Improve system documentation
[cacert-infradocs.git] / docs / systems / web.rst
.. index::
   single: Systems; Web

===
Web
===

Purpose
=======

Reverse proxy for different websites that handles http to https redirection and
TLS handshakes. The following services are currently proxied by this system:

* Jenkins on :doc:`jenkins`
* codedocs.cacert.org, funding.cacert.org and infradocs.cacert.org on
  :doc:`webstatic`

The proxy should be used for all web applications that do not need access to the
TLS parameters (client certificates, other peer information). Applications that
need to perform TLS handshakes themselves can be proxied through :doc:`proxyin`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* web-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.242`
:IP Intranet: :ip:v4:`172.16.2.26`
:IP Internal: :ip:v4:`10.0.0.26`
:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Web

Monitoring
----------

:internal checks: :monitor:`web.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Web

===================== ======== ====================================================================
Name                  Type     Content
===================== ======== ====================================================================
web.cacert.org.       IN A     213.154.225.242
web.cacert.org.       IN SSHFP 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
web.cacert.org.       IN SSHFP 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
web.cacert.org.       IN SSHFP 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
web.cacert.org.       IN SSHFP 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
web.cacert.org.       IN SSHFP 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
web.cacert.org.       IN SSHFP 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
web.intra.cacert.org. IN A     172.16.2.26
===================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | redirects to https                      |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | https termination and reverse proxy     |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: nrpe
   single: openssh
   single: postfix
   single: puppet agent
   single: rsyslog

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| Apache httpd       | http redirector,    | init script                            |
|                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission          |                                        |
+--------------------+---------------------+----------------------------------------+
| Puppet agent       | configuration       | init script                            |
|                    | management agent    | :file:`/etc/init.d/puppet`             |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
* :doc:`webstatic` as backend for the codedocs.cacert.org, funding.cacert.org
  and infradocs.cacert.org VirtualHosts

Security
========

.. sshkeys::
   :RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
   :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
   :ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
   :ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61

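As an added cross-check that is not part of the original document, the following script compares the SHA-256 SSHFP records from the DNS table above with the OpenSSH host key fingerprints in the sshkeys block. Both are the SHA-256 digest of the same public key blob (OpenSSH prints it as unpadded base64, the DNS record as hex), so the two publications must agree byte for byte; the function names are my own and every value is copied from this page.

```python
"""Check the SSHFP records above against the host key fingerprints in the
sshkeys block (example added here; all values are copied from this page)."""
import base64

# SSHFP algorithm numbers by OpenSSH key type (RFC 4255, 6594, 7479).
SSHFP_ALGO = {"RSA": 1, "DSA": 2, "ECDSA": 3, "ED25519": 4}
# (algorithm, fingerprint type, hex) rows copied from the DNS table above.
SSHFP_RECORDS = [
    (1, 1, "85F5338D90930200CBBFCE1AAB56988B4C8F0F22"),
    (1, 2, "D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E"),
    (2, 1, "906F0C17BB0E233B0F52CE33CFE64038D45AC4F2"),
    (2, 2, "DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F"),
    (3, 1, "7B62D8D1E093C28CDA0F3D2444846128B41C10DE"),
    (3, 2, "0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B"),
]
# OpenSSH "SHA256:..." fingerprints copied from the sshkeys block above.
HOST_KEY_FPS = {
    "RSA": "SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4",
    "DSA": "SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8",
    "ECDSA": "SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs",
    "ED25519": "SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk",
}


def openssh_sha256_to_hex(fp: str) -> str:
    """Convert an OpenSSH SHA256 fingerprint (unpadded base64 of the key blob's
    SHA-256 digest) to the hex form used in SSHFP type 2 records."""
    b64 = fp.split(":", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # OpenSSH drops the base64 padding
    return base64.b64decode(b64).hex().upper()


def check_records(records=SSHFP_RECORDS, fps=HOST_KEY_FPS) -> dict:
    """Map each key type to 'match', 'MISMATCH' or 'missing' against the
    published SHA-256 (type 2) record for that key's SSHFP algorithm."""
    published = {(algo, ftype): hexfp.upper() for algo, ftype, hexfp in records}
    status = {}
    for ktype, fp in fps.items():
        rec = published.get((SSHFP_ALGO[ktype], 2))
        if rec is None:
            status[ktype] = "missing"  # no DNS record pins this key type
        else:
            status[ktype] = "match" if rec == openssh_sha256_to_hex(fp) else "MISMATCH"
    return status


if __name__ == "__main__":
    for ktype, state in check_records().items():
        print(f"{ktype:8} SSHFP type 2 record: {state}")
```

Run against the values on this page it reports a match for the RSA, DSA and ECDSA keys and no type 2 record for the ED25519 key; the SHA-1 (type 1) records cannot be checked this way because the sshkeys block lists MD5 rather than SHA-1 fingerprints.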
Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed for proxying
and TLS handling, to reduce the attack surface.

The third party packages in use have a good security track record and receive
regular updates. The attack surface is small because access to the system is
tightly restricted; the Puppet agent is not reachable from outside the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`web` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: codedocs.cacert.org
   :altnames: DNS:codedocs.cacert.org
   :certfile: /etc/ssl/certs/codedocs.cacert.org.crt
   :keyfile: /etc/ssl/private/codedocs.cacert.org.key
   :serial: 02CB3D
   :expiration: Oct 25 22:35:23 2020 GMT
   :sha1fp: 49:FA:0B:01:C0:9F:74:EF:12:15:8F:CA:8E:D3:2C:FA:0C:7E:3C:F7
   :issuer: CAcert Class 3 Root

.. sslcert:: funding.cacert.org
   :altnames: DNS:funding.cacert.org
   :certfile: /etc/ssl/certs/funding.cacert.org.crt
   :keyfile: /etc/ssl/private/funding.cacert.org.key
   :serial: 02D059
   :expiration: Jan 31 16:29:20 2021 GMT
   :sha1fp: FD:0D:2A:33:70:64:0E:2A:D6:F6:72:0F:D0:47:D9:C7:BD:E3:F4:DF
   :issuer: CAcert Class 3 Root

.. sslcert:: infradocs.cacert.org
   :altnames: DNS:infradocs.cacert.org
   :certfile: /etc/ssl/certs/infradocs.cacert.org.crt
   :keyfile: /etc/ssl/private/infradocs.cacert.org.key
   :serial: 02C448
   :expiration: May 18 08:21:31 2020 GMT
   :sha1fp: 87:E7:21:19:24:61:D9:82:60:DB:65:41:7C:6C:0A:4E:63:0E:27:F7
   :issuer: CAcert Class 3 Root

.. sslcert:: jenkins.cacert.org
   :altnames: DNS:jenkins.cacert.org
   :certfile: /etc/ssl/certs/jenkins.cacert.org.crt
   :keyfile: /etc/ssl/private/jenkins.cacert.org.key
   :serial: 02D058
   :expiration: Jan 31 16:27:54 2021 GMT
   :sha1fp: 00:5B:9C:4D:2E:D2:E4:69:2D:32:61:DC:25:98:F0:89:C9:E1:50:F1
   :issuer: CAcert Class 3 Root

.. sslcert:: web.cacert.org
   :altnames: DNS:web.cacert.org
   :certfile: /etc/ssl/certs/web.cacert.org.crt
   :keyfile: /etc/ssl/private/web.cacert.org.key
   :serial: 02BE3D
   :expiration: Feb 19 11:44:47 2020 GMT
   :sha1fp: D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85
   :issuer: CAcert Class 3 Root

* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
  certificate for server certificate chains. The Apache httpd configuration
  files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests that reach this host with a host
  name no other VirtualHost handles.

* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`

  Defines the VirtualHost http://codedocs.cacert.org/ that redirects to
  https://codedocs.cacert.org/ and the VirtualHost
  https://codedocs.cacert.org/ that provides reverse proxy functionality for
  the same host name on :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost http://funding.cacert.org/ that redirects to
  https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
  that provides reverse proxy functionality for the same host name on
  :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
  https://infradocs.cacert.org/ and the VirtualHost
  https://infradocs.cacert.org/ that provides reverse proxy functionality for
  the same host name on :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`

  Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
  https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
  that provides reverse proxy functionality for the Jenkins instance on
  :doc:`jenkins`.

Tasks
=====

Changes
=======

Planned
-------

.. todo:: manage the web system using Puppet

System Future
-------------

* No plans

Additional documentation
========================

.. note::
   The system hosted the Drupal based community portal https://www.cacert.eu/
   in the past. The DNS records for this portal have been changed to point to
   the regular https://www.cacert.org/ site. All unreachable VirtualHosts have
   been archived to the backup disk at :doc:`infra02`.

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://httpd.apache.org/docs/2.4/