Mirroring Your Web Site With rsync

This tutorial shows how you can mirror your web site from your main web server to a backup server (both running blackPanther OS 1x.x) that can take over if the main server fails. We use the tool rsync for this, and we make it run through a cron job that checks every x minutes if there is something to update on the mirror. Thus your backup server should usually be up to date if it has to take over. rsync updates only files that have changed, so you do not need to transfer 5 GB of data whenever you run rsync. It only mirrors new/changed files, and it can also delete files from the mirror that have been deleted on the main server. In addition to that it can preserve permissions and ownerships of mirrored files and directories; to preserve the ownerships, we need to run rsync as root which is what we do here.

If permissions and/or ownerships change on the main server, rsync will also change them on the backup server. In this tutorial we will tunnel rsync through SSH which is more secure; it also means you do not have to open another port in your firewall for rsync – it is enough if port 22 (SSH) is open. The problem is that SSH requires a password for logging in which is not good if you want to run rsync as a cron job.

The need for a password requires human interaction which is not what we want. But fortunately there is a solution: the use of public keys. We create a pair of keys (on our backup server server2.example.com), one of which is saved in a file on the remote system (server1.example.com). Afterwards we will not be prompted for a password anymore when we run rsync. This also includes cron jobs which is exactly what we want. As you might have guessed already from what I have written so far, the concept is that we initiate the mirroring of server1.example.com directly fromserver2.example.comserver1.example.com does not have to do anything to get mirrored. I will use the following setup here:

  • Main server (blackPanther OS 10.1): server1.example.com (server1) – IP address: 192.168.0.100
  • Mirror/backup server (blackPanther OS 10.1): server2.example.com (server2) – IP address: 192.168.0.101
  • The web site that is to be mirrored is in /var/www/html on server1.example.com.

rsync is for mirroring files and directories only I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Install rsync

First we have to install rsync on both server1.example.com and server2.example.com:

server1/server2:

(We do this as root!)

installing rsync

2 Create An Unprivileged User On server1.example.com

Now we create an unprivileged user called someuser on server1.example.com that will be used by rsync on server2.example.com to mirror the directory/var/www/html (of course, someuser must have read permissions on /var/www/html on server1.example.com).

server1:

(We do this as root!)

adduser -d /home/someuser -m -s /bin/bash someuser

This will create the user someuser with the home directory /home/someuser and the login shell /bin/bash (it is important that someuser has a valid login shell – something like /bin/false does not work!). Now give someuser a password:

passwd someuser

3 Test rsync

Next we test rsync on server2.example.com. As root we do this:

server2:

rsync -avz -e ssh someuser@server1.example.com:/var/www/html/ /var/www/html/

You should see something like this. Answer with yes:

[root@server2 ~]# rsync -avz -e ssh someuser@server1.example.com:/var/www/html/ /var/www/html/
The authenticity of host ‘server1.example.com (192.168.0.100)’ can’t be established.
RSA key fingerprint is 96:1e:9d:39:25:40:9d:89:53:f6:71:8f:fd:79:89:18.
Are you sure you want to continue connecting (yes/no)? <– yes

Then enter someuser’s password, and you should see that server1.example.com’s /var/www/html directory is mirrored to /var/www/html onserver2.example.com.

You can check that like this on both servers:

server1/server2:

ls -la /var/www/html

You should see that all files and directories have been mirrored to server2.example.com, and the files and directories should have the same permissions/ownerships as on server1.example.com.

4 Create The Keys On server2.example.com

Now we create the private/public key pair on server2.example.com:

server2:

(We do this as root!)

mkdir /root/rsync
ssh-keygen -t dsa -b 1024 -f /root/rsync/mirror-rsync-key

You will see something like this:

[root@server2 ~]# ssh-keygen -t dsa -b 1024 -f /root/rsync/mirror-rsync-key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): <– ENTER
Enter same passphrase again: <– ENTER
Your identification has been saved in /root/rsync/mirror-rsync-key.
Your public key has been saved in /root/rsync/mirror-rsync-key.pub.
The key fingerprint is:
68:1e:9c:12:f1:f5:7f:53:d5:1d:d0:f2:dd:c2:88:f3 root@server2.example.com
The key’s randomart image is:
+–[ DSA 1024]—-+
|    .   .    .o.=|
|     o . .   . .+|
|    . .   .. oo +|
|     o o  o.. ooo|
|    . * S  o. o. |
|     + .    E. . |
|      .          |
|                 |
|                 |
+—————–+
[root@server2 ~]#

It is important that you do not enter a passphrase otherwise the mirroring will not work without human interaction so simply hit enter!

