To date, all my sites have been on a Softsys reseller account and they've always done the behind the scenes work for me. I'm graduating to a WS2008/SQL2008 VPS (2GB) and trying to do it myself for the first time with a new 4.11.8 install. Headed towards having multiple Umbraco sites on it. Questions so far:
What's the best way to set permissions when you have to do it yourself (and are ignorant)? I've seen posts about it but nothing recent.
I think I'm going to end up running my personal sites in one app pool, then the rest of my client sites each with their own. Where do I do those chores? I'm assuming somewhere in IIS Mgr but... still ignorant there too.
My other sites have been set to ASP 4.0 but I thought I read somewhere it should be 4.0 Integrated... but now I can't find that either.
Last (for now) but not least, I recall reading some posts about when you have multiple sites in one install you can/should structure them with a node (I think...) at the top to contain common settings/data. Is there a current post/recommendation on doing that?
And of course, if you think of any other brilliant advice, I'm just the guy to need it!
Luckily there is some good documentation available here http://our.umbraco.org/documentation/Installation/install-umbraco-manually on how to install Umbraco manually. Skip through the webmatrix part in your case though. Make sure to read it through before you go and install so you are sure what parts are the ones you should be following.
When you setup your websites in IIS you can go to the "application pools" section and choose the settings (Run ASP.NET 4 and Integrated mode).
In regards to permissions you should set it for the IIS_IUSRS group, which conatinas the NETWORK SERVICE and IUSR accounts, which are the ones that need permissions.
I imagine that you have a setup where your sites are all in the same folder like this
D:\Sites\Umbraco\Client 1 D:\Sites\Umbraco\Client 2 D:\Sites\Umbraco\Client 3 etc.
So make sure to set the permissions on either the "Sites" or "Umbraco" folder so it's automatically inherited so you don't have to worry about setting up permissions when you add a new site.
Thank you for the reply, Jan and sorry for the slow response, I've been off doing more research as I don't want to be careful setting this up correctly and not creating security problems.
To add a bit more info, I'd been using WebSitePanel to setup new clients/websites and it's worked fine for single site accounts but I've had no control over custom app pools in that shared environment and I think I'm going to need more knowledge to implement multiple Umbraco installs and separate app pools.
If I may trouble you (or anyone) a bit (a lot) more:
Is it (or when is it) necessary to add the '<trust level="Full" />' into the system.web section of web.config? I only have one site with it in use, on my shared hosting account and things seem to work fine.
Softsys support says in IIS I can click the '.NET Trust Levels' icon and set it to 'full' there but that doesn't seem to be site specific so it doesn't seem it would be so secure. Does it automagically modify each individual site's web.config?
The IIS documentation to which you referred also says to set write permissions to the hosts file but I've never encountered that. Is that really necessary?
Softsys support has recommended setting folder permissions in WebSitePanel but hasn't said which folders or how to do it in IIS. Is it as simple as going into IIS Manager and right click on the website, choose 'Edit Permissions', on the Security tab in the wwwroot Properties dialog, click Edit, highlight NETWORK SERVICE and check everything except Full control?
Or, I've seen a suggestion to set read/write permissions for the website and NETWORK SERVICE on these folders: bin config css data media umbraco usercontrols xslt And on this Umbraco reference: http://our.umbraco.org/wiki/reference/files-and-folders/permissions, to do those (in a more granular way) and also: web.config App_Code App_Data MacroScripts Masterpages Scripts Umbraco_client That reference also points to doing it from the command line: http://our.umbraco.org/wiki/install-and-setup/set-umbraco-folder-permissions-from-command-line, and also implies that changing NETWORK SERVICE to 'IIS APPPOOL\{application-pool-name}' is more secure.
Both of these seem way more involved than the simple method suggested by Softsys support, although that has in fact worked for simple, single Umbraco sites so far. With these kinds of discrepencies, I wonder when/where security issues are going to rear their ugly heads, as in: just because you can doesn't mean you should.
And if the easy way is ok, can you then simply apply it to the intended multiple sites by selecting each site in IIS, clicking the 'Basic Settings...' link in the Actions column and picking the newly created app pool from the list there?
I don't think it matters here but where the heck do I find the 'IIS_IUSRS' mentioned in the document to which you referred? I've never seen that.
Also, I ran across this for running multiple domains under one umbraco: open config/umbracoSettings.config, change useDomainPrefixes to true (under requiestHandler). I never saw that anywhere else but I haven't really seen a concise document about how to setup Umbraco to run multiple sites in one install.
Thank you so much for your time and sharing your experience and expertise. Hopefully this will be some help for others. I see a lot of experts talking about these things but haven't found the detailed walkthroughs that can get the noobs and boobs going.
Installing on first VPS, set permissions, etc?
To date, all my sites have been on a Softsys reseller account and they've always done the behind the scenes work for me. I'm graduating to a WS2008/SQL2008 VPS (2GB) and trying to do it myself for the first time with a new 4.11.8 install. Headed towards having multiple Umbraco sites on it. Questions so far:
What's the best way to set permissions when you have to do it yourself (and are ignorant)? I've seen posts about it but nothing recent.
