16e32b220dcfb6d11f4d5e664c95d5fbfec17558
[cacert-infradocs.git] / docs / systems / web.rst
.. index::
   single: Systems; Web

===
Web
===

Purpose
=======

Reverse proxy for different websites that handles http to https redirection and
TLS handshakes. The following services are currently proxied by this system:

* Jenkins on :doc:`jenkins`
* codedocs.cacert.org, funding.cacert.org and infradocs.cacert.org on
  :doc:`webstatic`

The proxy should be used for all web applications that do not need access to the
TLS parameters (client certificates, other peer information). Applications that
need to perform TLS handshakes themselves can be proxied through :doc:`proxyin`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* web-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.242`
:IP Intranet: :ip:v4:`172.16.2.26`
:IP Internal: :ip:v4:`10.0.0.26`
:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Web

===================== ======== ====================================================================
Name                  Type     Content
===================== ======== ====================================================================
web.cacert.org.       IN A     213.154.225.242
web.cacert.org.       IN SSHFP 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
web.cacert.org.       IN SSHFP 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
web.cacert.org.       IN SSHFP 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
web.cacert.org.       IN SSHFP 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
web.cacert.org.       IN SSHFP 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
web.cacert.org.       IN SSHFP 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
web.intra.cacert.org. IN A     172.16.2.26
===================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | redirects to https                      |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | https termination and reverse proxy     |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: nrpe
   single: openssh
   single: postfix
   single: puppet agent
   single: rsyslog

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| Apache httpd       | http redirector,    | init script                            |
|                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission          |                                        |
+--------------------+---------------------+----------------------------------------+
| Puppet agent       | configuration       | init script                            |
|                    | management agent    | :file:`/etc/init.d/puppet`             |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
* :doc:`webstatic` as backend for the codedocs.cacert.org, funding.cacert.org
  and infradocs.cacert.org VirtualHosts

Security
========

.. sshkeys::
   :RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
   :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
   :ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
   :ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of enabled modules needed for
proxying and TLS handling, which keeps the exposed code surface small.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The Puppet agent is not exposed for access from outside
the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`web` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: codedocs.cacert.org
   :altnames: DNS:codedocs.cacert.org
   :certfile: /etc/ssl/certs/codedocs.cacert.org.crt
   :keyfile: /etc/ssl/private/codedocs.cacert.org.key
   :serial: 02CB3D
   :expiration: Oct 25 22:35:23 2020 GMT
   :sha1fp: 49:FA:0B:01:C0:9F:74:EF:12:15:8F:CA:8E:D3:2C:FA:0C:7E:3C:F7
   :issuer: CAcert Class 3 Root

.. sslcert:: funding.cacert.org
   :altnames: DNS:funding.cacert.org
   :certfile: /etc/ssl/certs/funding.cacert.org.crt
   :keyfile: /etc/ssl/private/funding.cacert.org.key
   :serial: 02A770
   :expiration: Feb 16 12:07:35 2019 GMT
   :sha1fp: 36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
   :issuer: CAcert Class 3 Root

.. sslcert:: infradocs.cacert.org
   :altnames: DNS:infradocs.cacert.org
   :certfile: /etc/ssl/certs/infradocs.cacert.org.crt
   :keyfile: /etc/ssl/private/infradocs.cacert.org.key
   :serial: 02C448
   :expiration: May 18 08:21:31 2020 GMT
   :sha1fp: 87:E7:21:19:24:61:D9:82:60:DB:65:41:7C:6C:0A:4E:63:0E:27:F7
   :issuer: CAcert Class 3 Root

.. sslcert:: jenkins.cacert.org
   :altnames: DNS:jenkins.cacert.org
   :certfile: /etc/ssl/certs/jenkins.cacert.org.crt
   :keyfile: /etc/ssl/private/jenkins.cacert.org.key
   :serial: 02A76F
   :expiration: Feb 16 12:07:29 2019 GMT
   :sha1fp: D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
   :issuer: CAcert Class 3 Root

.. sslcert:: web.cacert.org
   :altnames: DNS:web.cacert.org
   :certfile: /etc/ssl/certs/web.cacert.org.crt
   :keyfile: /etc/ssl/private/web.cacert.org.key
   :serial: 02BE3D
   :expiration: Feb 19 11:44:47 2020 GMT
   :sha1fp: D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85
   :issuer: CAcert Class 3 Root

* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
  certificate for server certificate chains. The Apache httpd configuration
  files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests reaching this host with no
  specifically handled host name.

* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`

  Defines the VirtualHost http://codedocs.cacert.org/ that redirects to
  https://codedocs.cacert.org/ and the VirtualHost
  https://codedocs.cacert.org/ that provides reverse proxy functionality for
  the same host name on :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost http://funding.cacert.org/ that redirects to
  https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
  that provides reverse proxy functionality for the same host name on
  :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
  https://infradocs.cacert.org/ and the VirtualHost
  https://infradocs.cacert.org/ that provides reverse proxy functionality for
  the same host name on :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`

  Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
  https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
  that provides reverse proxy functionality for the Jenkins instance on
  :doc:`jenkins`.

Tasks
=====

Planned
-------

.. todo:: manage the web system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. note::
   The system hosted the Drupal based community portal https://www.cacert.eu/
   in the past. The DNS records for this portal have been changed to point to
   the regular https://www.cacert.org/ site. All unreachable VirtualHosts have
   been archived to the backup disk at :doc:`infra02`.

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://httpd.apache.org/docs/2.4/
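As an added illustration of the VirtualHost pair described above (written for this page, not a copy of the file deployed on this host), a minimal codedocs.cacert.org configuration: the backend host name for :doc:`webstatic`, the protocol restrictions and the HSTS header are assumptions; the certificate, key and chain paths are the ones listed in this document.

```apache
# Added example, not the configuration deployed on web.cacert.org.
# Assumption: the webstatic backend answers plain http at
#   http://webstatic.intra.cacert.org/ (placeholder name, substitute the real one).
# Needs: a2enmod ssl proxy proxy_http headers

# Port 80 serves nothing but a permanent redirect to the https site.
<VirtualHost *:80>
    ServerName codedocs.cacert.org
    Redirect permanent / https://codedocs.cacert.org/
    ErrorLog  ${APACHE_LOG_DIR}/codedocs.cacert.org-error.log
    CustomLog ${APACHE_LOG_DIR}/codedocs.cacert.org-access.log combined
</VirtualHost>

# Port 443 terminates TLS here and forwards the request to the static backend.
<VirtualHost *:443>
    ServerName codedocs.cacert.org

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/codedocs.cacert.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/codedocs.cacert.org.key
    # CAcert Class 3 intermediate, the symlinked copy mentioned above
    SSLCertificateChainFile /etc/ssl/certs/class3.pem
    # Assumption: only TLS 1.2 and newer are wanted on this listener
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder     on

    # Assumption: HSTS for this host name is wanted
    Header always set Strict-Transport-Security "max-age=31536000"

    # Never act as a forward proxy; keep the Host header so the backend can
    # pick the matching site; tell it the client arrived over https.
    ProxyRequests     Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://webstatic.intra.cacert.org/
    ProxyPassReverse / http://webstatic.intra.cacert.org/

    ErrorLog  ${APACHE_LOG_DIR}/codedocs.cacert.org-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/codedocs.cacert.org-ssl-access.log combined
</VirtualHost>
```

The funding.cacert.org and infradocs.cacert.org sites follow the same pattern with their own certificate and key paths; jenkins.cacert.org differs only in pointing ProxyPass at the Jenkins instance on :doc:`jenkins`.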