Improve system documentation
[cacert-infradocs.git] / docs / systems / proxyout.rst
.. index::
   single: Systems; Proxyout

========
Proxyout
========

Purpose
=======

This system provides an outgoing http/https proxy for controlled access to
external resources like APT repositories and code repositories. The decision
to set up this system was made because the frequently changing IP addresses of
external repositories led to update problems on several other machines.

Application Links
-----------------

This machine has no externally exposed URLs.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Squid       | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* proxyout-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Proxyout

Monitoring
----------

:internal checks: :monitor:`proxyout.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Proxyout

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

The system is managed by :doc:`puppet`. The puppet repository is browsable at
https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 3128/tcp | http      | internal  | squid http/https proxy                  |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: openssh
   single: puppet agent
   single: rsyslog
   single: squid

+----------------+--------------------+--------------------------------------+
| Service        | Usage              | Start mechanism                      |
+================+====================+======================================+
| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
+----------------+--------------------+--------------------------------------+
| Exim           | SMTP server for    | init script                          |
|                | local mail         | :file:`/etc/init.d/exim4`            |
|                | submission         |                                      |
+----------------+--------------------+--------------------------------------+
| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
|                | remote             |                                      |
|                | administration     |                                      |
+----------------+--------------------+--------------------------------------+
| Puppet agent   | local Puppet agent | init script                          |
|                |                    | :file:`/etc/init.d/puppet`           |
+----------------+--------------------+--------------------------------------+
| rsyslog        | syslog daemon      | init script                          |
|                |                    | :file:`/etc/init.d/syslog`           |
+----------------+--------------------+--------------------------------------+
| Squid          | Caching and        | init script                          |
|                | filtering http/    | :file:`/etc/init.d/squid`            |
|                | https proxy for    |                                      |
|                | internal machines  |                                      |
+----------------+--------------------+--------------------------------------+

Connected Systems
-----------------

* :doc:`blog`
* :doc:`board`
* :doc:`bugs`
* :doc:`cats`
* :doc:`email`
* :doc:`emailout`
* :doc:`git`
* :doc:`ircserver`
* :doc:`jenkins`
* :doc:`lists`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`puppet`
* :doc:`svn`
* :doc:`test`
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* .debian.org Debian mirrors
* apt.puppetlabs.com as Debian repository for puppet packages
* HTTP and HTTPS servers specified in the squid configuration

Security
========

.. sshkeys::
   :RSA: SHA256:TfsDuQ2tuWnTlpLnFILxlZa+IOpC97QmxDAlGgCa0/I MD5:1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
   :ECDSA: SHA256:d79XAVk0pspIVoI7i4ffohM7PjaBMJdh1J4yv+4Z5ms MD5:74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
   :ED25519: SHA256:26yiJUT3NfqpFDLgAgXSsRL7ppMiIpNqKmfDiMxpAqc MD5:43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Squid is a proven http and https proxy installed from distribution packages
with low risk.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The puppet agent is not exposed for access from outside
the system.


Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

Tasks
=====

.. todo:: add a section describing how to add ACLs to Squid
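
The following ``squid.conf`` fragment is an added example for this page; it is
not the configuration deployed on proxyout and not taken from the CAcert Puppet
repository. It shows the deny-by-default ACL layout such a proxy needs: only
clients from the internal network may use it, and only the destination names
listed in ``dstdomain`` ACLs are reachable, with CONNECT limited to port 443.
The internal client network (``10.0.0.0/24``) and the code repository host
(``git.example.org``) are assumptions; the two APT repositories are the ones
named under *Outbound network connections*.

```squid
# Added example, not the configuration deployed on proxyout.
# Networks and the code repository host are assumptions.
http_port 3128

# Clients: only the internal network (assumed 10.0.0.0/24) may use the proxy.
acl internal_net src 10.0.0.0/24

# Destinations: one dstdomain ACL per purpose. A leading dot matches the
# domain and all of its subdomains, which covers the rotating mirror hosts.
acl apt_debian dstdomain .debian.org
acl apt_puppet dstdomain apt.puppetlabs.com
# Hypothetical code repository host; replace with the real one.
acl code_repos dstdomain git.example.org

# Protocol hygiene: plain HTTP only on 80/443, CONNECT (https tunnels) only
# to 443, so the proxy cannot be used to reach arbitrary TCP ports.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The cache manager interface is not needed by clients.
http_access deny manager

# Allow rules: source network AND destination list must both match.
http_access allow internal_net apt_debian
http_access allow internal_net apt_puppet
http_access allow internal_net code_repos

# Everything not explicitly allowed above is refused.
http_access deny all

# Keep an access log so denied requests can be reviewed when a host
# cannot update.
access_log /var/log/squid/access.log squid
```

Adding a new repository means adding one ``dstdomain`` ACL and one
``http_access allow internal_net <acl>`` line above ``http_access deny all``;
the order of ``http_access`` lines matters, because Squid uses the first
matching rule. Check the result with ``squid -k parse`` before
``squid -k reconfigure``. On this system the change belongs in the Puppet
profile rather than in a hand-edited file, since the configuration is managed
via Puppet.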

Changes
=======

Planned
-------

.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
   avoid flaky firewall configurations on :doc:`infra02`.

.. todo:: Add more APT repositories and ACLs if needed

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://www.squid-cache.org/