This system hosts the `Subversion`_ repository that is used for some CAcert
documents and code that have not been moved to :doc:`git` yet, for example:

.. _Subversion: http://subversion.apache.org/

The subversion repository
   https://svn.cacert.org/CAcert/

Anonymous read-only HTTP access
   http://svn.cacert.org/CAcert/

Username/password authenticated HTTPS access
   https://nocert.svn.cacert.org/CAcert/
* Primary: :ref:`people_jandd`

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Subversion    | :ref:`people_jandd` |
+---------------+---------------------+

* svn-admin@cacert.org

:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
This system is located in an :term:`LXC` container on physical machine

:IP Internet: :ip:v4:`213.154.225.238`
:IP Intranet: :ip:v4:`172.16.2.15`
:IP Internal: :ip:v4:`10.0.0.20`
:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)
.. index::
   single: DNS records; Svn

========================== ======== ============================================
svn.cacert.org.            IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.            IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.            IN A     213.154.225.238
cert.svn.cacert.org.       IN CNAME svn.cacert.org.
nocert.svn.cacert.org      IN CNAME svn.cacert.org
========================== ======== ============================================

.. todo:: add AAAA record for IPv6 address

See :wiki:`SystemAdministration/Procedures/DNSChanges`
.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.7

* Debian GNU/Linux 8.7

Applicable Documentation
------------------------

Access to specific paths in the repository is granted on request if approved by
team leaders/officers.
+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | Subversion         | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+

* Connection from :doc:`blog` because blog uses some resources served from svn
* Connection from https://www.cacert.org/ because blog posts are embedded there
Outbound network connections
----------------------------

* crl.cacert.org (rsync) for getting CRLs
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* apt.puppetlabs.com as Debian repository for puppet packages

:RSA: df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
:DSA: 07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
:ECDSA: f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
:ED25519: 56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5
Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with a minimum of enabled modules to allow TLS and
Subversion but nothing else, to reduce potential security risks.

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The puppet agent is not exposed for access from outside
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: svn.cacert.org
   :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
   :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
   :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
   :expiration: Mar 24 10:57:53 18 GMT
   :sha1fp: E2:E2:26:B3:5D:8A:FA:96:C0:94:A2:E5:11:9D:89:C7:AC:C7:B3:2D
   :issuer: CAcert Class 3 Root

* :file:`/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
  certificates (allowed CA certificates for client certificates)
* :file:`/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
  (certificate chain for server certificate)

* :wiki:`SystemAdministration/CertificateList`
.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using client
  certificate authentication. The SNI server names svn.cacert.org and
  cert.svn.cacert.org are handled by the VirtualHost configuration in this

* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
  username/password authentication. The SNI server name nocert.svn.cacert.org
  is handled by the VirtualHost configuration in this file.

* :file:`/etc/apache2/sites-available/000-default`

  Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.

These files include the following files to configure Subversion and
authentication/authorization:

* :file:`/etc/apache2/sites-available/ssl_config.include`

  contains VirtualHost specific TLS configuration

* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`

  configures anonymous SVN access without defining a password file, so SVN
  paths that require authentication stay restricted on this VirtualHost

* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`

  configures username/password authenticated access to SVN using the password
  file :file:`/srv/dav_svn.passwd`.

* :file:`/etc/apache2/sites-available/svn_certauth_config.include`

  configures TLS client certificate authenticated access to SVN using the first
  email address in the client certificate's Subject Distinguished name as user
Subversion configuration
------------------------

Subversion authorization (aliases, groups and ACLs) is configured in
:file:`/srv/dav_svn.authz` in the format specified in `path based authorization
<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_ in

The repository data is stored in :file:`/srv/svnrepo`.
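The path-based authorization format used by :file:`/srv/dav_svn.authz`, worked as an added example (this is not CAcert's code or policy file): a small evaluator over a constructed sample policy that resolves aliases, nested groups, ``$anonymous``, repository-qualified sections and path inheritance. The tie-break among overlapping rules inside one section (named user over alias over group over wildcard) is an assumption; Subversion releases differ on this point, so check the svnbook for the installed version.

```python
# Added illustration on constructed data; this is not CAcert's code or policy.
import configparser
import posixpath
SAMPLE_AUTHZ = """
[aliases]
alice = /CN=Alice Example/emailAddress=alice@example.org
[groups]
policy = &alice, bob
[/]
* = r
[/policy]
@policy = rw
$anonymous =
[CAcert:/secret]
* =
&alice = rw
"""
# Assumed tie-break inside one section: the more specific subject wins (user >
# alias > group > $anonymous/$authenticated > *); Subversion releases differ.
RANK = {"*": 0, "$anonymous": 1, "$authenticated": 1, "@": 2, "&": 3}

def rule_matches(name, user, groups, aliases, seen=()):
    """Does rule subject NAME apply to USER (None means anonymous)?"""
    if name in ("*", "$authenticated", "$anonymous"):
        return name == "*" or (user is None) == (name == "$anonymous")
    if name.startswith("&"):                      # alias for a long user name
        return user is not None and aliases.get(name[1:]) == user
    if name.startswith("@") and name[1:] not in seen:   # group, may be nested
        return any(rule_matches(m.strip(), user, groups, aliases, seen + (name[1:],))
                   for m in groups.get(name[1:], "").split(","))
    return name == user

def check_access(authz_text, repo, path, user, required):
    """True if USER may do REQUIRED ('r' or 'rw') on PATH in REPO: the most
    specific path section wins, REPO:PATH beats PATH, no matching rule = deny."""
    cfg = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cfg.optionxform = str                         # user names are case sensitive
    cfg.read_string(authz_text)
    groups, aliases = (dict(cfg.items(s)) if cfg.has_section(s) else {}
                       for s in ("groups", "aliases"))
    path = posixpath.normpath("/" + path.lstrip("/"))
    while path:                                   # walk from PATH up to "/"
        for section in (f"{repo}:{path}", path):
            hits = [(RANK.get(s, RANK.get(s[:1], 4)), set((r or "").strip()))
                    for s, r in (cfg.items(section) if cfg.has_section(section) else [])
                    if rule_matches(s, user, groups, aliases)]
            if hits:                              # first section with a match decides
                return set(required) <= max(hits, key=lambda h: h[0])[1]
        path = "" if path == "/" else posixpath.dirname(path)
    return False
```

Anonymous readers get the ``[/]`` rule everywhere except under ``/policy``, while the repository-qualified ``[CAcert:/secret]`` section only applies to that repository.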
CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.

The configuration of this system will be migrated to a setup fully managed by

X.509 Auth for policy
---------------------

* Documentation officer has endorsed
* Waiting on Org-assurer word as to org-assurer policy stuff

* commit hooks on policy to policy list?

Additional documentation
========================

* :wiki:`Exim4Configuration`
* :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
* :wiki:`SystemAdministration/Systems/Svn/Setup`

* http://svnbook.red-bean.com/en/1.5/svn.reposadmin.html