# Blog

## Purpose

This system hosts the blog, blog.cacert.org. The blog meets the needs of public relations and the CAcert community to publish CAcert’s activities.
## Application Links

- Blog URL
- Adding a category
## Administration

### System Administration

Primary: Dirk Astrath
Secondary: Jan Dittberner

### Application Administration

| Role | Users |
|---|---|
| Wordpress Admin | |
| Wordpress Editor | PR Team, Support |
| Wordpress Author | Anyone with a certificate |
| Wordpress Contributor | Anyone with contributor privileges |
| Wordpress Subscriber | Any spammer or person who has not posted or has not logged in |
### Contact

### Additional People

No additional people have sudo access on that machine.
## Basics

### Physical Location

This system is located in an LXC container on the physical machine Infra02.

### Logical Location

- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:fa:af:b2:9b (eth0)

See also: Network
### Monitoring

- internal checks:
### DNS

| Name | Type | Content |
|---|---|---|
| blog.cacert.org. | IN A | 213.154.225.234 |
| blog.cacert.org. | IN AAAA | 2001:7b8:616:162:2::13 |
| blog.cacert.org. | IN SSHFP | 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8 |
| blog.cacert.org. | IN SSHFP | 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6 |
| blog.cacert.org. | IN SSHFP | 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86 |
| blog.cacert.org. | IN SSHFP | 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047 |
| blog.cacert.org. | IN SSHFP | 4 1 90903e8f4b35457bf41235f070adf592d7f724dd |
| blog.cacert.org. | IN SSHFP | 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b |
| blog.intra.cacert.org. | IN A | 172.16.2.13 |

See also
### Operating System

Debian GNU/Linux 11 Bullseye

### Applicable Documentation

A small (work in progress) guide can be found in the Wiki page BlogDoc.
## Services

### Listening services

| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | local | mail delivery to local MTA |
| 80/tcp | http | ANY | redirect to https |
| 443/tcp | https | ANY | application |
| 5665/tcp | icinga2 | monitor | remote monitoring service |
| 3306/tcp | mariadb | local | MariaDB database for blog |
### Running services

| Service | Usage | Start mechanism |
|---|---|---|
| Apache httpd | Webserver for blog | systemd unit |
| cron | job scheduler | systemd unit |
| dbus-daemon | System message bus | systemd unit |
| icinga2 | Icinga2 monitoring agent | systemd unit |
| MariaDB | MariaDB database server for blog | systemd unit |
| openssh server | ssh daemon for remote administration | systemd unit |
| Postfix | SMTP server for local mail submission | systemd unit |
| Puppet agent | configuration management agent | systemd unit |
| rsyslog | syslog daemon | systemd unit |
### Databases

| RDBMS | Name | Used for |
|---|---|---|
| MariaDB | blog | Wordpress blog |
## Connected Systems

### Outbound network connections

- HTTP (80/tcp) and HTTPS (443/tcp) to the Ping-o-matic blog update service [1]
- HTTP (80/tcp) and HTTPS (443/tcp) to the Akismet anti-spam service [2]
- HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
- DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
- Emailout as SMTP relay
- Proxyout as HTTP proxy for APT
- Puppet (tcp/8140) as Puppet master
- crl.cacert.org (rsync) for getting CRLs
## Security

### SSH host keys

| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | - |
| ECDSA | |
| ED25519 | |
See also
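The SSHFP records in the DNS table and the host key fingerprints above are two views of the same keys: an SSHFP record is the SHA-1 (type 1) or SHA-256 (type 2) digest of the raw public key blob, tagged with the key algorithm (1 RSA, 3 ECDSA, 4 Ed25519). The following script is an added example, not part of this documentation or of the CAcert tooling; it recomputes the records from OpenSSH public key lines (as `ssh-keygen -r` does) and compares them with a published RRset. The RRset is copied from the DNS table above; the key line used in the demo is a constructed stand-in (its "key blob" is just base64 of `abc`), not one of the real host keys.

```python
import base64
import hashlib

# SSHFP algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fingerprint
# types (1 SHA-1, 2 SHA-256), the numbers used in the DNS table above.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# RRset published for blog.cacert.org (copied from the DNS table above), in the
# "alg fptype fingerprint" form that `dig +short blog.cacert.org SSHFP` prints.
PUBLISHED_SSHFP = """\
1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
4 1 90903e8f4b35457bf41235f070adf592d7f724dd
4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
"""

def parse_sshfp_rrset(text):
    """Parse SSHFP presentation-format lines into (alg, fptype, hex) tuples."""
    records = set()
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3:  # dig may wrap long fingerprints; rejoin the tokens
            records.add((int(parts[0]), int(parts[1]), "".join(parts[2:]).lower()))
    return records

def sshfp_records(pubkey_line):
    """What `ssh-keygen -r` emits for one OpenSSH public key line (either a host
    key file line "type base64 [comment]" or an ssh-keyscan line "host type base64")."""
    parts = pubkey_line.split()
    i = next(i for i, p in enumerate(parts) if p in SSHFP_ALGORITHM)
    blob = base64.b64decode(parts[i + 1])  # digests are over the raw key blob
    return {(SSHFP_ALGORITHM[parts[i]], fptype, digest(blob).hexdigest())
            for fptype, digest in SSHFP_DIGEST.items()}

def check_host_keys(pubkey_lines, rrset_text):
    """Compare the keys a host serves with the published RRset. Returns
    (missing, unexpected): fingerprints the host has but DNS lacks, and DNS
    records no served key produces (stale or tampered; do not trust the RRset)."""
    computed = set().union(*(sshfp_records(line) for line in pubkey_lines))
    published = parse_sshfp_rrset(rrset_text)
    return computed - published, published - computed

if __name__ == "__main__":  # constructed key line: the blob is just base64("abc")
    print(check_host_keys(["blog.cacert.org ssh-ed25519 YWJj"], PUBLISHED_SSHFP))
```

On the real host, feed it the output of `ssh-keyscan blog.cacert.org` and `dig +short blog.cacert.org SSHFP`; an empty pair of sets means DNS and the served keys agree, which is what clients relying on `VerifyHostKeyDNS` need.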
### Dedicated user roles

| Group | Purpose |
|---|---|
| blog | group owning the blog file content and temporary files. This group is used to execute the Wordpress PHP code. |
### Non-distribution packages and modifications

- Wordpress Plugins
### Risk assessments on critical packages

| Software | Risk rating | Mitigation |
|---|---|---|
| Wordpress | high | Regular updates, avoid unnecessary plugins, consider Wordpress hardening |

Todo
### Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo: move configuration of blog to Puppet code
### Keys and X.509 certificates

- Certificate for CN blog.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/public/blog.cacert.org.chain.pem
  - private key in file /etc/ssl/private/blog.cacert.org.key.pem
- /etc/ssl/certs/cacert.org/: directory containing the CAcert.org Class 1 and Class 3 certificates (allowed CA certificates for client certificates) and symlinks with hashed names as expected by OpenSSL
- /etc/ssl/certs/cacert.org.pem: CAcert.org Class 1 certificate (certificate chain for the server certificate)
### Apache httpd configuration

- /etc/apache2/cacert/blog.inc.conf: defines settings that are shared by the HTTP and the HTTPS VirtualHost definitions. This file takes care of the PHP FCGI setup.
- /etc/apache2/cacert/headers.inc.conf: defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost definitions. The file is included by /etc/apache2/cacert/blog.inc.conf.
- /etc/apache2/sites-available/blog-ssl.conf: contains the HTTPS VirtualHost definition and defines client certificate authentication for /wp-admin and /wp-login.php.
- /etc/apache2/sites-available/blog-nossl.conf: defines the HTTP VirtualHost and takes care of redirecting /wp-admin and /wp-login.php to the HTTPS VirtualHost. The following RewriteRule is used to redirect old blog URLs:

```apache
RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
```
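To make the split described above concrete, here is an illustrative Apache fragment, added here and not the deployed blog-ssl.conf or blog-nossl.conf: the certificate and key paths are the ones listed under "Keys and X.509 certificates", while the directive layout, the 301 redirect target and the `Include` placement are assumptions about how the two files are typically written.

```apache
# Illustrative HTTPS VirtualHost (added example, not the deployed blog-ssl.conf).
<VirtualHost *:443>
    ServerName blog.cacert.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/public/blog.cacert.org.chain.pem
    SSLCertificateKeyFile /etc/ssl/private/blog.cacert.org.key.pem

    # Trust store for *client* certificates: the CAcert Class 1 and Class 3
    # certificates plus the hashed symlinks OpenSSL expects (openssl rehash).
    SSLCACertificatePath /etc/ssl/certs/cacert.org/

    # Public pages stay anonymous; only the admin surface requires a
    # client certificate, so anything reaching /wp-admin or /wp-login.php
    # without a certificate issued by one of those CAs is rejected by httpd
    # before Wordpress sees the request.
    SSLVerifyClient none
    <LocationMatch "^/(wp-admin|wp-login\.php)">
        SSLVerifyClient require
        SSLVerifyDepth  2
    </LocationMatch>

    Include /etc/apache2/cacert/blog.inc.conf
</VirtualHost>

# Illustrative HTTP VirtualHost (added example, not the deployed blog-nossl.conf).
<VirtualHost *:80>
    ServerName blog.cacert.org
    RewriteEngine on
    # Send the login/admin surface to HTTPS so no credential can travel in clear.
    RewriteRule ^/(wp-admin|wp-login\.php) https://blog.cacert.org%{REQUEST_URI} [R=301,L]
    # Rule from the documentation above: map old /YYYY/MM/<id>.html permalinks.
    RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
    Include /etc/apache2/cacert/blog.inc.conf
</VirtualHost>
```

Check the effective configuration with `apache2ctl -S` and `apache2ctl configtest` after any change; a client certificate from an unlisted CA should be refused on /wp-login.php while the front page remains reachable without one.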
### Wordpress configuration

- /srv/www/blog/wp-config.php: contains the Wordpress database configuration. The rest of the Wordpress configuration is stored in the database (assumption).
## Tasks

Todo: add a section documenting Wordpress and plugin updates

Todo: add a section documenting Wordpress user management

## Changes

### Planned

Todo: manage the blog system using Puppet

Todo: set up CRL checks (can be borrowed from svn for client certificates)

## System Future

No plans

## Additional documentation

See also