I think I'm going to end up running my personal sites in one app pool, then the rest of my client sites each with their own. Where do I do those chores? I'm assuming somewhere in IIS Mgr but... still ignorant there too.
My other sites have been set to ASP 4.0 but I thought I read somewhere it should be 4.0 Integrated... but now I can't find that either.
Last (for now) but not least, I recall reading some posts about when you have multiple sites in one install you can/should structure them with a node (I think...) at the top to contain common settings/data. Is there a current post/recommendation on doing that?
And of course, if you think of any other brilliant advice, I'm just the guy to need it!
Thanks much,
Matthew
Hi Matthew
Luckily there is some good documentation available here http://our.umbraco.org/documentation/Installation/install-umbraco-manually on how to install Umbraco manually. Skip through the webmatrix part in your case though. Make sure to read it through before you go and install so you are sure what parts are the ones you should be following.
When you setup your websites in IIS you can go to the "application pools" section and choose the settings (Run ASP.NET 4 and Integrated mode).
In regards to permissions you should set it for the IIS_IUSRS group, which conatinas the NETWORK SERVICE and IUSR accounts, which are the ones that need permissions.
I imagine that you have a setup where your sites are all in the same folder like this
D:\Sites\Umbraco\Client 1
D:\Sites\Umbraco\Client 2
D:\Sites\Umbraco\Client 3
etc.
So make sure to set the permissions on either the "Sites" or "Umbraco" folder so it's automatically inherited so you don't have to worry about setting up permissions when you add a new site.
Hope this makes sense.
/Jan
Thank you for the reply, Jan and sorry for the slow response, I've been off doing more research as I don't want to be careful setting this up correctly and not creating security problems.
To add a bit more info, I'd been using WebSitePanel to setup new clients/websites and it's worked fine for single site accounts but I've had no control over custom app pools in that shared environment and I think I'm going to need more knowledge to implement multiple Umbraco installs and separate app pools.
If I may trouble you (or anyone) a bit (a lot) more:
Is it (or when is it) necessary to add the '<trust level="Full" />' into the system.web section of web.config? I only have one site with it in use, on my shared hosting account and things seem to work fine.
Softsys support says in IIS I can click the '.NET Trust Levels' icon and set it to 'full' there but that doesn't seem to be site specific so it doesn't seem it would be so secure. Does it automagically modify each individual site's web.config?
The IIS documentation to which you referred also says to set write permissions to the hosts file but I've never encountered that. Is that really necessary?
Softsys support has recommended setting folder permissions in WebSitePanel but hasn't said which folders or how to do it in IIS. Is it as simple as going into IIS Manager and right click on the website, choose 'Edit Permissions', on the Security tab in the wwwroot Properties dialog, click Edit, highlight NETWORK SERVICE and check everything except Full control?
Or, I've seen a suggestion to set read/write permissions for the website and NETWORK SERVICE on these folders:
bin
config
css
data
media
umbraco
usercontrols
xslt
And on this Umbraco reference: http://our.umbraco.org/wiki/reference/files-and-folders/permissions, to do those (in a more granular way) and also:
web.config
App_Code
App_Data
MacroScripts
Masterpages
Scripts
Umbraco_client
That reference also points to doing it from the command line:
http://our.umbraco.org/wiki/install-and-setup/set-umbraco-folder-permissions-from-command-line, and also implies that changing NETWORK SERVICE to 'IIS APPPOOL\{application-pool-name}' is more secure.
Both of these seem way more involved than the simple method suggested by Softsys support, although that has in fact worked for simple, single Umbraco sites so far. With these kinds of discrepencies, I wonder when/where security issues are going to rear their ugly heads, as in: just because you can doesn't mean you should.
Which brings up the question, is creating a separate application pool as simple as, in IIS, right click on Application Pools, select 'Add application pool...', name it and select the .NET + mode? One forum post referred to needing to register a new apppool (http://stackoverflow.com/questions/4890245/how-to-add-asp-net-4-0-as-application-pool-on-iis-7-windows-7#answer-4890368).
And if the easy way is ok, can you then simply apply it to the intended multiple sites by selecting each site in IIS, clicking the 'Basic Settings...' link in the Actions column and picking the newly created app pool from the list there?
I don't think it matters here but where the heck do I find the 'IIS_IUSRS' mentioned in the document to which you referred? I've never seen that.
Also, I ran across this for running multiple domains under one umbraco: open config/umbracoSettings.config, change useDomainPrefixes to true (under requiestHandler). I never saw that anywhere else but I haven't really seen a concise document about how to setup Umbraco to run multiple sites in one install.
Thank you so much for your time and sharing your experience and expertise. Hopefully this will be some help for others. I see a lot of experts talking about these things but haven't found the detailed walkthroughs that can get the noobs and boobs going.
is working on a reply...