Proxyin
Purpose
This system provides an incoming TLS proxy using nginx to share one public IPv4 address between multiple services.
Application Links
No direct links; the applications run on other systems.
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Application Administration
Application | Administrator(s) |
---|---|
nginx | |
Contact
Additional People
No additional people have sudo access on this machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:16:3e:3c:c8:a6 (eth0)
See also: Network
Monitoring
- internal checks:
- external checks:
DNS
Name | Type | Content |
---|---|---|
proxyin.cacert.org. | IN A | 213.154.225.241 |
proxyin.cacert.org. | IN AAAA | 2001:7b8:616:162:2::35 |
proxyin.cacert.org. | IN SSHFP | 1 1 c7c559bc06d236b4128e6d720a573d805a27727a |
proxyin.cacert.org. | IN SSHFP | 1 2 affa8cc26dffa7f0803db2d027ab23f013aeabfb3b2d1b1a16659e38dba14528 |
proxyin.cacert.org. | IN SSHFP | 2 1 19bb944a917067131f02be4e9a709ade68c260f8 |
proxyin.cacert.org. | IN SSHFP | 2 2 b9b5860f3427ea9c3460c62a880527a41470c77000e5083ffffb7defa0d42e4e |
proxyin.cacert.org. | IN SSHFP | 3 1 b9581a544ca96fe071341acb450a2cf74b1b7c9f |
proxyin.cacert.org. | IN SSHFP | 3 2 be3dd21fde37042659a25143cb5171b39d22ea2c846745af9c098003a9004185 |
proxyin.cacert.org. | IN SSHFP | 4 1 9b4ba8c78b6585abaf2b46bce78a6f366f1e9bac |
proxyin.cacert.org. | IN SSHFP | 4 2 59125e8706a208fa8eed2b5994ec60f7ba8e31b1c26d90ce909d78a0027359ef |
proxyin.intra.cacert.org. | IN A | 172.16.2.241 |
proxyin.infra.cacert.org. | IN A | 10.0.0.35 |
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
Port | Service | Origin | Purpose |
---|---|---|---|
22/tcp | ssh | ANY | admin console access |
25/tcp | smtp | local | mail delivery to local MTA |
80/tcp | http | ANY | nginx |
443/tcp | https | ANY | nginx |
5665/tcp | icinga2 | monitor | remote monitoring service |
Running services
Service | Usage | Start mechanism |
---|---|---|
cron | job scheduler | systemd unit |
dbus-daemon | System message bus daemon | systemd unit |
Exim | SMTP server for local mail submission | systemd unit |
icinga2 | Icinga2 monitoring agent | systemd unit |
openssh server | ssh daemon for remote administration | systemd unit |
Puppet agent | configuration management agent | systemd unit |
nginx | TLS SNI proxy and http to https redirector | systemd unit |
rsyslog | syslog daemon | systemd unit |
Databases
None
Connected Systems
Outbound network connections
- DNS (53) resolver at 10.0.0.1 (Infra02)
- Emailout as SMTP relay
- Puppet (tcp/8140) as Puppet master
- Proxyout as HTTP proxy for APT
The mapping from host names to target backends is managed via Puppet and configured in the profiles::sniproxy::https_forwards map in https://git.cacert.org/cacert-puppet.git/tree/hieradata/nodes/proxyin.yaml.
Security
SSH host keys
Algorithm | Fingerprints |
---|---|
RSA | |
DSA | |
ECDSA | |
ED25519 | |
Dedicated user roles
None
Non-distribution packages and modifications
None
Risk assessments on critical packages
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
The system is stripped down to the bare minimum. nginx is covered by Debian security support. The nginx-full package is used because it includes nginx's stream module, which is needed to forward TLS connections based on the SNI name without terminating them.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Keys and X.509 certificates
The host does not provide TLS services of its own and therefore holds no certificates or private keys.
nginx configuration
nginx is configured via the Puppet profile profiles::sniproxy. TCP traffic on port 80 is redirected to the https port, and https traffic is forwarded unmodified to the target hosts configured in hieradata/nodes/proxyin.yaml.
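The following is an added illustration of the configuration shape described above; it is not the output of the CAcert Puppet profile. The host names and backend addresses are constructed placeholders standing in for the entries of the hieradata forwarding map.

```nginx
# Added example, not the Puppet-generated configuration of the proxyin host.
# Host names and backend addresses are constructed placeholders standing in for
# the entries of the profiles::sniproxy::https_forwards map.
events { worker_connections 1024; }

# Port 80: serve nothing locally, redirect every request to https.
http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
}

# Port 443: route by the SNI name in the ClientHello without terminating TLS,
# so the proxy needs no certificate or private key (the backend keeps them).
stream {
    # SNI name -> backend address. Unknown or missing SNI maps to an empty
    # upstream, which makes nginx close the session instead of forwarding it.
    map $ssl_preread_server_name $sni_backend {
        hostnames;
        svc-a.example.org   10.0.0.11:443;   # constructed placeholder
        svc-b.example.org   10.0.0.12:443;   # constructed placeholder
        default             "";
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;                # parse the ClientHello only, no decryption
        proxy_pass $sni_backend;
        proxy_connect_timeout 5s;
        # Backends see the proxy's address as the client; enable proxy_protocol
        # on both sides if they need the real client IP for logging or filtering.
    }
}
```

Because TLS is not terminated here, the proxy cannot inspect or filter the HTTPS traffic it forwards; certificate hygiene and application-level access control remain the backend's job.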
Tasks
Adding a new forward entry
Add an entry to the profiles::sniproxy::forwarded item in hieradata/nodes/proxyin.yaml in the CAcert Git repository cacert-puppet and adjust the firewall configuration on Infra02. If you want to switch an existing service to the SNI proxy, you will also need to request the DNS changes from the critical team.
Changes
Planned
None
System Future
No plans
Additional documentation