Webstatic
Purpose
This system provides a web server for serving static content. HTTP requests for this system are proxied through Web, which also handles TLS termination and redirects http scheme URLs to https.
Application Links
- Code Documentation
- Funding
- Infrastructure Documentation
- CAcert internal Debian repository
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Todo: find an additional admin
Application Administration
| Application | Administrator(s) |
|---|---|
| Apache httpd | |
Contact
Additional People
No additional people have access to this machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet: reverse proxied from Web
- IP Intranet:
- IP Internal:
- MAC address: 00:ff:67:39:23:f2 (eth0)
See also: Network
Monitoring
- internal checks:
DNS
| Name | Type | Content |
|---|---|---|
| codedocs.cacert.org. | IN CNAME | web.cacert.org. |
| funding.cacert.org. | IN CNAME | web.cacert.org. |
| infradocs.cacert.org. | IN CNAME | web.cacert.org. |
| webstatic.cacert.org. | IN A | 213.154.225.242 |
| webstatic.cacert.org. | IN SSHFP | 1 1 30897A7A984D8350495946D54C6374E9331237EF |
| webstatic.cacert.org. | IN SSHFP | 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F |
| webstatic.cacert.org. | IN SSHFP | 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6 |
| webstatic.cacert.org. | IN SSHFP | 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547 |
| webstatic.cacert.org. | IN SSHFP | 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4 |
| webstatic.cacert.org. | IN SSHFP | 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7 |
| webstatic.intra.cacert.org. | IN A | 172.16.2.116 |
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | local | mail delivery to local MTA |
| 80/tcp | http | ANY | application |
| 5665/tcp | icinga2 | monitor | remote monitoring service |
Running services
| Service | Usage | Start mechanism |
|---|---|---|
| Apache httpd | Webserver for static content | systemd unit |
| cron | job scheduler | systemd unit |
| dbus-daemon | System message bus daemon | systemd unit |
| Exim | SMTP server for local mail submission | systemd unit |
| icinga2 | Icinga2 monitoring agent | systemd unit |
| openssh server | ssh daemon for remote administration | systemd unit |
| Puppet agent | configuration management agent | systemd unit |
| rsyslog | syslog daemon | systemd unit |
Connected Systems
Outbound network connections
Security
SSH host keys
| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | |
| ECDSA | |
| ED25519 | |
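As an added example (not part of the CAcert documentation or its Puppet code), the following Python computes the SSHFP fingerprints of an OpenSSH host key the way `ssh-keygen -r` does and checks them against the records published for webstatic.cacert.org in the DNS table above. The sample key is a constructed ED25519 key, which also shows that a host key whose algorithm has no SSHFP record cannot be verified through DNS at all.

```python
import base64
import hashlib

# Algorithm numbers used in SSHFP records (RFC 4255, RFC 6594).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}
# SSHFP records published for webstatic.cacert.org, copied from the DNS table.
PUBLISHED_SSHFP = {
    (1, 1, "30897A7A984D8350495946D54C6374E9331237EF"),
    (1, 2, "32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F"),
    (2, 1, "868361A51EC60607BFD964D0F8F3E4EE5E803FC6"),
    (2, 2, "A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547"),
    (3, 1, "7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4"),
    (3, 2, "68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7"),
}

def fingerprint(key_blob, fptype):
    """Hex fingerprint of a raw SSH public key blob, as carried in an SSHFP record."""
    return SSHFP_HASHES[fptype](key_blob).hexdigest().upper()

def sshfp_records(pubkey_line):
    """(algorithm, fptype, fingerprint) records for one OpenSSH public key line,
    i.e. what `ssh-keygen -r` would emit for that key."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the wire-format key blob is what gets hashed
    alg = SSHFP_ALGORITHMS[keytype]
    return {(alg, fptype, fingerprint(blob, fptype)) for fptype in SSHFP_HASHES}

def verify_host_key(pubkey_line, published=PUBLISHED_SSHFP):
    """Return "match", "mismatch" or "unpublished" for a host key against SSHFP
    records. "unpublished" means the zone has no record for the key's algorithm
    (the case for ED25519 here, since only algorithms 1-3 are published)."""
    computed = sshfp_records(pubkey_line)
    alg = next(iter(computed))[0]
    candidates = {r for r in published if r[0] == alg}
    if not candidates:
        return "unpublished"
    # Prefer SHA-256 when the zone publishes it; a SHA-1-only match is weaker.
    preferred = {r for r in candidates if r[1] == 2} or candidates
    return "match" if preferred & computed else "mismatch"

# Constructed sample key (32 zero bytes, not a real host key) in OpenSSH wire
# format: length-prefixed "ssh-ed25519" followed by the length-prefixed key.
_blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
         + (32).to_bytes(4, "big") + bytes(32))
SAMPLE_ED25519_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"
```

Feed it the contents of a real `ssh_host_*_key.pub` file to compare the key a host presents with what its zone publishes.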
Dedicated user roles
| Role | Purpose |
|---|---|
| jenkins-infradocs | Used by Jenkins to upload documentation to |
Todo: manage jenkins-infradocs user via Puppet
Non-distribution packages and modifications
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Risk assessments on critical packages
Apache httpd is configured with the minimum set of modules needed to serve static content and nothing else, to reduce potential security risks.
Access to the jenkins-infradocs user is gated by a defined ssh key.
The system uses third-party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The Puppet agent is not exposed for access from outside the system.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Keys and X.509 certificates
The host does not provide TLS services of its own and therefore holds no certificates.
Apache httpd configuration
Apache configuration is managed via the Puppet profile profiles::static_websites.
Debian repository configuration
The Debian repository is managed via the Puppet profile profiles::debarchive. Packages that are uploaded to /srv/upload/incoming are automatically processed by inoticoming and reprepro. Only packages signed by a known PGP key (managed via Puppet) are accepted and provided at https://webstatic.infra.cacert.org/.
The repository signing key is stored in /srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key.
Tasks
Changes
Planned
System Future
No plans
Additional documentation