docs/systems/blog.rst

   1 .. index::
   2    single: Systems; Blog
   3
   4 ====
   5 Blog
   6 ====
   7
   8 Purpose
   9 =======
  10
  11 This system hosts the blog, blog.cacert.org. The blog meets the needs of public
  12 relations and the CAcert community to publish CAcert's activities.
  13
  14 Application Links
  15 -----------------
  16
  17 Blog URL
  18    https://blog.cacert.org/
  19
  20 Adding a category
  21    https://blog.cacert.org/wp-admin/categories.php
  22
  23 Administration
  24 ==============
  25
  26 System Administration
  27 ---------------------
  28
  29 * Primary: :ref:`people_dirk`
  30 * Secondary: None
  31
  32 .. todo:: find an additional admin
  33
  34 Application Administration
  35 --------------------------
  36
  37 +-----------------------+-------------------------------------------------+
  38 | Role                  | Users                                           |
  39 +=======================+=================================================+
  40 | Wordpress Admin       | :ref:`people_dirk`,                             |
  41 |                       | :ref:`people_mario`,                            |
  42 +-----------------------+-------------------------------------------------+
  43 | Wordpress Editor      | PR Team,                                        |
  44 |                       | `Support`_                                      |
  45 +-----------------------+-------------------------------------------------+
  46 | Wordpress Author      | Anyone with a certificate                       |
  47 +-----------------------+-------------------------------------------------+
  48 | Wordpress Contributor | Anyone with contributor privileges              |
  49 +-----------------------+-------------------------------------------------+
  50 | Wordpress Subscriber  | Any Spammer or person who has not posted or has |
  51 |                       | not logged in                                   |
  52 +-----------------------+-------------------------------------------------+
  53
  54 .. _Support: support@cacert.org
  55
  56 Contact
  57 -------
  58
  59 * blog-admin@cacert.org
  60
  61 Additional People
  62 -----------------
  63
  64 :ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
  65 have :program:`sudo` access on that machine too.
  66
  67 Basics
  68 ======
  69
  70 Physical Location
  71 -----------------
  72
  73 This system is located in an :term:`LXC` container on physical machine
  74 :doc:`infra02`.
  75
  76 Logical Location
  77 ----------------
  78
  79 :IP Internet: :ip:v4:`213.154.225.234`
  80 :IP Intranet: :ip:v4:`172.16.2.13`
  81 :IP Internal: :ip:v4:`10.0.0.13`
  82 :MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)
  83
  84 .. seealso::
  85
  86    See :doc:`../network`
  87
  88 Monitoring
  89 ----------
  90
  91 :internal checks: :monitor:`blog.infra.cacert.org`
  92
  93 DNS
  94 ---
  95
  96 .. index::
  97    single: DNS records; Blog
  98
  99 ====================== ======== ====================================================================
 100 Name                   Type     Content
 101 ====================== ======== ====================================================================
 102 blog.cacert.org.       IN A     213.154.225.234
 103 blog.cacert.org.       IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
 104 blog.cacert.org.       IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
 105 blog.cacert.org.       IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
 106 blog.cacert.org.       IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
 107 blog.cacert.org.       IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
 108 blog.cacert.org.       IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
 109 blog.cacert.org.       IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
 110 blog.cacert.org.       IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
 111 blog.intra.cacert.org. IN A     172.16.2.13
 112 ====================== ======== ====================================================================
 113
 114 .. seealso::
 115
 116    See :wiki:`SystemAdministration/Procedures/DNSChanges`
 117
 118 Operating System
 119 ----------------
 120
 121 .. index::
