Fix wrong IP address for proxyout
[cacert-infradocs.git] / docs / systems / proxyout.rst
.. index::
   single: Systems; Proxyout

========
Proxyout
========

Purpose
=======

This system acts as an outgoing HTTP and HTTPS proxy for access to APT
repositories.

Application Links
-----------------

This system has no publicly visible URLs.


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin
.. people_<name> are defined in people.rst

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Squid       | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* proxyout-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on the physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Proxyout

.. todo:: set up DNS records (in the infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.1

* Debian GNU/Linux 9.1

Applicable Documentation
------------------------

The system is managed by :doc:`puppet`. The Puppet repository is browsable at
https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 3128/tcp | http      | internal  | squid http/https proxy                  |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: puppet agent
   single: cron
   single: exim4
   single: squid
   single: openssh

+----------------+--------------------+--------------------------------------+
| Service        | Usage              | Start mechanism                      |
+================+====================+======================================+
| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
|                | remote             |                                      |
|                | administration     |                                      |
+----------------+--------------------+--------------------------------------+
| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
+----------------+--------------------+--------------------------------------+
| Exim           | SMTP server for    | init script                          |
|                | local mail         | :file:`/etc/init.d/exim4`            |
|                | submission         |                                      |
+----------------+--------------------+--------------------------------------+
| Puppet agent   | local Puppet agent | init script                          |
|                |                    | :file:`/etc/init.d/puppet`           |
+----------------+--------------------+--------------------------------------+
| Squid          | Caching and        | init script                          |
|                | filtering http/    | :file:`/etc/init.d/squid`            |
|                | https proxy for    |                                      |
|                | internal machines  |                                      |
+----------------+--------------------+--------------------------------------+

Connected Systems
-----------------

* :doc:`motion`
* :doc:`proxyin`
* :doc:`puppet`
* :doc:`svn`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* .debian.org Debian mirrors
* apt.puppetlabs.com as Debian repository for Puppet packages

Security
========

.. sshkeys::
   :ECDSA: 74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
   :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
   :RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f

Risk assessments on critical packages
-------------------------------------

Squid is a proven HTTP and HTTPS proxy. It is installed from distribution
packages and carries low risk.

Critical Configuration items
============================

All configuration is managed in Puppet. There are no certificates or private
keys used on this machine.

Tasks
=====

Planned
-------

Change all infrastructure hosts to use this machine as their APT proxy, to avoid
flaky firewall configurations on :doc:`infra02`.
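
As an added illustration, and not the Puppet-managed ``squid.conf`` of this
host, the following Squid fragment expresses the filtering role described
above: only clients from the internal network may use the proxy, and only
towards the APT repositories listed under outbound connections. The internal
network range, the ACL names and the client file path are assumptions.

```squid
# Added example for proxyout; not the Puppet-managed configuration of this host.
# Listening port taken from the services table.
http_port 3128

# Source network: ASSUMED to be 10.0.0.0/24 (only the host address 10.0.0.201
# is documented; adjust to the real internal range).
acl internal src 10.0.0.0/24

# Destinations from the outbound connections list. A leading dot matches the
# domain itself and every subdomain, so all Debian mirrors under debian.org fit.
acl apt_mirrors dstdomain .debian.org
acl apt_mirrors dstdomain apt.puppetlabs.com

# Only plain HTTP and HTTPS; HTTPS to a mirror arrives as CONNECT host:443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# http_access rules are evaluated top down and the first match wins:
# internal clients reach the repositories, everything else (other sources,
# other destinations, open-proxy probes from outside) is refused.
http_access allow internal apt_mirrors
http_access deny all

# Do not announce the proxy or the client addresses to the mirrors.
via off
forwarded_for delete
```

On a client host, pointing APT at the proxy takes one line in a file such as ``/etc/apt/apt.conf.d/02proxy`` (path assumed): ``Acquire::http::Proxy "http://10.0.0.201:3128/";`` with the same value for ``Acquire::https::Proxy``.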

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://www.squid-cache.org/