Ingress03

Purpose

This system provides an incoming IPv4 TLS and HTTP proxy using nginx to share one public IPv4 address for multiple services on Infra03.

Application Links

No direct links, applications run on other systems.

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: None

Application Administration

Application	Administrator(s)
nginx	Jan Dittberner

Contact

• ingress03-admin@cacert.org

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internet:

213.154.225.249

IP Intranet:

172.16.2.9

IP Internal:

10.0.3.10

IPv6:

2001:7b8:616:162:3::10

MAC address:

00:ff:8f:34:8c:dd (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for ingress03.infra.cacert.org

external checks:

Monitoring checks for ingress03.cacert.org

DNS

Name	Type	Content
ingress03.cacert.org.	IN A	213.154.225.249
ingress03.cacert.org.	IN AAAA	2001:7b8:616:162:3::10

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 13 Trixie

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	nginx reverse proxy
443/tcp	https	ANY	nginx SNI proxy
5665/tcp	icinga2	monitor	remote monitoring service
465/udp	syslog	local	syslog port

Running services

Service	Usage	Start mechanism
cron	job scheduler	systemd unit cron.service
dbus-daemon	System message bus	systemd unit dbus.service
Exim	SMTP server for local mail submission	systemd unit exim4.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
nginx	nginx SNI proxy for backend services	systemd unit nginx.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
Puppet agent	configuration management agent	systemd unit puppet.service

Connected Systems

• Monitor

Outbound network connections

• DNS (53) resolver at 10.0.0.1 (Infra02)

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:EhpGxNuCNirP/I/e9A85p7M1xe7PuQej4jrNJBSsTAg, MD5:b9:df:fb:fb:4e:8e:34:e4:6a:5d:e7:18:bb:5c:43:82
DSA	-
ECDSA	SHA256:o7ACxl0hkiYobV+gmnrV3eaF09dttdh69K2T6bkO7jE, MD5:a9:c3:df:2a:13:38:14:ad:a6:15:f4:ff:4b:5e:75:2d
ED25519	SHA256:HA8qzC8T62WpiAHt6IClWxwhp2hpg9CjJucPPKyPvUw, MD5:92:00:a9:29:5b:c0:42:da:d8:8e:3b:9a:c2:cf:41:bb

See also

SSH host key list

Risk assessments on critical packages

Critical Configuration items

The system configuration is managed via Puppet profiles. There is no configuration items outside of the CAcert Git repository cacert-puppet.

Tasks

Adding a new forward entry

Add an entry to the profiles::sniproxy::forwarded item in hieradata/nodes/ingress03.yaml in CAcert Git repository cacert-puppet and adjust the firewall configuration on Infra03. You will need to request DNS changes from the critical team if you want to switch an existing service to use the SNI proxy service.

Changes

Planned

• None

System Future

• No plans

Additional documentation

See also

• Wiki page Exim4Configuration

References

• https://nginx.org/en/docs/