Webstatic

Purpose

This system provides a web server for serving static content. HTTP requests for this system are proxied through Web which also handles TLS termination and redirects from http scheme URLs to https.

Application Links

Code Documentation

https://codedocs.cacert.org/

Funding

https://funding.cacert.org/

Infrastructure Documentation

https://infradocs.cacert.org/

CAcert internal Debian repository

https://webstatic.infra.cacert.org/

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: None

Todo

find an additional admin

Application Administration

Application	Administrator(s)
Apache httpd	Jan Dittberner
Gitolite	Jan Dittberner

Contact

• webstatic-admin@cacert.org

Additional People

No additional people have access to this machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

reverse proxied from Web

IP Intranet

172.16.2.116

IP Internal

10.0.0.116

MAC address

00:ff:67:39:23:f2 (eth0)

See also

See Network

Monitoring

internal checks

Monitoring checks for webstatic.infra.cacert.org

DNS

Name	Type	Content
codedocs.cacert.org.	IN CNAME	web.cacert.org.
funding.cacert.org.	IN CNAME	web.cacert.org.
infradocs.cacert.org.	IN CNAME	web.cacert.org.
webstatic.cacert.org.	IN A	213.154.225.242
webstatic.cacert.org.	IN SSHFP	1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org.	IN SSHFP	1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org.	IN SSHFP	2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org.	IN SSHFP	2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org.	IN SSHFP	3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org.	IN SSHFP	3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org.	IN A	172.16.2.116

See also

See Wiki SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 9.9

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	application
5666/tcp	nrpe	monitor	remote monitoring service

Running services

Service	Usage	Start mechanism
Apache httpd	Webserver for static content	init script /etc/init.d/apache2
cron	job scheduler	init script /etc/init.d/cron
Exim	SMTP server for local mail submission	init script /etc/init.d/exim4
Nagios NRPE server	remote monitoring service queried by Monitor	init script /etc/init.d/nagios-nrpe-server
openssh server	ssh daemon for remote administration and git access	init script /etc/init.d/ssh
Puppet agent	configuration management agent	init script /etc/init.d/puppet
rsyslog	syslog daemon	init script /etc/init.d/syslog

Connected Systems

• Jenkins for publishing code documentation to codedocs.cacert.org and infrastructure documentation to infradocs.cacert.org

• Monitor

• Web as reverse proxy for hostnames funding.cacert.org and infradocs.cacert.org

Outbound network connections

• Infra02 as resolving nameserver

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8, MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
DSA	SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc, MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
ECDSA	SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc, MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
ED25519	SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A, MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d

See also

SSH host key list

Dedicated user roles

Role	Purpose
jenkins-infradocs	Used by Jenkins to upload documentation to /var/www/codedocs.cacert.org/html/ and /var/www/infradocs.cacert.org/html/

Todo

manage jenkins-infradocs user via Puppet

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

Apache httpd is configured with a minimum of enabled modules to allow serving static content and nothing else to reduce potential security risks.

Access to the jenkins-infradocs user is gated by a defined ssh key.

The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

The host does not provide own TLS services and therefore has no certificates.

Apache httpd configuration

Apache configuration is managed via the Puppet profile profiles::static_websites.

Debian repository configuration

The Debian repository is managed via the Puppet profile profiles::debarchive. Packages that are uploaded to /srv/upload/incoming are automatically processed by inoticoming and reprepro. Only packages signed by a known PGP key (managed via Puppet) are accepted and provided at https://webstatic.infra.cacert.org/.

The repository signing key is stored in /srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key.

Tasks

Changes

Planned

Todo

update to Debian 10 (when Puppet is available)

System Future

• No plans

Additional documentation

See also

• Wiki Exim4Configuration

References

• http://httpd.apache.org/docs/2.4/

• https://manpages.debian.org/buster/inoticoming/inoticoming.1.en.html

• https://manpages.debian.org/buster/reprepro/reprepro.1.en.html