Upgrade proxyout to Debian 10.0 Buster
.. index::
   single: Systems; Proxyout

========
Proxyout
========

Purpose
=======

This system provides an outgoing http/https proxy for controlled access to
external resources such as APT repositories and code repositories. It was set
up because the frequently changing IP addresses of external repositories caused
update problems on several other machines.

Application Links
-----------------

This machine has no externally exposed URLs.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Squid       | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* proxyout-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Proxyout

Monitoring
----------

:internal checks: :monitor:`proxyout.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Proxyout

.. todo:: set up DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Buster
   single: Debian GNU/Linux; 10.0

* Debian GNU/Linux 10.0

Applicable Documentation
------------------------

The system is managed by :doc:`puppet`. The puppet repository is browsable at
https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.

Services
========

Listening services
------------------

+----------+---------+----------+----------------------------+
| Port     | Service | Origin   | Purpose                    |
+==========+=========+==========+============================+
| 22/tcp   | ssh     | ANY      | admin console access       |
+----------+---------+----------+----------------------------+
| 25/tcp   | smtp    | local    | mail delivery to local MTA |
+----------+---------+----------+----------------------------+
| 3128/tcp | http    | internal | squid http/https proxy     |
+----------+---------+----------+----------------------------+
| 5665/tcp | icinga2 | monitor  | remote monitoring service  |
+----------+---------+----------+----------------------------+

Running services
----------------

.. index::
   single: cron
   single: dbus
   single: exim
   single: icinga2
   single: openssh
   single: puppet
   single: rsyslog
   single: squid

+----------------+--------------------------+----------------------------------+
| Service        | Usage                    | Start mechanism                  |
+================+==========================+==================================+
| cron           | job scheduler            | systemd unit ``cron.service``    |
+----------------+--------------------------+----------------------------------+
| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
|                | daemon                   |                                  |
+----------------+--------------------------+----------------------------------+
| Exim           | SMTP server for          | systemd unit ``exim4.service``   |
|                | local mail submission    |                                  |
+----------------+--------------------------+----------------------------------+
| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
+----------------+--------------------------+----------------------------------+
| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
|                | remote administration    |                                  |
+----------------+--------------------------+----------------------------------+
| Puppet agent   | configuration management | systemd unit ``puppet.service``  |
|                | agent                    |                                  |
+----------------+--------------------------+----------------------------------+
| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
+----------------+--------------------------+----------------------------------+
| Squid          | Caching and filtering    | systemd unit ``squid.service``   |
|                | http/https proxy for     |                                  |
|                | internal machines        |                                  |
+----------------+--------------------------+----------------------------------+

Connected Systems
-----------------

* :doc:`blog`
* :doc:`board`
* :doc:`bugs`
* :doc:`cats`
* :doc:`email`
* :doc:`emailout`
* :doc:`git`
* :doc:`ircserver`
* :doc:`jenkins`
* :doc:`lists`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`puppet`
* :doc:`svn`
* :doc:`test`
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* .debian.org Debian mirrors
* apt.puppetlabs.com as Debian repository for puppet packages
* HTTP and HTTPS servers specified in the squid configuration

Security
========

.. sshkeys::
   :RSA: SHA256:TfsDuQ2tuWnTlpLnFILxlZa+IOpC97QmxDAlGgCa0/I MD5:1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
   :ECDSA: SHA256:d79XAVk0pspIVoI7i4ffohM7PjaBMJdh1J4yv+4Z5ms MD5:74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
   :ED25519: SHA256:26yiJUT3NfqpFDLgAgXSsRL7ppMiIpNqKmfDiMxpAqc MD5:43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Squid is a proven http and https proxy installed from distribution packages
with low risk.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The puppet agent is not exposed for access from outside
the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

Tasks
=====

Adding ACLs to Squid
--------------------

Add required lines to the ``profiles::squid::acls`` item in Hiera data for node
proxyout.
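As an added illustration (not taken from the cacert-puppet repository), the following Hiera node data shows how an allow-list for the outbound destinations named on this page could be expressed. It assumes that ``profiles::squid::acls`` is a list of raw ``squid.conf`` directive lines applied in order, and that the internal network is ``10.0.0.0/24``; both are assumptions, not documented facts.

```yaml
# Hypothetical Hiera data for node proxyout (added example, not project code).
# Assumption: profiles::squid::acls is an ordered list of squid.conf lines.
# Assumption: the internal client network is 10.0.0.0/24 (derived from the
# documented internal address 10.0.0.201; adjust to the real prefix).
profiles::squid::acls:
  # Who may use the proxy: only machines on the internal network.
  - 'acl internal_net src 10.0.0.0/24'
  # Where they may go: the repositories listed under outbound connections.
  - 'acl debian_mirrors dstdomain .debian.org'
  - 'acl puppet_repo dstdomain apt.puppetlabs.com'
  # Restrict to plain HTTP and HTTPS; CONNECT only towards port 443.
  - 'acl allowed_ports port 80 443'
  - 'acl ssl_ports port 443'
  - 'acl CONNECT method CONNECT'
  - 'http_access deny !allowed_ports'
  - 'http_access deny CONNECT !ssl_ports'
  # Allow rules are evaluated top-down; the final deny is the default.
  - 'http_access allow internal_net debian_mirrors'
  - 'http_access allow internal_net puppet_repo'
  - 'http_access deny all'
```

Because squid stops at the first matching ``http_access`` line, any new destination must be allowed before the closing ``deny all`` or it will be refused.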

Changes
=======

Planned
-------

.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
   avoid flaky firewall configurations on :doc:`infra02`.

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://www.squid-cache.org/