Well, any file really, but this script is aimed at keeping configuration files, SSL certificates and ModSecurity rules in sync across a cluster of reverse proxy servers. It is written for Apache (or Nginx) on Ubuntu, but with a few changed paths it should work on any distro. If any changes are detected on the primary, the Apache service on the backup server is restarted.

For this particular example I have two Apache reverse proxies running in HA (using Pacemaker, et al), and I only ever want to edit the configuration files on one server and have them copied to the other. No more forgetting to copy Apache configs (which you only ever find out about when one goes down).

As usual, use at your own risk and YMMV unless you are paying me. It's far from perfect, so feel free to change it as you will.

Here we go:
  1. Never test in production. Just saying.
  2. There are two servers, primary and backup. Primary is the source of the files, backup is the target. So any changes on primary will be reflected on backup at whatever cron frequency you see fit (I use 5 minutes).
  3. I'm using a user called rsyuser. This user is created on both servers and has read and write access to all the files/folders in question at both ends (I created a group and added this new user and root to it).
  4. The rsyuser user also has an SSH key so this can run password-less. Create it on the backup server, logged in as rsyuser, with ssh-keygen -t rsa -b 2048 (just hit enter at the passphrase prompt; an unencrypted key is what lets cron use it). Once created, copy both files (id_rsa and id_rsa.pub) to the root user's ssh folder (/root/.ssh), make the copies owned by rsyuser, leave the group as root, and keep the private key at mode 0600. Root needs the key there because the script is run from root's cron later on (it has to restart the service). Bear in mind that anyone who can read that private key can read every synced file on the primary as rsyuser, so protect /root/.ssh accordingly.
  5. The public key of this user is copied to the primary server with this command, run from the backup:
    ssh-copy-id -i /home/rsyuser/.ssh/id_rsa.pub rsyuser@your_primary_server_ip_address
  6. You probably want to make sure you can now copy between the servers by manually running rsync from the backup and getting files from the primary before you go any further.
  7. Change the script to your IP address, service and user, place the script below in /home/rsyuser/ as rsync_apache.sh, and make it executable (+x).
#!/bin/bash
# while technically this is for Ubuntu servers,
# you can easily change the paths to match CentOS, RHEL, etc
#
# Darren Duke
# https://blog.darrenduke.net
#
# Provided as-is. No warranty or guarantee is implied nor given

# Change remoteIP to be your primary server IP address
remoteIP=10.200.200.7

# Change this to the user you are using
rsyncusername=rsyuser

# For nginx change the line below to 'nginx'
serviceName=apache2

# Add to each array the files/folders you wish to sync. Element N of
# sourceFilesArray is copied into element N of targetFilesArray, so keep
# the two arrays the same length and in the same order.
sourceFilesArray=("/etc/apache2/sites-available/*.conf" "/etc/apache2/sites-enabled/*.conf" "/etc/modsecurity/modsecurity.conf" "/etc/apache2/sts_ssl/2018/*" "/etc/apache2/sts_ssl/*")

targetFilesArray=("/etc/apache2/sites-available/" "/etc/apache2/sites-enabled/" "/etc/modsecurity/modsecurity.conf" "/etc/apache2/sts_ssl/2018/" "/etc/apache2/sts_ssl/")

restartApache=0
count=0

for i in "${sourceFilesArray[@]}"
do
    # -i (itemize changes) prints one line per file that was updated, so
    # non-empty output means something on the primary differed from here.
    # The remote path is quoted so a wildcard in it is expanded by the
    # shell on the primary rather than by the local shell.
    RSYNC_COMMAND=$(rsync -alizh -e ssh "$rsyncusername@$remoteIP:$i" "${targetFilesArray[count]}")

    if [ $? -eq 0 ]; then
        # Connected, we're doing something right!
        echo "$i"

        if [ -n "${RSYNC_COMMAND}" ]; then
            echo 'changes received, so set restartApache so the service is restarted later'
            restartApache=1
        else
            echo 'no changes were made'
        fi
    else
        # Error....hum! Stop here rather than restart on a partial sync.
        echo "rsync of $i from $remoteIP failed" >&2
        exit 1
    fi

    echo $count
    count=$((count+1))
done

echo "restart $serviceName: " $restartApache
if [ $restartApache -eq 1 ]; then
    service $serviceName restart
    echo "$serviceName restarted"
fi



As you will notice there are two arrays in the script: one lists the files you want to copy from the primary (handily called sourceFilesArray), the other is the target folder or file that sourceFilesArray[x] will be copied to (also handily called targetFilesArray), so the two arrays have to line up element for element. One of the really cool things about doing this over rsync is that a wildcard in the source path is handed to the shell on the primary and expanded there, in real time as the script executes. That is why you will see some sourceFilesArray elements with a wildcard (*) in them. This saves you a ton of array elements.

Once you have it working the way you want, simply create a cronjob on the backup server, in root's crontab since the script restarts the service (the line below runs it every 2 minutes; pick whatever frequency suits you):

*/2     *       *       *       *       /home/rsyuser/rsync_apache.sh
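Below is an added example of my own (not Darren's script) that keeps the same pull-from-primary idea but adds the three checks I would want before running this from cron unattended: it restarts only when rsync's itemized output shows a file was actually received or removed (a line starting with "." means only mtime or permissions were touched, which the service does not care about), it refuses to restart unless the freshly synced configuration passes apachectl configtest (nginx -t for nginx), so a typo saved on the primary cannot take the backup down as well, and it takes a lock so a slow transfer cannot overlap the next cron tick. The address, user, paths, lock file location, the RESTART_CMD override and the "run" argument are assumptions; needs_restart and restart_if_valid are helper names I made up.

```shell
#!/bin/bash
# Added example, not the original rsync_apache.sh: pull config from the
# primary, restart only on real content changes, and only after the new
# config passes a syntax check. Address, user and paths are assumptions.
set -euo pipefail

remoteIP="${REMOTE_IP:-10.200.200.7}"          # primary (assumed address)
rsyncusername="${RSYNC_USER:-rsyuser}"
serviceName="${SERVICE_NAME:-apache2}"          # 'nginx' for nginx
RESTART_CMD="${RESTART_CMD:-service}"           # overridable for dry runs
LOCK_FILE="${LOCK_FILE:-/run/lock/rsync_apache.lock}"

sourceFilesArray=("/etc/apache2/sites-available/*.conf" "/etc/apache2/sites-enabled/*.conf" "/etc/modsecurity/modsecurity.conf" "/etc/apache2/sts_ssl/*")
targetFilesArray=("/etc/apache2/sites-available/" "/etc/apache2/sites-enabled/" "/etc/modsecurity/modsecurity.conf" "/etc/apache2/sts_ssl/")

# Decide from 'rsync -i' output whether the service must be restarted.
# Each line is "YXcstpoguax path": Y='>' a file was received, 'c' a local
# change was made (new directory or symlink), 'h' a hard link, '*' a
# message such as "*deleting" (only seen if you add --delete). Y='.' means
# only attributes (mtime, mode, owner) were updated and nothing the
# service reads from the file has changed, so that line is ignored.
needs_restart() {
    grep -qE '^[>ch*]' <<< "$1"
}

# Pull one source (any glob is expanded by the shell on the primary, which
# is why the remote path stays quoted here) into its target and print
# rsync's itemized output.
pull() {
    rsync -aizh -e ssh "${rsyncusername}@${remoteIP}:$1" "$2"
}

# Restart $1 only if the validator command ($2 onwards) succeeds. A bad
# config on the primary must not take this node down as well.
restart_if_valid() {
    local svc=$1; shift
    if "$@" >/dev/null 2>&1; then
        "$RESTART_CMD" "$svc" restart
    else
        echo "config test failed; $svc left running with the old config" >&2
        return 1
    fi
}

main() {
    # Serialise runs so a slow transfer cannot overlap the next cron tick.
    exec 9>"$LOCK_FILE"
    flock -n 9 || { echo "previous run still active" >&2; exit 0; }

    local changes="" out i
    for i in "${!sourceFilesArray[@]}"; do
        out=$(pull "${sourceFilesArray[$i]}" "${targetFilesArray[$i]}") \
            || { echo "rsync of ${sourceFilesArray[$i]} failed" >&2; exit 1; }
        changes+="$out"$'\n'
    done

    if needs_restart "$changes"; then
        # For nginx use: restart_if_valid "$serviceName" nginx -t
        restart_if_valid "$serviceName" apachectl configtest
    else
        echo "no content changes; $serviceName not restarted"
    fi
}

# Only sync when invoked as 'rsync_apache.sh run'; sourcing the file (or
# loading it in a test) just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

With this version the cron line becomes `*/5 * * * * /home/rsyuser/rsync_apache.sh run` in root's crontab. While you are at it, lock the key down on the primary: in rsyuser's ~/.ssh/authorized_keys prefix the public key with `restrict,from="<backup address>"` (OpenSSH 7.2 or later) so the passphrase-less key cannot be used for port forwarding or an interactive session from anywhere else; if you want to go further, the rrsync helper that ships with rsync can pin the key to read-only rsync of one directory via a command= option.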
Darren Duke   |   November 20 2018 03:49:08 AM   |   apache  nginx  security  linux