PageRenderTime 66ms CodeModel.GetById 29ms RepoModel.GetById 0ms app.codeStats 0ms

/documentation/hosting.md

https://gitlab.com/internet-cleanup-foundation/server
Markdown | 133 lines | 81 code | 52 blank | 0 comment | 0 complexity | 89b0992c41dce2f41d906166fbd28407 MD5 | raw file
    

  1. # WebSecMap server installation and maintenance
    2. 

  2. 

  3. ## Introduction
    4. 

  4. 

  5. One of the core principles of the WebSecMap project is automation. This is reflected in the server configuration by having almost full configuration management. Setting up a hosted production instance of WebSecMap should be trivial and not require extensive knowledge of involved components (although it will help in troubleshooting).
    6. 

  6. 

  7. The following knowledge is _required_ for basic installation:
    8. 

  8. 

  9. - Basic Linux experience (using terminal/shell/ssh)
    10. 

  10. 

  11. The following knowledge _may_ be needed for advanced maintenance or troubleshooting:
    12. 

  12. 

  13. - Linux (Debian)
    14. 

  14. - Puppet
    15. 

  15. - Docker
    16. 

  16. - Nginx
    17. 

  17. - MySQL
    18. 

  18. - Python
    19. 

  19. - Django
    20. 

  20. - Redis
    21. 

  21. - Celery
    22. 

  22. - Git
    23. 

  23. - Consul
    24. 

  24. 

  25. Additionally knowledge of the following related technologies is advised:
    26. 

  26. 

  27. - Virtualization/Hosting
    28. 

  28. - DNS
    29. 

  29. - Networking
    30. 

  30. 

  31. ## Whats in the box
    32. 

  32. 

  33. When using this installation method you will end up with a fully featured WebSecMap server including:
    34. 

  34. 

  35. - Full websecmap installation with:
    36. 

  36.   - Frontend map website (with https, http/2 and caching)
    37. 

  37.   - Administrative backend (secured by TLS client certificates)
    38. 

  38.   - Workers to automatically perform scanning tasks
    39. 

  39. - Hardened server (firewall, security updates, etc)
    40. 

  40. - Monitoring dashboards (Grafana, secured by TLS client certificates)
    41. 

  41. - SSH for remote access
    42. 

  42. 

  43. ## Requirements
    44. 

  44. 

  45. To install the fully featured WebSecMap server the following is required:
    46. 

  46. 

  47. - Dedicated bare-metal or virtual host with:
    48. 

  48.   - Debian based Linux (Debian 9 or Ubuntu 18.04) clean installed
    49. 

  49.   - 1-2 CPU
    50. 

  50.   - 2-8GB RAM
    51. 

  51.   - 50-100GB disks
    52. 

  52.   - internet connectivity (IPv4 and optional IPv6)
    53. 

  53. - Terminal access to the host (SSH or via VM console, etc)
    54. 

  54. - Sudo/root permissions on the host
    55. 

  55. - DNS A record pointing to the server IPv4 addresses (and optional AAAA record for IPv6). In this document we will use `example.com` as placeholder for the DNS record name you intend to use for the website. Using a subdomain is also possible, eg: `map.example.com`. (optional, highly recommended)
    56. 

  56. 

  57. ## Installation
    58. 

  58. 

  59. **Warning**: this installation assumes to run on a **clean and dedicated** host for a WebSecMap installation! It will **modify the OS** and take over things like firewalling, Docker, SSH, etc! **Do not run** on a server with existing other software or configuration that you do not want modified!
    60. 

  60. 

  61. With that said please follow these instructions to get a WebSecMap instance up and running:
    62. 

  62. 

  63. 1. Bring the server up and follow the basic OS (Ubuntu/Debian) installation procedure (if it is not already installed). Configure basic settings (language, keyboard, user) as seen fit and give it a hostname you like (it does not have to match the DNS A record used for the website).
    64. 

  64. 

  65. 1. Log in to the server via SSH or VM terminal as `root` user. Or as normal user and sudo to root `sudo su -`.
    66. 

  66. 

  67. 1. Run the following command to start installation:
    68. 

  68. 

