Fix minor issues in system template
[cacert-infradocs.git] / docs / systems / blog.rst
.. index::
   single: Systems; Blog

====
Blog
====

Purpose
=======

This system hosts the blog at blog.cacert.org. The blog serves public
relations and the CAcert community as the channel for publishing CAcert's
activities.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_martin`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-----------------------+-------------------------------------------------+
| Role                  | Users                                           |
+=======================+=================================================+
| Wordpress Admin       | :ref:`people_abahlo`,                           |
|                       | :ref:`people_marcus`,                           |
|                       | :ref:`people_mario`,                            |
|                       | :ref:`people_martin`                            |
+-----------------------+-------------------------------------------------+
| Wordpress Editor      | PR Team,                                        |
|                       | `Support`_                                      |
+-----------------------+-------------------------------------------------+
| Wordpress Author      | Anyone with a certificate                       |
+-----------------------+-------------------------------------------------+
| Wordpress Contributor | Anyone with contributor privileges              |
+-----------------------+-------------------------------------------------+
| Wordpress Subscriber  | Any spammer or person who has not posted or has |
|                       | not logged in                                   |
+-----------------------+-------------------------------------------------+

.. _Support: support@cacert.org

Contact
-------

* blog-admin@cacert.org

Additional People
-----------------

:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
also have :program:`sudo` access on this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.234`
:IP Intranet: :ip:v4:`172.16.2.13`
:IP Internal: :ip:v4:`10.0.0.13`
:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Blog

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
blog.cacert.org.       IN A     213.154.225.234
blog.cacert.org.       IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
blog.cacert.org.       IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
blog.intra.cacert.org. IN A     172.16.2.13
====================== ======== ============================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.4

* Debian GNU/Linux 8.4

Applicable Documentation
------------------------

A small (work in progress) guide can be found in the `Wiki
<https://wiki.cacert.org/BlogDoc>`_.

Services
========

Listening services
------------------

+----------+---------+---------+----------------------------+
| Port     | Service | Origin  | Purpose                    |
+==========+=========+=========+============================+
| 22/tcp   | ssh     | ANY     | admin console access       |
+----------+---------+---------+----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA |
+----------+---------+---------+----------------------------+
| 80/tcp   | http    | ANY     | application                |
+----------+---------+---------+----------------------------+
| 443/tcp  | https   | ANY     | application                |
+----------+---------+---------+----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service  |
+----------+---------+---------+----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for blog    |
+----------+---------+---------+----------------------------+
| 9000/tcp | php-fpm | local   | PHP FPM executor           |
+----------+---------+---------+----------------------------+

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: MySQL
   single: PHP FPM
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for blog | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for blog    | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| PHP FPM            | PHP FPM executor   | init script                            |
|                    | for blog           | :file:`/etc/init.d/php5-fpm`           |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------+------------+------------------------------+
| RDBMS | Name       | Used for                     |
+=======+============+==============================+
| MySQL | blog       | Wordpress blog               |
+-------+------------+------------------------------+
| MySQL | phpmyadmin | PHPMyAdmin settings database |
+-------+------------+------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) and HTTPS (443/tcp) to the `Ping-o-matic`_ blog update
  service [#f1]_
* HTTP (80/tcp) and HTTPS (443/tcp) to the Akismet anti-spam service [#f2]_
* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for fetching CRLs

.. _Ping-o-matic: http://rpc.pingomatic.com/
.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
.. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config
   (check network status)

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d`` |
+-----------+-----------------------------------------------------+
| DSA       | ``c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81`` |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. todo:: setup ED25519 host key

.. seealso::

   See :doc:`../sshkeys`

Dedicated user roles
--------------------

+-------+--------------------------------------------------------------------+
| Group | Purpose                                                            |
+=======+====================================================================+
| blog  | group owning the blog file content and temporary files. This group |
|       | is used to execute the Wordpress PHP code.                         |
+-------+--------------------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

* **Wordpress Plugins**

  * `client-certificate-authentication
    <http://wordpress.org/plugins/client-certificate-authentication/>`_
  * akismet

Risk assessments on critical packages
-------------------------------------

+-------------+-------------+---------------------------------------------+
| Software    | Risk rating | Mitigation                                  |
+=============+=============+=============================================+
| *Wordpress* | high        | Regular updates, avoid unnecessary plugins, |
|             |             | consider `Wordpress hardening`_             |
+-------------+-------------+---------------------------------------------+

.. todo:: `Wordpress hardening`_

.. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. index::
   single: Certificate; Blog

* :file:`/etc/ssl/public/blog.cacert.org.crt` server certificate
* :file:`/etc/ssl/private/blog.cacert.org.key` server key
* :file:`/etc/ssl/certs/cacert.org/` directory containing the CAcert.org
  Class 1 and Class 3 certificates (the CA certificates accepted for client
  certificates) and symlinks with hashed names as expected by OpenSSL
* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
  (certificate chain for the server certificate)

.. seealso::

   * :ref:`cert_blog_cacert_org` in :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Apache configuration files
--------------------------

* :file:`/etc/apache2/cacert/blog.inc.conf`

  Defines settings that are shared by the HTTP and the HTTPS VirtualHost
  definitions. This file takes care of the PHP FCGI setup.

* :file:`/etc/apache2/cacert/headers.inc.conf`

  Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
  definitions. The file is included by
  :file:`/etc/apache2/cacert/blog.inc.conf`.

* :file:`/etc/apache2/sites-available/blog-ssl.conf`

  This file contains the HTTPS VirtualHost definition and defines client
  certificate authentication for ``/wp-admin`` and ``/wp-login.php``.

* :file:`/etc/apache2/sites-available/blog-nossl.conf`

  This file contains the HTTP VirtualHost definition and takes care of
  redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.

  The following RewriteRule is used to redirect old blog URLs::

     RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]

Wordpress configuration
-----------------------

* :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
  configuration. The rest of the Wordpress configuration is stored in the
  database (assumption).

Tasks
=====

Planned
-------

.. todo:: setup IPv6

.. todo::
   setup CRL checks (can be borrowed from :doc:`svn`) for client certificates

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration

Adding a category
-----------------

* https://blog.cacert.org/wp-admin/categories.php

References
----------

Blog URL
   https://blog.cacert.org/
360 Blog URL
361 https::/blog.cacert.org/