Maintenance on web
[cacert-infradocs.git] / docs / systems / web.rst
.. index::
   single: Systems; Web

===
Web
===

Purpose
=======

Reverse proxy in front of several websites. It handles the HTTP to HTTPS
redirection and performs the TLS handshakes, i.e. TLS is terminated on this
host rather than on the backends. The following services are currently
proxied by this system:

* Jenkins on :doc:`jenkins`
* funding.cacert.org and infradocs.cacert.org on :doc:`webstatic`

The proxy should be used for all web applications that do not need access to
the TLS parameters (client certificates, other peer information); because the
handshake ends here, the backend never sees them. Applications that need to
perform the TLS handshake themselves can be proxied through :doc:`proxyin`
instead.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* web-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on this machine as well.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.242`
:IP Intranet: :ip:v4:`172.16.2.26`
:IP Internal: :ip:v4:`10.0.0.26`
:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; <machine>

===================== ======== ====================================================================
Name                  Type     Content
===================== ======== ====================================================================
web.cacert.org.       IN A     213.154.225.242
web.cacert.org.       IN SSHFP 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
web.cacert.org.       IN SSHFP 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
web.cacert.org.       IN SSHFP 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
web.cacert.org.       IN SSHFP 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
web.cacert.org.       IN SSHFP 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
web.cacert.org.       IN SSHFP 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
web.intra.cacert.org. IN A     172.16.2.26
===================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.3

* Debian GNU/Linux 9.3

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | redirects to https                      |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | https termination and reverse proxy     |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Apache httpd       | http redirector,    | init script                            |
|                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission          |                                        |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
* :doc:`webstatic` as backend for the funding.cacert.org and
  infradocs.cacert.org VirtualHosts

Security
========

.. sshkeys::
   :RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
   :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
   :ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
   :ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61

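The SSHFP records in the DNS table and the ``sshkeys`` block above describe the
same host keys, so they can be cross-checked: an SSHFP record of type 2 carries
the SHA-256 of the public key blob in hex, and OpenSSH's ``SHA256:`` fingerprint
is the same digest in unpadded base64. The script below is an added example for
this page, not part of the cacert-infradocs tooling; it converts one form into
the other and reports, per key type, whether the zone agrees with the documented
key. The record and fingerprint values are copied from the two tables, nothing
else is assumed. Two limits are worth knowing: the type 1 (SHA-1) records have
no counterpart on this page and are not checked, and the ``sshkeys`` block lists
an Ed25519 key for which the DNS table publishes no SSHFP record, so that key is
reported as missing and the zone line that would publish it is printed.

```python
"""Cross-check the SSHFP records published for web.cacert.org against the
host key fingerprints documented on this page.

Added example for this page, not part of the cacert-infradocs tooling.  The
record and fingerprint values are copied from the tables above; the check
itself is generic.
"""
import base64

# SSHFP algorithm numbers (RFC 4255: RSA=1, DSA=2; RFC 6594: ECDSA=3;
# RFC 7479: Ed25519=4).  Fingerprint type 1 is SHA-1, type 2 is SHA-256.
SSHFP_ALGORITHM = {"RSA": 1, "DSA": 2, "ECDSA": 3, "ED25519": 4}
FPTYPE_SHA256 = 2

# (algorithm, fingerprint type, hex digest) copied from the DNS table above.
PAGE_SSHFP_RECORDS = [
    (1, 1, "85F5338D90930200CBBFCE1AAB56988B4C8F0F22"),
    (1, 2, "D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E"),
    (2, 1, "906F0C17BB0E233B0F52CE33CFE64038D45AC4F2"),
    (2, 2, "DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F"),
    (3, 1, "7B62D8D1E093C28CDA0F3D2444846128B41C10DE"),
    (3, 2, "0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B"),
]

# OpenSSH SHA256 fingerprints copied from the sshkeys block above.  The MD5
# values listed there correspond to no SSHFP type and are left out.
PAGE_HOST_KEYS = {
    "RSA": "SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4",
    "DSA": "SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8",
    "ECDSA": "SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs",
    "ED25519": "SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk",
}


def sha256_fingerprint_to_sshfp_hex(fingerprint):
    """Turn an OpenSSH ``SHA256:<base64>`` fingerprint into the upper-case hex
    digest an SSHFP type 2 record carries.

    Both are the SHA-256 of the same raw public key blob; OpenSSH merely
    base64-encodes it without padding, which is restored here.
    """
    prefix = "SHA256:"
    if not fingerprint.startswith(prefix):
        raise ValueError("expected an OpenSSH SHA256: fingerprint")
    b64 = fingerprint[len(prefix):]
    digest = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes")
    return digest.hex().upper()


def check_sshfp(records, host_keys):
    """Compare each documented host key with the published SHA-256 SSHFP
    record for its algorithm.

    Returns ``"match"``, ``"mismatch"`` or ``"missing"`` per key name.  A
    ``"missing"`` key type is one that ``ssh -o VerifyHostKeyDNS=yes`` can
    never validate from DNS; a ``"mismatch"`` means the zone or this page is
    stale, e.g. a key was rotated without updating DNS.
    """
    published = {(alg, fptype): fp.upper() for alg, fptype, fp in records}
    result = {}
    for name, fingerprint in host_keys.items():
        expected = sha256_fingerprint_to_sshfp_hex(fingerprint)
        actual = published.get((SSHFP_ALGORITHM[name], FPTYPE_SHA256))
        if actual is None:
            result[name] = "missing"
        elif actual == expected:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def sshfp_rdata(name, fingerprint):
    """Render the SSHFP RDATA (type 2) that publishes ``fingerprint``, i.e.
    the zone line content needed for a key type reported as missing."""
    return "%d %d %s" % (SSHFP_ALGORITHM[name], FPTYPE_SHA256,
                         sha256_fingerprint_to_sshfp_hex(fingerprint))


if __name__ == "__main__":
    status = check_sshfp(PAGE_SSHFP_RECORDS, PAGE_HOST_KEYS)
    for name in sorted(status):
        print("%-8s %s" % (name, status[name]))
        if status[name] == "missing":
            print("         add: web.cacert.org. IN SSHFP %s"
                  % sshfp_rdata(name, PAGE_HOST_KEYS[name]))
```

For a live check rather than a check of this page, feed ``PAGE_HOST_KEYS`` from
``ssh-keygen -lf`` on the host's public key files and ``PAGE_SSHFP_RECORDS``
from ``dig +short SSHFP web.cacert.org``; the comparison logic stays the same.
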
Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments on critical packages
-------------------------------------

Apache httpd runs with only the modules needed for TLS handling and reverse
proxying enabled, to keep its attack surface small.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: funding.cacert.org
   :altnames: DNS:funding.cacert.org
   :certfile: /etc/ssl/certs/funding.cacert.org.crt
   :keyfile: /etc/ssl/private/funding.cacert.org.key
   :serial: 02A770
   :expiration: Feb 16 12:07:35 19 GMT
   :sha1fp: 36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
   :issuer: CAcert Class 3 Root

.. sslcert:: infradocs.cacert.org
   :altnames: DNS:infradocs.cacert.org
   :certfile: /etc/ssl/certs/infradocs.cacert.org.crt
   :keyfile: /etc/ssl/private/infradocs.cacert.org.key
   :serial: 029159
   :expiration: May 06 07:46:25 18 GMT
   :sha1fp: BA:79:60:5E:8C:21:F0:14:FF:64:6B:44:64:A0:23:F9:C3:A1:F0:C6
   :issuer: CAcert Class 3 Root

.. sslcert:: jenkins.cacert.org
   :altnames: DNS:jenkins.cacert.org
   :certfile: /etc/ssl/certs/jenkins.cacert.org.crt
   :keyfile: /etc/ssl/private/jenkins.cacert.org.key
   :serial: 02A76F
   :expiration: Feb 16 12:07:29 19 GMT
   :sha1fp: D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
   :issuer: CAcert Class 3 Root

.. sslcert:: web.cacert.org
   :altnames: DNS:web.cacert.org
   :certfile: /etc/ssl/certs/web.cacert.org.crt
   :keyfile: /etc/ssl/private/web.cacert.org.key
   :serial: 02BE3D
   :expiration: Feb 19 11:44:47 20 GMT
   :sha1fp: D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85
   :issuer: CAcert Class 3 Root

* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
  certificate for server certificate chains. The Apache httpd configuration
  files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

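A check an operator would want on this inventory, given here as an added
example (not part of the cacert-infradocs tooling): parse what ``openssl x509
-noout -serial -enddate -fingerprint -sha1 -issuer -in FILE`` prints for a
deployed certificate, compare it with the documented serial, expiry, SHA-1
fingerprint and issuer, and list which documented certificates fall due within
a given window. The inventory values are copied from the ``sslcert`` entries
above. The openssl output in the script is constructed to match the
funding.cacert.org entry so that the script runs without the certificate files;
the two-digit year in the expiration field is taken from this page, while
openssl itself prints four digits, which the parser accepts as well.

```python
"""Check a deployed certificate against the inventory documented on this page
and flag documented certificates that fall due soon.

Added example for this page, not part of the cacert-infradocs tooling.  The
inventory values are copied from the sslcert entries above; the sample openssl
output is constructed so the script runs without the certificate files.
"""
from datetime import datetime, timedelta

ISSUER_CN = "CAcert Class 3 Root"  # documented issuer of all four certificates

# name -> (serial, expiration as written on this page, SHA-1 fingerprint)
PAGE_CERTIFICATES = {
    "funding.cacert.org": ("02A770", "Feb 16 12:07:35 19 GMT",
        "36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9"),
    "infradocs.cacert.org": ("029159", "May 06 07:46:25 18 GMT",
        "BA:79:60:5E:8C:21:F0:14:FF:64:6B:44:64:A0:23:F9:C3:A1:F0:C6"),
    "jenkins.cacert.org": ("02A76F", "Feb 16 12:07:29 19 GMT",
        "D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D"),
    "web.cacert.org": ("02BE3D", "Feb 19 11:44:47 20 GMT",
        "D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85"),
}

# Constructed sample of what
#   openssl x509 -noout -serial -enddate -fingerprint -sha1 -issuer \
#       -in /etc/ssl/certs/funding.cacert.org.crt
# prints; the values are the documented ones, the DN layout is OpenSSL 1.1's.
SAMPLE_OPENSSL_OUTPUT = """\
serial=02A770
notAfter=Feb 16 12:07:35 2019 GMT
SHA1 Fingerprint=36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
issuer=O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
"""


def parse_not_after(text):
    """Parse an OpenSSL notAfter timestamp.  This page abbreviates the year
    to two digits ("... 19 GMT"), openssl prints four; both are accepted."""
    for fmt in ("%b %d %H:%M:%S %Y GMT", "%b %d %H:%M:%S %y GMT"):
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised notAfter value: %r" % text)


def parse_openssl_x509(output):
    """Map the key=value lines printed by openssl x509 onto the field names
    used below; lines that are not of interest are ignored."""
    wanted = {"serial": "serial", "notAfter": "expiration",
              "SHA1 Fingerprint": "sha1fp", "issuer": "issuer"}
    live = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in wanted:
            live[wanted[key.strip()]] = value.strip()
    return live


def compare_certificate(name, live):
    """Return drift findings for one certificate; an empty list means the
    deployed certificate is exactly the documented one."""
    serial, expiration, sha1fp = PAGE_CERTIFICATES[name]
    findings = []
    if live.get("serial", "").upper() != serial:
        findings.append("%s: serial %r, documented %r" % (name, live.get("serial"), serial))
    if live.get("sha1fp", "").upper() != sha1fp:
        findings.append("%s: sha1fp %r, documented %r" % (name, live.get("sha1fp"), sha1fp))
    if "expiration" in live and \
            parse_not_after(live["expiration"]) != parse_not_after(expiration):
        findings.append("%s: expiration %r, documented %r"
                        % (name, live["expiration"], expiration))
    # The page records only the issuer CN; openssl prints the whole DN.
    if "issuer" in live and ISSUER_CN not in live["issuer"]:
        findings.append("%s: issuer %r, documented %r" % (name, live["issuer"], ISSUER_CN))
    return findings


def days_until_expiry(name, reference):
    """Whole days from ``reference`` to the documented expiry; negative once
    the certificate has expired."""
    return (parse_not_after(PAGE_CERTIFICATES[name][1]) - reference).days


def expiring_within(days, reference):
    """Documented certificates due within ``days`` of ``reference``, soonest
    first (already expired ones included), as a renewal work list."""
    limit = reference + timedelta(days=days)
    due = sorted((parse_not_after(v[1]), n) for n, v in PAGE_CERTIFICATES.items())
    return [n for expiry, n in due if expiry <= limit]


if __name__ == "__main__":
    print("drift:", compare_certificate(
        "funding.cacert.org", parse_openssl_x509(SAMPLE_OPENSSL_OUTPUT)))
    now = datetime.now()
    for name in expiring_within(90, now):
        print("%s expires in %d days" % (name, days_until_expiry(name, now)))
```

Run against the real files on the host (``sudo openssl x509 ... -in
/etc/ssl/certs/<name>.crt``), the drift check catches a certificate that was
renewed without this page being updated, and the work list makes the ordering
visible: by the documented dates infradocs.cacert.org is the first to fall due,
well before the other three.
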
Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost, which answers requests reaching this host
  with a host name that no other VirtualHost handles.

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost http://funding.cacert.org/ that redirects to
  https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
  that provides reverse proxy functionality for the same host name on
  :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
  https://infradocs.cacert.org/ and the VirtualHost
  https://infradocs.cacert.org/ that provides reverse proxy functionality for
  the same host name on :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`

  Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
  https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
  that provides reverse proxy functionality for the Jenkins instance on
  :doc:`jenkins`.

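The VirtualHost pair described above, written out as an added example; this is
not the project's actual jenkins.cacert.org.conf. It shows the split the
Purpose section relies on: a port 80 VirtualHost that does nothing but
redirect, and a port 443 VirtualHost that terminates TLS with the certificate,
key and Class 3 chain listed under Keys and X.509 certificates and then proxies
plain requests to the backend. The backend URL
http://jenkins.intra.cacert.org:8080/ is an assumption (the page names the
backend only as :doc:`jenkins`), and so are the ``SSLProtocol`` and
``Strict-Transport-Security`` lines, which are ordinary hardening choices
rather than settings taken from this host. Because the handshake ends here,
the backend cannot see client certificates, which is why such applications go
through :doc:`proxyin` instead.

```apache
# Added example, not the project's own file.  Assumed values are marked.
# Required modules: ssl, proxy, proxy_http, headers, alias.

<VirtualHost *:80>
    ServerName jenkins.cacert.org
    # Port 80 exists only to send clients to https; nothing is proxied here.
    Redirect permanent / https://jenkins.cacert.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName jenkins.cacert.org

    # TLS termination with the files listed under "Keys and X.509 certificates".
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/jenkins.cacert.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/jenkins.cacert.org.key
    SSLCertificateChainFile /etc/ssl/certs/class3.pem
    # Assumed hardening, not copied from the host: no SSLv3, TLS 1.0 or 1.1.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # This proxy never asks for client certificates; applications that need
    # them cannot sit behind it and are reached through proxyin instead.
    SSLVerifyClient none

    # Assumed hardening: HSTS, sent only on the https VirtualHost.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy to the backend (assumed URL; the page only names the
    # backend system as "jenkins").  ProxyRequests stays off so this host can
    # not be abused as a forward proxy; ProxyPreserveHost and the
    # X-Forwarded-* headers let Jenkins build https://jenkins.cacert.org/
    # URLs although it only ever sees plain http from this host.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"
    AllowEncodedSlashes NoDecode
    ProxyPass        / http://jenkins.intra.cacert.org:8080/ nocanon
    ProxyPassReverse / http://jenkins.intra.cacert.org:8080/
</VirtualHost>
```

The funding.cacert.org and infradocs.cacert.org files follow the same shape
with their own certificate files and :doc:`webstatic` as backend. Check the
result with ``apachectl configtest`` before ``systemctl reload apache2``, and
confirm the redirect and the termination separately, e.g. ``curl -sI
http://jenkins.cacert.org/`` should return a 301 to the https URL and ``curl
-sI https://jenkins.cacert.org/`` the proxied response.
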
Tasks
=====

Planned
-------

.. todo:: manage the web system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. note::
   The system hosted the Drupal based community portal https://www.cacert.eu/
   in the past. The DNS records for this portal have been changed to point to
   the regular https://www.cacert.org/ site. All VirtualHosts that are no
   longer reachable have been archived to the backup disk at :doc:`infra02`.

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://httpd.apache.org/docs/2.4/