projects / cacert-infradocs.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Document webstatic
[cacert-infradocs.git] / docs / systems / webstatic.rst
1 .. index::
2 single: Systems; Webstatic
3
4 =========
5 Webstatic
6 =========
7
8 Purpose
9 =======
10
11 This system provides a web server for serving static content. HTTP requests
12 for this system are proxied through :doc:`web` which also handles TLS
13 termination and redirects from http scheme URLs to https.
14
15 Application Links
16 -----------------
17
18 Funding
19 https://funding.cacert.org/
20
21 Infrastructure Documentation
22 https://infradocs.cacert.org/
23
24 Administration
25 ==============
26
27 System Administration
28 ---------------------
29
30 * Primary: :ref:`people_jandd`
31 * Secondary: None
32
33 .. todo:: find an additional admin
34
35 Application Administration
36 --------------------------
37
38 +---------------+---------------------+
39 | Application | Administrator(s) |
40 +===============+=====================+
41 | Apache httpd | :ref:`people_jandd` |
42 +---------------+---------------------+
43 | Gitolite | :ref:`people_jandd` |
44 +---------------+---------------------+
45
46 Contact
47 -------
48
49 * webstatic-admin@cacert.org
50
51 Additional People
52 -----------------
53
54 No additional people have access to this machine.
55
56 Basics
57 ======
58
59 Physical Location
60 -----------------
61
62 This system is located in an :term:`LXC` container on physical machine
63 :doc:`infra02`.
64
65 Logical Location
66 ----------------
67
68 :IP Internet: reverse proxied from :doc:`web`
69 :IP Intranet: :ip:v4:`172.16.2.116`
70 :IP Internal: :ip:v4:`10.0.0.116`
71 :MAC address: :mac:`00:ff:67:39:23:f2` (eth0)
72
73 .. seealso::
74
75 See :doc:`../network`
76
77 DNS
78 ---
79
80 .. index::
81 single: DNS records; <machine>
82
83 =========================== ======== ====================================================================
84 Name Type Content
85 =========================== ======== ====================================================================
86 funding.cacert.org. IN CNAME webstatic.cacert.org.
87 infradocs.cacert.org. IN CNAME webstatic.cacert.org.
88 webstatic.cacert.org. IN A 213.154.225.242
89 webstatic.cacert.org. IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
90 webstatic.cacert.org. IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
91 webstatic.cacert.org. IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
92 webstatic.cacert.org. IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
93 webstatic.cacert.org. IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
94 webstatic.cacert.org. IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
95 webstatic.intra.cacert.org. IN A 172.16.2.116
96 =========================== ======== ====================================================================
97
98 .. seealso::
99
100 See :wiki:`SystemAdministration/Procedures/DNSChanges`
101
102 Operating System
103 ----------------
104
105 .. index::
106 single: Debian GNU/Linux; Stretch
107 single: Debian GNU/Linux; 9.3
108
109 * Debian GNU/Linux 9.3
110
111 Applicable Documentation
112 ------------------------
113
114 This is it :-)
115
116 Services
117 ========
118
119 Listening services
120 ------------------
121
122 +----------+-----------+-----------+-----------------------------------------+
123 | Port | Service | Origin | Purpose |
124 +==========+===========+===========+=========================================+
125 | 22/tcp | ssh | ANY | admin console and gitolite access |
126 +----------+-----------+-----------+-----------------------------------------+
127 | 25/tcp | smtp | local | mail delivery to local MTA |
128 +----------+-----------+-----------+-----------------------------------------+
129 | 80/tcp | http | ANY | application |
130 +----------+-----------+-----------+-----------------------------------------+
131 | 5666/tcp | nrpe | monitor | remote monitoring service |
132 +----------+-----------+-----------+-----------------------------------------+
133
134 Running services
135 ----------------
136
137 .. index::
138 single: Apache
139 single: Exim
140 single: cron
141 single: nginx
142 single: nrpe
143 single: openssh
144
145 +--------------------+----------------------+----------------------------------------+
146 | Service | Usage | Start mechanism |
147 +====================+======================+========================================+
148 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
149 | | remote | |
150 | | administration | |
151 | | and git access | |
152 +--------------------+----------------------+----------------------------------------+
153 | Apache httpd | Webserver for static | init script |
154 | | content | :file:`/etc/init.d/apache2` |
155 +--------------------+----------------------+----------------------------------------+
156 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
157 +--------------------+----------------------+----------------------------------------+
158 | rsyslog | syslog daemon | init script |
159 | | | :file:`/etc/init.d/syslog` |
160 +--------------------+----------------------+----------------------------------------+
161 | Exim | SMTP server for | init script |
162 | | local mail | :file:`/etc/init.d/exim4` |
163 | | submission | |
164 +--------------------+----------------------+----------------------------------------+
165 | Nagios NRPE server | remote monitoring | init script |
166 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
167 | | :doc:`monitor` | |
168 +--------------------+----------------------+----------------------------------------+
169
170 Connected Systems
171 -----------------
172
173 * :doc:`jenkins` for publishing infrastructure documentation to
174 infradocs.cacert.org
175 * :doc:`monitor`
176
177 Outbound network connections
178 ----------------------------
179
180 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
181 * :doc:`emailout` as SMTP relay
182 * :doc:`proxyout` as HTTP proxy for APT
183
184 Security
185 ========
186
187 .. sshkeys::
188 :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
189 :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
190 :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
191 :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
192
193 Dedicated user roles
194 --------------------
195
196 +-------------------+---------------------------------------------------+
197 | Group | Purpose |
198 +===================+===================================================+
199 | git | User for :program:`gitolite` |
200 +-------------------+---------------------------------------------------+
201 | jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
202 | | :file:`/var/www/infradocs.cacert.org/html/` |
203 +-------------------+---------------------------------------------------+
204
205 Non-distribution packages and modifications
206 -------------------------------------------
207
208 The used :program:`gitolite` version is from Debian Jessie and should either
209 be replaced by :program:`gitolite3` from Debian Stretch or a combination of
210 git repositories on :doc:`git` and web hooks for triggering updates.
211
212 .. todo:: replace :program:`gitolite` with a maintained service
213
214 Risk assessments on critical packages
215 -------------------------------------
216
217 Apache httpd is configured with a minimum of enabled modules to allow serving
218 static content and nothing else to reduce potential security risks.
219
220 Access to :program:`gitolite` and the jenkins-infradocs user is gated by a
221 defined set of ssh keys.
222
223 .. todo:: check access on gitolite repositories
224
225 Critical Configuration items
226 ============================
227
228 Keys and X.509 certificates
229 ---------------------------
230
231 The host does not provide TLS services and therefore has no certificates.
232
233 .. todo::
234 move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
235
236 Apache httpd configuration
237 --------------------------
238
239 The main configuration files for Apache httpd are:
240
241 * :file:`/etc/apache2/sites-available/000-default.conf`
242
243 Defines the default VirtualHost for requests reaching this host with no
244 specifically handled host name.
245
246 * :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
247
248 Defines the VirtualHost for https://funding.cacert.org/
249
250 * :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
251
252 Defines the VirtualHost for https://infradocs.cacert.org/
253
254
255 Tasks
256 =====
257
258 Planned
259 -------
260
261 * Manage the system using Puppet
262
263 Changes
264 =======
265
266 System Future
267 -------------
268
269 * No plans
270
271 Additional documentation
272 ========================
273
274 .. seealso::
275
276 * :wiki:`Exim4Configuration`
277
278 References
279 ----------
280
281 * http://httpd.apache.org/docs/2.4/
282 * http://gitolite.com/gitolite/migr/
Sphinx based infrastructure documentation