhosts section of the built-in help files should give you all you need to know. |
Jeffrey Lee (213) 6048 posts |
But something that should be used with caution, since the current server isn’t terribly secure. |
Steve Pampling (1551) 8172 posts |
VNC’s security record on any platform isn’t a shining beacon. It’s one of a list of remote access/management tools that we, at work, don’t allow – even across the LAN.[1] In this kind of use case access from local network is OK but exposure to the internet would be suicidal.
[1] Of course in our setup “data leakage” as it’s known is a concern that all you UK residents should always hope is high on our list. Home data is your own personal concern (provided you have no personal data relating to anyone else where the GDPR kicks in) |
David Feugey (2125) 2709 posts |
There is no facility provided to reset servers. |
Glen Walker (2585) 469 posts |
Really? What specifically is wrong with VNC and what do you use instead? I would only be using the VNC connection over the LAN and then forwarding it over SSH via X11/xorg. |
Steve Pampling (1551) 8172 posts |
A quick web search for “vnc vulnerabilities” will give you plenty of reading and you will see the exploits vary between issues with the client, issues with the server, or both. This page deals with issues with the RealVNC implementation. It’s an enterprise setup so there’s quite a few VMware hosted machines so accessing via the VCentre console is the preferred route, not least because that can give access when the hosted machine is actually off the net. Like I said, the home use stuff has lower security requirements in the main. |
Glen Walker (2585) 469 posts |
I’m sure it will probably be OK for what I’m going to be using it for… That is if I can get it working – tried setting up the vhosts and each of my subdomains simply open a file/directory listing of the main domain so not sure what I’m doing wrong. |
Rick Murray (539) 13851 posts |
Okay… Just had a play with WebJames as I was tweaking my config. My main private server (that gets mentioned here from time to time) is http://heyrick.ddns.net/ This is set as the default, so it’ll work if I go to localhost or call it from another machine by IP address (none of which would set the “Host” line correctly). It just so happens that I also have the address heyrick.no-ip.biz which was the one I set up originally, then stopped using once I found “ddns.net” (which was more pleasing to look at). So… I created a directory within my main site called “noipbiz” ( http://heyrick.ddns.net/noipbiz/ ) and set up a virtual host to point to that, as follows:

This is at the end of !Boot.Choices.WebJames.attributes:

    # Try something different for heyrick.no-ip.biz
    <virtualhost>
    ServerName heyrick.no-ip.biz
    DocumentRoot SDFS::RISCOSPi.$.webite.noipbiz
    <location />
    defaultfile index.html
    </location>
    </virtualhost>

Then, went out in the rain and walked half way up the lane to get a decent mobile signal, to confirm that http://heyrick.no-ip.biz/ works as expected and serves up this little page instead of the usual weather report. So, it works, and it’s easy.

PS: Looking at the help, it looks like you can even suffix the domain name with a colon and then a port number, should you prefer to have the other domain visible on a different port than the usual. |
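An added illustration, not part of the post above and not WebJames's own code: a simplified Python model of name-based virtual hosting that reads the `<virtualhost>` block quoted in the post and picks a document root from the client-supplied Host header. It handles only the directives shown in the post; `DEFAULT_SITE` and the function names are hypothetical, and WebJames's real matching rules may differ. It shows why requests with no matching ServerName (an unlisted subdomain, a bare IP address, a missing Host line) all land on the default site.

```python
# Constructed sample: the block from the post, as it would appear in the file.
SAMPLE_ATTRIBUTES = """\
# Try something different for heyrick.no-ip.biz
<virtualhost>
ServerName heyrick.no-ip.biz
DocumentRoot SDFS::RISCOSPi.$.webite.noipbiz
<location />
defaultfile index.html
</location>
</virtualhost>
"""

DEFAULT_SITE = "(default site)"  # hypothetical placeholder for the main site


def parse_vhosts(text):
    """Return {servername: documentroot} for each <virtualhost> block."""
    vhosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        low = line.lower()
        if low == "<virtualhost>":
            current = {}
        elif low == "</virtualhost>":
            # Only keep blocks that name both a host and a directory.
            if current and "servername" in current and "documentroot" in current:
                vhosts[current["servername"].lower()] = current["documentroot"]
            current = None
        elif current is not None and not line.startswith("<"):
            key, _, value = line.partition(" ")
            current[key.lower()] = value.strip()
    return vhosts


def resolve(host_header, vhosts, default=DEFAULT_SITE):
    """Pick a document root from a Host header value (untrusted input)."""
    host = (host_header or "").strip().lower()
    if host in vhosts:  # exact match, including any ":port" suffix
        return vhosts[host]
    name = host.rsplit(":", 1)[0] if ":" in host else host
    return vhosts.get(name, default)  # unknown names fall back to the default


if __name__ == "__main__":
    table = parse_vhosts(SAMPLE_ATTRIBUTES)
    for h in ("heyrick.no-ip.biz", "HEYRICK.NO-IP.BIZ:80", "heyrick.ddns.net", None):
        print(repr(h), "->", resolve(h, table))
```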
John Sandgrounder (1650) 574 posts |
Yes. Many port numbers can be used. |
Glen Walker (2585) 469 posts |
Hmmm I wonder what I was doing wrong? Will have another go when time allows and report back… |
Rick Murray (539) 13851 posts |
And here’s wondering if you guys will be the only NHS facility not to trot out one of:
;-) |
Steve Pampling (1551) 8172 posts |
I would expect a mix of behaviour across the UK. What I can say for certain is that there are two of us in the office that regularly hear “we don’t have to do this at xyz NHS Trust and dozens of others” and reply “we don’t care how many other people do it wrong so just live with it or close the door quietly on your way out” Firewalls and data security in general tend to be easier when you start from a premise of everything locked down and then open up only the bare minimum to get the job done and only for as long as the job actually requires. |
Glen Walker (2585) 469 posts |
Just getting back around to this after a wee while away doing other things and I wonder if you would all share some opinions on my options with regard to running a WebJames server headless. First I would set it up using an HDMI monitor and USB keyboard/mouse then unplug it all except power and Ethernet then reboot. So I don’t need to go through the trouble of plugging it all back in when I want to make a change I will have to be able to modify the files at the very least so will need to share them somehow. If I get really fancy, I might put a file in there that contains something I can then use as a hook to a program which would do other things (i.e., the file might contain ‘rebootnow=yes’ which a program would check regularly and if it does contain that it would reboot the server, then on power-up reset it to ‘rebootnow=no’…or something else useful…) Anyway, I have come up with the following options:
As mentioned above VNC can be insecure (which is why I tunnel all my VNC connections between UNIX/UNIX-like computers over SSH…but I can’t do that in RISC OS). How secure/usable/sensible are the other options? Just to be clear, I have a firewall protecting my LAN that is only allowing external HTTP traffic (i.e., port 80) to this server and currently SSH traffic (port 25) to another server but that will be disabled shortly so the only incoming traffic will be on port 80 if my firewall is doing its job properly. |
Jeffrey Lee (213) 6048 posts |
Secure from the perspective of directly exposing to the internet? Probably only option 5, and only if you can trust your NAS (is it vulnerable to any of the many SMBv1 vulnerabilities?) If you’re able to set up an SSH tunnel then I expect any approach will work. |
Glen Walker (2585) 469 posts |
I’m not sure I made myself clear enough—the only port directly exposed to the Internet would be port 80 and everything else would be behind the firewall. So as long as I don’t open port 445 on the firewall (for Samba for example) then nothing external to the LAN would be able to access the Samba share on the RISC OS webserver surely? Also it occurred to me last night that the NAS is not on 24/7 so that wouldn’t be good to host the files! I will have to rule out 5 for that reason…so…what’s the next best option? Is it conceivable that someone could get in through port 80, do something to the server that would then enable some other way in or some other way onto the LAN? Wouldn’t my firewall have to be compromised for that? edit: OK I just checked and there is at least one backdoor into my firewall that I was not aware of—reminds me never to fully trust off the shelf stuff. I see why it is there and I see why it would be useful (it’s so the manufacturer can push firmware updates to the device) but I am not entirely sure I’m comfortable with it! Will have to put “build my own firewall” back on my list of jobs…and yet…then I would have to manage it myself and who says I would do a better job than the company who is currently managing it…? |
Dave Higton (1515) 3534 posts |
The best advice for using WebJames as a server available to the public is: don’t. I don’t think it will stay up, free of problems, for long. You may get it crashed (DoS) or the contents compromised. Neither WebJames nor RISC OS is robust enough against the evil people out there. I’ve got a WebJames server up and running, but exclusively behind an OpenVPN server so that only I can access it. That’s an entirely different proposition. |
Glen Walker (2585) 469 posts |
Actually I’m not too bothered about the server getting zapped—it’s not going to have anything critical or irreplaceable on there and is more for a bit of fun really. I was only concerned that there might be a way in to the rest of the LAN via the server. |