Differences between revisions of "Sito/Technical documentation"
(→E-mail: todo)
m (improve hardening)
Riga 61: | Riga 61: | ||
<pre> | <pre> | ||
# first step: make whole application read-only for everyone | # first step: make whole application read-only for everyone | ||
− | chown root: -R | + | chown root: -R /var/www/wmi/wordpress |
# second step: protect some secrets | # second step: protect some secrets | ||
− | chmod o= | + | chmod o= /var/www/wmi/{tmp,session} |
− | + | chmod o= /var/www/wmi/wordpress/wp-config.php | |
− | chmod o= | + | chown root:apache-wmi /var/www/wmi/wordpress/wp-config.php |
− | chown apache-wmi | ||
# third step: allow write-mode on some locations | # third step: allow write-mode on some locations | ||
− | chown -R apache-wmi: /var/www/wmi/ | + | chown -R apache-wmi: /var/www/wmi/{tmp,session} |
− | chown apache-wmi: | + | chown -R apache-wmi: /var/www/wmi/wordpress/wp-content |
</pre> | </pre> | ||
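Review bot: the first step still only changes ownership (`chown root: -R /var/www/wmi/wordpress`), and chown never touches mode bits, so any group- or world-writable file the upgrade left behind stays writable and the comment "read-only for everyone" is not actually guaranteed; add `chmod -R go-w /var/www/wmi/wordpress` right after that chown, and make the wp-config.php step explicit with `chmod 640` so the apache-wmi group keeps read access after `chown root:apache-wmi`. Worth a comment in the third step as well: `chown -R apache-wmi: /var/www/wmi/wordpress/wp-content` hands plugins/ and themes/ (executable PHP) to the PHP-FPM user, so the read-only goal only covers WordPress core; if only uploads need to be writable at runtime, scope that chown to wp-content/uploads and let plugin updates go through the Update procedure.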
Revision as of 09:22, 6 March 2021
Public technical documentation for the https://www.wikimedia.it/ website.
Server access
ssh fabula.wikimedia.it
To request access:
Overview
┌─────┐          ┌─────────────────┐          ┌───────────────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
└──┬──┘          └────────┬────────┘          └───────┬───────┘
   │       request        │                           │
   │<────────────────────>│                           │
   │                      │          request          │
   │                      │<─────────────────────────>│
┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
└─────┘          └─────────────────┘          └───────────────┘
File system
The application is under:
/var/www/wmi/wordpress
Database
The database is called WMIDB. It has a dedicated database user with the same name.
Update
Normally, for security reasons, the application is kept read-only: owned and writable only by root.
Before you can run an update you have to hand the tree to the PHP-FPM user:
chown apache-wmi: -R /var/www/wmi/wordpress
Then, once the upgrade is finished, run the #Hardening steps again.
Hardening
After you have done any #Update, please execute this hardening process:
# first step: make whole application read-only for everyone
chown root: -R /var/www/wmi/wordpress
# second step: protect some secrets
chmod o= /var/www/wmi/{tmp,session}
chmod o= /var/www/wmi/wordpress/wp-config.php
chown root:apache-wmi /var/www/wmi/wordpress/wp-config.php
# third step: allow write-mode on some locations
chown -R apache-wmi: /var/www/wmi/{tmp,session}
chown -R apache-wmi: /var/www/wmi/wordpress/wp-content
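The Update and Hardening steps above, wrapped into one script together with an audit that verifies the tree actually ended up in the intended state (root-owned code, no write bit for the PHP-FPM user outside wp-content, no "other" bit on the secrets). This is an added example written for this page, not a script from the wikimedia.it server: the `wmi_*` function names, the audit tags, the `chmod -R go-w` in the hardening function and the parameterised root path and user are assumptions that go beyond the page; the defaults are the page's own values.

```shell
#!/bin/sh
# Added example for this page, not a script taken from the wikimedia.it server.
# It wraps the page's Update and Hardening steps in functions and adds an audit
# that checks the tree really ended up in the intended state. The root path and
# the PHP-FPM user are parameters (defaults are the page's values), so the audit
# can be exercised on a scratch copy of the tree without root. Function names,
# the audit tags and the extra chmod in wmi_harden are assumptions, not page content.
set -eu

WMI_ROOT="${WMI_ROOT:-/var/www/wmi}"      # no trailing slash
RUN_USER="${RUN_USER:-apache-wmi}"

# "Update" step from the page: hand the tree to the PHP-FPM user before upgrading.
# $1 = root (e.g. /var/www/wmi), $2 = PHP-FPM user. Needs root.
wmi_prepare_update() {
    chown -R "$2:" "$1/wordpress"
}

# "Hardening" steps 1-3 from the page. Needs root.
wmi_harden() {
    # step 1: whole application read-only for everyone
    chown -R root: "$1/wordpress"
    # assumption beyond the page: chown never touches mode bits, so clear any
    # group/other write bit the upgrade may have left behind
    chmod -R go-w "$1/wordpress"
    # step 2: protect some secrets (root-owned, group-readable by the PHP user)
    chmod o= "$1/tmp" "$1/session"
    chmod o= "$1/wordpress/wp-config.php"
    chown "root:$2" "$1/wordpress/wp-config.php"
    # step 3: the only locations the PHP-FPM user may write
    chown -R "$2:" "$1/tmp" "$1/session"
    chown -R "$2:" "$1/wordpress/wp-content"
}

# Audit: prints one "TAG path" line per finding, nothing when clean.
#   WRITABLE-BY-PHP  a file outside wp-content that the PHP-FPM user could change
#                    (owned by that user, or group/other-writable)
#   SECRET-EXPOSED   wp-config.php, tmp/ or session/ still has an "other" bit set
wmi_audit() {
    find "$1/wordpress" -path "$1/wordpress/wp-content" -prune -o \
        \( -user "$2" -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE-BY-PHP /'
    find "$1/wordpress/wp-config.php" "$1/tmp" "$1/session" -maxdepth 0 \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/SECRET-EXPOSED /'
}

# Exit status 0 only when the audit reports nothing.
wmi_audit_ok() {
    [ "$(wmi_audit "$1" "$2" | wc -l)" -eq 0 ]
}

# Usage: sh wmi-harden.sh prepare|harden|audit [ROOT] [USER]
case "${1:-}" in
    prepare) wmi_prepare_update "${2:-$WMI_ROOT}" "${3:-$RUN_USER}" ;;
    harden)  wmi_harden "${2:-$WMI_ROOT}" "${3:-$RUN_USER}"
             wmi_audit  "${2:-$WMI_ROOT}" "${3:-$RUN_USER}" ;;
    audit)   wmi_audit  "${2:-$WMI_ROOT}" "${3:-$RUN_USER}" ;;
esac
```

After an upgrade, `sh wmi-harden.sh harden` as root applies the three steps and immediately prints any leftover finding; `sh wmi-harden.sh audit` can be run at any time (for example from cron) and is clean when it prints nothing. The audit deliberately flags ownership by the PHP-FPM user as well as write bits, because a root-owned file that is still mode 666 and an apache-wmi-owned file that is mode 644 are both writable by a compromised PHP process.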
Configuration
WordPress configuration:
nano /var/www/wmi/wordpress/wp-config.php
Apache configuration:
nano /etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-www-txt.conf
PHP-FPM configuration:
nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf
To publish whatever change in Wikimedia Phabricator please run this:
/root/scripts/commit.sh
Log
Generic Apache error log:
tail -f /var/log/httpd/error_log
Generic Apache access log:
tail -f /var/log/httpd/access_log
Service
To apply your changes you need to restart the services.
Service of the apache frontend webserver:
apache2ctl configtest
apache2ctl graceful
Service of the PHP-FPM backend webserver:
systemctl status rh-php73-php-fpm
systemctl restart rh-php73-php-fpm
Unix user
The PHP-FPM application runs under a dedicated low-privileged Unix user:
$ id apache-wmi
uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache)
Created with:
$ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi
TODO
This service uses an SMTP account @wikimedia.it with username noreply.
See #Configuration.
See technical addresses.
Phabricator
- phabricator:search - search recent activity