author Jan Dittberner <jan@dittberner.info> 2016-04-24 19:10:51 +0200
committer Jan Dittberner <jan@dittberner.info> 2016-04-24 19:10:51 +0200
commit b608715c05c5a6d0ca852ab6c4a7530e2c63950a (patch)
tree 76a316497aff0bb2110348633b9868a10cbe9079
parent c9e625f59df5e55b8ae7440c3eda7a016589f5c1 (diff)
Add blog system description
This commit adds the documentation for the blog system. The documentation is based on information from https://wiki.cacert.org/SystemAdministration/Systems/Blog and information gathered from the running system.
-rw-r--r-- docs/certlist.rst          24
-rw-r--r-- docs/systems.rst            1
-rw-r--r-- docs/systems/arbitration.rst 2
-rw-r--r-- docs/systems/blog.rst      371
4 files changed, 397 insertions, 1 deletions
diff --git a/docs/certlist.rst b/docs/certlist.rst
index 6bd6c37..e8c5fb2 100644
--- a/docs/certlist.rst
+++ b/docs/certlist.rst
@@ -1,3 +1,27 @@
==================
X.509 Certificates
==================
+
+.. _cert_blog_cacert_org:
+
+blog.cacert.org
+===============
+
+.. index::
+ ! single: Certificate; Blog
+
++------------------+------------------------------------------------------------------------+
+| Common Name | blog.cacert.org |
++------------------+------------------------------------------------------------------------+
+| Subject Altnames | none |
++------------------+------------------------------------------------------------------------+
+| Key kept at | :doc:`blog <systems/blog>`:file:`/etc/ssl/private/blog.cacert.org.key` |
++------------------+------------------------------------------------------------------------+
+| Cert kept at | :doc:`blog <systems/blog>`:file:`/etc/ssl/public/blog.cacert.org.crt` |
++------------------+------------------------------------------------------------------------+
+| Serial Number | 1173559 (0x11e837) |
++------------------+------------------------------------------------------------------------+
+| Expiration date | Mar 31 16:34:28 2018 GMT |
++------------------+------------------------------------------------------------------------+
+| SHA1 Fingerprint | ``69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F`` |
++------------------+------------------------------------------------------------------------+
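Review bot: the new certificate entry records only a SHA1 fingerprint; please add a SHA-256 fingerprint row as well, since SHA-1 is no longer a reliable way to identify a certificate and the other identifying data (serial, expiry) can be matched against it when the cert is renewed. Minor RST point in the "Key kept at" and "Cert kept at" cells: ``:doc:`blog <systems/blog>`:file:`...``` places the ``:file:`` start string directly after the closing backtick of the ``:doc:`` role, which docutils may not recognise as inline markup; a space or a separating word between the two roles avoids that.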
diff --git a/docs/systems.rst b/docs/systems.rst
index 40b8bf9..fb2db35 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -6,6 +6,7 @@ Systems
systems/infra02
systems/arbitration
+ systems/blog
systems/emailout
systems/monitor
diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst
index 7496fcf..8b38813 100644
--- a/docs/systems/arbitration.rst
+++ b/docs/systems/arbitration.rst
@@ -208,7 +208,7 @@ SSH host keys
+-----------+-----------------------------------------------------+
| ECDSA | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` |
+-----------+-----------------------------------------------------+
-| ED25519 | - |
+| ED25519 | \- |
+-----------+-----------------------------------------------------+
.. todo:: setup ED25519 host key
diff --git a/docs/systems/blog.rst b/docs/systems/blog.rst
new file mode 100644
index 0000000..7814247
--- /dev/null
+++ b/docs/systems/blog.rst
@@ -0,0 +1,371 @@
+.. index::
+ single: Systems; Blog
+
+====
+Blog
+====
+
+Purpose
+=======
+
+This system hosts the blog, blog.cacert.org. The blog meets the needs of public
+relations and the CAcert community to publish CAcert's activities.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: `Martin Gummi`_
+* Secondary: None
+
+.. todo:: find an additional admin
+
+.. _Martin Gummi: martin.gummi@cacert.org
+
+Application Administration
+--------------------------
+
++-----------------------+---------------------------------------------------+
+| Role | Users |
++=======================+===================================================+
+| Wordpress Admin | * `Alexander Bahlo`_ |
+| | * `Marcus Mängel`_ |
+| | * `Mario Lipinski`_ |
+| | * `Martin Gummi`_ |
++-----------------------+---------------------------------------------------+
+| Wordpress Editor | * PR Team |
+| | * `Support`_ |
++-----------------------+---------------------------------------------------+
+| Wordpress Author | * Anyone with a certificate |
++-----------------------+---------------------------------------------------+
+| Wordpress Contributor | * Anyone with contributor privileges |
++-----------------------+---------------------------------------------------+
+| Wordpress Subscriber | * Any Spammer or person who has not posted or has |
+| | not logged in |
++-----------------------+---------------------------------------------------+
+
+.. _Alexander Bahlo: alexander.bahlo@cacert.org
+.. _Marcus Mängel: markus.maengel@cacert.org
+.. _Mario Lipinski: mario@cacert.org
+.. _Support: support@cacert.org
+
+Contact
+-------
+
+* blog-admin@cacert.org
+
+Additional People
+-----------------
+
+`Jan Dittberner`_ and `Mario Lipinski`_ have :program:`sudo` access on that
+machine too.
+
+.. _Jan Dittberner: jandd@cacert.org
+.. _Mario Lipinski: mario@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.234`
+:IP Intranet: :ip:v4:`172.16.2.13`
+:IP Internal: :ip:v4:`10.0.0.13`
+:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Blog
+
+====================== ======== ============================================
+Name Type Content
+====================== ======== ============================================
+blog.cacert.org. IN A 213.154.225.234
+blog.cacert.org. IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
+blog.cacert.org. IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
+blog.intra.cacert.org. IN A 172.16.2.13
+====================== ======== ============================================
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Jessie
+ single: Debian GNU/Linux; 8.4
+
+* Debian GNU/Linux 8.4
+
+Applicable Documentation
+------------------------
+
+A small (work in progress) guide can be found in the `Wiki
+<https://wiki.cacert.org/BlogDoc>`_.
+
+Services
+========
+
+Listening services
+------------------
+
+.. use the values from this table or add new lines if applicable
+
++----------+---------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+---------+----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+---------+----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+----------------------------+
+| 3306/tcp | mysql | local | MySQL database for blog |
++----------+---------+---------+----------------------------+
+| 9000/tcp | php-fpm | local | PHP FPM executor |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: MySQL
+ single: PHP FPM
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for blog | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for blog | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| PHP FPM | PHP FPM executor | init script |
+| | for blog | :file:`/etc/init.d/php5-fpm` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------+------------+------------------------------+
+| RDBMS | Name | Used for |
++=======+============+==============================+
+| MySQL | blog | Wordpress blog |
++-------+------------+------------------------------+
+| MySQL | phpmyadmin | PHPMyAdmin settings database |
++-------+------------+------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* HTTP (80/tcp) and HTTPS (443/tcp) `Ping-o-matic`_ blog update service [#f1]_
+* HTTP (80/tcp) and HTTPS (443/tcp) to Akismet anti spam service [#f2]_
+* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+.. _Ping-o-matic: http://rpc.pingomatic.com/
+.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
+.. [#f2]
+ http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config - check
+ network status
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint |
++===========+=====================================================+
+| RSA | ``ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d`` |
++-----------+-----------------------------------------------------+
+| DSA | ``c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5`` |
++-----------+-----------------------------------------------------+
+| ECDSA | ``00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81`` |
++-----------+-----------------------------------------------------+
+| ED25519 | \- |
++-----------+-----------------------------------------------------+
+
+.. todo:: setup ED25519 host key
+
+.. seealso::
+
+ See :doc:`../sshkeys`
+
+Dedicated user roles
+--------------------
+
++-------+--------------------------------------------------------------------+
+| Group | Purpose |
++=======+====================================================================+
+| blog | group owning the blog file content and temporary files. This group |
+| | is used to execute the Wordpress PHP code. |
++-------+--------------------------------------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* **Wordpress Plugins**
+
+ * `client-certificate-authentication
+ <http://wordpress.org/plugins/client-certificate-authentication/>`_
+ * akismet
+
+Risk assessments on critical packages
+-------------------------------------
+
++-------------+-------------+---------------------------------------------+
+| Software | Risk rating | Mitigation |
++=============+=============+=============================================+
+| *Wordpress* | high | Regular updates, avoid unnecessary plugins, |
+| | | Consider `Wordpress hardening`_ |
++-------------+-------------+---------------------------------------------+
+
+.. todo:: `Wordpress hardening`_
+
+.. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. index::
+ single: Certificate; Blog
+
+* :file:`/etc/ssl/public/blog.cacert.org.crt` server certificate
+* :file:`/etc/ssl/private/blog.cacert.org.key` server key
+* :file:`/etc/ssl/certs/cacert.org/` directory containing CAcert.org Class 1
+ and Class 3 certificates (allowed CA certificates for client certificates)
+ and symlinks with hashed names as expected by OpenSSL
+* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
+ (certificate chain for server certificate)
+
+.. seealso::
+
+ * :ref:`cert_blog_cacert_org` in :doc:`../certlist`
+ * https://wiki.cacert.org/SystemAdministration/CertificateList
+
+Apache configuration files
+--------------------------
+
+* :file:`/etc/apache2/cacert/blog.inc.conf`
+
+ Defines settings that are shared by the HTTP and the HTTPS VirtualHost
+ definitions. This file takes care of the PHP FCGI setup.
+
+* :file:`/etc/apache2/cacert/headers.inc.conf`
+
+ Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
+ definitions. The file is included by
+ :file:`/etc/apache2/cacert/blog.inc.conf`.
+
+* :file:`/etc/apache2/sites-available/blog-ssl.conf`
+
+ This file contains the HTTPS VirtualHost definition and defines client
+ certificate authentication for ``/wp-admin`` and ``/wp-login.php``.
+
+* :file:`/etc/apache2/sites-available/blog-nossl.conf`
+
+ This file defines the HTTP VirtualHost definition and takes care of
+ redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.
+
+The following RewriteRule is used to redirect old blog URLs::
+
+ RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
+
+Wordpress configuration
+-----------------------
+
+* :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
+ configuration. The rest of the Wordpress configuration is stored in the
+ database (assumption).
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: setup IPv6
+
+.. todo::
+ setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
+
+Changes
+=======
+
+System Future
+-------------
+
+.. * No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * https://wiki.cacert.org/PostfixConfiguration
+
+Adding a category
+-----------------
+
+* https://blog.cacert.org/wp-admin/categories.php
+
+References
+----------
+
+Blog URL
+ https::/blog.cacert.org/
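Review bot: the "Blog URL" reference at the very end is malformed (``https::/blog.cacert.org/`` instead of ``https://blog.cacert.org/``) and will not produce a working link. Second, the document says ``/wp-admin`` and ``/wp-login.php`` are protected by client certificate authentication and that CRLs are already fetched from crl.cacert.org, yet CRL checking for client certificates is only a todo under "Tasks"; until that is done a revoked client certificate still grants admin login, so this gap belongs in the "Risk assessments on critical packages" table (or at least in the Wordpress mitigation cell) rather than only in a todo. Third, the RewriteRule for old blog URLs uses ``[R=302,L]``; for permanently moved URLs ``R=301`` lets clients and crawlers update their links instead of re-requesting the old path every time. Finally, the ``wp-config.php`` entry is marked "(assumption)"; a ``.. todo::`` to verify it would make that more visible than a parenthesis.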