Next, we copy our public key to server1.example.com:

server2:

(Still, we do this as root.)

scp /root/rsync/mirror-rsync-key.pub someuser@server1.example.com:/home/someuser/

The public key mirror-rsync-key.pub should now be available in /home/someuser on server1.example.com.

5 Configure server1.example.com

Now log in through SSH on server1.example.com as someuser (not root!)… server1: su someuser … and do this: server1: (Please do this as someuser!) mkdir ~/.ssh chmod 700 ~/.ssh mv ~/mirror-rsync-key.pub ~/.ssh/ cd ~/.ssh touch authorized_keys chmod 600 authorized_keys cat mirror-rsync-key.pub >> authorized_keys By doing this, we have appended the contents of mirror-rsync-key.pub to the file /home/someuser/.ssh/authorized_keys./home/someuser/.ssh/authorized_keys should look similar to this: server1: (Still as someuser!) mcedit  /home/someuser/.ssh/authorized_keys

ssh-dss AAAAB3NzaC1[...]qqOyXtbUx7HOMEw== root@server2.example.com

Now we want to allow connections only from server2.example.com, and the connecting user should be allowed to use only rsync, so we add

command=”/home/someuser/rsync/checkrsync”,from=”server2.example.com”,no-port-forwarding,no-X11-forwarding,no-pty right at the beginning of /home/someuser/.ssh/authorized_keys: server1: (Still as someuser!) mcedit /home/someuser/.ssh/authorized_keys

command=”/home/someuser/rsync/checkrsync”,from=”server2.example.com”,no-port-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB3NzaC1[…]qqOyXtbUx7HOMEw== root@server2.example.com

It is important that you use a FQDN like server2.example.com instead of an IP address after from=, otherwise the automated mirroring will not work!

Now we create the script /home/someuser/rsync/checkrsync that rejects all commands except rsync.
server1:

(We still do this as someuser!)
mkdir ~/rsync

mcedit ~/rsync/checkrsync

#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
        *\&*)
                echo "Rejected"
                ;;
        *\(*)
                echo "Rejected"
                ;;
        *\{*)
                echo "Rejected"
                ;;
        *\;*)
                echo "Rejected"
                ;;
        *\<*)
                echo "Rejected"
                ;;
        *\`*)
                echo "Rejected"
                ;;
        rsync\ --server*)
                $SSH_ORIGINAL_COMMAND
                ;;
        *)
                echo "Rejected"
                ;;
esac

chmod 700 ~/rsync/checkrsync

6 Test rsync On server2.example.com

Now we must test on server2.example.com if we can mirror server1.example.com without being prompted for someuser’s password. We do this: server2: (We do this as root!) rsync -avz –delete –exclude=**/stats –exclude=**/error –exclude=**/files/pictures -e “ssh -i /root/rsync/mirror-rsync-key” someuser@server1.example.com:/var/www/html/ /var/www/html/ (The –delete option means that files that have been deleted on server1.example.com should also be deleted on server2.example.com. The –exclude option means that these files/directories should not be mirrored; e.g. –exclude=**/error means “do not mirror /var/www/html/error”. You can use multiple –exclude options. I have listed these options as examples; you can adjust the command to your needs. Have a look at man rsync for more information.) You should now see that the mirroring takes place… [root@server2 ~]# rsync -avz –delete –exclude=**/stats –exclude=**/error –exclude=**/files/pictures -e “ssh -i /root/rsync/mirror-rsync-key” someuser@server1.example.com:/var/www/html/ /var/www/html/ receiving incremental file list sent 62 bytes received 48 bytes 73.33 bytes/sec total size is 20 speedup is 0.18 [root@server2 ~]# … without being prompted for a password! This is what we wanted.

7 Create A Cron Job

We want to automate the mirroring, that is why we create a cron job for it on server2.example.com. Run crontab -e as root: server2: (We do this as root!)

crontab -e

and create a cron job like this:

*/5 * * * * /usr/bin/rsync -azq --delete --exclude=**/stats --exclude=**/error \
--exclude=**/files/pictures -e "ssh -i /root/rsync/mirror-rsync-key" \
someuser@server1.example.com:/var/www/html/ /var/www/html/

This would run rsync every 5 minutes; adjust it to your needs (see

man 5 crontab

). I use the full path to rsync here (/usr/bin/rsync) just to go sure that cron knows where to find rsync. Your rsync location might differ. Run

server2:

(We do this as root!)

which rsync

to find out where yours is.

admin

About admin