.. index::
   single: Systems; Webstatic

=========
Webstatic
=========

Purpose
=======

This system provides a web server for serving static content. HTTP requests
for this system are proxied through :doc:`web` which also handles TLS
termination and redirects from http scheme URLs to https.

Application Links
-----------------

Code Documentation
   https://codedocs.cacert.org/

Funding
   https://funding.cacert.org/

Infrastructure Documentation
   https://infradocs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+
| Gitolite      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* webstatic-admin@cacert.org

Additional People
-----------------

No additional people have access to this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.116`
:IP Internal: :ip:v4:`10.0.0.116`
:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Webstatic

Monitoring
----------

:internal checks: :monitor:`webstatic.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Webstatic

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
codedocs.cacert.org.        IN CNAME web.cacert.org.
funding.cacert.org.         IN CNAME web.cacert.org.
infradocs.cacert.org.       IN CNAME web.cacert.org.
webstatic.cacert.org.       IN A     213.154.225.242
webstatic.cacert.org.       IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.       IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.       IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.       IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.       IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.       IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. IN A     172.16.2.116
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+----------------------------+
| Port     | Service   | Origin    | Purpose                    |
+==========+===========+===========+============================+
| 22/tcp   | ssh       | ANY       | admin console access       |
+----------+-----------+-----------+----------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA |
+----------+-----------+-----------+----------------------------+
| 80/tcp   | http      | ANY       | application                |
+----------+-----------+-----------+----------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service  |
+----------+-----------+-----------+----------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+----------------------+----------------------------------------+
| Service            | Usage                | Start mechanism                        |
+====================+======================+========================================+
| Apache httpd       | Webserver for static | init script                            |
|                    | content              | :file:`/etc/init.d/apache2`            |
+--------------------+----------------------+----------------------------------------+
| cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
+--------------------+----------------------+----------------------------------------+
| Exim               | SMTP server for      | init script                            |
|                    | local mail           | :file:`/etc/init.d/exim4`              |
|                    | submission           |                                        |
+--------------------+----------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring    | init script                            |
|                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`       |                                        |
+--------------------+----------------------+----------------------------------------+
| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
|                    | remote               |                                        |
|                    | administration       |                                        |
|                    | and git access       |                                        |
+--------------------+----------------------+----------------------------------------+
| Puppet agent       | configuration        | init script                            |
|                    | management agent     | :file:`/etc/init.d/puppet`             |
+--------------------+----------------------+----------------------------------------+
| rsyslog            | syslog daemon        | init script                            |
|                    |                      | :file:`/etc/init.d/syslog`             |
+--------------------+----------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`jenkins` for publishing code documentation to codedocs.cacert.org and
  infrastructure documentation to infradocs.cacert.org
* :doc:`monitor`
* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
  infradocs.cacert.org

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
   :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
   :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
   :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
210 :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
211
212 Dedicated user roles
213 --------------------
214
215 +-------------------+---------------------------------------------------+
216 | Group | Purpose |
217 +===================+===================================================+
218 | jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
219 | | :file:`/var/www/codedocs.cacert.org/html/` and |
220 | | :file:`/var/www/infradocs.cacert.org/html/` |
221 +-------------------+---------------------------------------------------+
222
223 Non-distribution packages and modifications
224 -------------------------------------------
225
226 The Puppet agent package and a few dependencies are installed from the official
227 Puppet APT repository because the versions in Debian are too old to use modern
228 Puppet features.
229
230 Risk assessments on critical packages
231 -------------------------------------
232
233 Apache httpd is configured with a minimum of enabled modules to allow serving
234 static content and nothing else to reduce potential security risks.
235
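Whether the module set really is minimal is easy to drift away from, since
``a2enmod`` and package post-install scripts enable modules silently. The
following script is an added example, not code from the cacert-infradocs
Puppet profiles: it compares the module list printed by ``apache2ctl -M``
with an allowlist of what a static-only site behind a TLS-terminating reverse
proxy needs and reports everything else with the reason it widens the attack
surface. The ``apache2ctl -M`` sample and the allowlist are constructed for
the example, not captured from webstatic; the real allowlist is an
administrative decision.

```python
"""Audit the module set of an Apache httpd meant to serve static files only
(added example, not the cacert-infradocs Puppet code)."""
import re

# Modules a static-only vhost behind a reverse proxy reasonably needs.
# Assumption for this example: remoteip is kept so the access log records the
# client address passed on by the proxy rather than the proxy's own address.
STATIC_ALLOWLIST = {
    "core", "so", "watchdog", "http", "log_config", "logio", "version",
    "unixd", "mpm_event", "authz_core", "mime", "dir", "alias",
    "deflate", "headers", "remoteip", "setenvif", "filter",
    "negotiation", "status", "access_compat", "env", "reqtimeout",
}

# Modules that add code paths a static site does not need, each with the
# reason it matters; anything else outside the allowlist gets a generic note.
RISKY_REASONS = {
    "autoindex": "publishes directory listings of the document tree",
    "cgi": "executes programs from the document tree",
    "cgid": "executes programs from the document tree",
    "php7": "runs application code inside the server",
    "proxy": "turns the host into a relay if misconfigured",
    "proxy_http": "turns the host into a relay if misconfigured",
    "userdir": "exposes user home directories",
    "dav": "allows clients to write to the document tree",
    "include": "server-side includes evaluate content as code",
}

# Constructed sample of `apache2ctl -M` output (not from the real host).
SAMPLE_APACHE2CTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authz_core_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
"""


def parse_loaded_modules(text: str) -> set:
    """Return module names (without the _module suffix) from apache2ctl -M."""
    return set(re.findall(r"^\s*(\w+)_module\s+\((?:static|shared)\)", text, re.M))


def audit_modules(text: str, allowlist=STATIC_ALLOWLIST) -> dict:
    """Map every loaded module outside the allowlist to a reason string."""
    findings = {}
    for module in sorted(parse_loaded_modules(text) - allowlist):
        findings[module] = RISKY_REASONS.get(module, "not needed for static content")
    return findings


if __name__ == "__main__":
    for module, reason in audit_modules(SAMPLE_APACHE2CTL_M).items():
        print("unexpected module %-12s %s  (disable with: a2dismod %s)" % (module, reason, module))
```

Running it on a live host is ``apache2ctl -M | python3 audit.py`` with the
sample replaced by ``sys.stdin.read()``; a Nagios NRPE check wrapping the same
function turns the documented claim into something :doc:`monitor` can verify
continuously.
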
Access to the jenkins-infradocs user is gated by a defined ssh key.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The puppet agent is not exposed for access from outside
the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`webstatic` to Puppet code

Keys and X.509 certificates
---------------------------

The host does not provide TLS services and therefore has no certificates.

.. todo::
   move the TLS configuration for the served VirtualHosts to :doc:`webstatic`

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests reaching this host with no
  specifically handled host name.

* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`

  Defines the VirtualHost for https://codedocs.cacert.org/

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost for https://funding.cacert.org/

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost for https://infradocs.cacert.org/

Tasks
=====

Changes
=======

Planned
-------

.. todo:: manage the webstatic system using Puppet

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://httpd.apache.org/docs/2.4/