  69.         wget -q -O- https://gitlab.com/internet-cleanup-foundation/server/raw/master/install.sh > /install.sh; /bin/bash /install.sh
    70. 

  70. 

  71. 

  72. 1. Grab a Club-Mate (or 2) and wait until everything completes and you are greeted by a rainbow.
    73. 

  73. 

  74. 1. You WebSecMap server is now ready, you can visit the frontend at it's public IP address or the domain name (if you have already configured a DNS record).
    75. 

    76. 

  76. 1. HTTPS is enabled by default but with a **insecure** self-signed certificate. To properly configure automatic HTTPS using Letsencrypt please use the server tool:
    77. 

  77. 

  78.         sudo websecmap-server-tool
    79. 

  79. 

  80.         > Configure domain name / Setup HTTPS
    81. 

  81. 

  82. 1. For visiting the administrative backend (https://example.com/admin/) or monitoring (https://example.com/grafana), credentials are required. You can create and manage admin user acces using the server tool:
    83. 

  83. 

  84.         sudo websecmap-server-tool
    85. 

  85. 

  86.         > Manage administrative users / SSH access
    87. 

  87. 

  88. ## Troubleshooting
    89. 

  89. 

  90. If after the installation things don't work as expected please first try the following steps:
    91. 

    92. 

  92. Run server provisioning and verify configuration is complete:
    93. 

  93. 

  94. 1. Open a terminal (eg: SSH) on the server and become root user (`sudo su -`)
    95. 

  95. 

  96. 2. Run provisioning step:
    97. 

  97. 

  98.         sudo websecmap-server-apply-configuration
    99. 

  99. 

  100. 3.    This command should provide output similar to this:
    101. 

  101. 

  102.         Starting server provisioning (showing Puppet catalog compiler warnings (deprecations, etc))
    103. 

  103.         Notice: Scope(Class[Base]): fqdn=faalserver.faalkaart.test, env=hosted, os=Ubuntu 18.04.2 LTS
    104. 

  104.         Notice: Compiled catalog for faalserver.faalkaart.test in environment production in 4.49 seconds
    105. 

  105.         Notice: Applied catalog in 20.51 seconds
    106. 

  106. 

  107.       Any lines between `Notice: Compiled catalog for...` and `Notice: Applied catalog in...` indicate changes made to the system. If repeated apply commands still keep showing changes made this indicates a problem with provisioning. Please contact the Internet Cleanup Foundation team for further assistance (https://gitlab.com/internet-cleanup-foundation/web-security-map#get-involved).
    108. 

  108. 

  109. ## Upgrading
    110. 

  110. 

  111. WebSecMap server configuration is split into a _base configuration_ (maintained by Internet Cleanup Foundation at https://gitlab.com/internet-cleanup-foundation/server/) and a _server configuration_ (with customizations for a specific installation).
    112. 

  112. 

  113. If new features or bugfixes are developed in the _base configuration_ the server can be updated on demand using the following procedure:
    114. 

  114. 

  115. 1. Open a terminal (eg: SSH) on the server and become root user (`sudo su -`)
    116. 

  116. 

  117. 1. Run the following command to pull in new changes and apply the configuration:
    118. 

  118. 

  119.         sudo websecmap-server-update
    120. 

  120. 

  121. ## Configuration (advanced)
    122. 

  122. 

  123. An initial configuration file (the 'server configuration') is created during installation (see above) and is stored on the server on the path: `/opt/websecmap/server/configuration/settings.yaml`
    124. 

  124. 

  125. Aspects of the server can be customized in this file. All available settings and documentation can be found in this configuration file.
    126. 

  126. 

  127. After the configuration file has changed, the following command has to be run to apply the new configuration:
    128. 

  128. 

  129.         sudo websecmap-server-apply-configuration
    130. 

  130. 

  131. ## Customization (advanced)
    132. 

  132. 

  133. If you want customizations outside of the current possibilities of the configuration. Or want to make custom changes on the server that will not be overwritten by the configuration system (eg: custom firewall rules). Please contact the Internet Cleanup Foundation team for further assistance. Or if you know Puppet feel free to drop a merge-request in the Gitlab repository.
    134. 

  134.