Update list of systems using proxyout for APT
[cacert-infradocs.git] / docs / systems / proxyout.rst
.. index::
   single: Systems; Proxyout

========
Proxyout
========

Purpose
=======

This system provides an outgoing http/https proxy for controlled
(ACL-restricted) access to external resources such as APT repositories and
code repositories. It was set up because the frequently changing IP addresses
of external repositories led to recurring update problems on several other
machines.

Application Links
-----------------

This machine has no externally exposed URLs.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Squid       | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* proxyout-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Proxyout

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.1

* Debian GNU/Linux 9.1

Applicable Documentation
------------------------

The system is managed by :doc:`puppet`. The puppet repository is browsable at
https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 3128/tcp | http      | internal  | squid http/https proxy                  |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: puppet agent
   single: cron
   single: exim4
   single: squid
   single: openssh

+----------------+--------------------+--------------------------------------+
| Service        | Usage              | Start mechanism                      |
+================+====================+======================================+
| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
|                | remote             |                                      |
|                | administration     |                                      |
+----------------+--------------------+--------------------------------------+
| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
+----------------+--------------------+--------------------------------------+
| Exim           | SMTP server for    | init script                          |
|                | local mail         | :file:`/etc/init.d/exim4`            |
|                | submission         |                                      |
+----------------+--------------------+--------------------------------------+
| Puppet agent   | local Puppet agent | init script                          |
|                |                    | :file:`/etc/init.d/puppet`           |
+----------------+--------------------+--------------------------------------+
| Squid          | Caching and        | init script                          |
|                | filtering http/    | :file:`/etc/init.d/squid`            |
|                | https proxy for    |                                      |
|                | internal machines  |                                      |
+----------------+--------------------+--------------------------------------+

Connected Systems
-----------------

* :doc:`blog`
* :doc:`board`
* :doc:`bugs`
* :doc:`cats`
* :doc:`email`
* :doc:`emailout`
* :doc:`git`
* :doc:`irc`
* :doc:`ircserver`
* :doc:`jenkins`
* :doc:`lists`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`puppet`
* :doc:`svn`
* :doc:`web`
* :doc:`webstatic`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* Debian mirrors under .debian.org
* apt.puppetlabs.com as Debian repository for puppet packages
* HTTP and HTTPS servers allowed by the destination ACLs in the squid
  configuration (on behalf of the internal clients)

Security
========

.. sshkeys::
   :ECDSA: 74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
   :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
   :RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few of its dependencies are installed from the
official Puppet APT repository because the versions in Debian are too old to
use modern Puppet features.

Risk assessments on critical packages
-------------------------------------

Squid is a mature http/https proxy. It is installed from the distribution
packages and is considered low risk.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

Tasks
=====

Planned
-------

.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
   avoid flaky firewall configurations on :doc:`infra02`.
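
An added example of the client side of this task (not taken from the
project's Puppet repository): the APT configuration an infrastructure host
needs so that its repository access goes through proxyout instead of
through its own outbound firewall rules. The proxy address is this system's
internal IP and Squid port from this page; the file name and the host used
for the DIRECT exception are assumptions.

```conf
// Added example, not the Puppet-managed configuration of any real host.
// Assumed file name: /etc/apt/apt.conf.d/02proxy

// Plain-http repositories are fetched by the proxy on the host's behalf.
Acquire::http::Proxy  "http://10.0.0.201:3128/";

// https repositories are tunnelled through the proxy with CONNECT, so the
// proxy must allow CONNECT to port 443 for the repository host.
Acquire::https::Proxy "http://10.0.0.201:3128/";

// A host that must be reached without the proxy (e.g. an internal mirror)
// can be exempted per host name; mirror.example.internal is a placeholder.
Acquire::http::Proxy::mirror.example.internal "DIRECT";
```

With this in place, ``apt-get update`` on the host talks only to
10.0.0.201:3128. A repository that is not on the proxy's allow-list shows up
as a 403 from the proxy in APT's error output and as ``TCP_DENIED`` in Squid's
access log, which is the quickest way to spot a repository that still has to
be added to the ACLs.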

.. todo:: Add more APT repositories and ACLs if needed
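
As an added example of such ACLs (not the project's Puppet-managed
``squid.conf``), the fragment below shows the allow-list pattern this proxy
exists for: only internal hosts may use it, and they may reach only the
repository domains listed under Outbound network connections, over plain http
on port 80 or via CONNECT on port 443. The listening address is this system's
internal IP; the client network ranges and the object size limit are
assumptions that must be adjusted to the real network.

```conf
# Added example of an allow-list squid.conf for an outbound APT proxy.
# Not the Puppet-managed configuration of proxyout; adjust before use.

# Listen only on the internal address from this page, never on a public one.
http_port 10.0.0.201:3128

# Clients allowed to use the proxy (assumed ranges, use the real internal nets).
acl internal_net src 10.0.0.0/24
acl internal_net src 2001:7b8:616:162:2::/80

# Destinations internal hosts may reach (from the outbound connections list).
# A leading dot matches the domain and all of its subdomains.
acl apt_repos dstdomain .debian.org
acl apt_repos dstdomain apt.puppetlabs.com

acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Order matters: Squid uses the first matching http_access line.
# 1. nothing but the two web ports, 2. CONNECT only to 443,
# 3. allow-listed repositories for internal clients, 4. deny the rest.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow internal_net apt_repos
http_access deny  all

# .deb files are larger than Squid's default object limit; raise it so
# package downloads are actually cached for the other hosts.
maximum_object_size 512 MB
```

Check the file with ``squid -k parse`` before reloading it, then verify from
an internal host that a request to a domain that is not on the list is
answered with 403 (logged as ``TCP_DENIED`` in Squid's access log) while the
listed repositories load.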

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://www.squid-cache.org/