Revision as of 13:20, 5 March 2021
Public technical documentation for the '''https://www.wikimedia.it/''' website.

== Server access ==

<pre>
ssh fabula.wikimedia.it
</pre>

To request access:

* [[Infrastruttura]]
== Overview ==

<pre>
┌─────┐          ┌─────────────────┐          ┌───────────────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
└──┬──┘          └────────┬────────┘          └───────┬───────┘
   │       request        │                           │
   │<────────────────────>│                           │
   │                      │                           │
   │                      │          request          │
   │                      │<─────────────────────────>│
┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
└─────┘          └─────────────────┘          └───────────────┘
</pre>

([http://www.plantuml.com/plantuml/uml/SoWkIImgAStDuNBCoKnELR3HjLDGSYn8JCv8LT2miZ1Gi38nCTPKKh1IA4ejB4qjBk728WlH5U0HeEiMu0kKi3GmGDNZa9gN0hG30000 refresh])
== File system ==

The application is under:

<pre>
/var/www/wmi/wordpress
</pre>

== Database ==

The database is called <code>WMIDB</code>.

It has a dedicated database user with the same name.
== Update ==

Before you can run an update, run this:

<pre>
chown apache-wmi: -R /var/www/wmi/wordpress
</pre>

When your upgrade is concluded, run the [[#Hardening]] steps again.
== Hardening ==

After any [[#Update]], run this hardening process:

<pre>
# first step: make the whole application read-only for everyone
chown root: -R /var/www/wmi/wordpress

# second step: protect some secrets
chmod o= /var/www/wmi/{tmp,session}
chown apache-wmi: /var/www/wmi/{tmp,session}
chmod o= /var/www/wmi/wordpress/wp-config.php
chown apache-wmi: /var/www/wmi/wordpress/wp-config.php

# third step: allow write-mode on some locations
chown -R apache-wmi: /var/www/wmi/wordpress/wp-content
chown apache-wmi: /var/www/wmi/{tmp,session}
</pre>
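An added audit, not part of the wiki page or of the server's own scripts, for checking after an update that the tree still matches the layout the hardening steps above produce (root-owned read-only core, apache-wmi-owned wp-content, and no "other" bits on tmp, session and wp-config.php). The function name wmi_audit and its three arguments are assumptions; on fabula it would be run as wmi_audit /var/www/wmi/wordpress root apache-wmi.

```shell
#!/bin/sh
# Added example (not the wiki's script): audit the layout the hardening
# steps produce. Function name and arguments are assumptions.
#   wmi_audit ROOT RO_USER RW_USER
#   ROOT     WordPress tree (on fabula: /var/www/wmi/wordpress); tmp/ and
#            session/ are expected next to it, as in the hardening script
#   RO_USER  expected owner of the read-only core (root)
#   RW_USER  PHP-FPM user owning wp-content and the secrets (apache-wmi)
# Prints one line per problem; returns 1 if any was found, 0 otherwise.

# accept a user name or a numeric uid
to_uid() { case $1 in *[!0-9]*) id -u "$1" ;; *) echo "$1" ;; esac; }

wmi_audit() {
    root=${1%/}; ro_uid=$(to_uid "$2"); rw_uid=$(to_uid "$3"); bad=0
    base=$(dirname "$root")

    # secrets and scratch dirs: owned by the PHP-FPM user, nothing for "other"
    for f in "$root/wp-config.php" "$base/tmp" "$base/session"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"; bad=$((bad + 1)); continue
        fi
        mode=$(stat -c %a "$f"); uid=$(stat -c %u "$f")
        case $mode in
            *[1-7]) echo "world-accessible (mode $mode): $f"; bad=$((bad + 1)) ;;
        esac
        [ "$uid" = "$rw_uid" ] || { echo "owner uid $uid, want $rw_uid: $f"; bad=$((bad + 1)); }
    done

    # wp-content is the only part of the tree the application may write
    uid=$(stat -c %u "$root/wp-content")
    [ "$uid" = "$rw_uid" ] || { echo "owner uid $uid, want $rw_uid: $root/wp-content"; bad=$((bad + 1)); }

    # everything else: owned by RO_USER and not writable by group or others
    drift=$(find "$root" -path "$root/wp-content" -prune -o -path "$root/wp-config.php" -o \
        \( ! -uid "$ro_uid" -o -perm /022 \) -print)
    if [ -n "$drift" ]; then
        printf 'not read-only for uid %s (wrong owner or g/o write bit):\n%s\n' "$ro_uid" "$drift"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}
```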
== Configuration ==

WordPress configuration:

<pre>
nano /var/www/wmi/wordpress/wp-config.php
</pre>

Apache configuration:

<pre>
nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/httpd/sites-available/it-wikimedia-www-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf]]
nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/httpd/sites-available/it-wikimedia-www-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-www-txt.conf]]
</pre>

PHP-FPM configuration:

<pre>
nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf
</pre>

To publish any change to Wikimedia Phabricator, run this:

<pre>
/root/scripts/commit.sh
</pre>
== Log ==

Generic Apache error log:

<pre>
tail -f /var/log/httpd/error_log
</pre>

Generic Apache access log:

<pre>
tail -f /var/log/httpd/access_log
</pre>
== Service ==

To apply your changes, restart the services.

Apache frontend web server:

<pre>
apache2ctl configtest
apache2ctl graceful
</pre>

PHP-FPM backend:

<pre>
systemctl status rh-php73-php-fpm
systemctl restart rh-php73-php-fpm
</pre>
== Unix user ==

The PHP-FPM application runs under a dedicated low-privileged Unix user:

<pre>
$ id apache-wmi
uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache)
</pre>

Created with:

<pre>
$ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi
</pre>
== E-mail ==

This service uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>.

See [[#Configuration]].

See [[Associazione:Mail/Caselle tecniche|technical addresses]].
== Phabricator ==

* [[phabricator:search/query/mTCwTQdJGR4a/#R|phabricator:search]] - search recent activity