# Connecting to notebooks from outside UCL

There are several ways in which you can easily run the jupyter notebooks from any computer, with the notebook displaying in a browser on your local machine and the processes running on the remote (UCL Geography) machine.

The main issue that we have to get around is that the UCL Geography computers that you wish to access are behind a firewall. This means that when you want to access a UCL Geography machine in the lab (e.g. `pyongyang.geog.ucl.ac.uk`), you must do this via a gateway computer.

#################################

            NOTICE

Direct access to this system from 
outside UCL will be stopped this 
academic year.

Please use one of the following 
for SSH access:

*  arch.geog.ucl.ac.uk
*  round.geog.ucl.ac.uk
*  square.geog.ucl.ac.uk
*  triangle.geog.ucl.ac.uk

#################################

## Using ssh to access a geog computer from home

We will assume that you are sat at a 'home' computer that is external to the UCL Geography network and that you want to access a UCL geography lab computer ('geog'). The homwe computer may be a Mac, windows or linux machine. Things are slightly more awkward on a windows machine, so we will concentrate on Mac and linux to start with:

We will assume that you have reasonable network speed between UCL Geography and where you are (home) and that you are able to use `ssh` from a command prompt to achieve access.

First, lets log in ('ssh in') from 'home' to 'geog'.

Before we attempt that, lets make sure we have access to the information we will require:


1. The `IP Address` or hostname of the firewall computer. Here we will assume the username `geogg122` and computer `round.geog.ucl.ac.uk`.

2. The `IP Address` or hostname of the 'geog' computer Here we will assume the username `geogg122` and computer `pyongyang.geog.ucl.ac.uk`.

3. Your login name and password on the geog computers (both firewall and geog). The example login above is `geogg122`, so the password on the geog machines corresponding to that.


You will need to open a 'shell' ('terminal') on your 'home' computer (i.e. somewhere you can type unix system commands).

To ssh in to geog from home via firewall, first lets get on to the firwall (gateway) machine: type:

`ssh geogg122@round.geog.ucl.ac.uk`

You will likely be prompted to confirm the connection and for your password on the computer.

This will take you onto the gateway machine. From there, log in to the 'geog' computer.

`ssh geogg122@pyongyang.geog.ucl.ac.uk`

You will likely be prompted to confirm the connection and for your password on the computer.

This will take you onto the geog machine. From here, you can access all of the files and software the same as you do from the geog computer lab. 


Try some basic unix commands such as `ls` or `cd` and navigate to where your course notes are, e.g.:

`cd DATA/geogg122`

`ls`

You can log out of the session as normal (`exit` or `^D`) -- remember to do this twice as you have to log out of the geog machine and the gateway machine.

 

## Using ssh to access home from a geog computer 

We will find it convenient to be able to log in (ssh) from the geog computer to your home computer.

You will require (as well as the information above):

1. The `IP Address` (or hostname) of the 'home' computer. The ip address will be a number such as `86.166.33.255` that allows you to refer to your home computer from the outside world. To access this, the simplest thing is to open [http://whatsmyip.org](http://whatsmyip.org) in a browser on your *home* machine. This will tell you e.g. that:

    `Your IP Address is 86.166.33.255`.    
    
  Here, we assume a hostname of `geogg122.duckdns.org` (see [Notes](#Notes:) or IP address of `86.166.33.255`. This will **not** be the same for you!

2. Your login name and password on the home computer. Here we assume `samiam` as the login name, so the password on your home computer corresponding to whatever you choose instead.

To test if this works, ssh in to a geog machine as above (e.g. pyongyang, via a gateway machine). Then try to connect from there to your home computer (clearly, it needs to be turned on and running):

`ssh samiam@geogg122.duckdns.org`

If this works, then you should be prompted for a password. This will be the password on your homwe computer associated with the account `samoiam`.

If it doesn't work, you will need to check whether ssh port forwarding is enabled on your home network (see below, or talk to your provider).


### Allowing ssh port forwarding

Depending on your 'home' network configuration, you may need to allow your router to accept incoming ssh calls on port 22 ('port forwarding'). 

This is generally done in your server tool. This will generally be accessible through a web browser, with an address such as (for BT bthomehub):

http://192.168.1.254

If you do not know how to access the router configuration, check the web pages from your internet provider or call them up to ask.

Alternatively, if on a mac, you should be able to type:

`route get www.google.com`

or on linux:

`route -nNvee -FC`

Alternatively, try:

`netstat -nr`

(a command to tell you how the traffic is routed) and under the information returned, it will have somehing like `gateway: bthomehub`.

Once you access the router configuration tool (there is probably a password for this, with a username such as `admin`)

Under the tab `settings` or `port forwarding` or similar, there should be an interface to let you open ports. In this case, we wish to open port 22 (the default for `ssh`). This may be listed as `SSH Server - Secure Shell`. The options available will probably only let you open the port for a specific computer on your home network, so make sure its the one you are using.


