Webstatic¶
Purpose¶
This system provides a web server for serving static content. HTTP requests for this system are proxied through Web which also handles TLS termination and redirects from http scheme URLs to https.
Application Links¶
- Code Documentation
- Funding
- Infrastructure Documentation
- CAcert internal Debian repository
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Todo
find an additional admin
Application Administration¶
Application | Administrator(s)
---|---
Apache httpd |
Contact¶
Additional People¶
No additional people have access to this machine.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet: reverse proxied from Web
- IP Intranet:
- IP Internal:
- MAC address: 00:ff:67:39:23:f2 (eth0)
See also
See Network
Monitoring¶
- internal checks:
DNS¶
Name | Type | Content
---|---|---
codedocs.cacert.org. | IN CNAME | web.cacert.org.
funding.cacert.org. | IN CNAME | web.cacert.org.
infradocs.cacert.org. | IN CNAME | web.cacert.org.
webstatic.cacert.org. | IN A | 213.154.225.242
webstatic.cacert.org. | IN SSHFP | 1 1 30897A7A984D8350495946D54C6374E9331237EF
webstatic.cacert.org. | IN SSHFP | 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
webstatic.cacert.org. | IN SSHFP | 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
webstatic.cacert.org. | IN SSHFP | 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
webstatic.cacert.org. | IN SSHFP | 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
webstatic.cacert.org. | IN SSHFP | 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
webstatic.intra.cacert.org. | IN A | 172.16.2.116
See also
Operating System¶
Debian GNU/Linux 12 Bookworm
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | application
5665/tcp | icinga2 | monitor | remote monitoring service
Running services¶
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for static content | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus daemon | systemd unit
Exim | SMTP server for local mail submission | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Puppet agent | configuration management agent | systemd unit
Connected Systems¶
Outbound network connections¶
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
See also
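The SSHFP records in the DNS table above are hashes of the raw host key blobs (SHA-1 for fingerprint type 1, SHA-256 for type 2), so they can be checked against what the host actually presents. The following Python script is an added example, not part of the CAcert documentation or the cacert-puppet code: it computes the SSHFP rdata for public key lines as printed by `ssh-keyscan` and reports which published records match, which keys lack a record, and which records no current key explains. The sample key blob is constructed and is not a real host key.

```python
import base64
import hashlib

# SSHFP algorithm numbers keyed by OpenSSH key-type token
# (RSA=1, DSA=2, ECDSA=3, Ed25519=4 per RFC 4255 / 6594 / 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """SSHFP rdata ("alg fptype HEX") for one OpenSSH public key line, either
    ssh-keyscan form ("host type base64") or key-file form ("type base64
    [comment]"). The fingerprint is the hash of the base64-decoded key blob."""
    fields = pubkey_line.split()
    if len(fields) >= 3 and fields[1] in SSHFP_ALGORITHM:
        key_type, blob_b64 = fields[1], fields[2]   # ssh-keyscan form
    else:
        key_type, blob_b64 = fields[0], fields[1]   # key-file form
    alg = SSHFP_ALGORITHM[key_type]
    blob = base64.b64decode(blob_b64)
    return [f"{alg} {fptype} {h(blob).hexdigest().upper()}"
            for fptype, h in FINGERPRINT_HASHES.items()]


def check_against_dns(pubkey_lines, dns_sshfp):
    """Compare the keys a host presents with the SSHFP set published in DNS.
    Returns (matched, unpublished, unexplained): records on both sides, keys
    the host has but DNS lacks, and DNS records no current key produces."""
    presented = {r for line in pubkey_lines for r in sshfp_records(line)}
    published = {" ".join(r.split()).upper() for r in dns_sshfp}
    return (sorted(presented & published),
            sorted(presented - published),
            sorted(published - presented))


if __name__ == "__main__":
    # Constructed sample, not a real host key: the key blob is just b"abc".
    scan = ["webstatic.example ssh-ed25519 " + base64.b64encode(b"abc").decode()]
    print(check_against_dns(scan, ["4 1 a9993e364706816aba3e25717850c26c9cd0d89d"]))
```

The DNS table above publishes records for algorithms 1 to 3 only, so an Ed25519 host key would appear in the `unpublished` list and a record left over from a key rotation in `unexplained`.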
Dedicated user roles¶
Role | Purpose
---|---
jenkins-infradocs | Used by Jenkins to upload documentation to
Todo
manage jenkins-infradocs user via Puppet
Non-distribution packages and modifications¶
None
Risk assessments on critical packages¶
Apache httpd is configured with the minimum set of modules needed to serve static content, and nothing else, to keep its attack surface small.
Access to the jenkins-infradocs user is restricted to a defined SSH key.
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Keys and X.509 certificates¶
The host does not provide TLS services of its own and therefore has no certificates.
Apache httpd configuration¶
Apache configuration is managed via the Puppet profile profiles::static_websites.
Debian repository configuration¶
The Debian repository is managed via the Puppet profile profiles::debarchive. Packages that are uploaded to /srv/upload/incoming are automatically processed by inoticoming and reprepro. Only packages signed by a known PGP key (managed via Puppet) are accepted and provided at https://webstatic.infra.cacert.org/.
The repository signing key is stored in /srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key.
Tasks¶
Changes¶
Planned¶
System Future¶
No plans
Additional documentation¶
See also