 122    single: Debian GNU/Linux; Jessie
 123    single: Debian GNU/Linux; 8.11
 124
 125 * Debian GNU/Linux 8.11
 126
 127 Applicable Documentation
 128 ------------------------
 129
 130 A small (work in progress) guide can be found in the :wiki:`BlogDoc`.
 131
 132 Services
 133 ========
 134
 135 Listening services
 136 ------------------
 137
 138 +----------+---------+---------+----------------------------+
 139 | Port     | Service | Origin  | Purpose                    |
 140 +==========+=========+=========+============================+
 141 | 22/tcp   | ssh     | ANY     | admin console access       |
 142 +----------+---------+---------+----------------------------+
 143 | 25/tcp   | smtp    | local   | mail delivery to local MTA |
 144 +----------+---------+---------+----------------------------+
 145 | 80/tcp   | http    | ANY     | application                |
 146 +----------+---------+---------+----------------------------+
 147 | 443/tcp  | https   | ANY     | application                |
 148 +----------+---------+---------+----------------------------+
 149 | 5666/tcp | nrpe    | monitor | remote monitoring service  |
 150 +----------+---------+---------+----------------------------+
 151 | 3306/tcp | mysql   | local   | MySQL database for blog    |
 152 +----------+---------+---------+----------------------------+
 153 | 9000/tcp | php-fpm | local   | PHP FPM executor           |
 154 +----------+---------+---------+----------------------------+
 155
 156 Running services
 157 ----------------
 158
 159 .. index::
 160    single: apache httpd
 161    single: cron
 162    single: dbus
 163    single: mysql
 164    single: nrpe
 165    single: openssh
 166    single: postfix
 167
 168 +--------------------+--------------------+-------------------------------------------------+
 169 | Service            | Usage              | Start mechanism                                 |
 170 +====================+====================+=================================================+
 171 | Apache httpd       | Webserver for blog | systemd unit ``apache2.service``                |
 172 +--------------------+--------------------+-------------------------------------------------+
 173 | cron               | job scheduler      | systemd unit ``cron.service``                   |
 174 +--------------------+--------------------+-------------------------------------------------+
 175 | dbus-daemon        | System message bus | systemd unit ``dbus.service``                   |
 176 |                    | daemon             |                                                 |
 177 +--------------------+--------------------+-------------------------------------------------+
 178 | MySQL              | MySQL database     | systemd unit ``mysql.service``                  |
 179 |                    | server for blog    |                                                 |
 180 +--------------------+--------------------+-------------------------------------------------+
 181 | openssh server     | ssh daemon for     | systemd unit ``ssh.service``                    |
 182 |                    | remote             |                                                 |
 183 |                    | administration     |                                                 |
 184 +--------------------+--------------------+-------------------------------------------------+
 185 | Postfix            | SMTP server for    | systemd unit ``postfix.service``                |
 186 |                    | local mail         |                                                 |
 187 |                    | submission         |                                                 |
 188 +--------------------+--------------------+-------------------------------------------------+
 189 | Nagios NRPE server | remote monitoring  | systemd unit ``/etc/init.d/nagios-nrpe-server`` |
 190 |                    | service queried by |                                                 |
 191 |                    | :doc:`monitor`     |                                                 |
 192 +--------------------+--------------------+-------------------------------------------------+
 193
 194 Databases
 195 ---------
 196
 197 +-------+------------+------------------------------+
 198 | RDBMS | Name       | Used for                     |
 199 +=======+============+==============================+
 200 | MySQL | blog       | Wordpress blog               |
 201 +-------+------------+------------------------------+
 202 | MySQL | phpmyadmin | PHPMyAdmin settings database |
 203 +-------+------------+------------------------------+
 204
 205 Connected Systems
 206 -----------------
 207
 208 * :doc:`monitor`
 209
 210 Outbound network connections
 211 ----------------------------
 212
 213 * HTTP (80/tcp) and HTTPS (443/tcp) `Ping-o-matic`_ blog update service [#f1]_
 214 * HTTP (80/tcp) and HTTPS (443/tcp) to Akismet anti spam service [#f2]_
 215 * HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
 216 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
 217 * :doc:`emailout` as SMTP relay
 218 * :doc:`proxyout` as HTTP proxy for APT
