Updating WebServer deployment

This commit is contained in:
2022-09-15 14:23:34 -05:00
parent 81b9a0a190
commit 12d2ca9a1d
26 changed files with 2095 additions and 30 deletions

View File

@@ -4,28 +4,14 @@ Having some information be publicly accessible is useful to the network -- it's
The WebServer serves content on the Web -- its name is simple to match the function.
# Relevant Files and Software
Configuration files live in [file:///etc/lighttpd/lighttpd.conf lighttpd.conf], including ciphersuites, URI redirection, and pathing. It can be validated with the following.
<pre>lighttpd -t -f /etc/lighttpd/lighttpd.conf</pre>
Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
Most notably, our lighttpd.conf is set to set specific headers to prevent XSS vulnerabilities. We allow the plaintext listener for a better user experience, but we restrict scripts and style resources from loading from plaintext links via Content-Security-Policy. Our X-Frame options are also set to be restrictive against XSS vulnerabilities. We pin the [[Category:SSL|Let's Encrypt]] sha-256 public key signature, and require strict transport security.
Data files live in [file:///srv/http/ the http directory]. Each domain is virtually hosted by the AniNIX and pathing is set up in configuration. Sites in the WebServer are designed to be as sparse and lightweight as possible for rapidly disseminating information; this comes at a cost of beauty.
The WebServer uses six PHP child processes to handle the processing of pages. Both the WebServer and [[Wiki]] are built on PHP engines to reduce code sprawl and edit times. We will install a custom php.ini to handle things like disabling expose_php and configuring open_basedir.
Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
**Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.
# Available Clients
* Windows users should use [http://google.com/chrome/browser/desktop/ Chrome] or Firefox. A copy of Chrome is stored in [https://aninix.net/wolfpack WolfPack].
* Privacy-conscious users may be interested in [http://www.seamonkey-project.org/ Seamonkey], also stored in WolfPack. This browser includes mail and IRC clients and can be installed on a [[Holocron|flash drive]]. It can be set to silently purge privacy information on closing, and it is lighter on the OS.
* [[ShadowArch]] users should use Seamonkey; chromium can be used to support custom Chrome extensions and bleeding-edge services, like Pushbullet or Netflix.
[[Category:CachedClient]]
* Mac users should use Safari or Chrome.
* Mobile users should use the built-in browser.
Users should use [Chrome](http://google.com/chrome/browser/desktop/) where possible, though other standard browsers will work. [AniNIX/Maat](https://maat.aninix.net) builds google-chrome as a package for ArchLinux.
# Equivalents or Competition
Hosting services like [https://godaddy.com GoDaddy] and [http://freehostia.com/ FreeHostia] will provide hosting services for web pages. Content management can be done with systems like WordPress.
}}
[[Category:Public_Service]]
[[Category:SSL]]
Hosting services like [GoDaddy](https://godaddy.com) and [FreeHostia](http://freehostia.com/) will provide hosting services for web pages. Content management can be done with systems like WordPress, but these solutions are wildly insecure, even if they can be convenient.