This is file T:\Groups\Computing\Web\ParticlePhysics and LHC Webs.doc
Last Change: 17th July 2009. Gareth Smith

Overview of the ParticlePhysics and LHC webs.

The following two webs are hosted on HEPWIN2003G:

http://www.particlephysics.ac.uk/
http://www.lhc.ac.uk/

The contact for the LHC web is Ray Mathias. I don’t know the current contact for the ParticlePhysics web.

Summary

Both of these webs were created by PPARC. The content is managed via an external company (“Nomensa”) using their “Content Management System” called “DeFacto”. This is a web based system and a small number of people have editing access.

Changes to each of these webs are carried out in the DeFacto system at Nomensa and are downloaded to HEPWIN2003G using rsync over a secure (ssl) connection. The update happens several times per day. Check the “Change Log” for more information.

This was first set up in November 2005, initially for the particlephysics.ac.uk web. The LHC web was added later.

Detail

The installation was done as per advice from one of the technical guys at Nomensa (Peter Shipley).

Use a product called cwRsyncServer. See http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=6&MMN_position=23:23

This installs and runs a small cut-down version of Cygwin with only the right tools to do the job - in this case support Rsync for file transfer. As a Windows application it will integrate as a Windows Service running as its own user so permissions can be allocated accordingly (those being the minimum required to manage the files being served for the PPUK web site).

As an extra layer of security there is an option in the installer to install OpenSSH (http://www.openssh.com/). This is a highly secure and popular tool that will allow for secure, encrypted traffic between servers. This is accomplished by only allowing someone with the right software key (so no passwords are used) to access the server.

The way it works:

cwRsyncServer program installed on the target Windows server (hepwin2003g).
Permissions set for the cwRsyncServer user running on that server.
OpenSSH server running as a service on your server, only permitting someone with the right key to connect. This can be secured even more by restricting the connecting computer to just our server's IP address by a firewall.

We would then run a client on our server to connect to your server and synchronise the files to the target directory.

Some settings to note:

Using SSH the port will be 22.
The IP address at Nomensa is 213.129.84.11.
The firewall hole allows ssh in from this address to 130.246.43.157, the address on which the ssh server is set to respond.
The user we will connect as is SvcwRsync. (Note: This was set up as an administrator - I removed that permission).
In the sshd_config file (in C:\Program Files\cwRsyncServer\etc) there is an entry called ListenAddress. Set this to the IP address the server should listen on (0.0.0.0 is the default to listen on any IP). Modified to be 130.246.43.157 (hepdoc.rl.ac.uk).

Notes from the install:

Replaced the sshd_config file with one supplied separately to the build by Peter. This tied down the access, requiring the use of ssh keys to control access. Had to modify the ListenAddress parameter as detailed above.

Replaced the \var\.ssh\authorized_keys file with one from Peter (His file id_rsa.pub).

Some issues with the access permissions on the authorized_keys file. These had emerged during earlier tests and here is the solution that was applied here anyway. Used a BASH console to modify the permissions. (This appeared under the "Start Menu -> Programs -> cwRsync Server" following the install)

cd c:
cd "Program Files"
... etc.
as far as Program Files/cwRsyncServer/var/SvcwRsync
chmod 700 .ssh
cd .ssh
chmod 600 authorized_keys
chown SvcwRsync authorized_keys

The web area is: D:\inetpub_ppuk\wwwroot

Gave the SvcwRsync username modify access to this folder.
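
A check of the settings described above, as an added example that is not part of the original note or of Nomensa's configuration. The supplied sshd_config is not reproduced in this note, so testing PasswordAuthentication and PubkeyAuthentication is an assumption about how key-only access is enforced; the function names and sample files are hypothetical.

```sh
#!/bin/sh
# Added example, not the site's or Nomensa's script. Assumes no Match blocks in
# sshd_config and GNU stat (stat -c %a) in the shell where it is run.

# Lower-cased value of a keyword; sshd uses the first value it obtains.
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Report deviations from a key-only, single-address setup; returns the count.
audit_sshd_config() {  # $1=file $2=expected ListenAddress
    n=0
    # ListenAddress may repeat and is additive, so every occurrence is checked.
    addrs=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$1")
    [ -n "$addrs" ] || { echo "no ListenAddress: sshd listens on all addresses"; n=$((n+1)); }
    for a in $addrs; do
        [ "$a" = "$2" ] || { echo "unexpected ListenAddress $a"; n=$((n+1)); }
    done
    # Password logins stay enabled unless the file says "no".
    v=$(sshd_value "$1" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset, default yes}'"; n=$((n+1)); }
    v=$(sshd_value "$1" PubkeyAuthentication)
    [ "$v" != "no" ] || { echo "PubkeyAuthentication is disabled"; n=$((n+1)); }
    return "$n"
}

# Check the modes set with chmod in the note: 700 on .ssh, 600 on authorized_keys.
audit_key_perms() {  # $1=directory that contains .ssh
    n=0
    [ "$(stat -c %a "$1/.ssh")" = "700" ] || { echo ".ssh is not mode 700"; n=$((n+1)); }
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = "600" ] || { echo "authorized_keys is not mode 600"; n=$((n+1)); }
    return "$n"
}

# Constructed sample files, not the real configuration from the server.
demo=$(mktemp -d)
printf '%s\n' 'Port 22' 'ListenAddress 130.246.43.157' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$demo/good"
printf '%s\n' 'Port 22' '#ListenAddress 130.246.43.157' 'ListenAddress 0.0.0.0' > "$demo/weak"
mkdir "$demo/.ssh"; : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"

audit_sshd_config "$demo/good" 130.246.43.157 && echo "good: no findings"
audit_sshd_config "$demo/weak" 130.246.43.157 || echo "weak: $? finding(s)"
audit_key_perms "$demo" && echo "permissions match the note"
```

Each function returns the number of findings, so a zero exit status means the file or directory matches the setup described in this note.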