[cacert-infradocs.git] / docs / systems / webstatic.rst
.. index::
   single: Systems; Webstatic

=========
Webstatic
=========

Purpose
=======

This system provides a web server for serving static content. HTTP requests
for this system are proxied through :doc:`web` which also handles TLS
termination and redirects from http scheme URLs to https.

Application Links
-----------------

Code Documentation
   https://codedocs.cacert.org/

Funding
   https://funding.cacert.org/

Infrastructure Documentation
   https://infradocs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+
| Gitolite      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* webstatic-admin@cacert.org

Additional People
-----------------

No additional people have access to this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.116`
:IP Internal: :ip:v4:`10.0.0.116`
:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Webstatic

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
codedocs.cacert.org.        IN CNAME web.cacert.org.
funding.cacert.org.         IN CNAME web.cacert.org.
infradocs.cacert.org.       IN CNAME web.cacert.org.
webstatic.cacert.org.       IN A     213.154.225.242
webstatic.cacert.org.       IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.       IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.       IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.       IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.       IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.       IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. IN A     172.16.2.116
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+----------------------------+
| Port     | Service   | Origin    | Purpose                    |
+==========+===========+===========+============================+
| 22/tcp   | ssh       | ANY       | admin console access       |
+----------+-----------+-----------+----------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA |
+----------+-----------+-----------+----------------------------+
| 80/tcp   | http      | ANY       | application                |
+----------+-----------+-----------+----------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service  |
+----------+-----------+-----------+----------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+----------------------+----------------------------------------+
| Service            | Usage                | Start mechanism                        |
+====================+======================+========================================+
| Apache httpd       | Webserver for static | init script                            |
|                    | content              | :file:`/etc/init.d/apache2`            |
+--------------------+----------------------+----------------------------------------+
| cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
+--------------------+----------------------+----------------------------------------+
| Exim               | SMTP server for      | init script                            |
|                    | local mail           | :file:`/etc/init.d/exim4`              |
|                    | submission           |                                        |
+--------------------+----------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring    | init script                            |
|                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`       |                                        |
+--------------------+----------------------+----------------------------------------+
| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
|                    | remote               |                                        |
|                    | administration       |                                        |
|                    | and git access       |                                        |
+--------------------+----------------------+----------------------------------------+
| Puppet agent       | configuration        | init script                            |
|                    | management agent     | :file:`/etc/init.d/puppet`             |
+--------------------+----------------------+----------------------------------------+
| rsyslog            | syslog daemon        | init script                            |
|                    |                      | :file:`/etc/init.d/syslog`             |
+--------------------+----------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`jenkins` for publishing code documentation to codedocs.cacert.org and
  infrastructure documentation to infradocs.cacert.org
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
  infradocs.cacert.org

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
   :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
   :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
   :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
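The SSHFP records in the DNS table and the ``SHA256:`` fingerprints in the ``sshkeys`` block above are two encodings of the same digest over the host's public key blob (hex in DNS, unpadded base64 in ``ssh-keygen -lf`` output), so an administrator can cross-check them offline before trusting a DNS change. The script below is an added example written for this page, not part of the cacert-infradocs repository; the Ed25519 key it builds is a constructed placeholder, not the real webstatic host key.

```python
"""Cross-check SSHFP RRs against OpenSSH fingerprints (added example, not project code)."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fptype 1 = SHA-1, 2 = SHA-256


def openssh_fp_to_sshfp_hex(fingerprint):
    """'SHA256:<unpadded base64>' (ssh-keygen -lf form) -> hex digest as in an SSHFP type-2 RR."""
    label, b64 = fingerprint.split(":", 1)
    if label != "SHA256":
        raise ValueError("only SHA256: fingerprints correspond to SSHFP fingerprint type 2")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore the padding ssh-keygen strips
    return raw.hex().upper()


def sshfp_hex_to_openssh_fp(hexdigest):
    """Inverse mapping: SSHFP SHA-256 hex digest -> 'SHA256:<unpadded base64>'."""
    return "SHA256:" + base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")


def openssh_sha256_fingerprint(pubkey_line):
    """Fingerprint of an OpenSSH public key line, as ssh-keygen -lf prints it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def sshfp_records(owner, pubkey_line):
    """SSHFP RRs (SHA-1 and SHA-256) for one public key line, as ssh-keygen -r would emit them."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # both fingerprint types hash the raw wire-format key blob
    algo = SSHFP_ALGO[keytype]
    return [f"{owner} IN SSHFP {algo} {fptype} {h(blob).hexdigest().upper()}"
            for fptype, h in SSHFP_HASH.items()]


def matches(fingerprint, sshfp_hexdigest):
    """True when a SHA256: fingerprint and an SSHFP type-2 digest describe the same key."""
    return openssh_fp_to_sshfp_hex(fingerprint) == sshfp_hexdigest.upper()


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample key with a placeholder 32-byte public value; NOT the real host key.
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " constructed"
```

On the host itself the same check is ``ssh-keygen -r webstatic.cacert.org -f /etc/ssh/ssh_host_rsa_key.pub`` compared with ``dig +short SSHFP webstatic.cacert.org``.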
203
Dedicated user roles
--------------------

+-------------------+---------------------------------------------------+
| Group             | Purpose                                           |
+===================+===================================================+
| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
|                   | :file:`/var/www/codedocs.cacert.org/html/` and    |
|                   | :file:`/var/www/infradocs.cacert.org/html/`       |
+-------------------+---------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed to serve
static content, and nothing else, to reduce the attack surface.

Access to the jenkins-infradocs user is restricted to a defined SSH key.

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small because access to the system is
tightly restricted. The Puppet agent is not exposed to access from outside the
system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`webstatic` to Puppet code

Keys and X.509 certificates
---------------------------

The host does not provide TLS services and therefore has no certificates.

.. todo::
   move the TLS configuration for the served VirtualHosts to :doc:`webstatic`

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests reaching this host with no
  specifically handled host name.

* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`

  Defines the VirtualHost for https://codedocs.cacert.org/

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost for https://funding.cacert.org/

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost for https://infradocs.cacert.org/

Tasks
=====

Planned
-------

.. todo:: manage the webstatic system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://httpd.apache.org/docs/2.4/