 219 * crl.cacert.org (rsync) for getting CRLs
 220
 221 .. _Ping-o-matic: http://rpc.pingomatic.com/
 222 .. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
 223 .. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config
 224
 225 .. - check network status
 226
 227 Security
 228 ========
 229
 230 .. sshkeys::
 231    :RSA:     SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
 232    :DSA:     SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
 233    :ECDSA:   SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
 234    :ED25519: SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
 235
 236 Dedicated user roles
 237 --------------------
 238
 239 +-------+--------------------------------------------------------------------+
 240 | Group | Purpose                                                            |
 241 +=======+====================================================================+
 242 | blog  | group owning the blog file content and temporary files. This group |
 243 |       | is used to execute the Wordpress PHP code.                         |
 244 +-------+--------------------------------------------------------------------+
 245
 246 Non-distribution packages and modifications
 247 -------------------------------------------
 248
 249 * **Wordpress Plugins**
 250
 251   * `client-certificate-authentication
 252     <http://wordpress.org/plugins/client-certificate-authentication/>`_
 253   * akismet
 254
 255 Risk assessments on critical packages
 256 -------------------------------------
 257
 258 +-------------+-------------+---------------------------------------------+
 259 | Software    | Risk rating | Mitigation                                  |
 260 +=============+=============+=============================================+
 261 | *Wordpress* | high        | Regular updates, avoid unnecessary plugins, |
 262 |             |             | Consider `Wordpress hardening`_             |
 263 +-------------+-------------+---------------------------------------------+
 264
 265 .. todo:: `Wordpress hardening`_
 266
 267 .. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress
 268
 269 Critical Configuration items
 270 ============================
 271
 272 Keys and X.509 certificates
 273 ---------------------------
 274
 275 .. sslcert:: blog.cacert.org
 276    :altnames:   DNS:blog.cacert.org
 277    :certfile:   /etc/ssl/public/blog.cacert.org.crt
 278    :keyfile:    /etc/ssl/private/blog.cacert.org.key
 279    :serial:     1381E6
 280    :expiration: Mar 16 09:17:48 2020 GMT
 281    :sha1fp:     E9:92:97:26:01:C1:00:3C:D7:BC:A2:2D:F4:F7:24:1C:47:C0:01:51
 282    :issuer:     CA Cert Signing Authority
 283
 284 * :file:`/etc/ssl/certs/cacert.org/` directory containing CAcert.org Class 1
 285   and Class 3 certificates (allowed CA certificates for client certificates)
 286   and symlinks with hashed names as expected by OpenSSL
 287 * :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
 288   (certificate chain for server certificate)
 289
 290 .. seealso::
 291
 292    * :wiki:`SystemAdministration/CertificateList`
 293
 294 .. index::
 295    pair: Apache httpd; configuration
 296
 297 Apache httpd configuration
 298 --------------------------
 299
 300 * :file:`/etc/apache2/cacert/blog.inc.conf`
 301
 302   Defines settings that are shared by the HTTP and the HTTPS VirtualHost
 303   definitions. This file takes care of the PHP FCGI setup.
 304
 305 * :file:`/etc/apache2/cacert/headers.inc.conf`
 306
 307   Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
 308   definitions. The file is included by
 309   :file:`/etc/apache2/cacert/blog.inc.conf`.
 310
 311 * :file:`/etc/apache2/sites-available/blog-ssl.conf`
 312
 313   This file contains the HTTPS VirtualHost definition and defines client
 314   certificate authentication for ``/wp-admin`` and ``/wp-login.php``.
 315
 316 * :file:`/etc/apache2/sites-available/blog-nossl.conf`
 317
 318   This file defines the HTTP VirtualHost definition and takes care of
 319   redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.
 320
 321 The following RewriteRule is used to redirect old blog URLs::
 322
 323   RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
 324
 325 .. index::
 326    pair: Wordpress; configuration
 327
 328 Wordpress configuration
 329 -----------------------
 330
 331 * :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
 332   configuration. The rest of the Wordpress configuration is stored in the
 333   database (assumption).
 334
 335 Tasks
 336 =====
 337
 338 .. todo:: switch to Puppet management
 339 .. todo:: replace nrpe with icinga2 agent
 340 .. todo:: update wordpress to 5.x
 341
 342 Planned
 343 -------
 344
 345 .. todo:: setup IPv6
 346
 347 .. todo::
 348    setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
 349
 350 Changes
 351 =======
 352
 353 System Future
 354 -------------
 355
 356 .. todo:: system should be upgraded to Debian 9 or 10
 357
 358 Additional documentation
 359 ========================
 360
 361 .. seealso::
 362
 363    * :wiki:`PostfixConfiguration`
 364
 365 References
 366 ----------
 367
 368 Wordpress website
 369    https://wordpress.org/