path: root/docs/systems/proxyout.rst
blob: ec28ef1a8c84030c46b64fe8f8219cf202eedf61 (plain)
.. index::
   single: Systems; Proxyout

========
Proxyout
========

Purpose
=======

This system acts as the outgoing HTTP and HTTPS proxy through which internal
infrastructure hosts reach APT repositories (the Debian mirrors and the Puppet
package repository listed under *Outbound network connections*).

Application Links
-----------------

This system has no publicly visible URLs.


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin
.. people_<name> are defined in people.rst

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Squid       | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* proxyout-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Proxyout

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.1

* Debian GNU/Linux 9.1

Applicable Documentation
------------------------

The system is managed by :doc:`puppet`. The puppet repository is browsable at
https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 3128/tcp | http      | internal  | squid http/https proxy                  |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: puppet agent
   single: cron
   single: exim4
   single: squid
   single: openssh

+----------------+--------------------+--------------------------------------+
| Service        | Usage              | Start mechanism                      |
+================+====================+======================================+
| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
|                | remote             |                                      |
|                | administration     |                                      |
+----------------+--------------------+--------------------------------------+
| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
+----------------+--------------------+--------------------------------------+
| Exim           | SMTP server for    | init script                          |
|                | local mail         | :file:`/etc/init.d/exim4`            |
|                | submission         |                                      |
+----------------+--------------------+--------------------------------------+
| Puppet agent   | local Puppet agent | init script                          |
|                |                    | :file:`/etc/init.d/puppet`           |
+----------------+--------------------+--------------------------------------+
| Squid          | Caching and        | init script                          |
|                | filtering http/    | :file:`/etc/init.d/squid`            |
|                | https proxy for    |                                      |
|                | internal machines  |                                      |
+----------------+--------------------+--------------------------------------+

Connected Systems
-----------------

* :doc:`motion`
* :doc:`proxyin`
* :doc:`puppet`
* :doc:`svn`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* Debian mirrors under .debian.org (HTTP and HTTPS, fetched on behalf of proxy
  clients)
* apt.puppetlabs.com as Debian repository for the Puppet packages (HTTP and
  HTTPS, fetched on behalf of proxy clients)

Security
========

.. sshkeys::
   :ECDSA:   74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
   :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
   :RSA:     1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f

Risk assessments on critical packages
-------------------------------------

Squid is a mature HTTP and HTTPS proxy. It is installed from the Debian
distribution packages, so it receives security updates through the regular
Debian channel, and it only listens for internal clients on 3128/tcp. The
risk is considered low as long as the access policy keeps it an APT-only
proxy (internal clients, GET/HEAD and CONNECT, the repository hosts listed
above) rather than a general outgoing proxy for the internal network.
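The following ``squid.conf`` fragment is an added example of the access policy
such an APT-only egress proxy should carry; it is not taken from the CAcert
Puppet repository. The client network ``10.0.0.0/24`` is an assumption
derived from the host's own address ``10.0.0.201``, and the destination list is
the one under *Outbound network connections*. APT verifies the signatures of
the ``Release`` files it downloads itself, so a caching HTTP proxy does not
weaken package integrity; the point of the policy is to stop the proxy from
becoming a general egress path for a compromised container. The commented-out
block shows the permissive stock ``localnet`` rule for comparison.

```squid
# Added example: access policy for an APT-only egress proxy. This is not the
# CAcert Puppet-managed configuration; assumptions are marked as such.

http_port 10.0.0.201:3128          # bind to the internal address only

# Clients allowed to use the proxy.
# Assumption: the internal network is 10.0.0.0/24 (the host is 10.0.0.201).
acl internal src 10.0.0.0/24

# Destinations listed under "Outbound network connections". A leading dot
# matches the domain and all of its subdomains (deb.debian.org,
# security.debian.org, ...).
acl apt_repos dstdomain .debian.org apt.puppetlabs.com

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl apt_methods method GET HEAD

# --- Weak: the stock squid.conf "localnet" rule, shown for comparison.
# acl localnet src 10.0.0.0/8
# http_access allow localnet
# With that rule every internal host can reach any web site through the
# proxy, so a compromised container gets a general outbound path.

# --- Restricted policy. Rules are evaluated top to bottom, first match wins.
http_access deny manager                          # no cache manager access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !internal                        # refuse non-internal clients
http_access allow internal CONNECT apt_repos      # HTTPS repositories via CONNECT
http_access allow internal apt_methods apt_repos  # HTTP repositories, GET/HEAD only
http_access deny all
```

On the clients the matching setting is a file under :file:`/etc/apt/apt.conf.d/`
containing ``Acquire::http::Proxy "http://10.0.0.201:3128";`` and
``Acquire::https::Proxy "http://10.0.0.201:3128";``. APT then issues plain GET
requests for HTTP mirrors and CONNECT requests for HTTPS mirrors, which is why
both allow rules exist. After a change, ``squid -k parse`` checks the syntax and
``squid -k reconfigure`` reloads the configuration without discarding the cache.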

Critical Configuration items
============================

All configuration is managed in Puppet. Apart from the SSH host keys listed
above, there are no certificates or private keys on this machine; the proxy
tunnels HTTPS with CONNECT and does not terminate TLS itself.

Tasks
=====

Planned
-------

Switch all infrastructure hosts to this machine as their APT proxy, so that
package downloads no longer depend on the flaky per-host outbound firewall
configuration on :doc:`infra02`.
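Once every infrastructure host fetches packages through this proxy, its access
log is the single place where every outbound package request is visible, and
any request that is not an APT fetch to a listed repository host means either
that a client is using the proxy for something else or that the ACLs are too
loose. The script below is an added example (not part of this page or of the
CAcert Puppet repository) of such an audit over Squid's native ``access.log``
format. The six log lines are constructed for the example, and the internal
client network ``10.0.0.0/24`` is an assumption derived from the host's own
address ``10.0.0.201``.

```python
"""Audit a Squid access.log against an APT-only proxy policy.

Added example, not CAcert's own tooling. Squid's native log format is
whitespace separated:
  time elapsed client result/status bytes method url ident hier/peer type
"""
import ipaddress
from urllib.parse import urlsplit

# Policy. The client network is an assumption (host is 10.0.0.201); the
# destination hosts are the ones this page lists as outbound connections.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
ALLOWED_SUFFIXES = (".debian.org",)          # any Debian mirror
ALLOWED_HOSTS = {"apt.puppetlabs.com"}       # Puppet package repository
ALLOWED_METHODS = {"GET", "HEAD", "CONNECT"}  # what APT actually sends

# Constructed sample log: two legitimate APT fetches, one request Squid denied,
# one CONNECT to a non-repository host, one client from outside the internal
# network and one non-APT method, all of which the ACLs should never serve.
SAMPLE_LOG = """\
1505312345.123    245 10.0.0.11 TCP_MISS/200 52731 GET http://deb.debian.org/debian/dists/stretch/InRelease - HIER_DIRECT/151.101.12.204 -
1505312346.001   1200 10.0.0.12 TCP_TUNNEL/200 4501 CONNECT apt.puppetlabs.com:443 - HIER_DIRECT/52.11.22.33 -
1505312347.009     15 10.0.0.12 TCP_DENIED/403 3800 GET http://example.com/ - HIER_NONE/- text/html
1505312348.500    310 10.0.0.13 TCP_MISS/200 9922 CONNECT pkg.example.net:443 - HIER_DIRECT/203.0.113.5 -
1505312349.777     88 172.16.2.50 TCP_MISS/200 1200 GET http://security.debian.org/debian-security/dists/stretch/updates/InRelease - HIER_DIRECT/151.101.12.204 -
1505312350.120     40 10.0.0.14 TCP_MISS/200 700 POST http://deb.debian.org/debian/ - HIER_DIRECT/151.101.12.204 -
"""


def parse_line(line):
    """Split one native-format log line into the fields the audit needs."""
    fields = line.split()
    if len(fields) < 7:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "result": result,            # e.g. TCP_MISS, TCP_TUNNEL, TCP_DENIED
        "status": int(status),
        "method": fields[5],
        "url": fields[6],
    }


def dest_host(method, url):
    """Destination host: CONNECT logs 'host:port', everything else a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def host_allowed(host):
    # endswith(".debian.org") deliberately rejects "notdebian.org"
    return host in ALLOWED_HOSTS or any(host.endswith(s) for s in ALLOWED_SUFFIXES)


def audit(log_text):
    """Return one finding per request that falls outside the APT-only policy."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        try:
            client_ok = ipaddress.ip_address(rec["client"]) in INTERNAL_NET
        except ValueError:
            client_ok = False
        if not client_ok:
            reasons.append("client %s outside internal net" % rec["client"])
        if rec["method"] not in ALLOWED_METHODS:
            reasons.append("method %s is not an APT method" % rec["method"])
        host = dest_host(rec["method"], rec["url"])
        if not host_allowed(host):
            reasons.append("destination %s is not an APT repository" % host)
        if reasons:
            findings.append({
                "time": rec["time"],
                "client": rec["client"],
                "host": host,
                "denied": rec["result"] == "TCP_DENIED",
                "reasons": reasons,
            })
    return findings


def served_violations(findings):
    """Findings Squid actually served: these mean the ACLs are too loose."""
    return [f for f in findings if not f["denied"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        state = "DENIED" if f["denied"] else "SERVED"
        print("%s %s -> %s: %s" % (state, f["client"], f["host"], "; ".join(f["reasons"])))
```

A request that shows up as ``DENIED`` is the policy working; a ``SERVED``
finding is the one to act on, because it means the proxy let a non-APT request
through. In production the script would read :file:`/var/log/squid/access.log`
instead of the embedded sample.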

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://www.squid-cache.org/