Add web and webstatic to Puppet
[cacert-infradocs.git] / docs / systems / webstatic.rst
.. index::
   single: Systems; Webstatic

=========
Webstatic
=========

Purpose
=======

This system provides a web server for serving static content. HTTP requests
for this system are proxied through :doc:`web`, which also handles TLS
termination and redirects from http-scheme URLs to https.

Application Links
-----------------

Funding
   https://funding.cacert.org/

Infrastructure Documentation
   https://infradocs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+
| Gitolite      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* webstatic-admin@cacert.org

Additional People
-----------------

No additional people have access to this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.116`
:IP Internal: :ip:v4:`10.0.0.116`
:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Webstatic

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
funding.cacert.org.         IN CNAME webstatic.cacert.org.
infradocs.cacert.org.       IN CNAME webstatic.cacert.org.
webstatic.cacert.org.       IN A     213.154.225.242
webstatic.cacert.org.       IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.       IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.       IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.       IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.       IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.       IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. IN A     172.16.2.116
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console and gitolite access       |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+----------------------+----------------------------------------+
| Service            | Usage                | Start mechanism                        |
+====================+======================+========================================+
| Apache httpd       | Webserver for static | init script                            |
|                    | content              | :file:`/etc/init.d/apache2`            |
+--------------------+----------------------+----------------------------------------+
| cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
+--------------------+----------------------+----------------------------------------+
| Exim               | SMTP server for      | init script                            |
|                    | local mail           | :file:`/etc/init.d/exim4`              |
|                    | submission           |                                        |
+--------------------+----------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring    | init script                            |
|                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`       |                                        |
+--------------------+----------------------+----------------------------------------+
| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
|                    | remote               |                                        |
|                    | administration       |                                        |
|                    | and git access       |                                        |
+--------------------+----------------------+----------------------------------------+
| Puppet agent       | configuration        | init script                            |
|                    | management agent     | :file:`/etc/init.d/puppet`             |
+--------------------+----------------------+----------------------------------------+
| rsyslog            | syslog daemon        | init script                            |
|                    |                      | :file:`/etc/init.d/syslog`             |
+--------------------+----------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`jenkins` for publishing infrastructure documentation to
  infradocs.cacert.org
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
  infradocs.cacert.org

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
   :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
   :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
   :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d

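The SSHFP records in the DNS section and the fingerprints listed above describe
the same host keys in two encodings. An SSHFP record carries the hex SHA-1
(fingerprint type 1) or SHA-256 (type 2) digest of the raw key blob, keyed by
algorithm number (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519), while ``ssh-keygen -l``
prints the SHA-256 digest of the same blob as unpadded base64 behind
``SHA256:``. The DNS table publishes records for algorithms 1 to 3; an Ed25519
host key would be published as algorithm 4. The following Python script is an
added example and not part of this documentation or of any CAcert tooling. It
derives both encodings from an OpenSSH public key line and checks a key set
against a list of SSHFP records, so that published records can be cross-checked
against ``ssh-keyscan`` output after a host key rotation. The key and the
records in it are constructed dummies, not the keys of webstatic.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the key type
# string that appears in the first field of an OpenSSH public key line.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob) for a .pub line or an ssh-keyscan output line."""
    fields = line.split()
    # .pub files read "keytype base64 [comment]"; ssh-keyscan prints "host keytype base64".
    if fields[0] in SSHFP_ALGORITHMS:
        key_type, b64 = fields[0], fields[1]
    else:
        key_type, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    # The blob starts with its own key type string; it must agree with the text field.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode()
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {embedded!r}")
    return key_type, blob


def sshfp_hex(line: str, fp_type: int) -> str:
    """Hex digest as published in an SSHFP record (SHA-1 for type 1, SHA-256 for type 2)."""
    _, blob = parse_pubkey_line(line)
    return SSHFP_HASHES[fp_type](blob).hexdigest().upper()


def openssh_fingerprint(line: str) -> str:
    """SHA256:... fingerprint as printed by ssh-keygen -l (unpadded base64 of SHA-256)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_to_sshfp_hex(fingerprint: str) -> str:
    """Convert a SHA256:... fingerprint to the hex form of an SSHFP '<alg> 2' record."""
    b64 = fingerprint.split(":", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore the padding ssh-keygen strips
    return base64.b64decode(b64).hex().upper()


def verify_sshfp(pubkey_lines, records):
    """Map each key type to True if some (alg, fptype, hex) SSHFP record matches it."""
    result = {}
    for line in pubkey_lines:
        key_type, _ = parse_pubkey_line(line)
        alg = SSHFP_ALGORITHMS[key_type]
        result[key_type] = any(
            r_alg == alg and r_type in SSHFP_HASHES
            and r_hex.upper() == sshfp_hex(line, r_type)
            for r_alg, r_type, r_hex in records
        )
    return result


# Constructed sample: a syntactically valid ssh-ed25519 key blob built from 32
# dummy bytes. It is NOT a real host key and not the key of webstatic.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode()

# Constructed SSHFP record set: one correct "4 2" record for the sample key plus
# a stale "4 2" record (all-zero digest) that must not match anything.
SAMPLE_RECORDS = [
    (4, 2, sshfp_hex(SAMPLE_KEY, 2)),
    (4, 2, "00" * 32),
]

if __name__ == "__main__":
    print(openssh_fingerprint(SAMPLE_KEY))
    print("SSHFP 4 1", sshfp_hex(SAMPLE_KEY, 1))
    print("SSHFP 4 2", sshfp_hex(SAMPLE_KEY, 2))
    print(verify_sshfp([SAMPLE_KEY], SAMPLE_RECORDS))
```

In practice ``pubkey_lines`` would come from ``ssh-keyscan`` run against the
host from a trusted network and ``records`` from a DNSSEC-validated SSHFP
lookup; a key type whose result is ``False`` means the DNS records are stale or
the host key has changed and the change needs to be verified before the
records are updated.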
Dedicated user roles
--------------------

+-------------------+---------------------------------------------------+
| Group             | Purpose                                           |
+===================+===================================================+
| git               | User for :program:`gitolite`                      |
+-------------------+---------------------------------------------------+
| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
|                   | :file:`/var/www/infradocs.cacert.org/html/`       |
+-------------------+---------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

The :program:`gitolite` version in use is from Debian Jessie and should be
replaced either by :program:`gitolite3` from Debian Stretch or by a combination
of git repositories on :doc:`git` and web hooks for triggering updates.

.. todo:: replace :program:`gitolite` with a maintained service

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of enabled modules needed to
serve static content and nothing else, to reduce the potential attack surface.

Access to :program:`gitolite` and to the jenkins-infradocs user is gated by a
defined set of SSH keys.

.. todo:: check access on gitolite repositories

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The Puppet agent is not exposed for access from outside
the system.

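One way to check the "minimum of enabled modules" property on a running host is
to compare the ``Loaded Modules:`` listing printed by ``apache2ctl -M`` against
an allowlist of the modules a static-only server needs, and to name the modules
that add code execution, content generation or information exposure. The
following Python script is an added example, not part of this documentation or
of the Puppet code that manages this host. Its allowlist and its table of risky
modules are assumptions for a static-content server behind a reverse proxy,
and both module listings are constructed samples, not output captured from
webstatic.

```python
import re

# Assumed allowlist for a static-content-only httpd: what is needed to serve
# files, log requests and apply host-based access control, and nothing that
# executes code or generates content. An assumption for this example, not the
# module set of webstatic.
STATIC_ONLY_ALLOWLIST = {
    "core_module", "so_module", "watchdog_module", "http_module",
    "log_config_module", "logio_module", "version_module", "unixd_module",
    "mpm_event_module", "authz_core_module", "authz_host_module",
    "alias_module", "dir_module", "mime_module", "env_module",
    "setenvif_module", "reqtimeout_module", "deflate_module", "filter_module",
    "remoteip_module",  # recover client addresses behind the reverse proxy
}

# Modules whose presence on a static-only server deserves an explicit finding.
RISKY_MODULES = {
    "cgi_module": "executes CGI scripts",
    "cgid_module": "executes CGI scripts",
    "autoindex_module": "generates directory listings",
    "userdir_module": "serves per-user directories",
    "proxy_module": "turns the server into a proxy",
    "include_module": "enables server-side includes",
    "status_module": "exposes server status",
    "info_module": "exposes server configuration",
    "dav_module": "enables WebDAV write access",
}

# One line of apache2ctl -M output: " name_module (static|shared)"
_MODULE_LINE = re.compile(r"^\s*(\S+_module)\s+\((static|shared)\)\s*$")


def parse_loaded_modules(output: str) -> set:
    """Parse the 'Loaded Modules:' listing printed by apache2ctl -M into a set of names."""
    modules = set()
    for line in output.splitlines():
        match = _MODULE_LINE.match(line)
        if match:
            modules.add(match.group(1))
    return modules


def audit_modules(enabled: set, allowlist: set = STATIC_ONLY_ALLOWLIST):
    """Return (findings, unknown).

    findings: sorted (module, reason) pairs for risky modules outside the allowlist.
    unknown:  sorted names of other modules outside the allowlist, for manual review.
    """
    extra = enabled - allowlist
    findings = sorted((m, RISKY_MODULES[m]) for m in extra if m in RISKY_MODULES)
    unknown = sorted(m for m in extra if m not in RISKY_MODULES)
    return findings, unknown


def audit_output(output: str, allowlist: set = STATIC_ONLY_ALLOWLIST):
    """Convenience wrapper: audit raw apache2ctl -M text."""
    return audit_modules(parse_loaded_modules(output), allowlist)


# Constructed sample listing of a host that still carries modules a static
# server does not need (not captured from webstatic).
SAMPLE_OUTPUT = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 alias_module (shared)
 dir_module (shared)
 mime_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 php7_module (shared)
 status_module (shared)
"""

# Constructed sample listing that stays within the allowlist.
HARDENED_OUTPUT = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 log_config_module (static)
 unixd_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 alias_module (shared)
 dir_module (shared)
 mime_module (shared)
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        findings, unknown = audit_output(text)
        print(name, "findings:", findings, "unknown:", unknown)
```

Modules reported under ``unknown`` (here the PHP module) are not necessarily
dangerous, but on a host whose documented purpose is static content each one
should either be disabled with ``a2dismod`` or added to the allowlist with a
written reason, so that the audit stays a reliable description of the attack
surface.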
Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`webstatic` to Puppet code

Keys and X.509 certificates
---------------------------

The host does not provide TLS services and therefore has no certificates.

.. todo::
   move the TLS configuration for the served VirtualHosts to :doc:`webstatic`

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests reaching this host with no
  specifically handled host name.

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost for https://funding.cacert.org/

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost for https://infradocs.cacert.org/

Tasks
=====

Planned
-------

.. todo:: manage the webstatic system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://httpd.apache.org/docs/2.4/
* http://gitolite.com/gitolite/migr/