Web

Purpose

Reverse proxy for different websites that handles HTTP-to-HTTPS redirection and TLS handshakes. The following services are currently proxied by this system:

  • Jenkins on Jenkins

  • codedocs.cacert.org, funding.cacert.org and infradocs.cacert.org on Webstatic

The proxy should be used for all web applications that do not need access to the TLS parameters (client certificates, other peer information). Applications that need to perform TLS handshakes themselves can be proxied through Proxyin.

Administration

System Administration

Application Administration

Application    Administrator(s)
-------------  ----------------
Apache httpd   Jan Dittberner

Additional People

Mario Lipinski has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet: 213.154.225.242
IP Intranet: 172.16.2.26
IP Internal: 10.0.0.26
MAC address: 00:ff:c7:e5:66:ae (eth0)

See also

See Network

DNS

Name                   Type      Content
---------------------  --------  ----------------------------------------------------------------------
web.cacert.org.        IN A      213.154.225.242
web.cacert.org.        IN SSHFP  1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
web.cacert.org.        IN SSHFP  1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
web.cacert.org.        IN SSHFP  2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
web.cacert.org.        IN SSHFP  2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
web.cacert.org.        IN SSHFP  3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
web.cacert.org.        IN SSHFP  3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
web.intra.cacert.org.  IN A      172.16.2.26

Operating System

  • Debian GNU/Linux 9.4

Services

Listening services

Port      Service  Origin   Purpose
--------  -------  -------  -----------------------------------
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      redirects to https
443/tcp   https    ANY      https termination and reverse proxy
5666/tcp  nrpe     monitor  remote monitoring service

Running services

Service             Usage                                         Start mechanism
------------------  --------------------------------------------  ------------------------------------------
Apache httpd        http redirector, https reverse proxy          init script /etc/init.d/apache2
cron                job scheduler                                 init script /etc/init.d/cron
Nagios NRPE server  remote monitoring service queried by Monitor  init script /etc/init.d/nagios-nrpe-server
openssh server      ssh daemon for remote administration          init script /etc/init.d/ssh
Postfix             SMTP server for local mail submission         init script /etc/init.d/postfix
Puppet agent        configuration management agent                init script /etc/init.d/puppet
rsyslog             syslog daemon                                 init script /etc/init.d/syslog

Connected Systems

Outbound network connections

  • Infra02 as resolving nameserver

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

  • Jenkins as backend for the jenkins.cacert.org VirtualHost

  • Webstatic as backend for the codedocs.cacert.org, funding.cacert.org and infradocs.cacert.org VirtualHosts

Security

SSH host keys

Algorithm  Fingerprints
---------  ----------------------------------------------------------------------------------------------------
RSA        SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4, MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
DSA        SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8, MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
ECDSA      SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs, MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
ED25519    SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk, MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61
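
The SHA256 host key fingerprints listed here and the SSHFP records with fingerprint type 2 in the DNS section describe the same keys in two encodings (unpadded base64 versus hex). The following cross-check is an added example, not part of the original documentation: the function names are illustrative, the values are copied from this page, and the SSHFP algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) are taken from the SSHFP RFCs.

```python
import base64

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {"RSA": 1, "DSA": 2, "ECDSA": 3, "ED25519": 4}

# Fingerprint type 2 (SHA-256) SSHFP records, copied from the DNS table on this page.
SSHFP_SHA256 = {
    1: "D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E",
    2: "DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F",
    3: "0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B",
}

# SHA256 fingerprints copied from the SSH host keys table on this page.
HOST_KEY_FINGERPRINTS = {
    "RSA": "SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4",
    "DSA": "SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8",
    "ECDSA": "SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs",
    "ED25519": "SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk",
}


def fingerprint_to_hex(fingerprint):
    """Convert an OpenSSH 'SHA256:<unpadded base64>' fingerprint to upper-case hex."""
    prefix, _, b64 = fingerprint.partition(":")
    if prefix != "SHA256":
        raise ValueError("not a SHA256 fingerprint: %r" % fingerprint)
    # OpenSSH strips the '=' padding; restore it before decoding.
    digest = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes")
    return digest.hex().upper()


def cross_check(fingerprints, sshfp):
    """Return {algorithm: 'match' | 'mismatch' | 'missing'} for each host key."""
    result = {}
    for name, fingerprint in fingerprints.items():
        published = sshfp.get(SSHFP_ALGORITHM[name])
        if published is None:
            result[name] = "missing"  # no SSHFP record published for this key type
        elif published.upper() == fingerprint_to_hex(fingerprint):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


if __name__ == "__main__":
    for name, status in cross_check(HOST_KEY_FINGERPRINTS, SSHFP_SHA256).items():
        print(name, status)
```

With the values on this page the RSA, DSA and ECDSA entries match, and ED25519 is reported as missing because the DNS table lists no algorithm 4 record.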

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

Apache httpd is configured with a minimal set of enabled modules, allowing only proxying and TLS handling, to reduce potential security risks.

The system uses third-party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The Puppet agent is not exposed for access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo

move configuration of Web to Puppet code

Keys and X.509 certificates

  • Certificate for CN codedocs.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/codedocs.cacert.org.crt

    • private key in file /etc/ssl/private/codedocs.cacert.org.key

  • Certificate for CN funding.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/funding.cacert.org.crt

    • private key in file /etc/ssl/private/funding.cacert.org.key

  • Certificate for CN infradocs.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/infradocs.cacert.org.crt

    • private key in file /etc/ssl/private/infradocs.cacert.org.key

  • Certificate for CN jenkins.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/jenkins.cacert.org.crt

    • private key in file /etc/ssl/private/jenkins.cacert.org.key

  • Certificate for CN web.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/web.cacert.org.crt

    • private key in file /etc/ssl/private/web.cacert.org.key

  • /usr/share/ca-certificates/CAcert/class3.crt CAcert.org Class 3 certificate for server certificate chains. The Apache httpd configuration files reference the symlinked version at /etc/ssl/certs/class3.pem.

Apache httpd configuration

Tasks

Changes

Planned

Todo

manage the web system using Puppet

System Future

  • No plans

Additional documentation

Note

The system hosted the Drupal-based community portal https://www.cacert.eu/ in the past. The DNS records for this portal have been changed to point to the regular https://www.cacert.org/ site. All unreachable VirtualHosts have been archived to the backup disk at Infra02.