7b96d44a36f8b1380895110efc7cb2ac488a1a88
[cacert-infradocs.git] / docs / systems / webstatic.rst
.. index::
   single: Systems; Webstatic

=========
Webstatic
=========

Purpose
=======

This system provides a web server for serving static content. HTTP requests
for this system are proxied through :doc:`web` which also handles TLS
termination and redirects from http scheme URLs to https.

Application Links
-----------------

Funding
   https://funding.cacert.org/

Infrastructure Documentation
   https://infradocs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+
| Gitolite      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* webstatic-admin@cacert.org

Additional People
-----------------

No additional people have access to this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.116`
:IP Internal: :ip:v4:`10.0.0.116`
:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Webstatic

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
funding.cacert.org.         IN CNAME webstatic.cacert.org.
infradocs.cacert.org.       IN CNAME webstatic.cacert.org.
webstatic.cacert.org.       IN A     213.154.225.242
webstatic.cacert.org.       IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.       IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.       IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.       IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.       IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.       IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. IN A     172.16.2.116
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console and gitolite access       |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: Exim
   single: cron
   single: nginx
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+----------------------+----------------------------------------+
| Service            | Usage                | Start mechanism                        |
+====================+======================+========================================+
| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
|                    | remote               |                                        |
|                    | administration       |                                        |
|                    | and git access       |                                        |
+--------------------+----------------------+----------------------------------------+
| Apache httpd       | Webserver for static | init script                            |
|                    | content              | :file:`/etc/init.d/apache2`            |
+--------------------+----------------------+----------------------------------------+
| cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
+--------------------+----------------------+----------------------------------------+
| rsyslog            | syslog daemon        | init script                            |
|                    |                      | :file:`/etc/init.d/syslog`             |
+--------------------+----------------------+----------------------------------------+
| Exim               | SMTP server for      | init script                            |
|                    | local mail           | :file:`/etc/init.d/exim4`              |
|                    | submission           |                                        |
+--------------------+----------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring    | init script                            |
|                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`       |                                        |
+--------------------+----------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`jenkins` for publishing infrastructure documentation to
  infradocs.cacert.org
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
  infradocs.cacert.org

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
   :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
   :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
   :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
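
The DNS table above publishes SSHFP records (RFC 4255, RFC 6594) for the RSA, DSA and ECDSA host keys, and the fingerprints listed here additionally cover an Ed25519 key. An SSHFP record carries the SHA-1 (type 1) or SHA-256 (type 2) digest of the raw host key blob, so a defender can recompute the expected rdata from a public key and compare it with what DNS says. The Python below is an added example, not part of this page or of the CAcert infrastructure: the record lines are copied from the table above, the RSA ``SHA256:`` fingerprint is copied from the list here, and the Ed25519 key in it is constructed (an all-0x42 key wrapped in a syntactically valid OpenSSH wire blob), not the webstatic host key. It also re-encodes an SSHFP type-2 digest into the ``SHA256:`` form ``ssh-keygen -l`` prints, which shows that the ``1 2`` record and the RSA fingerprint above are the same digest in hex and base64 form, and it reports that no SSHFP record exists on this page for algorithm 4 (Ed25519).

```python
"""Cross-check SSHFP DNS records against SSH host key fingerprints.

Added example, not part of the infradocs page. SSHFP rdata is
"<algorithm> <fingerprint type> <hex digest>" (RFC 4255 / RFC 6594); the
digest is taken over the raw public key blob, i.e. the base64 part of an
OpenSSH public key line.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RSA=1, DSA=2, ECDSA=3 (RFC 6594), Ed25519=4 (RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# SSHFP lines copied from the DNS table of this page (algorithms 1 to 3 only).
PAGE_SSHFP_LINES = [
    "webstatic.cacert.org. IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF",
    "webstatic.cacert.org. IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F",
    "webstatic.cacert.org. IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6",
    "webstatic.cacert.org. IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547",
    "webstatic.cacert.org. IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4",
    "webstatic.cacert.org. IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7",
]
# RSA host key fingerprint as listed under Security on this page.
PAGE_RSA_SHA256 = "SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8"


def parse_sshfp_lines(lines):
    """Parse '<name> IN SSHFP <alg> <type> <hex>' lines into (alg, type, HEX) tuples."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 6 and fields[1:3] == ["IN", "SSHFP"]:
            records.append((int(fields[3]), int(fields[4]), fields[5].upper()))
    return records


def key_blob(openssh_line):
    """Split an OpenSSH public key line into (key type, raw wire blob bytes)."""
    key_type, b64 = openssh_line.split()[:2]
    return key_type, base64.b64decode(b64)


def sshfp_fingerprints(openssh_line):
    """Return {(alg, type): HEX}: the SSHFP rdata this key should be published with."""
    key_type, blob = key_blob(openssh_line)
    alg = SSHFP_ALGORITHM[key_type]
    return {(alg, t): digest(blob).hexdigest().upper() for t, digest in SSHFP_DIGEST.items()}


def sshfp_to_openssh_sha256(hex_digest):
    """Re-encode an SSHFP type-2 digest as the 'SHA256:<base64, no padding>' form of ssh-keygen -l."""
    return "SHA256:" + base64.b64encode(bytes.fromhex(hex_digest)).decode().rstrip("=")


def openssh_sha256_fingerprint(openssh_line):
    """The SHA256 fingerprint ssh-keygen -l would print for this key."""
    _, blob = key_blob(openssh_line)
    return sshfp_to_openssh_sha256(hashlib.sha256(blob).hexdigest())


def check_records(openssh_line, records):
    """Compare the published records of this key's algorithm with the key itself.

    Returns (matched, mismatched). A mismatch means DNS and the host disagree,
    which is what an SSHFP-verifying client would refuse to trust.
    """
    expected = sshfp_fingerprints(openssh_line)
    alg = next(iter(expected))[0]
    matched, mismatched = [], []
    for rec in records:
        if rec[0] != alg:
            continue  # record belongs to another host key type
        (matched if expected.get(rec[:2]) == rec[2] else mismatched).append(rec)
    return matched, mismatched


def algorithms_without_records(records):
    """Algorithm numbers known here that have no SSHFP record at all."""
    return sorted(set(SSHFP_ALGORITHM.values()) - {alg for alg, _, _ in records})


def constructed_ed25519_key():
    """A syntactically valid ssh-ed25519 line around an all-0x42 key (NOT a real host key)."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", 32) + b"\x42" * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    records = parse_sshfp_lines(PAGE_SSHFP_LINES)
    print("algorithms without SSHFP records:", algorithms_without_records(records))
    rsa_sha256 = next(h for a, t, h in records if (a, t) == (1, 2))
    print("SSHFP 1 2 as ssh-keygen form:", sshfp_to_openssh_sha256(rsa_sha256))
    key = constructed_ed25519_key()
    for (alg, fptype), digest in sshfp_fingerprints(key).items():
        print(f"expected rdata for the constructed key: {alg} {fptype} {digest}")
    print("records matching the constructed key:", check_records(key, records))
```

The same comparison applies to the real host: feed ``sshfp_fingerprints`` a line from ``/etc/ssh/ssh_host_*_key.pub`` and the records returned by a DNS query, and any entry in ``mismatched`` or any algorithm in ``algorithms_without_records`` is something to fix in the zone.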

Dedicated user roles
--------------------

+-------------------+---------------------------------------------------+
| Group             | Purpose                                           |
+===================+===================================================+
| git               | User for :program:`gitolite`                      |
+-------------------+---------------------------------------------------+
| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
|                   | :file:`/var/www/infradocs.cacert.org/html/`       |
+-------------------+---------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The :program:`gitolite` version in use is from Debian Jessie; it should be
replaced either by :program:`gitolite3` from Debian Stretch or by a
combination of git repositories on :doc:`git` and web hooks that trigger
updates.

.. todo:: replace :program:`gitolite` with a maintained service

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed to serve
static content, and nothing else, to reduce its attack surface.
222
223 Access to :program:`gitolite` and the jenkins-infradocs user is gated by a
224 defined set of ssh keys.
225
226 .. todo:: check access on gitolite repositories
227
228 Critical Configuration items
229 ============================
230
231 Keys and X.509 certificates
232 ---------------------------
233
234 The host does not provide TLS services and therefore has no certificates.
235
236 .. todo::
237 move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
238
239 Apache httpd configuration
240 --------------------------
241
242 The main configuration files for Apache httpd are:
243
244 * :file:`/etc/apache2/sites-available/000-default.conf`
245
246 Defines the default VirtualHost for requests reaching this host with no
247 specifically handled host name.
248
249 * :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
250
251 Defines the VirtualHost for https://funding.cacert.org/
252
253 * :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

Tasks
=====

Planned
-------

.. todo:: manage the webstatic system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://httpd.apache.org/docs/2.4/
* http://gitolite.com/gitolite/migr/