ParticlePhysics and LHC webs

This is file T:\Groups\Computing\Web\ParticlePhysics and LHC Webs.doc
Last Change: 17th July 2009. Gareth Smith
Overview of the ParticlePhysics and LHC webs.
The following two webs are hosted on HEPWIN2003G:


http://www.particlephysics.ac.uk/
http://www.lhc.ac.uk/
The contact for the LHC web is Ray Mathias. I don’t know the current contact for the ParticlePhysics
web.
Summary
Both of these webs were created by PPARC. The content is managed via an external company
(“Nomensa”) using their “Content Management System” called “DeFacto”. This is a web based
system and a small number of people have editing access.
Changes to each of these webs are carried out in the DeFacto system at Nomensa and are
downloaded to HEPWIN2003G using rsync over a secure (ssl) connection. The update happens
several times per day.
Check the “Change Log” for more information. This was first set-up in November 2005, initially for
the particlephysics.ac.uk web. The LHC web was added later.
Detail
The installation was done as per advice from one of the technical guys at Nomensa (Peter Shipley).
Use a product called cwRsyncServer. See
http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=6&MMN_position=23:23
This installs and runs a small cut-down version of Cygwin with only the right tools to do the job - in
this case support Rsync for file transfer.
As a Windows application it will integrate as a Windows Service running as its own user, so
permissions can be allocated accordingly (those being the minimum required to manage the files
being served for the PPUK web site).
As an extra layer of security there is an option in the installer to install OpenSSH
(http://www.openssh.com/). This is a highly secure and popular tool that will allow for secure,
encrypted traffic between servers. This is accomplished by allowing only someone with the right
software key (so no passwords are used) to access the server.
The way it works:

cwRsyncServer program installed on the target Windows server (hepwin2003g).

Permissions set for the cwRsyncServer user running on that server.

OpenSSH server running as a service on your server, only permitting someone with the
right key to connect. This can be secured even more by restricting the connecting computer
to just our server's IP address by a firewall.

We would then run a client on our server to connect to your server and synchronise the
files to the target directory.
Some settings to note:

Using SSH the port will be 22

The IP address at Nomensa is 213.129.84.11

The firewall hole allows ssh in from this address to 130.246.43.157, the address on which
the ssh server is set to respond.

The user we will connect as is SvcwRsync.
(Note: This was set-up as an administrator - I removed that permission).
In the sshd_config file (in C:\Program Files\cwRsyncServer\etc) there is an entry called
ListenAddress. Set this to the IP address the server should listen on
(0.0.0.0 is the default to listen on any IP). Modified to be 130.246.43.157 (hepdoc.rl.ac.uk).
Notes from the install:

Replaced the sshd_config file with one supplied separately to the build by Peter.

This tied down the access, requiring the use of ssh keys to control access.

Had to modify the ListenAddress parameter as detailed above.

Replaced the \var\.ssh\authorized_keys file with one from Peter (His file id_rsa.pub).

Some issues with the access permissions on the authorized_keys file. These had emerged
during earlier tests and here is the solution that was applied here anyway.
Used a BASH console to modify the permissions. (This appeared under the "Start Menu -> Programs
-> cwRsync Server" following the install)
cd c:
cd "Program Files"
... etc. as far as Program Files/cwRsyncServer/var/SvcwRsync
chmod 700 .ssh
cd .ssh
chmod 600 authorized_keys
chown SvcwRsync authorized_keys

The web area is: D:\inetpub_ppuk\wwwroot

Gave the SvcwRsync username modify access to this folder.
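
A check for the settings described above, as an added example that is not part of the original document or of the configuration supplied by Nomensa: it audits an sshd_config and the .ssh directory for the ListenAddress, key-only access and the 700/600 permissions. The function names and the sample config built in demo are constructed for illustration; PasswordAuthentication and PubkeyAuthentication are standard OpenSSH directives assumed here to be how key-only access is enforced, and the file is assumed to have whitespace-separated directives and no Match blocks.

```sh
#!/bin/sh
# Added example: audit sshd_config and key-file modes against the settings in
# this document. Assumes standard OpenSSH directive names and no Match blocks.

# Print the first value set for a directive (sshd uses the first occurrence).
sshd_value() {  # usage: sshd_value FILE DIRECTIVE
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Succeed if PATH has exactly the ls-style permission string MODE.
has_mode() {  # usage: has_mode PATH MODE
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "$2" ]
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Print one line per finding; the return status is the number of findings.
audit_rsync_ssh() {  # usage: audit_rsync_ssh SSHD_CONFIG EXPECTED_IP SSH_DIR
    cfg=$1 want_ip=$2 sshdir=$3 findings=0

    # ListenAddress may repeat and every entry is used, so collect them all.
    listen=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$cfg" | sort -u | paste -sd, -)
    [ "$listen" = "$want_ip" ] ||
        flag "ListenAddress is '${listen:-unset (all addresses)}', expected $want_ip"

    # PasswordAuthentication defaults to yes, so an unset value counts as enabled.
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] ||
        flag "PasswordAuthentication is not set to no"

    pk=$(sshd_value "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" = "yes" ] || flag "PubkeyAuthentication is disabled"

    has_mode "$sshdir" "drwx------" || flag "$sshdir is not mode 700"
    has_mode "$sshdir/authorized_keys" "-rw-------" ||
        flag "$sshdir/authorized_keys is not mode 600"

    return "$findings"
}

# Constructed sample: build a hardened config and key directory, then audit it.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh" && chmod 600 "$d/.ssh/authorized_keys"
    printf '%s\n' 'Port 22' 'ListenAddress 130.246.43.157' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$d/sshd_config"
    audit_rsync_ssh "$d/sshd_config" 130.246.43.157 "$d/.ssh"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

From the cwRsync BASH console the call would be audit_rsync_ssh with the path to sshd_config, the expected listen address and the .ssh directory; a ListenAddress written with a port suffix is reported as a mismatch.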