Improve system documentation
.. index::
   single: Systems; Blog

====
Blog
====

Purpose
=======

This system hosts the blog, blog.cacert.org. The blog serves the public
relations needs of CAcert and gives the CAcert community a place to publish
CAcert's activities.

Application Links
-----------------

Blog URL
   https://blog.cacert.org/

Adding a category
   https://blog.cacert.org/wp-admin/categories.php

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_dirk`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-----------------------+-------------------------------------------------+
| Role                  | Users                                           |
+=======================+=================================================+
| Wordpress Admin       | :ref:`people_dirk`,                             |
|                       | :ref:`people_mario`                             |
+-----------------------+-------------------------------------------------+
| Wordpress Editor      | PR Team,                                        |
|                       | `Support`_                                      |
+-----------------------+-------------------------------------------------+
| Wordpress Author      | Anyone with a certificate                       |
+-----------------------+-------------------------------------------------+
| Wordpress Contributor | Anyone with contributor privileges              |
+-----------------------+-------------------------------------------------+
| Wordpress Subscriber  | Default role of every registered account that   |
|                       | has not posted or logged in yet, which includes |
|                       | spam registrations                              |
+-----------------------+-------------------------------------------------+

.. _Support: mailto:support@cacert.org

Contact
-------

* blog-admin@cacert.org

Additional People
-----------------

:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
have :program:`sudo` access on this machine too.
66
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.234`
:IP Intranet: :ip:v4:`172.16.2.13`
:IP Internal: :ip:v4:`10.0.0.13`
:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Blog

Monitoring
----------

:internal checks: :monitor:`blog.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Blog
101
====================== ======== ====================================================================
Name                   Type     Content
====================== ======== ====================================================================
blog.cacert.org.       IN A     213.154.225.234
blog.cacert.org.       IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
blog.cacert.org.       IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
blog.cacert.org.       IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
blog.cacert.org.       IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
blog.cacert.org.       IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
blog.cacert.org.       IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
blog.cacert.org.       IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
blog.cacert.org.       IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
blog.intra.cacert.org. IN A     172.16.2.13
====================== ======== ====================================================================
116
.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.11

* Debian GNU/Linux 8.11

Applicable Documentation
------------------------

A small (work in progress) guide can be found in the :wiki:`BlogDoc`.
134
Services
========

Listening services
------------------

+----------+---------+---------+----------------------------+
| Port     | Service | Origin  | Purpose                    |
+==========+=========+=========+============================+
| 22/tcp   | ssh     | ANY     | admin console access       |
+----------+---------+---------+----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA |
+----------+---------+---------+----------------------------+
| 80/tcp   | http    | ANY     | application                |
+----------+---------+---------+----------------------------+
| 443/tcp  | https   | ANY     | application                |
+----------+---------+---------+----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for blog    |
+----------+---------+---------+----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service  |
+----------+---------+---------+----------------------------+
| 9000/tcp | php-fpm | local   | PHP FPM executor           |
+----------+---------+---------+----------------------------+
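
The Origin column documents where connections to each port may come from. The
bind address reported by ``ss -ltn`` is a cheap first check that a *local*
service (MySQL, php-fpm, the local MTA) has not been exposed on all interfaces
and that nothing undocumented is listening. The following script is an added
example and not part of this page or of the CAcert infrastructure tooling: the
``DOCUMENTED`` table is copied from above, while the ``ss`` output is
constructed and deliberately shows MySQL bound to all addresses plus an
undocumented listener on port 8080.

```python
"""Audit listening sockets against the documented port table (added example).

Not part of cacert-infradocs or the blog system's tooling.  DOCUMENTED is the
table from this page; SAMPLE_SS_OUTPUT is constructed ``ss -ltn`` output.
"""

# Port -> (service, documented origin), copied from the listening-services table.
DOCUMENTED = {
    22: ("ssh", "ANY"),
    25: ("smtp", "local"),
    80: ("http", "ANY"),
    443: ("https", "ANY"),
    3306: ("mysql", "local"),
    5666: ("nrpe", "monitor"),
    9000: ("php-fpm", "local"),
}

# Constructed sample: MySQL wrongly bound to all addresses, plus an
# undocumented listener on 8080.  Assumption for illustration only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    *:22               *:*
LISTEN  0      100    127.0.0.1:25       *:*
LISTEN  0      128    *:80               *:*
LISTEN  0      128    *:443              *:*
LISTEN  0      80     *:3306             *:*
LISTEN  0      128    *:5666             *:*
LISTEN  0      128    127.0.0.1:9000     *:*
LISTEN  0      128    127.0.0.1:8080     *:*
"""

# Bind addresses that only accept connections from the machine itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(output):
    """Return [(bind_address, port), ...] for every LISTEN line of ``ss -ltn``."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header line or unexpected format
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:80" too
        listeners.append((addr, int(port)))
    return listeners


def audit(listeners, documented=DOCUMENTED):
    """Compare observed listeners with the table; return sorted finding strings.

    Only the bind address is checked.  A 'monitor'-origin service (NRPE) is
    expected to listen on all addresses: its restriction is enforced by the
    firewall and by nrpe's allowed_hosts, not by the bind address.
    """
    findings = []
    seen = set()
    for addr, port in listeners:
        seen.add(port)
        if port not in documented:
            findings.append("undocumented listener %s:%d" % (addr, port))
            continue
        service, origin = documented[port]
        if origin == "local" and addr not in LOOPBACK:
            findings.append(
                "%s (%d/tcp) documented as local-only but bound to %s"
                % (service, port, addr)
            )
    for port, (service, _) in documented.items():
        if port not in seen:
            findings.append("%s (%d/tcp) documented but not listening" % (service, port))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)) or ["no deviations from the table"]:
        print(finding)
```

On the real host the same functions can be fed ``subprocess.check_output(["ss",
"-ltn"], text=True)``; a bind address alone does not prove that a port is
reachable or blocked, so the findings are a prompt to look at the firewall
rules, not a verdict.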
158
Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: dbus
   single: mysql
   single: nrpe
   single: openssh
   single: postfix

+--------------------+--------------------+-------------------------------------------------+
| Service            | Usage              | Start mechanism                                 |
+====================+====================+=================================================+
| Apache httpd       | Webserver for blog | systemd unit ``apache2.service``                |
+--------------------+--------------------+-------------------------------------------------+
| cron               | job scheduler      | systemd unit ``cron.service``                   |
+--------------------+--------------------+-------------------------------------------------+
| dbus-daemon        | System message bus | systemd unit ``dbus.service``                   |
|                    | daemon             |                                                 |
+--------------------+--------------------+-------------------------------------------------+
| MySQL              | MySQL database     | systemd unit ``mysql.service``                  |
|                    | server for blog    |                                                 |
+--------------------+--------------------+-------------------------------------------------+
| openssh server     | ssh daemon for     | systemd unit ``ssh.service``                    |
|                    | remote             |                                                 |
|                    | administration     |                                                 |
+--------------------+--------------------+-------------------------------------------------+
| Postfix            | SMTP server for    | systemd unit ``postfix.service``                |
|                    | local mail         |                                                 |
|                    | submission         |                                                 |
+--------------------+--------------------+-------------------------------------------------+
| Nagios NRPE server | remote monitoring  | SysV init script                                |
|                    | service queried by | ``/etc/init.d/nagios-nrpe-server`` (started via |
|                    | :doc:`monitor`     | systemd's SysV compatibility)                   |
+--------------------+--------------------+-------------------------------------------------+
196
Databases
---------

+-------+------------+------------------------------+
| RDBMS | Name       | Used for                     |
+=======+============+==============================+
| MySQL | blog       | Wordpress blog               |
+-------+------------+------------------------------+
| MySQL | phpmyadmin | PHPMyAdmin settings database |
+-------+------------+------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) and HTTPS (443/tcp) to the `Ping-o-matic`_ blog update
  service [#f1]_
* HTTP (80/tcp) and HTTPS (443/tcp) to the Akismet anti-spam service [#f2]_
* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
* DNS (53/udp and 53/tcp) to the resolving nameservers 172.16.2.2 and
  172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* rsync to crl.cacert.org for fetching CRLs

.. _Ping-o-matic: http://rpc.pingomatic.com/
.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
.. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config

.. - check network status
229
Security
========

.. sshkeys::
   :RSA: SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
   :DSA: SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
   :ECDSA: SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
   :ED25519: SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
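
The SSHFP rows in the DNS table and the fingerprints above describe the same
four host keys: SSHFP algorithm numbers 1 to 4 stand for RSA, DSA, ECDSA and
Ed25519, fingerprint type 1 is SHA-1 and type 2 is SHA-256, and a type-2 record
is simply the hex form of the digest that OpenSSH prints as
``SHA256:<base64>``. The following script is an added example, not part of
this page or of the CAcert tooling: it checks that each SHA-256 record matches
the fingerprint of the same key type as documented here, and shows how SSHFP
records are generated from an OpenSSH public key line. The Ed25519 key used
for the generation step is constructed from all-zero key material and is not
the real host key; the MD5 fingerprints are not compared because SSHFP type 1
is SHA-1, not MD5.

```python
"""Cross-check SSHFP records against OpenSSH host-key fingerprints (added example).

Not part of cacert-infradocs or the CAcert tooling.  The record and fingerprint
values are the ones documented for blog.cacert.org on this page; the Ed25519
public key used to demonstrate record generation is constructed (all-zero key
material) and is not the real host key.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}

# "IN SSHFP <algorithm> 2 <hex>" rows from the DNS table, keyed by algorithm.
SSHFP_SHA256_RECORDS = {
    1: "3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6",
    2: "4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680",
    3: "86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047",
    4: "f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b",
}
# SHA256 fingerprints from the sshkeys block, keyed by the same algorithm number.
OPENSSH_FINGERPRINTS = {
    1: "SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY",
    2: "SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA",
    3: "SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec",
    4: "SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns",
}


def sshfp_hex_to_openssh(hex_digest):
    """SSHFP type-2 hex digest -> OpenSSH ``SHA256:<unpadded base64>`` form."""
    digest = bytes.fromhex(hex_digest)
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def openssh_to_sshfp_hex(fingerprint):
    """OpenSSH ``SHA256:<base64>`` fingerprint -> lowercase hex for an SSHFP record."""
    b64 = fingerprint.split(":", 1)[1]
    b64 += "=" * (-len(b64) % 4)          # restore the padding OpenSSH strips
    return base64.b64decode(b64).hex()


def _key_blob(pubkey_line):
    """Return (key type, binary key blob) from an OpenSSH public key line."""
    keytype, b64blob = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64blob)


def openssh_fingerprint(pubkey_line):
    """The SHA256 fingerprint ``ssh-keygen -lf`` prints: SHA-256 over the key blob."""
    _, blob = _key_blob(pubkey_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def sshfp_records(pubkey_line, owner="blog.cacert.org."):
    """Generate the SHA-1 and SHA-256 SSHFP records for a public key line."""
    keytype, blob = _key_blob(pubkey_line)
    algorithm = SSHFP_ALGORITHM[keytype]
    return [
        "%s IN SSHFP %d %d %s" % (owner, algorithm, fptype, hashlib.new(hashname, blob).hexdigest())
        for fptype, hashname in sorted(SSHFP_FPTYPE.items())
    ]


def verify_page_consistency():
    """{algorithm: bool}: does each SHA-256 DNS record match the listed fingerprint?"""
    return {
        algorithm: sshfp_hex_to_openssh(hexdigest) == OPENSSH_FINGERPRINTS[algorithm]
        for algorithm, hexdigest in SSHFP_SHA256_RECORDS.items()
    }


def _ssh_string(data):
    """RFC 4251 ``string``: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed Ed25519 public key (32 zero bytes), only to exercise record generation.
CONSTRUCTED_ED25519_KEY = "ssh-ed25519 %s constructed-example" % base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
).decode("ascii")


if __name__ == "__main__":
    for algorithm, ok in sorted(verify_page_consistency().items()):
        print("SSHFP %d 2 matches sshkeys fingerprint: %s" % (algorithm, ok))
    for record in sshfp_records(CONSTRUCTED_ED25519_KEY):
        print(record)
```

To regenerate the records from the live host, feed each
``/etc/ssh/ssh_host_*_key.pub`` line to ``sshfp_records()`` and compare with
the zone; a client that has ``VerifyHostKeyDNS yes`` set will only trust these
records if the zone is DNSSEC-signed.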
238
Dedicated user roles
--------------------

+-------+--------------------------------------------------------------------+
| Group | Purpose                                                            |
+=======+====================================================================+
| blog  | group owning the blog file content and temporary files. This group |
|       | is used to execute the Wordpress PHP code.                         |
+-------+--------------------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

* **Wordpress Plugins**

  * `client-certificate-authentication
    <http://wordpress.org/plugins/client-certificate-authentication/>`_
  * akismet

Risk assessments on critical packages
-------------------------------------

+-------------+-------------+---------------------------------------------+
| Software    | Risk rating | Mitigation                                  |
+=============+=============+=============================================+
| *Wordpress* | high        | Regular updates, avoid unnecessary plugins, |
|             |             | Consider `Wordpress hardening`_             |
+-------------+-------------+---------------------------------------------+

.. todo:: `Wordpress hardening`_

.. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress
271
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: blog.cacert.org
   :altnames: DNS:blog.cacert.org
   :certfile: /etc/ssl/public/blog.cacert.org.crt
   :keyfile: /etc/ssl/private/blog.cacert.org.key
   :serial: 1381E6
   :expiration: Mar 16 09:17:48 2020 GMT
   :sha1fp: E9:92:97:26:01:C1:00:3C:D7:BC:A2:2D:F4:F7:24:1C:47:C0:01:51
   :issuer: CA Cert Signing Authority

* :file:`/etc/ssl/certs/cacert.org/` directory containing the CAcert.org Class 1
  and Class 3 certificates (the CA certificates accepted for client certificate
  authentication) and symlinks with hashed names as expected by OpenSSL
* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
  (certificate chain for the server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`
296
.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/cacert/blog.inc.conf`

  Defines settings that are shared by the HTTP and the HTTPS VirtualHost
  definitions. This file takes care of the PHP FCGI setup.

* :file:`/etc/apache2/cacert/headers.inc.conf`

  Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
  definitions. The file is included by
  :file:`/etc/apache2/cacert/blog.inc.conf`.

* :file:`/etc/apache2/sites-available/blog-ssl.conf`

  This file contains the HTTPS VirtualHost definition and defines client
  certificate authentication for ``/wp-admin`` and ``/wp-login.php``. Client
  certificates are validated against the CA certificates in
  :file:`/etc/ssl/certs/cacert.org/`; revocation is not checked yet (see the
  CRL todo under Changes).

* :file:`/etc/apache2/sites-available/blog-nossl.conf`

  This file contains the HTTP VirtualHost definition and takes care of
  redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.

  The following RewriteRule is used to redirect old blog URLs::

     RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]

.. index::
   pair: Wordpress; configuration

Wordpress configuration
-----------------------

* :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
  configuration. Like every Wordpress installation it also holds the
  authentication keys and salts, so the file has to be treated as a secret.
  The rest of the Wordpress configuration is stored in the database
  (assumption).
337
Tasks
=====

.. todo:: add a section documenting wordpress and plugin updates
.. todo:: add a section documenting wordpress user management

Changes
=======

Planned
-------

.. todo:: switch to Puppet management
.. todo:: replace nrpe with icinga2 agent
.. todo:: update wordpress to 5.x
.. todo:: update to Debian 9/10
.. todo:: setup IPv6

.. todo::
   setup CRL checks (can be borrowed from :doc:`svn`) for client certificates

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wordpress website
   https://wordpress.org/