94303d639b4434b4dab9e854018c28cee18c0ad0
[cacert-infradocs.git] / docs / systems / blog.rst
1 .. index::
2 single: Systems; Blog
3
4 ====
5 Blog
6 ====
7
8 Purpose
9 =======
10
11 This system hosts the blog, blog.cacert.org. The blog meets the needs of public
12 relations and the CAcert community to publish CAcert's activities.
13
14 Application Links
15 -----------------
16
17 Blog URL
18 https://blog.cacert.org/
19
20 Adding a category
21 https://blog.cacert.org/wp-admin/categories.php
22
23 Administration
24 ==============
25
26 System Administration
27 ---------------------
28
29 * Primary: :ref:`people_dirk`
30 * Secondary: None
31
32 .. todo:: find an additional admin
33
34 Application Administration
35 --------------------------
36
37 +-----------------------+-------------------------------------------------+
38 | Role | Users |
39 +=======================+=================================================+
40 | Wordpress Admin | :ref:`people_dirk`, |
41 | | :ref:`people_mario`, |
42 +-----------------------+-------------------------------------------------+
43 | Wordpress Editor | PR Team, |
44 | | `Support`_ |
45 +-----------------------+-------------------------------------------------+
46 | Wordpress Author | Anyone with a certificate |
47 +-----------------------+-------------------------------------------------+
48 | Wordpress Contributor | Anyone with contributor privileges |
49 +-----------------------+-------------------------------------------------+
50 | Wordpress Subscriber | Any Spammer or person who has not posted or has |
51 | | not logged in |
52 +-----------------------+-------------------------------------------------+
53
54 .. _Support: support@cacert.org
55
56 Contact
57 -------
58
59 * blog-admin@cacert.org
60
61 Additional People
62 -----------------
63
64 :ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
65 have :program:`sudo` access on that machine too.
66
67 Basics
68 ======
69
70 Physical Location
71 -----------------
72
73 This system is located in an :term:`LXC` container on physical machine
74 :doc:`infra02`.
75
76 Logical Location
77 ----------------
78
79 :IP Internet: :ip:v4:`213.154.225.234`
80 :IP Intranet: :ip:v4:`172.16.2.13`
81 :IP Internal: :ip:v4:`10.0.0.13`
82 :MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)
83
84 .. seealso::
85
86 See :doc:`../network`
87
88 Monitoring
89 ----------
90
91 :internal checks: :monitor:`blog.infra.cacert.org`
92
93 DNS
94 ---
95
96 .. index::
97 single: DNS records; Blog
98
99 ====================== ======== ====================================================================
100 Name Type Content
101 ====================== ======== ====================================================================
102 blog.cacert.org. IN A 213.154.225.234
103 blog.cacert.org. IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
104 blog.cacert.org. IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
105 blog.cacert.org. IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
106 blog.cacert.org. IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
107 blog.cacert.org. IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
108 blog.cacert.org. IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
109 blog.cacert.org. IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
110 blog.cacert.org. IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
111 blog.intra.cacert.org. IN A 172.16.2.13
112 ====================== ======== ====================================================================
113
114 .. seealso::
115
116 See :wiki:`SystemAdministration/Procedures/DNSChanges`
117
118 Operating System
119 ----------------
120
121 .. index::
122 single: Debian GNU/Linux; Jessie
123 single: Debian GNU/Linux; 8.11
124
125 * Debian GNU/Linux 8.11
126
127 Applicable Documentation
128 ------------------------
129
130 A small (work in progress) guide can be found in the :wiki:`BlogDoc`.
131
132 Services
133 ========
134
135 Listening services
136 ------------------
137
138 +----------+---------+---------+----------------------------+
139 | Port | Service | Origin | Purpose |
140 +==========+=========+=========+============================+
141 | 22/tcp | ssh | ANY | admin console access |
142 +----------+---------+---------+----------------------------+
143 | 25/tcp | smtp | local | mail delivery to local MTA |
144 +----------+---------+---------+----------------------------+
145 | 80/tcp | http | ANY | application |
146 +----------+---------+---------+----------------------------+
147 | 443/tcp | https | ANY | application |
148 +----------+---------+---------+----------------------------+
149 | 5666/tcp | nrpe | monitor | remote monitoring service |
150 +----------+---------+---------+----------------------------+
151 | 3306/tcp | mysql | local | MySQL database for blog |
152 +----------+---------+---------+----------------------------+
153 | 9000/tcp | php-fpm | local | PHP FPM executor |
154 +----------+---------+---------+----------------------------+
155
156 Running services
157 ----------------
158
159 .. index::
160 single: apache httpd
161 single: cron
162 single: dbus
163 single: mysql
164 single: nrpe
165 single: openssh
166 single: postfix
167
168 +--------------------+--------------------+-------------------------------------------------+
169 | Service | Usage | Start mechanism |
170 +====================+====================+=================================================+
171 | Apache httpd | Webserver for blog | systemd unit ``apache2.service`` |
172 +--------------------+--------------------+-------------------------------------------------+
173 | cron | job scheduler | systemd unit ``cron.service`` |
174 +--------------------+--------------------+-------------------------------------------------+
175 | dbus-daemon | System message bus | systemd unit ``dbus.service`` |
176 | | daemon | |
177 +--------------------+--------------------+-------------------------------------------------+
178 | MySQL | MySQL database | systemd unit ``mysql.service`` |
179 | | server for blog | |
180 +--------------------+--------------------+-------------------------------------------------+
181 | openssh server | ssh daemon for | systemd unit ``ssh.service`` |
182 | | remote | |
