cacert-sysadm - Re: State of CAcert Infrastructure
  • From: Benny Baumann <benbe AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org, webstatic-admin AT cacert.org, Eva Stöwe <eva.stoewe AT cacert.org>
  • Subject: Re: State of CAcert Infrastructure
  • Date: Tue, 03 Feb 2015 19:51:04 +0100

On 02.02.2015 at 22:43, Ian G wrote:
> Hi Jan,
>
> On 2/02/2015 22:12 pm, Jan Dittberner wrote:
>> Dear system administrators,
>>
>> this is the first edition of a hopefully regular series of "State of the
>> CAcert Infrastructure" mails. I will prepare future editions in the
>> Wiki [1]
>> and welcome contributions from all of you. I hope this mail will help
>> us to
>> get a better overview of what is happening and what everybody is doing.
>> Another idea is to reuse most of this mail and its successors as input
>> for
>> our part for the AGM report [2].
>
> Super! You're 5 months ahead :)
>
>> Webstatic
>> ---------
>>
>> Shortly before FOSDEM Martin Gummi asked me to setup a new container
>> webstatic [12] that will be used to serve static websites for different
>> purposes. The first application on that container is the funding page
>> [13].
>>
>> Martin and Benny Baumann take care of that container and setup a gitolite
>> instance to allow publishing pages via Git.
>
> This is welcome news. Policy Group has dire need of this service. We
> need to be able to handle the pushing of new policy updates without
> going through the Software Assessment system, which is a vestigial
> control left over from the pre-Policy Group days. We already have our
> 20-eyes process in place!
>
> Some quick questions:
>
> What does Policy Group need to do to get access to an instance of this?
Mail an SSH public key (RSA 4096+ or comparable security) to Martin
Gummi or me for each person who should have access to a/the repository.
Providing authenticated read-only access (to the repo) is possible. Also
the name of the subdomain + wish for the name of the repository should
be provided.

>
> Would we need to provide a sysadm or is that part of the service?
That's part of the service. Note that this only includes pushing static
pages/files via Git, thus the webserver on webstatic does not do any
post-processing (like scripting languages, perl, ...). Only plain 1:1
files are delivered.

Also, unless strictly required/requested every subdomain served by
webstatic will get a Content-Security-Policy header restricting use of
everything apart from CSS and images of the same origin domain.
>
> Is there a requirement to use a different domain? This aspect heavily
> affects all the links in policies and other doco.
As webstatic is a (technical) hostname it should not be referred to in
links. Instead a subdomain for content should be used.

On the software side I can ask Wytze to perform proper redirections for
all files within the existing policy directory once things are in place.

Technically reverse-proxying could be used, but as www.cacert.org is a
critical system, while webstatic is not, there is hardly a practical
justification to do this (apart from the security considerations involved).
>
> This system assumes Git, so we would need to transition the WIP policy
> pages to it. Is the Git web-readable by community in some sense?
>
Git is mainly used as a storage/update backend to avoid the otherwise
necessary FTP/SCP access to a broad group. Using gitolite only one,
well-managed (and auditable) point of access is present for changes.

As the setup is intended for static content hosting, and less for broad
public access, it is recommended to do the actual WIP in a more public
space (e.g. github.com/CAcertOrg or git.cacert.org).

Every push to a repository on webstatic automatically publishes the
content on a pre-defined branch (usually master) - with enforced
fast-forward. This might not necessarily be suited for the way Policy
Group works.

>> [12] https://wiki.cacert.org/SystemAdministration/Systems/Webstatic
>> [13] https://funding.cacert.org/
>
>> PS: please excuse my English, I'm not a native speaker
>
> I'm not seeing any issues, but let me know if the correction flag is on.
>
>
>
> iang
>
I hope this answers things.

Regards,
BenBE.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
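As an added illustration of the push-to-publish behaviour Benny describes above (a pre-defined publish branch, enforced fast-forward, and plain 1:1 delivery of files with no server-side processing), here is a sketch of a git "update" hook. This is example code written for this archive page; it is not CAcert's or gitolite's own hook. The branch name, the DOCROOT path, the availability of git and tar on the host, and the choice to combine the fast-forward check and the file export in one script are all assumptions.

```shell
#!/bin/sh
# Constructed example: git "update" hook that (1) only accepts fast-forward
# updates to the publish branch and (2) exports the pushed tree as plain
# files into a web root. Not CAcert's hook; paths and names are assumed.

PUBLISH_BRANCH="${PUBLISH_BRANCH:-master}"   # assumed pre-defined branch
DOCROOT="${DOCROOT:-/var/www/example}"       # assumed web root of the subdomain

# Return 0 when "$new" is reachable from "$old", i.e. old..new is a fast-forward.
# An all-zero old sha means the branch is being created, which is always fine.
is_fast_forward() {
    old="$1"; new="$2"
    case "$old" in *[!0]*) ;; *) return 0 ;; esac
    git merge-base --is-ancestor "$old" "$new"
}

# Hook entry point with git's update-hook arguments: refname old-sha new-sha.
# Returns non-zero (after printing a reason) to make git reject that ref.
check_update() {
    ref="$1"; old="$2"; new="$3"
    case "$ref" in
        "refs/heads/$PUBLISH_BRANCH") ;;
        *) return 0 ;;        # other refs are not published: accept unchanged
    esac
    # An all-zero new sha is a branch deletion; never unpublish by accident.
    case "$new" in *[!0]*) ;; *)
        echo "refusing to delete $PUBLISH_BRANCH" >&2; return 1 ;;
    esac
    if ! is_fast_forward "$old" "$new"; then
        echo "refusing non-fast-forward update of $PUBLISH_BRANCH" >&2
        return 1
    fi
    return 0
}

# Export the commit's tree 1:1 into the web root. Nothing is executed or
# rewritten: the files land on disk exactly as committed.
publish_tree() {
    commit="$1"; dest="${2:-$DOCROOT}"
    mkdir -p "$dest"
    git archive --format=tar "$commit" | tar -x -f - -C "$dest"
}

# When git invokes this file as hooks/update it passes exactly three
# arguments; only then run the check and publish the accepted tree.
if [ "$#" -eq 3 ]; then
    check_update "$1" "$2" "$3" || exit 1
    [ "$1" = "refs/heads/$PUBLISH_BRANCH" ] && publish_tree "$3"
fi
```

git runs the update hook once per pushed ref; a non-zero exit rejects only that ref, which is what gives "enforced fast-forward" its teeth (a rewound or force-pushed master never reaches the web root). In a real deployment one would keep the rejection logic in update and move the export to post-receive, so the tree is written only after git has actually moved the ref. The Content-Security-Policy header mentioned in the mail is set by the webserver, not by this hook; the mail gives no exact value, but a policy matching its description would be `default-src 'none'; img-src 'self'; style-src 'self'`.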