Differenze tra le versioni di "Sito/Technical documentation"
< Sito
Jump to navigation
Jump to search
m (→Hardening: tab) |
(more info) |
||
| Riga 1: | Riga 1: | ||
{{Bozza}} | {{Bozza}} | ||
| + | Public technical documentation for the '''https://www.wikimedia.it/''' website. | ||
| − | == | + | == Server access == |
| + | |||
| + | <pre> | ||
| + | ssh fabula.wikimedia.it | ||
| + | </pre> | ||
| + | |||
| + | To request access: | ||
| + | |||
| + | * [[Infrastruttura]] | ||
| − | + | == Overview == | |
<pre> | <pre> | ||
| − | + | ┌─────┐ ┌─────────────────┐ ┌───────────────┐ | |
| + | │Alice│ │Apache (:80 :443)│ │PHP-FPM (:9003)│ | ||
| + | └──┬──┘ └────────┬────────┘ └───────┬───────┘ | ||
| + | │ request │ │ | ||
| + | │<────────────────────>│ │ | ||
| + | │ │ │ | ||
| + | │ │ request │ | ||
| + | │ │<─────────────────────────>│ | ||
| + | ┌──┴──┐ ┌────────┴────────┐ ┌───────┴───────┐ | ||
| + | │Alice│ │Apache (:80 :443)│ │PHP-FPM (:9003)│ | ||
| + | └─────┘ └─────────────────┘ └───────────────┘ | ||
</pre> | </pre> | ||
| + | |||
| + | ([http://www.plantuml.com/plantuml/uml/SoWkIImgAStDuNBCoKnELR3HjLDGSYn8JCv8LT2miZ1Gi38nCTPKKh1IA4ejB4qjBk728WlH5U0HeEiMu0kKi3GmGDNZa9gN0hG30000 refresh]) | ||
| + | |||
| + | == File system == | ||
| + | |||
| + | The application is under: | ||
| + | |||
| + | /var/www/wmi/wordpress | ||
| + | |||
| + | == Database == | ||
| + | |||
| + | The database is called <code>WMIDB</code>. | ||
| + | |||
| + | It has a dedicated user called in the same way. | ||
| + | |||
| + | == Update == | ||
| + | |||
| + | Before being able to do an update, run this: | ||
<pre> | <pre> | ||
| − | + | chown apache-wmi: -R /var/www/wmi/wordpress | |
| − | |||
</pre> | </pre> | ||
| + | |||
| + | When your upgrade is concluded, run again the [[#Hardening]] part. | ||
== Hardening == | == Hardening == | ||
| + | |||
| + | After you have done any [[#Update]], please execute this hardening process: | ||
<pre> | <pre> | ||
| Riga 31: | Riga 71: | ||
</pre> | </pre> | ||
| − | == | + | == Configuration == |
| + | |||
| + | WordPress configuration: | ||
| + | |||
| + | nano /var/www/wmi/wordpress/wp-config.php | ||
| + | |||
| + | Apache configuration: | ||
| + | |||
| + | nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/httpd/sites-available/it-wikimedia-www-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf]] | ||
| + | nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/httpd/sites-available/it-wikimedia-www-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-www-txt.conf]] | ||
| + | |||
| + | PHP-FPM configuration: | ||
| + | |||
| + | nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf | ||
| + | |||
| + | To publish whatever change in Wikimedia Phabricator please run this: | ||
| + | |||
| + | <pre> | ||
| + | /root/scripts/commit.sh | ||
| + | </pre> | ||
| + | |||
| + | == Log == | ||
| + | |||
| + | Generic Apache error log: | ||
| + | |||
| + | tail -f /var/log/httpd/error_log | ||
| + | |||
| + | Generic Apache access log: | ||
| + | |||
| + | tail -f /var/log/httpd/access_log | ||
| + | |||
| + | == Service == | ||
| + | |||
| + | To apply your changes you need to restart the services. | ||
| + | |||
| + | Service of the apache frontend webserver: | ||
| + | |||
| + | <pre> | ||
| + | apache2ctl configtest | ||
| + | apache2ctl graceful | ||
| + | </pre> | ||
| + | |||
| + | Service of the PHP-FPM backend webserver: | ||
| + | <pre> | ||
| + | systemctl status rh-php73-php-fpm | ||
