Add new SSHFP DNS records for blog and bugs
cacert-infradocs.git: docs/systems/blog.rst
.. index::
   single: Systems; Blog

====
Blog
====

Purpose
=======

This system hosts the blog, blog.cacert.org. The blog meets the needs of public
relations and the CAcert community to publish CAcert's activities.

Application Links
-----------------

Blog URL
   https://blog.cacert.org/

Adding a category
   https://blog.cacert.org/wp-admin/categories.php

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_dirk`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-----------------------+-------------------------------------------------+
| Role                  | Users                                           |
+=======================+=================================================+
| Wordpress Admin       | :ref:`people_dirk`,                             |
|                       | :ref:`people_mario`                             |
+-----------------------+-------------------------------------------------+
| Wordpress Editor      | PR Team,                                        |
|                       | `Support`_                                      |
+-----------------------+-------------------------------------------------+
| Wordpress Author      | Anyone with a certificate                       |
+-----------------------+-------------------------------------------------+
| Wordpress Contributor | Anyone with contributor privileges              |
+-----------------------+-------------------------------------------------+
| Wordpress Subscriber  | Any Spammer or person who has not posted or has |
|                       | not logged in                                   |
+-----------------------+-------------------------------------------------+

.. _Support: support@cacert.org

Contact
-------

* blog-admin@cacert.org

Additional People
-----------------

:ref:`Jan Dittberner <people_jandd>`, :ref:`Mario Lipinski <people_mario>` and
:ref:`Dirk Astrath <people_dirk>` have :program:`sudo` access on that machine
too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.234`
:IP Intranet: :ip:v4:`172.16.2.13`
:IP Internal: :ip:v4:`10.0.0.13`
:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Blog

====================== ======== ====================================================================
Name                   Type     Content
====================== ======== ====================================================================
blog.cacert.org.       IN A     213.154.225.234
blog.cacert.org.       IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
blog.cacert.org.       IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
blog.cacert.org.       IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
blog.cacert.org.       IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
blog.cacert.org.       IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
blog.cacert.org.       IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
blog.cacert.org.       IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
blog.cacert.org.       IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
blog.intra.cacert.org. IN A     172.16.2.13
====================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
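The SSHFP records above are digests of the host's public key blobs, one SHA-1 and one SHA-256 record per key algorithm. The following example is added here and is not part of the CAcert infrastructure docs: it recomputes SSHFP records from an OpenSSH public key line (the data ``ssh-keygen -r`` prints) and compares them with a published record set, tolerating the mixed upper and lower case hex seen in the table above. The Ed25519 key it uses is constructed, not the blog host's key.

```python
import base64
import hashlib
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479): algorithm 1 = RSA, 2 = DSA,
# 3 = ECDSA, 4 = Ed25519; fingerprint type 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (big-endian uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hexdigest) triples for one OpenSSH public key
    line; the digest covers the base64-decoded key blob, as in RFC 4255."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside the blob does not match the line")
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASHES.items())]


def check_sshfp(pubkey_line, published):
    """Compare published 'alg fptype hexdigest' records (as returned by a DNS
    query) with the ones the key yields. Hex digests are compared
    case-insensitively, since zone files mix upper and lower case. Records for
    other algorithms are ignored; stale ones for this algorithm are reported."""
    expected = set(sshfp_records(pubkey_line))
    alg = next(iter(expected))[0]
    seen = set()
    for rr in published:
        a, t, digest = rr.split()
        seen.add((int(a), int(t), digest.lower()))
    return {"matched": sorted(expected & seen),
            "missing": sorted(expected - seen),
            "stale": sorted(r for r in seen - expected if r[0] == alg)}


# Constructed sample: an Ed25519 key blob whose 32 key bytes are all zero.
# Not a real key; on a host the line comes from /etc/ssh/ssh_host_ed25519_key.pub.
CONSTRUCTED_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " constructed"

if __name__ == "__main__":
    for alg, fptype, digest in sshfp_records(CONSTRUCTED_KEY):
        print("blog.cacert.org. IN SSHFP %d %d %s" % (alg, fptype, digest))
```

Feeding ``check_sshfp`` the records from a ``dig SSHFP`` query and the host's ``ssh_host_*_key.pub`` lines shows which records must be added or retired after a host key rotation.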
Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.10

* Debian GNU/Linux 8.10

Applicable Documentation
------------------------

A small (work in progress) guide can be found in the :wiki:`BlogDoc`.

Services
========

Listening services
------------------

+----------+---------+---------+----------------------------+
| Port     | Service | Origin  | Purpose                    |
+==========+=========+=========+============================+
| 22/tcp   | ssh     | ANY     | admin console access       |
+----------+---------+---------+----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA |
+----------+---------+---------+----------------------------+
| 80/tcp   | http    | ANY     | application                |
+----------+---------+---------+----------------------------+
| 443/tcp  | https   | ANY     | application                |
+----------+---------+---------+----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service  |
+----------+---------+---------+----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for blog    |
+----------+---------+---------+----------------------------+
| 9000/tcp | php-fpm | local   | PHP FPM executor           |
+----------+---------+---------+----------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: PHP FPM
   single: Postfix
   single: cron
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for blog | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for blog    | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| PHP FPM            | PHP FPM executor   | init script                            |
|                    | for blog           | :file:`/etc/init.d/php5-fpm`           |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------+------------+------------------------------+
| RDBMS | Name       | Used for                     |
+=======+============+==============================+
| MySQL | blog       | Wordpress blog               |
+-------+------------+------------------------------+
| MySQL | phpmyadmin | PHPMyAdmin settings database |
+-------+------------+------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) and HTTPS (443/tcp) to the `Ping-o-matic`_ blog update service [#f1]_
* HTTP (80/tcp) and HTTPS (443/tcp) to the Akismet anti-spam service [#f2]_
* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for fetching CRLs

.. _Ping-o-matic: http://rpc.pingomatic.com/
.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
.. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config

.. - check network status

Security
========

.. sshkeys::
   :RSA: MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
   :DSA: MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
   :ECDSA: MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
   :ED25519: MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d

Dedicated user roles
--------------------

+-------+--------------------------------------------------------------------+
| Group | Purpose                                                            |
+=======+====================================================================+
| blog  | group owning the blog file content and temporary files. This group |
|       | is used to execute the Wordpress PHP code.                         |
+-------+--------------------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

* **Wordpress Plugins**

  * `client-certificate-authentication
    <http://wordpress.org/plugins/client-certificate-authentication/>`_
  * akismet

Risk assessments on critical packages
-------------------------------------

+-------------+-------------+---------------------------------------------+
| Software    | Risk rating | Mitigation                                  |
+=============+=============+=============================================+
| *Wordpress* | high        | Regular updates, avoid unnecessary plugins, |
|             |             | consider `Wordpress hardening`_             |
+-------------+-------------+---------------------------------------------+

.. todo:: `Wordpress hardening`_

.. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: blog.cacert.org
   :certfile: /etc/ssl/public/blog.cacert.org.crt
   :keyfile: /etc/ssl/private/blog.cacert.org.key
   :serial: 11e837
   :expiration: Mar 31 16:34:28 2018 GMT
   :sha1fp: 69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F
   :issuer: CAcert.org Class 1 Root CA

* :file:`/etc/ssl/certs/cacert.org/` directory containing CAcert.org Class 1
  and Class 3 certificates (allowed CA certificates for client certificates)
  and symlinks with hashed names as expected by OpenSSL
* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
  (certificate chain for server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/cacert/blog.inc.conf`

  Defines settings that are shared by the HTTP and the HTTPS VirtualHost
  definitions. This file takes care of the PHP FCGI setup.

* :file:`/etc/apache2/cacert/headers.inc.conf`

  Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
  definitions. The file is included by
  :file:`/etc/apache2/cacert/blog.inc.conf`.

* :file:`/etc/apache2/sites-available/blog-ssl.conf`

  This file contains the HTTPS VirtualHost definition and defines client
  certificate authentication for ``/wp-admin`` and ``/wp-login.php``.

* :file:`/etc/apache2/sites-available/blog-nossl.conf`

  This file contains the HTTP VirtualHost definition and takes care of
  redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.

  The following RewriteRule is used to redirect old blog URLs::

     RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]

.. index::
   pair: Wordpress; configuration

Wordpress configuration
-----------------------

* :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
  configuration. The rest of the Wordpress configuration is stored in the
  database (assumption).

Tasks
=====

Planned
-------

.. todo:: setup IPv6

.. todo::
   setup CRL checks (can be borrowed from :doc:`svn`) for client certificates

Changes
=======

System Future
-------------

.. todo:: system should be upgraded to Debian 9

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wordpress website
   https://wordpress.org/