Sito/Technical documentation

From Wikimedia Italia.
Page linked to the server ⚙️ fabula
This page is a draft.

Public technical documentation for the https://www.wikimedia.it/ website.

Server access

ssh fabula.wikimedia.it

To request access:

Overview

     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
        │       request        │                           │        
        │<────────────────────>│                           │        
        │                      │                           │        
        │                      │         request           │        
        │                      │<─────────────────────────>│        
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
     └─────┘          └─────────────────┘          └───────────────┘


File system

The application is under:

/var/www/wmi/wordpress

Database

The database is called WMIDB.

It has a dedicated user called in the same way.

Update

Normally, for security reasons, the application should be kept in read-only mode, writable only by root.

Before doing an update, run this:

chown apache-wmi: -R /var/www/wmi/wordpress

Then, when the upgrade is finished, run the #Hardening steps again.

Hardening

After you have done any #Update, please execute this hardening process:

# first step: make whole application read-only for everyone
chown root: -R       /var/www/wmi/wordpress

# second step: protect some secrets
chmod o=             /var/www/wmi/{tmp,session}
chown apache-wmi:    /var/www/wmi/{tmp,session}
chmod o=             /var/www/wmi/wordpress/wp-config.php
chown apache-wmi:    /var/www/wmi/wordpress/wp-config.php

# third step: allow write-mode on some locations
chown -R apache-wmi: /var/www/wmi/wordpress/wp-content
chown apache-wmi:    /var/www/wmi/{tmp,session}
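As an added example (not part of this page, nor one of the fabula server's own scripts), the following POSIX shell script checks that the tree really is in the state the #Update and #Hardening sections describe: nothing under the WordPress tree except wp-content and wp-config.php owned by apache-wmi, no "other" permission bits on tmp, session and wp-config.php, and the writable locations present and owned by the application user. The paths and the apache-wmi user are taken from this page; the function names and the constructed demo tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit that /var/www/wmi is in the
# hardened state the "Hardening" section describes. Paths and the apache-wmi
# user come from the page; function names and the demo tree are this example's own.
# Usage on the server:  sh wmi-audit.sh --audit   (exit status 0 = hardened)

WMI_ROOT="${WMI_ROOT:-/var/www/wmi}"
APP_USER="${APP_USER:-apache-wmi}"

# Rule 1: under the WordPress tree, only wp-content (recursively) and
# wp-config.php may belong to the application user; everything else must be
# root-owned. Prints every offending path.
wmi_find_unexpected_app_owned() {
    find "$WMI_ROOT/wordpress" \
        -path "$WMI_ROOT/wordpress/wp-content" -prune -o \
        -path "$WMI_ROOT/wordpress/wp-config.php" -prune -o \
        -user "$APP_USER" -print
}

# Rule 2: secrets (tmp, session, wp-config.php) must carry no "other" bits,
# i.e. "chmod o=" must have been applied. Prints every offending path.
wmi_find_world_accessible_secrets() {
    for p in "$WMI_ROOT/tmp" "$WMI_ROOT/session" "$WMI_ROOT/wordpress/wp-config.php"; do
        [ -e "$p" ] || { echo "$p (missing)"; continue; }
        find "$p" -maxdepth 0 \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
    done
}

# Rule 3: the writable locations must exist and be owned by the application
# user, otherwise uploads and sessions silently break after hardening.
wmi_find_missing_writable() {
    for p in "$WMI_ROOT/wordpress/wp-content" "$WMI_ROOT/tmp" "$WMI_ROOT/session"; do
        [ -d "$p" ] || { echo "$p (missing)"; continue; }
        find "$p" -maxdepth 0 ! -user "$APP_USER" -print
    done
}

# Runs all three rules; returns 1 if any finding was printed.
wmi_audit() {
    findings=$(
        wmi_find_unexpected_app_owned
        wmi_find_world_accessible_secrets
        wmi_find_missing_writable
    )
    if [ -n "$findings" ]; then
        printf 'NOT HARDENED:\n%s\n' "$findings"
        return 1
    fi
    echo "hardened: ok"
    return 0
}

# Builds a constructed, deliberately half-hardened tree (demonstration only):
# wp-config.php is still world-readable, and every file is owned by whoever
# runs this, standing in for "owned by the application user".
wmi_make_demo_tree() {
    d="$1"
    mkdir -p "$d/wordpress/wp-content/uploads" "$d/tmp" "$d/session"
    : > "$d/wordpress/wp-login.php"
    : > "$d/wordpress/wp-content/uploads/image.png"
    : > "$d/wordpress/wp-config.php"
    chmod o= "$d/tmp" "$d/session"
    chmod o+r "$d/wordpress/wp-config.php"
}

case "${1:-}" in
    --audit) wmi_audit; exit $? ;;
esac
```

Run it with `--audit` after the hardening steps; a non-empty report means one of the chown/chmod commands above was skipped or reverted by the update. Ownership is checked with `find -user` rather than by parsing `ls` output, so the script needs no root to run and works on any tree where the expected user exists.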

Configuration

WordPress configuration:

nano /var/www/wmi/wordpress/wp-config.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-www-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf

To publish any configuration change to Wikimedia Phabricator, run this:

/root/scripts/commit.sh

Log

Generic Apache error log:

tail -f /var/log/httpd/error_log

Generic Apache access log:

tail -f /var/log/httpd/access_log

Service

To apply your changes you need to restart the services.

Apache frontend web server:

apache2ctl configtest
apache2ctl graceful

PHP-FPM backend:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Unix user

The PHP-FPM application runs under a dedicated low-privileged Unix user:

$ id apache-wmi
uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache)

Created with:

$ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi

E-mail

TODO

This service uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

Phabricator