Add web and webstatic to Puppet
[cacert-infradocs.git] / docs / systems / web.rst
.. index::
   single: Systems; Web

===
Web
===

Purpose
=======

Reverse proxy for different websites that handles http to https redirection and
TLS handshakes. The following services are currently proxied by this system:

* Jenkins on :doc:`jenkins`
* funding.cacert.org and infradocs.cacert.org on :doc:`webstatic`

The proxy should be used for all web applications that do not need access to the
TLS parameters (client certificates, other peer information). Applications that
need to perform TLS handshakes themselves can be proxied through :doc:`proxyin`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* web-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.
48
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.242`
:IP Intranet: :ip:v4:`172.16.2.26`
:IP Internal: :ip:v4:`10.0.0.26`
:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Web

=====================  ========  ====================================================================
Name                   Type      Content
=====================  ========  ====================================================================
web.cacert.org.        IN A      213.154.225.242
web.cacert.org.        IN SSHFP  1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
web.cacert.org.        IN SSHFP  1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
web.cacert.org.        IN SSHFP  2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
web.cacert.org.        IN SSHFP  2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
web.cacert.org.        IN SSHFP  3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
web.cacert.org.        IN SSHFP  3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
web.intra.cacert.org.  IN A      172.16.2.26
=====================  ========  ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
92
Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)
106
Services
========

Listening services
------------------

+----------+-----------+-----------+-------------------------------------+
| Port     | Service   | Origin    | Purpose                             |
+==========+===========+===========+=====================================+
| 22/tcp   | ssh       | ANY       | admin console access                |
+----------+-----------+-----------+-------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA          |
+----------+-----------+-----------+-------------------------------------+
| 80/tcp   | http      | ANY       | redirects to https                  |
+----------+-----------+-----------+-------------------------------------+
| 443/tcp  | https     | ANY       | https termination and reverse proxy |
+----------+-----------+-----------+-------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service           |
+----------+-----------+-----------+-------------------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: nrpe
   single: openssh
   single: postfix
   single: puppet agent
   single: rsyslog

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| Apache httpd       | http redirector,    | init script                            |
|                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission          |                                        |
+--------------------+---------------------+----------------------------------------+
| Puppet agent       | configuration       | init script                            |
|                    | management agent    | :file:`/etc/init.d/puppet`             |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
* :doc:`webstatic` as backend for the funding.cacert.org and
  infradocs.cacert.org VirtualHosts
181
Security
========

.. sshkeys::
   :RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
   :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
   :ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
   :ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61
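
The SSHFP records in the DNS table and the fingerprints in the ``sshkeys``
block above describe the same host keys: an SSHFP type 2 record carries the
SHA-256 digest of the public key blob as hex, while ``ssh-keygen`` prints that
same digest as ``SHA256:`` followed by unpadded base64 (type 1 records carry a
SHA-1 digest, which cannot be derived from the SHA-256 fingerprint and is only
checked for shape here). The following script is an added example, not part of
this documentation or of any CAcert tooling. It embeds the records and
fingerprints from this page as constructed input and reports, per key
algorithm, whether the published SHA-256 record matches, differs, or is absent;
the function and status names are this example's own.

```python
"""Cross-check published SSHFP records against ssh-keygen SHA256 fingerprints.

Added example; the record and fingerprint strings are copied from the page,
everything else (function names, status labels) is this example's own.
"""
import base64
import binascii

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
# SSHFP fingerprint types and the hex digest length each implies.
SSHFP_FP_TYPES = {1: ("SHA-1", 40), 2: ("SHA-256", 64)}

# SSHFP records from the DNS table above (constructed copy of the page data).
DNS_RECORDS = """\
web.cacert.org.        IN SSHFP  1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
web.cacert.org.        IN SSHFP  1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
web.cacert.org.        IN SSHFP  2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
web.cacert.org.        IN SSHFP  2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
web.cacert.org.        IN SSHFP  3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
web.cacert.org.        IN SSHFP  3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
"""

# ssh-keygen style fingerprints from the sshkeys block above (page data).
HOST_KEY_FINGERPRINTS = {
    "RSA": "SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4",
    "DSA": "SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8",
    "ECDSA": "SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs",
    "ED25519": "SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk",
}


def parse_sshfp(zone_text):
    """Parse 'name IN SSHFP alg fptype hex' lines into (alg, fptype, hex) tuples.

    Records whose digest length does not fit the fingerprint type, or whose
    digest is not hex, are rejected rather than silently accepted.
    """
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1:3] != ["IN", "SSHFP"]:
            continue  # not an SSHFP record
        alg, fptype, digest = int(fields[3]), int(fields[4]), fields[5].upper()
        if fptype not in SSHFP_FP_TYPES:
            raise ValueError("unknown SSHFP fingerprint type %d" % fptype)
        expected_len = SSHFP_FP_TYPES[fptype][1]
        if len(digest) != expected_len or any(c not in "0123456789ABCDEF" for c in digest):
            raise ValueError("malformed digest in record: %s" % line)
        records.append((alg, fptype, digest))
    return records


def sha256_fingerprint_to_hex(fingerprint):
    """Convert an OpenSSH 'SHA256:<base64>' fingerprint to SSHFP type 2 hex.

    OpenSSH prints the 32-byte digest as base64 without '=' padding, so the
    padding is restored before decoding.
    """
    if not fingerprint.startswith("SHA256:"):
        raise ValueError("only SHA256: fingerprints are supported")
    b64 = fingerprint[len("SHA256:"):]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes")
    return binascii.hexlify(raw).decode("ascii").upper()


def check_host_keys(zone_text, fingerprints):
    """Return {algorithm name: 'match' | 'mismatch' | 'missing'}.

    Each host key in `fingerprints` is compared with the SSHFP type 2
    (SHA-256) record for its algorithm number; 'missing' means no such record
    is published at all.
    """
    published = {alg: digest for alg, fptype, digest in parse_sshfp(zone_text) if fptype == 2}
    result = {}
    for alg_num, name in SSHFP_ALGORITHMS.items():
        if name not in fingerprints:
            continue
        if alg_num not in published:
            result[name] = "missing"
        elif published[alg_num] == sha256_fingerprint_to_hex(fingerprints[name]):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


if __name__ == "__main__":
    for name, status in sorted(check_host_keys(DNS_RECORDS, HOST_KEY_FINGERPRINTS).items()):
        print("%-8s %s" % (name, status))
```

Run stand-alone, the script prints one status line per key. With the page's
data the RSA, DSA and ECDSA records match their fingerprints, and the Ed25519
key is reported as ``missing`` because the table publishes no algorithm 4
record for it; a ``mismatch`` would mean the DNS zone and the host disagree
and should be treated as a change to investigate, not as a typo to ignore.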
190
Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed for proxying
and TLS handling, to reduce potential security risks.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The Puppet agent is not exposed for access from outside
the system.
208
Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`web` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: funding.cacert.org
   :altnames: DNS:funding.cacert.org
   :certfile: /etc/ssl/certs/funding.cacert.org.crt
   :keyfile: /etc/ssl/private/funding.cacert.org.key
   :serial: 02A770
   :expiration: Feb 16 12:07:35 19 GMT
   :sha1fp: 36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
   :issuer: CAcert Class 3 Root

.. sslcert:: infradocs.cacert.org
   :altnames: DNS:infradocs.cacert.org
   :certfile: /etc/ssl/certs/infradocs.cacert.org.crt
   :keyfile: /etc/ssl/private/infradocs.cacert.org.key
   :serial: 029159
   :expiration: May 06 07:46:25 18 GMT
   :sha1fp: BA:79:60:5E:8C:21:F0:14:FF:64:6B:44:64:A0:23:F9:C3:A1:F0:C6
   :issuer: CAcert Class 3 Root

.. sslcert:: jenkins.cacert.org
   :altnames: DNS:jenkins.cacert.org
   :certfile: /etc/ssl/certs/jenkins.cacert.org.crt
   :keyfile: /etc/ssl/private/jenkins.cacert.org.key
   :serial: 02A76F
   :expiration: Feb 16 12:07:29 19 GMT
   :sha1fp: D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
   :issuer: CAcert Class 3 Root

.. sslcert:: web.cacert.org
   :altnames: DNS:web.cacert.org
   :certfile: /etc/ssl/certs/web.cacert.org.crt
   :keyfile: /etc/ssl/private/web.cacert.org.key
   :serial: 02BE3D
   :expiration: Feb 19 11:44:47 20 GMT
   :sha1fp: D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85
   :issuer: CAcert Class 3 Root

* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
  certificate for server certificate chains. The Apache httpd configuration
  files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.
259
.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests reaching this host with no
  specifically handled host name.

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost http://funding.cacert.org/ that redirects to
  https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
  that provides reverse proxy functionality for the same host name on
  :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
  https://infradocs.cacert.org/ and the VirtualHost
  https://infradocs.cacert.org/ that provides reverse proxy functionality for
  the same host name on :doc:`webstatic`.

* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`

  Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
  https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
  that provides reverse proxy functionality for the Jenkins instance on
  :doc:`jenkins`.
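
The site files above all follow one pattern: a port 80 VirtualHost that only
redirects, and a port 443 VirtualHost that terminates TLS and proxies to the
backend. The following is an added illustration of that pattern for
jenkins.cacert.org; it is not the configuration from the CAcert Puppet
repository. The certificate, key and chain paths are the ones listed under
Keys and X.509 certificates. The backend URL is a placeholder, because this
page gives no address or port for the :doc:`jenkins` backend, and the module
list (mod_ssl, mod_proxy, mod_proxy_http, mod_headers) is an assumption about
what such a configuration needs.

```apache
# Added example of the redirect + TLS reverse proxy pattern described above.
# Not the CAcert project's own site file.  Assumes mod_ssl, mod_proxy,
# mod_proxy_http and mod_headers are enabled.

<VirtualHost *:80>
    ServerName jenkins.cacert.org
    # Plain http only exists to send clients to the https site.
    Redirect permanent / https://jenkins.cacert.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName jenkins.cacert.org

    # TLS termination with the paths listed under "Keys and X.509 certificates".
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/jenkins.cacert.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/jenkins.cacert.org.key
    SSLCertificateChainFile /etc/ssl/certs/class3.pem

    # Never act as an open forward proxy; only the explicit mapping below applies.
    ProxyRequests Off

    # Keep the client's Host header so the backend builds correct absolute
    # URLs, and tell it that TLS was already terminated here.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # PLACEHOLDER backend address: the page does not state the real one.
    ProxyPass        / http://jenkins-backend.example:8080/
    ProxyPassReverse / http://jenkins-backend.example:8080/
</VirtualHost>
```

The backend does not see the TLS parameters at all, which is exactly why the
Purpose section restricts this proxy to applications that do not need them;
an application that must inspect client certificates belongs behind
:doc:`proxyin` instead.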
292
Tasks
=====

Planned
-------

.. todo:: manage the web system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. note::
   The system hosted the Drupal-based community portal https://www.cacert.eu/
   in the past. The DNS records for this portal have been changed to point to
   the regular https://www.cacert.org/ site. All unreachable VirtualHosts have
   been archived to the backup disk at :doc:`infra02`.

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://httpd.apache.org/docs/2.4/