| + | systemctl restart rh-php73-php-fpm | ||
| + | </pre> | ||
| + | |||
| + | == Unix user == | ||
| + | |||
| + | The PHP-FPM application runs under a dedicated low-privileged Unix user: | ||
| + | |||
| + | <pre> | ||
| + | $ id apache-wmi | ||
| + | uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache) | ||
| + | </pre> | ||
| − | + | Created with: | |
<pre> | <pre> | ||
| − | + | $ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi | |
</pre> | </pre> | ||
| − | + | == E-mail == | |
| + | |||
| + | This service uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>. | ||
| + | |||
| + | See [[#Configuration]]. | ||
| + | |||
| + | See [[Associazione:Mail/Caselle tecniche|technical addresses]]. | ||
| + | |||
| + | == Phabricator == | ||
| + | |||
| + | * [[phabricator:search/query/mTCwTQdJGR4a/#R|phabricator:search]] - search recent activity | ||
Versione delle 13:20, 5 mar 2021
Questa pagina è una bozza.
Public technical documentation for the https://www.wikimedia.it/ website.
Server access
ssh fabula.wikimedia.it
To request access:
Overview
┌─────┐ ┌─────────────────┐ ┌───────────────┐
│Alice│ │Apache (:80 :443)│ │PHP-FPM (:9003)│
└──┬──┘ └────────┬────────┘ └───────┬───────┘
│ request │ │
│<────────────────────>│ │
│ │ │
│ │ request │
│ │<─────────────────────────>│
┌──┴──┐ ┌────────┴────────┐ ┌───────┴───────┐
│Alice│ │Apache (:80 :443)│ │PHP-FPM (:9003)│
└─────┘ └─────────────────┘ └───────────────┘
(refresh)
File system
The application is under:
/var/www/wmi/wordpress
Database
The database is called WMIDB.
It has a dedicated user called in the same way.
Update
Before being able to do an update, run this:
chown apache-wmi: -R /var/www/wmi/wordpress
When your upgrade is concluded, run again the #Hardening part.
Hardening
After you have done any #Update, please execute this hardening process:
# first step: make whole application read-only for everyone
chown root: -R /var/www/wmi/wordpress
# second step: protect some secrets
chmod o= /var/www/wmi/{tmp,session}
chown apache-wmi: /var/www/wmi/{tmp,session}
chmod o= /var/www/wmi/wordpress/wp-config.php
chown apache-wmi: /var/www/wmi/wordpress/wp-config.php
# third step: allow write-mode on some locations
chown -R apache-wmi: /var/www/wmi/wordpress/wp-content
chown apache-wmi: /var/www/wmi/{tmp,session}
Configuration
WordPress configuration:
nano /var/www/wmi/wordpress/wp-config.php
Apache configuration:
nano /etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf nano /etc/httpd/sites-enabled/it-wikimedia-www-txt.conf
PHP-FPM configuration:
nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf
To publish whatever change in Wikimedia Phabricator please run this:
/root/scripts/commit.sh
Log
Generic Apache error log:
tail -f /var/log/httpd/error_log
Generic Apache access log:
tail -f /var/log/httpd/access_log
Service
To apply your changes you need to restart the services.
Service of the apache frontend webserver:
apache2ctl configtest apache2ctl graceful
Service of the PHP-FPM backend webserver:
systemctl status rh-php73-php-fpm systemctl restart rh-php73-php-fpm
Unix user
The PHP-FPM application runs under a dedicated low-privileged Unix user:
$ id apache-wmi uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache)
Created with:
$ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi
This service uses an SMTP account @wikimedia.it with username noreply.
See #Configuration.
See technical addresses.
Phabricator
- phabricator:search - search recent activity