183 | | administration | |
184 +--------------------+--------------------+-------------------------------------------------+
185 | Postfix | SMTP server for | systemd unit ``postfix.service`` |
186 | | local mail | |
187 | | submission | |
188 +--------------------+--------------------+-------------------------------------------------+
189 | Nagios NRPE server | remote monitoring | systemd unit ``/etc/init.d/nagios-nrpe-server`` |
190 | | service queried by | |
191 | | :doc:`monitor` | |
192 +--------------------+--------------------+-------------------------------------------------+
193
194 Databases
195 ---------
196
197 +-------+------------+------------------------------+
198 | RDBMS | Name | Used for |
199 +=======+============+==============================+
200 | MySQL | blog | Wordpress blog |
201 +-------+------------+------------------------------+
202 | MySQL | phpmyadmin | PHPMyAdmin settings database |
203 +-------+------------+------------------------------+
204
205 Connected Systems
206 -----------------
207
208 * :doc:`monitor`
209
210 Outbound network connections
211 ----------------------------
212
213 * HTTP (80/tcp) and HTTPS (443/tcp) `Ping-o-matic`_ blog update service [#f1]_
214 * HTTP (80/tcp) and HTTPS (443/tcp) to Akismet anti spam service [#f2]_
215 * HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
216 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
217 * :doc:`emailout` as SMTP relay
218 * :doc:`proxyout` as HTTP proxy for APT
219 * crl.cacert.org (rsync) for getting CRLs
220
221 .. _Ping-o-matic: http://rpc.pingomatic.com/
222 .. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
223 .. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config
224
225 .. - check network status
226
227 Security
228 ========
229
230 .. sshkeys::
231 :RSA: SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
232 :DSA: SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
233 :ECDSA: SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
234 :ED25519: SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
235
236 Dedicated user roles
237 --------------------
238
239 +-------+--------------------------------------------------------------------+
240 | Group | Purpose |
241 +=======+====================================================================+
242 | blog | group owning the blog file content and temporary files. This group |
243 | | is used to execute the Wordpress PHP code. |
244 +-------+--------------------------------------------------------------------+
245
246 Non-distribution packages and modifications
247 -------------------------------------------
248
249 * **Wordpress Plugins**
250
251 * `client-certificate-authentication
252 <http://wordpress.org/plugins/client-certificate-authentication/>`_
253 * akismet
254
255 Risk assessments on critical packages
256 -------------------------------------
257
258 +-------------+-------------+---------------------------------------------+
259 | Software | Risk rating | Mitigation |
260 +=============+=============+=============================================+
261 | *Wordpress* | high | Regular updates, avoid unnecessary plugins, |
262 | | | Consider `Wordpress hardening`_ |
263 +-------------+-------------+---------------------------------------------+
264
265 .. todo:: `Wordpress hardening`_
266
267 .. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress
268
269 Critical Configuration items
270 ============================
271
272 Keys and X.509 certificates
273 ---------------------------
274
275 .. sslcert:: blog.cacert.org
276 :altnames: DNS:blog.cacert.org
277 :certfile: /etc/ssl/public/blog.cacert.org.crt
278 :keyfile: /etc/ssl/private/blog.cacert.org.key
279 :serial: 1381E6
280 :expiration: Mar 16 09:17:48 2020 GMT
281 :sha1fp: E9:92:97:26:01:C1:00:3C:D7:BC:A2:2D:F4:F7:24:1C:47:C0:01:51
282 :issuer: CA Cert Signing Authority
283
284 * :file:`/etc/ssl/certs/cacert.org/` directory containing CAcert.org Class 1
285 and Class 3 certificates (allowed CA certificates for client certificates)
286 and symlinks with hashed names as expected by OpenSSL
287 * :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
288 (certificate chain for server certificate)
289
290 .. seealso::
291
292 * :wiki:`SystemAdministration/CertificateList`
293
294 .. index::
295 pair: Apache httpd; configuration
296
297 Apache httpd configuration
298 --------------------------
299
300 * :file:`/etc/apache2/cacert/blog.inc.conf`
301
302 Defines settings that are shared by the HTTP and the HTTPS VirtualHost
303 definitions. This file takes care of the PHP FCGI setup.
304
305 * :file:`/etc/apache2/cacert/headers.inc.conf`
306
307 Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
308 definitions. The file is included by
309 :file:`/etc/apache2/cacert/blog.inc.conf`.
310
311 * :file:`/etc/apache2/sites-available/blog-ssl.conf`
312
313 This file contains the HTTPS VirtualHost definition and defines client
314 certificate authentication for ``/wp-admin`` and ``/wp-login.php``.
315
316 * :file:`/etc/apache2/sites-available/blog-nossl.conf`
317
318 This file defines the HTTP VirtualHost definition and takes care of
319 redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.
320
321 The following RewriteRule is used to redirect old blog URLs::
322
323 RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
324
325 .. index::
326 pair: Wordpress; configuration
327
328 Wordpress configuration
329 -----------------------
330
331 * :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
332 configuration. The rest of the Wordpress configuration is stored in the
333 database (assumption).
334
335 Tasks
336 =====
337
338 .. todo:: switch to Puppet management
339 .. todo:: replace nrpe with icinga2 agent
340 .. todo:: update wordpress to 5.x
341
342 Planned
343 -------
344
345 .. todo:: setup IPv6
346
347 .. todo::
348 setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
349
350 Changes
351 =======
352
353 System Future
354 -------------
355
356 .. todo:: system should be upgraded to Debian 9 or 10
357
358 Additional documentation
359 ========================
360
361 .. seealso::
362
363 * :wiki:`PostfixConfiguration`
364
365 References
366 ----------
367
368 Wordpress website
369 https://wordpress.org/