a73d900aba399ec7e8f74946bd8426ba86c321af
[cacert-infradocs.git] / docs / systems / webstatic.rst
.. index::
   single: Systems; Webstatic

=========
Webstatic
=========

Purpose
=======

This system provides a web server for serving static content. HTTP requests
for this system are proxied through :doc:`web` which also handles TLS
termination and redirects from http scheme URLs to https.

Application Links
-----------------

Funding
   https://funding.cacert.org/

Infrastructure Documentation
   https://infradocs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+
| Gitolite      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* webstatic-admin@cacert.org

Additional People
-----------------

No additional people have access to this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on the physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.116`
:IP Internal: :ip:v4:`10.0.0.116`
:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Webstatic

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
funding.cacert.org.         IN CNAME webstatic.cacert.org.
infradocs.cacert.org.       IN CNAME webstatic.cacert.org.
webstatic.cacert.org.       IN A     213.154.225.242
webstatic.cacert.org.       IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.       IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.       IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.       IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.       IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.       IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. IN A     172.16.2.116
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.3

* Debian GNU/Linux 9.3

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console and gitolite access       |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: Exim
   single: cron
   single: nginx
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+----------------------+----------------------------------------+
| Service            | Usage                | Start mechanism                        |
+====================+======================+========================================+
| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
|                    | remote               |                                        |
|                    | administration       |                                        |
|                    | and git access       |                                        |
+--------------------+----------------------+----------------------------------------+
| Apache httpd       | Webserver for static | init script                            |
|                    | content              | :file:`/etc/init.d/apache2`            |
+--------------------+----------------------+----------------------------------------+
| cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
+--------------------+----------------------+----------------------------------------+
| rsyslog            | syslog daemon        | init script                            |
|                    |                      | :file:`/etc/init.d/syslog`             |
+--------------------+----------------------+----------------------------------------+
| Exim               | SMTP server for      | init script                            |
|                    | local mail           | :file:`/etc/init.d/exim4`              |
|                    | submission           |                                        |
+--------------------+----------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring    | init script                            |
|                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`       |                                        |
+--------------------+----------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`jenkins` for publishing infrastructure documentation to
  infradocs.cacert.org
* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
   :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
   :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
   :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
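
The SSHFP records in the DNS table and the host key fingerprints in the
``sshkeys`` directive above are the same SHA-256 digests in two encodings
(upper-case hex rdata versus OpenSSH's unpadded base64), so the two sections
can be cross-checked offline. The following Python script is an added example,
not part of this documentation or of the CAcert infrastructure code; it embeds
the values copied from this page and, on them, reports that the ED25519 host
key has no matching SSHFP record (algorithm 4) while the other three match.

```python
import base64

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the key
# type names used in the sshkeys directive; fingerprint type 2 is SHA-256.
SSHFP_ALGORITHM = {"RSA": 1, "DSA": 2, "ECDSA": 3, "ED25519": 4}
SSHFP_TYPE_SHA256 = 2

# SSHFP rdata and SHA256 host key fingerprints copied from this page.
WEBSTATIC_SSHFP = [
    "1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F",
    "2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547",
    "3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7",
]
WEBSTATIC_HOST_KEYS = {
    "RSA": "SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8",
    "DSA": "SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc",
    "ECDSA": "SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc",
    "ED25519": "SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A",
}


def openssh_sha256_to_hex(fingerprint):
    """Convert an OpenSSH 'SHA256:<base64>' fingerprint to SSHFP hex rdata."""
    if not fingerprint.startswith("SHA256:"):
        raise ValueError("expected an OpenSSH SHA256 fingerprint")
    b64 = fingerprint[len("SHA256:"):]
    # OpenSSH prints the digest without '=' padding; restore it to decode.
    digest = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(digest) != 32:
        raise ValueError("a SHA-256 digest is 32 bytes")
    return digest.hex().upper()


def check_sshfp(host_keys, sshfp_rdata):
    """Return {key type: 'match' | 'MISMATCH' | 'no SSHFP record'}."""
    published = {}
    for rdata in sshfp_rdata:
        alg, fptype, fp = rdata.split()
        published[(int(alg), int(fptype))] = fp.upper()
    result = {}
    for key_type, fingerprint in host_keys.items():
        expected = published.get((SSHFP_ALGORITHM[key_type], SSHFP_TYPE_SHA256))
        if expected is None:
            # No record: clients using VerifyHostKeyDNS cannot validate this key.
            result[key_type] = "no SSHFP record"
        elif expected == openssh_sha256_to_hex(fingerprint):
            result[key_type] = "match"
        else:
            result[key_type] = "MISMATCH"
    return result
```

On the host itself ``ssh-keygen -r webstatic.cacert.org`` prints one SSHFP
record per installed host key; the last three fields of each line are the rdata
that ``check_sshfp`` expects.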

Dedicated user roles
--------------------

+-------------------+---------------------------------------------------+
| Group             | Purpose                                           |
+===================+===================================================+
| git               | User for :program:`gitolite`                      |
+-------------------+---------------------------------------------------+
| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
|                   | :file:`/var/www/infradocs.cacert.org/html/`       |
+-------------------+---------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The installed :program:`gitolite` version is from Debian Jessie; it should
either be replaced by :program:`gitolite3` from Debian Stretch or by a
combination of git repositories on :doc:`git` and web hooks that trigger
updates.

.. todo:: replace :program:`gitolite` with a maintained service

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed to serve
static content and nothing else, which keeps its attack surface small.

Access to :program:`gitolite` and the jenkins-infradocs user is gated by a
defined set of ssh keys.

.. todo:: check access on gitolite repositories

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

The host does not provide TLS services and therefore has no certificates.

.. todo::
   move the TLS configuration for the served VirtualHosts to :doc:`webstatic`

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/000-default.conf`

  Defines the default VirtualHost for requests reaching this host with no
  specifically handled host name.

* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`

  Defines the VirtualHost for https://funding.cacert.org/

* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`

  Defines the VirtualHost for https://infradocs.cacert.org/

Tasks
=====

Planned
-------

.. todo:: manage the webstatic system using Puppet

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://httpd.apache.org/docs/2.4/
* http://gitolite.com/gitolite/migr/