Topic: Best practice for alternative web server backup.

[ber]

HI I'm looking at options to setup a backup server for a couple of websites that I host on my SME 8.0. I have an onsite backup server using Affa.

Problem occurs if there is a prolonged power failure or internet outage- as occurred earlier this year. I was at the mercy of the Telco agents and just had to sit and wait.( internet outage lasted 3 days-    ).
I would like to setup a minimum and automated "switchover" by simply updating the domain DNS settings to re-route webtraffic.
My thoughts are; however way it works- run a seperate SME server at an alternative site with the required ibays synced to my production server.
When I have a internet outage- simply update the DNS settings and web traffic is routed to the alternative site and websites stay online.

Proposed solution: I have another site where I could setup a SME box and use rsync to sync the web files. I was looking at Affa to sync my production server but am unsure whether using the rise feature would cause IP link issues as the alternative site would have different IP range. It would mean travelling there onsite and making IP and connectivity changes so the Server is correctly "found" with the updated DNS.

Could AFFA or a rsync script be used to simply sync the suggested i-bays and when the outage occurs, update the DNS settings with the new IP address of the server and all should be well. 

Ive done some research in the Forums- some good info but some things that I'm not too sure about.
I am aware that AFFA is no longer maintained but the current version seem to work well for me, its used with the "rise" feature to backup the production server onsite.
I am looking at a solution that may not be standard practice: unsure, am happy to take on some suggestions.

Any thoughts. Thanks

[janet]

ber

Could AFFA or a rsync script be used to simply sync the suggested i-bays and when the outage occurs, update the DNS settings with the new IP address of the server and all should be well. 

Yes, that is probably the simplest approach. Use rsync rather than affa.
For what you describe, using the rise feature is the wrong thing to do in that situation.

When an outage occurs, simply login to external DNS records & change the public IP the domain name points at.
This server would sit on the Internet all the time with rsync updating it as often as you want, then when the main server goes down you manually change external DNS records (temporarily).

I assume your web sites are static pages, in that data is not changed or saved by users etc.
If users do or can change data, then you will have additional issues syncing data from databases back to the main server.

[mmccarn]

Here are some notes on one way to copy an ibay from one SME to another:
http://forums.contribs.org/index.php/topic,50449.msg253803.html#msg253803

(You'll need to include a database backup / transfer / restore in your 'rsync' process if your websites are *not* made up entirely of static pages...)

Here is a post on (specifically) automating the backup of a wordpress site from (almost) any linux server to a SME server:
http://forums.contribs.org/index.php/topic,49233.msg245622.html#msg245622

[ber]

Great Thanks- Ive got some simple rsync scripts which worked when setup locallly, also the webpages are static and have no database.
McCarn, Ill keep your reference for sites with databases- a simple rsync script with a cronjob looks like its the solution.

Installing this afternoon and will test over the next coming days. will keep informed on the progress.

[ber]

Update....I have been able to connect via ssh from by backup server (remote location) to my production server using non standard ports:

[root@server ~]# ssh "-p 2221" admin@****.com
admin@****'s password:


My production and backup server is using non-standard ports.(security)
Ive run the rsync scripts and am getting connectivity or specific syntax error- out of my depth thus far.
Here is a link to the site where I got some info on rsync scripts to sync some of ibays on my production server to the backup; amended for my purpose.
http://www.tecmint.com/sync-two-apache-websites-using-rsync/


Remote Backup server address: *.*.*.* ssh port:2221

Production Server: *.*.*.* ssh port 2221

Here is the script I'm using and would like some comments on where I'm going wrong...

[root@server ~]# [root@server ~]# rsync -avzhe ssh "-p 2221" admin@berltd.dyndns-ip.com:/home/e-smith/files/ibays/hs/html /home/e-smith/files/ibays/hs/html/
rsync: -p 2221: unknown option
rsync error: syntax or usage error (code 1) at main.c(1554) [client=3.1.0]

My main purpose is to setup remote site backup server for some of my websites in case of internet outages.