## Using ssh -R

Supposxe now that we are sat at home, logged in to the computer known to the world as `geogg122.duckdns.org` (or by the IP address `86.166.33.255`) under the account `samiam`.

We wish to run a process on some port on a geog machine, `pyongyang.geog.ucl.ac.uk` with the account `geogg122` and access it from the home computer. The easiest way to do this is to establish a link **from**  `geogg122@pyongyang.geog.ucl.ac.uk` **to** `samiam@geogg122.duckdns.org` that maps from one port number on `pyongyang` to a different port number on `geogg122.duckdns.org`.

As an example of this, we will run `jupyter notebook` on `pyongyang` and access the notebooks through a web browser on `geogg122.duckdns.org`.

### some security

It is best to set up some security for this process.

This involves setting the following in your jupyter configuration file, i.e. put:

    c.NotebookApp.certfile = u'/home/geogg122/.jupyter/mycert.pem'
    c.NotebookApp.keyfile = u'/home/geogg122/.jupyter/keyfile.pem'
    c.NotebookApp.ip = '*'
    c.NotebookApp.password = u'sha1:e36...b7'
    c.NotebookApp.open_browser = False
    c.NotebookApp.port = 9999

into the file `~/.jupyter/jupyter_notebook_config.py`.

You would do this by logging in to `pyongyang`, generating the encoded password `'sha1:e36...b7'` and generating the files `/home/geogg122/.jupyter/mycert.pem` and `/home/geogg122/.jupyter/keyfile.pem`.

To generate the certificate and keyfiles, use the following unix commands and respond appropriately to the prompts:

    cd /home/geogg122
    mkdir -p .jupyter
    cd .jupyter
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
    
Then, set a password to secure your notebooks (the 'notebook password'):

    ipython
    
    In [1]: from IPython.lib import passwd
    In [2]: passwd()
    Enter password:
    Verify password:
    Out[2]: 'sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed'
    
    
copy the encrypted password and put it in the copy the encrypted password and put it in the `c.NotebookApp.password` field in the file `~/.jupyter/jupyter_notebook_config.py`. See [the ipython docs](https://ipython.org/ipython-doc/3/notebook/public_server.html) for more info.

### putting it together

1. log in to `pyongyang` and run

      `cd ~/DATA/geogg122`
      
      `jupyter notebook`
    
    If you have set up the security information above, you should get a response such as:
       
        [I 17:46:16.538 NotebookApp] The port 9999 is already in use, trying another random port.
        [I 17:46:16.547 NotebookApp] Serving notebooks from local directory: /archive/rsu_raid_0/plewis/geogg122
        [I 17:46:16.547 NotebookApp] 0 active kernels 
        [I 17:46:16.547 NotebookApp] The IPython Notebook is running at: https://[all ip addresses on your system]:10099/
        [I 17:46:16.547 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
        
        
    This tells us that the notebook server is running, and that it is using port `10099`.
    
2. In another window/shell, log in to `pyongyang` again and run

        ssh -NR 10100:localhost:10099 samiam@geogg122.duckdns.org
        
    You will be prompted for the password associated with `samiam` on the machine `samiam@geogg122.duckdns.org` (i.e. your home machine).
    
    What we have done here is to set up a tunnel between pyongyang and the home machine with reverse port forwarding, here, forwarding port `10099` on `pyongyang` to port `10100` on `geogg122.duckdns.org`. 
    
    It should be clear to you that this requires that we can log on (ssh) **from** `pyongyang` to `geogg122.duckdns.org`, which is why we had to open the ssh port on `geogg122.duckdns.org`. One of the main advantages of this approach is that you avoid having to directly tunnel through the gateway machine. If you *do* want to try it that way around, use `-L` instead of `-R`.
    
    If this has worked, open a browser on your home machine (if it doesn't seem to work on one browser, try another ... for instance, I had problems with chrome on a mac, and went for Safari in the end). In the browser, open [https://localhost:10100](https://localhost:10100) (for some browsers, you may need http://localhost:10100). Note that `10100` refers to the port that we mapped earlier.
    
    If this works, you should see a jupyter wondow on your local computer (password protected remember - use the 'notebook password'). Once past the password, you have access to all notebooks and other scripts, *running on pyongyang, behind the firewall*, but displayed, and accessible from your local computer.

Notes:
=====
Free Dynamic DNS
-------------------
Using the IP address can sometimes be awkward, as, depending on the setup you have, it may change over time. If this is the case, then you may want to set up a dynamic name server (DNS) account. An example is to use  [https://www.duckdns.org](https://www.duckdns.org). You can sign in with [twitter](https://www.duckdns.org/login?generateRequest=twitter), [google](https://www.duckdns.org/login?generateRequest=google) or other means to create an account. Using e.g. duckdns, you will be able to set a *name* to refer to your computer from the outside world, rather than using the IP address. If you set up the dynamic dns correctly, this name will refer to your home computer, even if the IP address changes.

For example, 

    samiam@geogg122.duckdns.org

refers to the username `samiam` on the computer known to duckdns as `geogg122.duckdns.org`.