Documented test.cacert.org
[cacert-infradocs.git] / docs / systems / proxyout.rst
.. index::
   single: Systems; Proxyout

========
Proxyout
========

Purpose
=======

This system provides an outgoing http/https proxy for controlled access to
external resources like APT repositories and code repositories. It was set up
because the frequently changing IP addresses of external repositories led to
update problems on several other machines: internal hosts now only need to
reach this proxy, and the list of permitted external hosts is maintained in one
place, the squid configuration.

Application Links
-----------------

This machine has no externally exposed URLs.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Squid       | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* proxyout-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Proxyout

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

The system is managed by :doc:`puppet`. The puppet repository is browsable at
https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 3128/tcp | http      | internal  | squid http/https proxy                  |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: openssh
   single: puppet agent
   single: rsyslog
   single: squid

+----------------+--------------------+--------------------------------------+
| Service        | Usage              | Start mechanism                      |
+================+====================+======================================+
| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
+----------------+--------------------+--------------------------------------+
| Exim           | SMTP server for    | init script                          |
|                | local mail         | :file:`/etc/init.d/exim4`            |
|                | submission         |                                      |
+----------------+--------------------+--------------------------------------+
| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
|                | remote             |                                      |
|                | administration     |                                      |
+----------------+--------------------+--------------------------------------+
| Puppet agent   | local Puppet agent | init script                          |
|                |                    | :file:`/etc/init.d/puppet`           |
+----------------+--------------------+--------------------------------------+
| rsyslog        | syslog daemon      | init script                          |
|                |                    | :file:`/etc/init.d/rsyslog`          |
+----------------+--------------------+--------------------------------------+
| Squid          | Caching and        | init script                          |
|                | filtering http/    | :file:`/etc/init.d/squid`            |
|                | https proxy for    |                                      |
|                | internal machines  |                                      |
+----------------+--------------------+--------------------------------------+

Connected Systems
-----------------

* :doc:`blog`
* :doc:`board`
* :doc:`bugs`
* :doc:`cats`
* :doc:`email`
* :doc:`emailout`
* :doc:`git`
* :doc:`ircserver`
* :doc:`jenkins`
* :doc:`lists`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`puppet`
* :doc:`svn`
* :doc:`test`
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* .debian.org Debian mirrors
* apt.puppetlabs.com as Debian repository for puppet packages
* HTTP and HTTPS servers specified in the squid configuration
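
The access control that keeps this an outbound repository proxy rather than an
open relay lives entirely in the squid configuration. The following
``squid.conf`` is an added example written for this page, not the configuration
from the CaCert Puppet repository. It assumes that the internal clients live in
10.0.0.0/24 and 2001:7b8:616:162:2::/64 (the page lists only the proxy's own
addresses) and that the cache lives under ``/var/spool/squid``; the destination
list is taken from the outbound connections above (.debian.org mirrors and
apt.puppetlabs.com) and is where the additional repositories and ACLs from the
planned tasks would be added.

```squid
# /etc/squid/squid.conf for an outbound-only repository proxy.
# Added example, not the configuration from the CaCert Puppet repository.
# Assumptions: internal clients live in 10.0.0.0/24 and
# 2001:7b8:616:162:2::/64; the page lists only the proxy's own addresses.

# Listen only on the internal addresses, never on 0.0.0.0.
http_port 10.0.0.201:3128
http_port [2001:7b8:616:162:2::201]:3128

# Who may use the proxy.
acl internal_net src 10.0.0.0/24
acl internal_net src 2001:7b8:616:162:2::/64

# Where they may go: an explicit allow-list of repository hosts.
# A leading dot matches the domain and every subdomain (deb.debian.org,
# security.debian.org, ...). Extend this list instead of loosening the rules.
acl repo_hosts dstdomain .debian.org
acl repo_hosts dstdomain apt.puppetlabs.com

# Ports and methods: plain HTTP on 80, CONNECT tunnels only to 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access is evaluated top to bottom and the first match wins, so the
# restrictions come first and "deny all" closes the list. Without the
# CONNECT/SSL_ports line an allowed domain could be used as a tunnel to
# any port, e.g. "CONNECT deb.debian.org:22". The explicit deny for
# non-internal sources protects against allow lines added later.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !internal_net
http_access allow internal_net repo_hosts
http_access deny all

# Cache package files on disk; path and size are assumptions. Create the
# directories once with "squid -z" after adding cache_dir.
cache_dir ufs /var/spool/squid 2048 16 256
maximum_object_size 512 MB
# .deb file names carry the version, so cached copies never go stale;
# index files must always be revalidated or apt sees an inconsistent mirror.
refresh_pattern \.deb$ 129600 100% 129600
refresh_pattern -i (InRelease|Release|Release\.gpg|Packages|Sources)(\.gz|\.xz|\.bz2)?$ 0 0% 0
refresh_pattern . 0 20% 4320

# Do not leak internal client addresses or the proxy's identity upstream.
forwarded_for delete
via off

access_log /var/log/squid/access.log squid
```

Check the syntax with ``squid -k parse`` and apply it with ``squid -k
reconfigure``. From an internal host, ``curl -sI -x http://10.0.0.201:3128
http://deb.debian.org/debian/`` should succeed, while ``curl -sI -x
http://10.0.0.201:3128 https://www.example.org/`` must be answered with a 403
by the proxy and ``curl -sI -x http://10.0.0.201:3128 http://deb.debian.org:22/``
must be refused as well; if either of the last two succeeds, the ACL order is
wrong. Clients use the proxy by setting ``Acquire::http::Proxy
"http://10.0.0.201:3128/";`` and ``Acquire::https::Proxy
"http://10.0.0.201:3128/";`` in a file under :file:`/etc/apt/apt.conf.d/`.
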

Security
========

.. sshkeys::
   :RSA: SHA256:TfsDuQ2tuWnTlpLnFILxlZa+IOpC97QmxDAlGgCa0/I MD5:1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
   :ECDSA: SHA256:d79XAVk0pspIVoI7i4ffohM7PjaBMJdh1J4yv+4Z5ms MD5:74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
   :ED25519: SHA256:26yiJUT3NfqpFDLgAgXSsRL7ppMiIpNqKmfDiMxpAqc MD5:43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Squid is a mature http and https proxy installed from distribution packages and
is considered low risk. Its access control lists are the security-relevant part
of the configuration: the proxy only accepts connections from internal machines
and only forwards them to the external hosts listed in the squid configuration.
Any change to the ACLs must preserve this, otherwise the proxy degrades into an
open relay through which every internal host could reach arbitrary external
services.

The Puppet agent and its dependencies are third party packages with a good
security track record and regular updates. The attack surface is small due to
the tightly restricted access to the system. The puppet agent is not exposed
for access from outside the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

Tasks
=====

Planned
-------

.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
   avoid flaky firewall configurations on :doc:`infra02`.

.. todo:: Add more APT repositories and ACLs if needed

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://www.squid-cache.org/