Also can someone comment on the "cronjob  automated sync" and the "passwordless connection". I havent been able to progress that far with the setup.
Would these instructions be void due to SME's template system?

Regarding the non-standard port security. Is this a recommended practice to secure possible attacks to my production server. i want to take some reasonable measures to protect external access.

Thanks in advance.

[janet]

ber

Firstly you should not use passwords for ssh, you should setup public private keys on both servers so they "trust" each other.
There is a Howto all about this on contribs.org
You can use any available ports you want, it does not really add greatly to security by using ports other than port 22 if you still use passwords. Hackers can scan for open connection on any ports, it's just a matter of time.

Have you set the correct ports to use for ssh in server manager panel ?

So setup public private keys & get that working & then relook at rsync scripts.

I'm sure there are numerous examples buried in various Howtos or Contribs or Forum posts published here, (or elsewhere on the Net), that are specifically applicable to sme server. So do some serious searching through the Forum posts etc on this site
Your should really take a look at the old DAR2 contrib to see how it works (search the Forums for initial instructions when it was released many years ago), & also look at the rdiff backup contrib. You will find suitable ssh rsync commands in there.

When & if time permits, I will look at my notes & see what I can find, no promise when though.

I'm sure others could offer you decent rsync scripts.

[mmccarn]

SSH_Public-Private_Keys

I think rsync is looking for the entire remote command inside the first set of quotes, so instead of this:
rsync -avzhe ssh "-p 2221" admin@berltd.dyndns-ip.com:/home/e-smith/files/ibays/hs/html /home/e-smith/files/ibays/hs/html/

Try this:
rsync -avzhe "ssh -p 2221" admin@berltd.dyndns-ip.com:/home/e-smith/files/ibays/hs/html /home/e-smith/files/ibays/hs/html/

Here is how I would do it:

Code: [Select]

# Use env vars for the variables...
SSHPORT=2221
SSHUSER=admin
SSHHOST=berltd.dyndns-ip.com
IBAY=hs
# set SSHKEY to point to the private key file created for public/private key access to the remote server.
SSHKEY=/root/.ssh/berltd-id_rsa
#
# Do it...
rsync -rlptDzq -e "ssh -i $SSHKEY -p $SSHPORT" "$SSHUSER@$SSHHOST:/home/e-smith/files/ibays/$IBAY/html/" "/home/e-smith/files/ibays/$IBAY/html/"


[ber]

Hi mmccarn

I took up Janets recommendation and switched the ssh port to standard and connected without the additional options to rsync.
You are probably right regarding the cause of the error.  I took it from a website rsync how to.

Also tightened up my  my password after enabling external access.
Sorting out the automated cron settings and am testing this afternoon.  Thanks all for the input. Valuable learning exercise.

[janet]

ber

Using standard ports ie 22 was not what I recommended
I said using non standard ports eg 2221 does not add much to security if you still use password access.

My recommendation was to use public private keys & follow the steps in the Howto for this, that is the ONLY way you will have secure ssh connections. I would also recommend to use non standard ports eg 2222 etc.
Also part of that recommendation is that after you setup pp keys & get it all working (which is relatively straightforward to do), then you should disable password access for ssh (in server manager panel).

While a stronger password is better than a weaker one, if you use passwords your whole server command line is accessible to hackers if they try hard enough & get lucky.

[ber]

Yes janet I was not using your advise as a recommendation for enhanced security but as a fix for rsync not necessarily needing to use non standard port.

As noted on my initial post I had already connected via ssh and setup a private key between the two servers for security.

As mmccarn rightly noted I could have used the non standard port with the corrected script that he advised.
I'm using the non standard port and am happy with the security features that I've employed.

Thanks all the same.

[janet]

ber

As noted on my initial post I had already connected via ssh and setup a private key between the two servers for security.

I do not see that, unless you are referring to the internal workings of Affa which uses a secure key that it generates.

If you use secure keys (either created by Affa or using the Howto), then disable password access, or you are no better off than just using passwords alone.