Using rsync To Backup a Joomla Website

Last Updated on Monday, 22 November 2010 13:53 Written by Joe Aldeguer Tuesday, 10 February 2009 15:34

There are a good number of Joomla backup extension programs which do a good job of backing up a Joomla web site. The problem is, it stores the backup on the same server hosting my production Joomla web sites. Even if the backup program allows me to download the backup it still entails me having to remember to download a backup copy daily. Now let us assume the server gets hacked, or after installing an update to the OS, it has caused the server to not boot up, etc. What do I do now? I could start the disaster recovery process which could take hours depending on the problem. But let us say one of the Joomla web site I am hosting got hacked. I would no longer trust the server to hosts my Joomla web sites so much so I'd prefer to reinstall everything. This is were Rsync and Vmware ESXi (I have snapshots for the virtual server also serving as backups) comes in to make my disaster recovery easier and a bit less time consuming. Now all I have to do is make the backup server become the primary in DNS, while I work on the damaged server.

For example purposes I will be using two servers one called Production the other called Backup. Both production and backup are virtual servers running on an ESXi host. Both servers will have indentical OS and other related software programs to properly run a Joomla web site.

Disclaimer: There is no guarantee this will work for you the information provided is for the author's personal use.

Note: Words in italics are commands to typed at shell prompt.

Done at Backup server:

I will install rsync on both Backup and Production server's.

apt-get install rsync

I will now generate a private and public key for my root account on the backup server.

ssh-keygen -t rsa (Click enter when asked for a passphrase do not create a passphase.)

This will create a private and public key which will be stored in /root/.ssh/.

cd /root/.ssh

I'll then use SCP to copy over the public key of the root account to my production server.

scp ' -P 12345' key.pub root@joealdeguer.com:~/backup_publickey (I have to use the option '-P 12345' since I am using a different port for SSH.)

Repeat the steps above for the user account of the web site being backup. This will ensure the web site owner on the backup server is also able to login into the production web server without using a password.

Done at Production server:

After I have SCP the public key of backup server's root account into the production server. I will make sure the SSH server running on production only accepts RSA authentication. To edit SSH server config files by hand go into /etc/ssh/sshd_config. Both server's also have Denyhost installed to stop and block password guessing programs. I also have OSSEC installed to monitor the logs for failed login attempts which gets e-mailed to me. To use Webmin to change SSH server's authentication option go to Servers | SSH server | Authentication.

At the shell prompt of Production server type the following:

apt-get update

apt-get install rsync

cd /home/joealdeguer

mkdir .ssh

cd .ssh/

chmod 700 ~/.ssh
touch authorized_keys
chmod 600 authorized_keys

I'll copy the root public key of the backup server into the web site owners .ssh/ folder then run cat to add it in authorized_keys. When I'm done I will delete the backup server's root backup_publickey.

cat backup_publickey >> authorized_keys

rm backup_publickey

Done at Backup server:

Try connecting using SSH now to Production.

ssh -l root -p 12345 joealdeguer.com

I'm now logged in without using a password. Now that I have confirmed I can login without using a password I will log back out.

At the shell prompt on the backup server I'll initialize the rsync by pulling the web site data off the production server.

(Since I'm using a different port for SSH to listen on at the backup server I have to use 'ssh -p 12345'.)

Type the following on one line. (Substituting the home path to reflect the location of your public_html.)

rsync -avz -e 'ssh -p 12345' joealdeguer@joealdeguer.com:/home/joealdeguer/public_html/ /home/joealdeguer/public_html/

Heads Up: After typing the above rsync command and you're still prompted for a password even though you thought you have already copied the public key to the production server. Check again. Since we're running rsync as the user root we need to make sure the public key of the user root from the backup server has also been added into the home owner's website's .ssh/authorized_key file at the production server.

After the initial rsync copy has completed I can now cron the rsync command to pull any changes from the production server back into my backup server. I do so by using Webmin's Scheduled Cron Jobs module. Go to System | Scheduled Cron Jobs | Create new scheduled cron job.

The command below can either be typed at the shell prompt or entered into cron. This should be typed in one line. The (--delete --exclude=**) options tells rsync to ignore my configuration.php file on the backup server since I have some of the settings set to work only for the backup server. I can just copy and paste the commands below into Webmin or I could issue the command crontab -e.

Note: If you are creating an rsync cron task for each website being hosted at the production server make sure to connect using domian (example: user@domain.com) part of each website. Replacing user wtih the owner of the website and using the actual domain name being rsync. This will allow you to add the keyhost. First time initiating an rsync over SSH you will be asked to answer yes or no in accepting key. Answer yes.

rsync -avz -e 'ssh -p 1234' --delete --exclude=**configuration.php joealdeguer@joealdeguer.com:/home/joealdeguer/public_html/ /home/joealdeguer/public_html/

Cron task will produce the output below if I click run now. Normally this cron task will run in the background during its scheduled time. Any changes which occur at the production server will be copied over to the backup server.

At the production server I have MySQL scheduled to do nightly backups which stores it in a folder /var/backups/mysql. Then at the backup server I have an rsync schedule to pull the contents of the MySQL backup daily. I now have copies of the web document root of all my web sites including its corresponding databases.

I also want to limit web access to my backup site to just my IPs, this is in case there is a zero day exploit which was used to compromise the Joomla websites on my production server it couldn't be used against my backup server. I can easily accomplish this by adding the following rules into Joomla's .htaccess.