.. index::
   single: Systems; Blog

====
Blog
====

Purpose
=======

This system hosts the blog, blog.cacert.org. The blog serves public relations
and the CAcert community as the channel for publishing CAcert's activities.

Application Links
-----------------

Blog URL
   https://blog.cacert.org/

Adding a category
   https://blog.cacert.org/wp-admin/categories.php

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_dirk`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-----------------------+-------------------------------------------------+
| Role                  | Users                                           |
+=======================+=================================================+
| Wordpress Admin       | :ref:`people_dirk`,                             |
|                       | :ref:`people_mario`,                            |
+-----------------------+-------------------------------------------------+
| Wordpress Editor      | PR Team,                                        |
|                       | `Support`_                                      |
+-----------------------+-------------------------------------------------+
| Wordpress Author      | Anyone with a certificate                       |
+-----------------------+-------------------------------------------------+
| Wordpress Contributor | Anyone with contributor privileges              |
+-----------------------+-------------------------------------------------+
| Wordpress Subscriber  | Any spammer or person who has not posted or has |
|                       | not logged in                                   |
+-----------------------+-------------------------------------------------+

.. _Support: support@cacert.org

Contact
-------

* blog-admin@cacert.org

Additional People
-----------------

:ref:`Jan Dittberner <people_jandd>`, :ref:`Mario Lipinski <people_mario>` and
:ref:`Dirk Astrath <people_dirk>` have :program:`sudo` access on this machine
too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.234`
:IP Intranet: :ip:v4:`172.16.2.13`
:IP Internal: :ip:v4:`10.0.0.13`
:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Blog

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
blog.cacert.org.       IN A     213.154.225.234
blog.cacert.org.       IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
blog.cacert.org.       IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
blog.intra.cacert.org. IN A     172.16.2.13
====================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.8

* Debian GNU/Linux 8.8

Applicable Documentation
------------------------

A small (work in progress) guide can be found in the :wiki:`BlogDoc`.

Services
========

Listening services
------------------

+----------+---------+---------+----------------------------+
| Port     | Service | Origin  | Purpose                    |
+==========+=========+=========+============================+
| 22/tcp   | ssh     | ANY     | admin console access       |
+----------+---------+---------+----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA |
+----------+---------+---------+----------------------------+
| 80/tcp   | http    | ANY     | application                |
+----------+---------+---------+----------------------------+
| 443/tcp  | https   | ANY     | application                |
+----------+---------+---------+----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service  |
+----------+---------+---------+----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for blog    |
+----------+---------+---------+----------------------------+
| 9000/tcp | php-fpm | local   | PHP FPM executor           |
+----------+---------+---------+----------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: PHP FPM
   single: Postfix
   single: cron
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for blog | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for blog    | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| PHP FPM            | PHP FPM executor   | init script                            |
|                    | for blog           | :file:`/etc/init.d/php5-fpm`           |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------+------------+------------------------------+
| RDBMS | Name       | Used for                     |
+=======+============+==============================+
| MySQL | blog       | Wordpress blog               |
+-------+------------+------------------------------+
| MySQL | phpmyadmin | PHPMyAdmin settings database |
+-------+------------+------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) and HTTPS (443/tcp) to the `Ping-o-matic`_ blog update service [#f1]_
* HTTP (80/tcp) and HTTPS (443/tcp) to the Akismet anti-spam service [#f2]_
* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

.. _Ping-o-matic: http://rpc.pingomatic.com/
.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
.. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config

.. - check network status

Security
========

.. sshkeys::
   :RSA: ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
   :DSA: c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
   :ECDSA: 00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81

.. todo:: setup ED25519 host key

Dedicated user roles
--------------------

+-------+--------------------------------------------------------------------+
| Group | Purpose                                                            |
+=======+====================================================================+
| blog  | group owning the blog file content and temporary files. This group |
|       | is used to execute the Wordpress PHP code.                         |
+-------+--------------------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

* **Wordpress Plugins**

  * `client-certificate-authentication
    <http://wordpress.org/plugins/client-certificate-authentication/>`_
  * akismet

Risk assessments on critical packages
-------------------------------------

+-------------+-------------+---------------------------------------------+
| Software    | Risk rating | Mitigation                                  |
+=============+=============+=============================================+
| *Wordpress* | high        | Regular updates, avoid unnecessary plugins, |
|             |             | consider `Wordpress hardening`_             |
+-------------+-------------+---------------------------------------------+

.. todo:: `Wordpress hardening`_

.. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: blog.cacert.org
   :certfile: /etc/ssl/public/blog.cacert.org.crt
   :keyfile: /etc/ssl/private/blog.cacert.org.key
   :serial: 11e837
   :expiration: Mar 31 16:34:28 2018 GMT
   :sha1fp: 69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F
   :issuer: CAcert.org Class 1 Root CA

* :file:`/etc/ssl/certs/cacert.org/` directory containing the CAcert.org Class 1
  and Class 3 certificates (the CA certificates accepted for client
  certificates) and symlinks with hashed names as expected by OpenSSL
* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
  (certificate chain for the server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/cacert/blog.inc.conf`

  Defines settings that are shared by the HTTP and the HTTPS VirtualHost
  definitions. This file takes care of the PHP FCGI setup.

* :file:`/etc/apache2/cacert/headers.inc.conf`

  Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
  definitions. The file is included by
  :file:`/etc/apache2/cacert/blog.inc.conf`.

* :file:`/etc/apache2/sites-available/blog-ssl.conf`

  This file contains the HTTPS VirtualHost definition and defines client
  certificate authentication for ``/wp-admin`` and ``/wp-login.php``.

* :file:`/etc/apache2/sites-available/blog-nossl.conf`

  This file contains the HTTP VirtualHost definition and takes care of
  redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.

The following RewriteRule is used to redirect old blog URLs::

   RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
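
The two VirtualHost files are not reproduced on this page; the following is an added sketch, not the project's own configuration, of the directives they would need for the client-certificate gate on ``/wp-admin`` and ``/wp-login.php``, the HTTP-to-HTTPS redirect, and the CRL check that is still listed as a planned task. The CRL directory ``/etc/ssl/crl/cacert.org/``, the verify depth, the redirect status code and the ``Include`` of ``blog.inc.conf`` are assumptions; certificate, key, chain and CA paths are the ones documented above.

```apache
# Added example, not /etc/apache2/sites-available/blog-ssl.conf itself.
<VirtualHost *:443>
    ServerName blog.cacert.org
    SSLEngine on
    SSLCertificateFile      /etc/ssl/public/blog.cacert.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/blog.cacert.org.key
    SSLCertificateChainFile /etc/ssl/certs/cacert.org.pem

    # CAcert Class 1 and Class 3 roots with hashed names (c_rehash), as
    # mod_ssl expects; only client certificates chaining to these are accepted
    SSLCACertificatePath /etc/ssl/certs/cacert.org/

    # Planned CRL check. The directory is an assumed path that the rsync job
    # from crl.cacert.org would fill; CRL files also need hashed names (<hash>.r0).
    SSLCARevocationPath  /etc/ssl/crl/cacert.org/
    SSLCARevocationCheck chain

    # Public part of the blog: no client certificate required
    SSLVerifyClient none

    # Admin interface and login page: a client certificate is mandatory, so a
    # leaked Wordpress password alone does not reach the backend.
    # Depth 2 (assumption) allows leaf -> Class 3 -> Class 1.
    <Location /wp-admin>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
    <Location /wp-login.php>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    Include /etc/apache2/cacert/blog.inc.conf
</VirtualHost>

# Added example, not blog-nossl.conf itself: plain HTTP serves the public
# pages only; the protected paths are sent to the HTTPS host so the
# certificate requirement above cannot be side-stepped over port 80.
<VirtualHost *:80>
    ServerName blog.cacert.org
    RewriteEngine on
    RewriteRule ^/wp-(admin|login\.php) https://blog.cacert.org%{REQUEST_URI} [R=301,L]

    Include /etc/apache2/cacert/blog.inc.conf
</VirtualHost>
```

Apache 2.4 defaults ``SSLCARevocationCheck`` to ``none``, so a revocation path alone changes nothing; the check directive is what makes a revoked client certificate fail the handshake. Front-end features that call ``/wp-admin/admin-ajax.php`` are gated as well, so that file needs its own ``Location`` with ``SSLVerifyClient none`` if the theme depends on it.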
315
.. index::
   pair: Wordpress; configuration

Wordpress configuration
-----------------------

* :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
  configuration. The rest of the Wordpress configuration is stored in the
  database (assumption).

Tasks
=====

Planned
-------

.. todo:: setup IPv6

.. todo::
   setup CRL checks (can be borrowed from :doc:`svn`) for client certificates

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wordpress website
   https://wordpress.org/
355 Wordpress website
356 https://wordpress.org/