Web¶
Purpose¶
Reverse proxy in front of several CAcert websites. It redirects HTTP to HTTPS and terminates TLS, so the backends only ever see plain HTTP coming from the proxy. The following services are currently proxied by this system:
Use the proxy for every web application that does not need access to the TLS parameters of the client connection (client certificates or other peer information): TLS is terminated here, and those details are not passed on to the backend. Applications that must perform the TLS handshake themselves can be proxied through Proxyin instead.
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Application Administration¶
| Application | Administrator(s) |
|---|---|
| Apache httpd | |
Contact¶
Additional People¶
No additional people have sudo access on that machine.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:c7:e5:66:ae (eth0)
See also
See Network
Monitoring¶
- internal checks:
DNS¶
| Name | Type | Content |
|---|---|---|
| web.cacert.org. | IN A | 213.154.225.242 |
| web.cacert.org. | IN SSHFP | 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22 |
| web.cacert.org. | IN SSHFP | 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E |
| web.cacert.org. | IN SSHFP | 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2 |
| web.cacert.org. | IN SSHFP | 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F |
| web.cacert.org. | IN SSHFP | 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE |
| web.cacert.org. | IN SSHFP | 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B |
| web.intra.cacert.org. | IN A | 172.16.2.26 |
Todo
add SSHFP for ED25519 key, remove SSHFP for DSA key, add AAAA record for IPv6
See also
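The SSHFP records above are SHA-1 (fingerprint type 1) and SHA-256 (type 2) digests over the raw public key blob, exactly what `ssh-keygen -r web.cacert.org` prints. The following script is an added example, not CAcert tooling: it generates the records for a host key, checks a zone's SSHFP set for the two items in the Todo (DSA still published, ED25519 missing), and performs a simplified version of the client-side `VerifyHostKeyDNS` comparison. The ed25519 key it uses is constructed (bytes 0..31), not the real host key; `SSHFP_RRSET` copies the records listed on this page.

```python
"""SSHFP helper: generate records for a host key, audit a zone's SSHFP set,
and check a presented host key against it.

Added example for the web.cacert.org DNS section, not CAcert tooling. The
ed25519 key below is CONSTRUCTED (32 bytes 0..31); SSHFP_RRSET copies the
records published for web.cacert.org as listed on this page.
"""
import base64
import hashlib
import struct

# Algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3), RFC 7479 (Ed25519=4)
SSHFP_ALG = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
ALG_NAME = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# SSHFP rdata currently published for web.cacert.org (copied from this page)
SSHFP_RRSET = [
    "1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22",
    "1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E",
    "2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2",
    "2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F",
    "3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE",
    "3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B",
]


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, wire blob).
    The blob's first string must repeat the key type, as ssh itself checks."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match blob")
    return keytype, blob


def sshfp_rdata(line: str):
    """SSHFP rdata ("alg fptype HEX") for one public key, one record per
    fingerprint type; the digest is over the raw blob, as ssh-keygen -r does."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALG[keytype]
    return [f"{alg} {fptype} {h(blob).hexdigest().upper()}" for fptype, h in FP_HASH.items()]


def parse_rdata(rr: str):
    """Accept bare "alg fptype hex" or a full "owner IN SSHFP alg fptype hex" line."""
    f = rr.split()
    return int(f[-3]), int(f[-2]), f[-1].upper()


def host_key_in_dns(line: str, rrset):
    """Simplified VerifyHostKeyDNS: 'match' if some record for the key's algorithm
    carries the right digest, 'mismatch' if records for that algorithm exist but
    none match, 'absent' if the zone has no record for this algorithm at all."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALG[keytype]
    result = "absent"
    for rr in rrset:
        a, fptype, hexfp = parse_rdata(rr)
        if a != alg or fptype not in FP_HASH:
            continue
        if FP_HASH[fptype](blob).hexdigest().upper() == hexfp:
            return "match"
        result = "mismatch"
    return result


def audit_rrset(rrset):
    """Flag what the Todo on this page asks for: DSA records still published and
    current algorithms (RSA, ECDSA, ED25519) without any record."""
    present = {parse_rdata(rr)[0] for rr in rrset}
    return {
        "legacy": sorted(ALG_NAME[a] for a in present if a == 2),
        "missing": sorted(ALG_NAME[a] for a in (1, 3, 4) if a not in present),
    }


def constructed_ed25519_key() -> str:
    """A syntactically valid ssh-ed25519 public key line with a CONSTRUCTED key
    (not a real host key) so the example runs offline."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_key()
    for rdata in sshfp_rdata(key):
        print("web.cacert.org. IN SSHFP", rdata)
    print(audit_rrset(SSHFP_RRSET))           # DSA is legacy, ED25519 is missing
    print(host_key_in_dns(key, SSHFP_RRSET))  # 'absent' until ED25519 records exist
```

Run it against the real key with `sshfp_rdata(open("/etc/ssh/ssh_host_ed25519_key.pub").read())` and compare with `ssh-keygen -r`. Keep in mind that clients only trust SSHFP answers when the zone is DNSSEC-signed and validated, so publishing the records is only half of the work.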
Operating System¶
Debian GNU/Linux 11 Bullseye
Services¶
Listening services¶
| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | local | mail delivery to local MTA |
| 80/tcp | http | ANY | redirects to https |
| 443/tcp | https | ANY | https termination and reverse proxy |
| 5665/tcp | icinga2 | monitor | remote monitoring service |
Running services¶
| Service | Usage | Start mechanism |
|---|---|---|
| Apache httpd | http redirector, https reverse proxy | systemd unit |
| cron | job scheduler | systemd unit |
| icinga2 | Icinga2 monitoring agent | systemd unit |
| openssh server | ssh daemon for remote administration | systemd unit |
| Postfix | SMTP server for local mail submission | systemd unit |
| Puppet agent | configuration management agent | systemd unit |
| rsyslog | syslog daemon | systemd unit |
Connected Systems¶
Outbound network connections¶
Security¶
SSH host keys¶
| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | - |
| ECDSA | |
| ED25519 | |
See also
Non-distribution packages and modifications¶
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Risk assessments on critical packages¶
Apache httpd runs with only the modules needed for TLS termination and reverse proxying enabled, which keeps its attack surface small.
The third-party packages on the system have a good security track record and receive regular updates. Only the ports in the listening services table (ssh, http, https and the Icinga2 agent) are reachable from outside the host; the Puppet agent is not exposed to the network.
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Keys and X.509 certificates¶
All keys and certificates are managed in the file hieradata/nodes/web.yaml in the CAcert Git repository cacert-puppet.
- Certificate for CN codedocs.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/certs/codedocs.cacert.org.crt
  - private key in file /etc/ssl/private/codedocs.cacert.org.key
- Certificate for CN funding.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/certs/funding.cacert.org.crt
  - private key in file /etc/ssl/private/funding.cacert.org.key
- Certificate for CN infradocs.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/certs/infradocs.cacert.org.crt
  - private key in file /etc/ssl/private/infradocs.cacert.org.key
- Certificate for CN jenkins.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/certs/jenkins.cacert.org.crt
  - private key in file /etc/ssl/private/jenkins.cacert.org.key
- Certificate for CN web.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/certs/web.cacert.org.crt
  - private key in file /etc/ssl/private/web.cacert.org.key
- /usr/share/ca-certificates/CAcert/class3_X0E.crt: CAcert.org Class 3 certificate for server certificate chains. The file is installed from the Debian package ca-cacert.
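A quick consistency check for the files listed above, added here as an example (it is not part of cacert-puppet): for every CN it confirms that the private key belongs to the certificate, that the certificate was issued under the Class 3 intermediate, and how long it remains valid. It assumes the paths documented on this page, must run as root on web because /etc/ssl/private is not world-readable, and uses GNU date for the expiry arithmetic.

```sh
#!/bin/sh
# Added example, not CAcert's Puppet code. Paths are the ones documented on this
# page; CNS repeats the CNs from the certificate list above.

CERT_DIR=/etc/ssl/certs
KEY_DIR=/etc/ssl/private
CHAIN=/usr/share/ca-certificates/CAcert/class3_X0E.crt
CNS="codedocs.cacert.org funding.cacert.org infradocs.cacert.org jenkins.cacert.org web.cacert.org"

# cert_key_match CERT KEY: succeed iff the certificate's public key equals the
# public half of KEY. Both are compared in SubjectPublicKeyInfo PEM form, so
# the check works for RSA and EC keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_chain_ok CERT CAFILE: succeed iff CERT was issued under CAFILE.
# class3_X0E.crt is an intermediate, not a root, so -partial_chain is needed
# to let openssl treat it as the trust anchor for this check.
cert_chain_ok() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_days_left CERT: print the days until notAfter (negative once expired).
# Relies on GNU date -d, which is what Debian ships.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 2
    end_epoch=$(date -d "$end" +%s 2>/dev/null) || return 2
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# check_all: run the three checks for every CN; exit status 1 if anything failed.
check_all() {
    rc=0
    for cn in $CNS; do
        cert="$CERT_DIR/$cn.crt"
        key="$KEY_DIR/$cn.key"
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            echo "$cn: skipped, files not readable here (run as root on web)"
            continue
        fi
        if cert_key_match "$cert" "$key"; then echo "$cn: key matches certificate"
        else echo "$cn: KEY DOES NOT MATCH CERTIFICATE"; rc=1; fi
        if cert_chain_ok "$cert" "$CHAIN"; then echo "$cn: issued under $CHAIN"
        else echo "$cn: does NOT verify against $CHAIN"; rc=1; fi
        days=$(cert_days_left "$cert") && echo "$cn: $days days until expiry"
    done
    return $rc
}

check_all
```

A failing `cert_key_match` after a Puppet run usually means hieradata/nodes/web.yaml carries a renewed certificate with the old key (or vice versa); Apache will refuse to start on that vhost, so this is worth running before `apache2ctl graceful`.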
Apache httpd configuration¶
Apache httpd configuration is fully managed by Puppet. The VirtualHosts are defined in hieradata/nodes/web.yaml and the configuration is done via the web_proxy profile in sitemodules/profiles/manifests/web_proxy.pp of the CAcert Git repository cacert-puppet.
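For orientation, this is the shape of one proxied site as the rest of this page describes it (port 80 redirect, TLS termination with the Class 3 chain, reverse proxy to a backend). It is an added example and not the output of the web_proxy profile: the backend address 172.16.2.40 and its port are assumptions, and the vhost only needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_alias, which is the minimal module set the risk assessment refers to.

```apache
# Added example, not the generated web_proxy configuration.
# Backend 172.16.2.40:80 is an assumption.
<VirtualHost *:80>
    ServerName infradocs.cacert.org
    # Everything on port 80 is redirected to https; the path is preserved.
    Redirect permanent / https://infradocs.cacert.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName infradocs.cacert.org

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/infradocs.cacert.org.crt
    SSLCertificateKeyFile   /etc/ssl/private/infradocs.cacert.org.key
    # Class 3 intermediate from the ca-cacert package; on httpd 2.4.8+ it may
    # instead be appended to SSLCertificateFile.
    SSLCertificateChainFile /usr/share/ca-certificates/CAcert/class3_X0E.crt
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only; never act as a forward proxy for clients.
    ProxyRequests Off
    ProxyPreserveHost On
    # TLS ends here, so tell the backend how the client actually connected.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://172.16.2.40/
    ProxyPassReverse / http://172.16.2.40/
</VirtualHost>
```

Because the backend link is plain HTTP over the intranet, a client certificate presented to this vhost is never visible to the backend; that is the case the Purpose section reserves for Proxyin.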
Tasks¶
Changes¶
Planned¶
System Future¶
No plans
Additional documentation¶
Note
The system hosted the Drupal based community portal https://www.cacert.eu/ in the past. The DNS records for this portal have been changed to point to the regular https://www.cacert.org/ site. All unreachable VirtualHosts have been archived to the backup disk at Infra02.
See also