Update OCSP responder certificates after renewal on August 25, 2019.
[cacert-infradocs.git] / docs / systems / webstatic.rst
.. index::
   single: Systems; Webstatic

=========
Webstatic
=========

Purpose
=======

This system provides a web server for serving static content. HTTP requests
for this system are reverse proxied through :doc:`web`, which also terminates
TLS and redirects http scheme URLs to https.

Application Links
-----------------

Code Documentation
   https://codedocs.cacert.org/

Funding
   https://funding.cacert.org/

Infrastructure Documentation
   https://infradocs.cacert.org/

CAcert internal Debian repository
   https://webstatic.infra.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Apache httpd  | :ref:`people_jandd` |
+---------------+---------------------+
| Gitolite      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* webstatic-admin@cacert.org

Additional People
-----------------

No additional people have access to this machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: reverse proxied from :doc:`web`
:IP Intranet: :ip:v4:`172.16.2.116`
:IP Internal: :ip:v4:`10.0.0.116`
:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Webstatic

Monitoring
----------

:internal checks: :monitor:`webstatic.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Webstatic

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
codedocs.cacert.org.        IN CNAME web.cacert.org.
funding.cacert.org.         IN CNAME web.cacert.org.
infradocs.cacert.org.       IN CNAME web.cacert.org.
webstatic.cacert.org.       IN A     213.154.225.242
webstatic.cacert.org.       IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.       IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.       IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.       IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.       IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.       IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. IN A     172.16.2.116
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.9

* Debian GNU/Linux 9.9

Services
========

Listening services
------------------

+----------+-----------+-----------+----------------------------+
| Port     | Service   | Origin    | Purpose                    |
+==========+===========+===========+============================+
| 22/tcp   | ssh       | ANY       | admin console access and   |
|          |           |           | git access (Gitolite)      |
+----------+-----------+-----------+----------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA |
+----------+-----------+-----------+----------------------------+
| 80/tcp   | http      | ANY       | application                |
+----------+-----------+-----------+----------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service  |
+----------+-----------+-----------+----------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+----------------------+----------------------------------------+
| Service            | Usage                | Start mechanism                        |
+====================+======================+========================================+
| Apache httpd       | Webserver for static | init script                            |
|                    | content              | :file:`/etc/init.d/apache2`            |
+--------------------+----------------------+----------------------------------------+
| cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
+--------------------+----------------------+----------------------------------------+
| Exim               | SMTP server for      | init script                            |
|                    | local mail           | :file:`/etc/init.d/exim4`              |
|                    | submission           |                                        |
+--------------------+----------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring    | init script                            |
|                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`       |                                        |
+--------------------+----------------------+----------------------------------------+
| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
|                    | remote               |                                        |
|                    | administration       |                                        |
|                    | and git access       |                                        |
+--------------------+----------------------+----------------------------------------+
| Puppet agent       | configuration        | init script                            |
|                    | management agent     | :file:`/etc/init.d/puppet`             |
+--------------------+----------------------+----------------------------------------+
| rsyslog            | syslog daemon        | init script                            |
|                    |                      | :file:`/etc/init.d/rsyslog`            |
+--------------------+----------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`jenkins` for publishing code documentation to codedocs.cacert.org and
  infrastructure documentation to infradocs.cacert.org
* :doc:`monitor`
* :doc:`web` as reverse proxy for the hostnames codedocs.cacert.org,
  funding.cacert.org and infradocs.cacert.org

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
   :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
   :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
   :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
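
The SSHFP records in the DNS table and the ``SHA256:``/``MD5:`` fingerprints in
the ``sshkeys`` block above describe the same host keys in different encodings:
an SSHFP type 2 record is the raw SHA-256 digest of the public key blob in hex,
while ``ssh-keygen -l`` prints that same digest base64-encoded. The following is
an added example (not part of the infradocs tooling or of any CAcert code) that
derives all three forms from an OpenSSH public key line and cross-checks a
type 2 record against a ``SHA256:`` fingerprint, which is how to confirm that a
published record and a host key belong together before relying on
``VerifyHostKeyDNS``. The key material it uses is constructed in place and is
not a real key. Note that the DNS table lists SSHFP records for algorithms 1 to
3 only; the ED25519 key listed in the ``sshkeys`` block has no corresponding
SSHFP 4 record in the table.

```python
"""Cross-check SSH host-key fingerprints against SSHFP DNS records.

Added example, not part of the CAcert infradocs or its tooling. Input is an
OpenSSH public key line (the format of /etc/ssh/ssh_host_*_key.pub). The
sample keys below are assembled from fixed bytes and are not real keys.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public key line.

    The blob's leading SSH string repeats the key type; a mismatch with the
    text prefix means the line was tampered with or mis-assembled.
    """
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match line prefix")
    return key_type, blob


def sha256_fingerprint(blob):
    """Fingerprint as printed by ``ssh-keygen -l``: base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob):
    """Legacy fingerprint as printed by ``ssh-keygen -l -E md5``."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sshfp_records(line):
    """Return SSHFP RDATA tuples (algorithm, fp_type, hex_digest) for a key.

    Type 1 is SHA-1, type 2 is SHA-256; both are taken over the public key
    blob, exactly as ``ssh-keygen -r`` does.
    """
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[key_type]
    return [
        (alg, 1, hashlib.sha1(blob).hexdigest().upper()),
        (alg, 2, hashlib.sha256(blob).hexdigest().upper()),
    ]


def sshfp_matches_fingerprint(record, fingerprint):
    """True if a type 2 SSHFP record and a SHA256: fingerprint are the same digest."""
    alg, fp_type, hex_digest = record
    if fp_type != 2:
        raise ValueError("only SHA-256 (type 2) records correspond to a SHA256: fingerprint")
    digest = bytes.fromhex(hex_digest)
    expected = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return expected == fingerprint


def verify_published_records(line, published):
    """Return the subset of ``published`` SSHFP tuples that this key produces.

    ``published`` is a list of (algorithm, fp_type, hex_digest) as read from
    DNS. An empty result means no published record covers this host key.
    """
    computed = {(a, t, d.upper()) for a, t, d in sshfp_records(line)}
    return [rec for rec in published if (rec[0], rec[1], rec[2].upper()) in computed]


def constructed_pubkey_line(key_type, *fields):
    """Assemble a public key line from raw SSH-string fields (constructed test data)."""
    parts = (key_type.encode("ascii"),) + fields
    blob = b"".join(struct.pack(">I", len(f)) + f for f in parts)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} constructed@example"


if __name__ == "__main__":
    # Constructed ed25519 key: 32 placeholder bytes, not a real public point.
    line = constructed_pubkey_line("ssh-ed25519", bytes(range(32)))
    _, blob = parse_pubkey_line(line)
    print(sha256_fingerprint(blob), md5_fingerprint(blob))
    for alg, fp_type, digest in sshfp_records(line):
        print(f"webstatic.cacert.org. IN SSHFP {alg} {fp_type} {digest}")
```

On the host itself, ``ssh-keygen -r webstatic.cacert.org`` prints the same RDATA
from the installed host keys; comparing that output with
``dig +dnssec SSHFP webstatic.cacert.org`` is the operational form of the check
above, and a ``SHA256:`` line from ``ssh-keygen -l`` can be matched to a type 2
record with ``sshfp_matches_fingerprint``.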

Dedicated user roles
--------------------

+-------------------+---------------------------------------------------+
| Role              | Purpose                                           |
+===================+===================================================+
| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
|                   | :file:`/var/www/codedocs.cacert.org/html/` and    |
|                   | :file:`/var/www/infradocs.cacert.org/html/`       |
+-------------------+---------------------------------------------------+

.. todo:: manage ``jenkins-infradocs`` user via Puppet

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few of its dependencies are installed from the
official Puppet APT repository because the versions in Debian are too old to
use current Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed to serve
static content and nothing else, to keep the attack surface of the web server
small.

Access to the ``jenkins-infradocs`` user is restricted to a single, dedicated
SSH key.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small because access to the system is
tightly restricted. The Puppet agent is not reachable from outside the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the :cacertgit:`cacert-puppet` repository.

Keys and X.509 certificates
---------------------------

The host does not terminate TLS itself (this is done by :doc:`web`) and
therefore holds no X.509 certificates.

Apache httpd configuration
--------------------------

Apache configuration is managed via the Puppet profile
``profiles::static_websites``.

Debian repository configuration
-------------------------------

The Debian repository is managed via the Puppet profile
``profiles::debarchive``. Packages uploaded to :file:`/srv/upload/incoming`
are automatically processed by :program:`inoticoming` and :program:`reprepro`.
Only packages signed by a known PGP key (managed via Puppet) are accepted and
published at https://webstatic.infra.cacert.org/.

The repository signing key is stored in
:file:`/srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key`.

Tasks
=====

Changes
=======

Planned
-------

.. todo:: update to Debian 10 (when Puppet is available)

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`

References
----------

* http://httpd.apache.org/docs/2.4/
* https://manpages.debian.org/buster/inoticoming/inoticoming.1.en.html
* https://manpages.debian.org/buster/reprepro/reprepro.1.en.html