FeministWiki:Technical documentation
This page documents the FeministWiki's technical infrastructure, the target audience being technicians. Note that while this page will help you understand the inner workings of the FeministWiki, it's not optimal for guiding you through the setup of a new server. For that, see the page FW:Server setup instead.
Hosts
The following table documents the basic DNS configuration, and can be used as part of the /etc/hosts
file on each server to obviate the need for DNS lookups when connecting to one another.
IP | FQDN | Host | Purpose | Ports |
---|---|---|---|---|
85.214.206.20 | feministwiki.org | Wiki | 80, 443 | |
85.214.206.20 | www.feministwiki.org | www | Wiki | 80, 443 |
85.214.206.20 | ldap.feministwiki.org | ldap | LDAP | - |
85.214.206.20 | blogs.feministwiki.org | blogs | Blogging | 80, 443 |
85.214.206.20 | chat.feministwiki.org | chat | Web-client for XMPP | 80, 443 |
85.214.206.20 | forum.feministwiki.org | forum | BBS Forum | 80, 443 |
85.214.206.20 | mail.feministwiki.org | Web-client for Mail | 80, 443 | |
85.214.206.20 | files.feministwiki.org | files | File storage | 80, 443 |
85.214.206.20 | imap.feministwiki.org | imap | IMAP | 993 |
85.214.206.20 | pop3.feministwiki.org | pop3 | POP3 | 995 |
85.214.206.20 | smtp.feministwiki.org | smtp | SMTP | 25, 465, 587 |
85.214.206.20 | xmpp.feministwiki.org | xmpp | XMPP | 5222, 5223, 5269, 5270, 5443, 7777 |
85.214.206.20 | irc.feministwiki.org | irc | IRC | 6697 |
85.214.206.20 | account.feministwiki.org | account | Account operations | 80, 443 |
As you can see, all services are on the same server for now. However, it should be kept as an open possibility that the hosts are split across different IPs. When done so, the ldap
host should listen on 636 for LDAPS connections.
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing.
Special DNS entries
For CAA:
Type | Name | Flag | Tag | Value |
---|---|---|---|---|
CAA | @ | 0 | issue | letsencrypt.org |
CAA | @ | 0 | iodef | admin@feministwiki.org |
For email:
Type | Host | Data | Purpose |
---|---|---|---|
MX | @ | smtp.feministwiki.org | Mail server |
TXT | @ | v=spf1 mx -all | SPF |
TXT | mail._domainkey | v=DKIM1; k=rsa; p=<pubkey> | DKIM |
TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@feministwiki.org | DMARC |
Note: There must be a direct A or AAAA record (not a CNAME record) for the domain name specified in the MX record.
For XMPP:
Type | Service | Protocol | Name | Destination | Port |
---|---|---|---|---|---|
SRV | _xmpp-client | _tcp | @ | xmpp.feministwiki.org | 5222 |
SRV | _xmpp-server | _tcp | @ | xmpp.feministwiki.org | 5269 |
SRV | _xmpps-client | _tcp | @ | xmpp.feministwiki.org | 5223 |
SRV | _xmpps-server | _tcp | @ | xmpp.feministwiki.org | 5270 |
Google Site Verification:
Type | Host | Data |
---|---|---|
TXT | @ | google-site-verification=<key> |
Firewall
The simple ufw
firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules. Consider the following rule:
ufw allow 12345/tcp # will allow TCP connections to port 12345 via IPv4 and IPv6
To limit this to IPv4 you can instead use this:
ufw allow proto tcp to 0.0.0.0/0 port 12345 # will allow TCP connections to port 12345 via IPv4 only
Fail2ban
We use fail2ban
to detect brute force attempts on some services. The git repository for scripts and config contains the relevant Fail2ban configuration under etc/fail2ban
.
SSH access
FeministWiki hosts have ssh enabled for root
access, but password login is disabled. You must own a valid private key to log in.
Git repo of scripts and configuration
The following GitHub account hosts repositories with scripts and configuration used by the FeministWiki:
https://github.com/FeministWiki
Certs
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
After certificates are generated with certbot
, copies of them are put into /etc/fw-certs
, and the group ownership and permissions of the privkey.pem
and bundle.pem
files are set such that any user who's in the ssl-cert
group can read the private key and bundle. (The others can be read by anyone anyway.) A script in /etc/letsencrypt/renewal-hooks/post
is responsible for taking care of this after automatic executions of certbot scheduled by the operating system.
The file /etc/fw-certs/bundle.pem
is useful for programs that don't have the capability of reading a separate cert and key file; it combines the full certificate chain (fullchain.pem
) with the private key in a single file.
If you ever add a new domain under which the FeministWiki server will be reachable, add it as a line to the file /etc/feministwiki/domains
and run the script /root/bin/letsencrypt-refresh
. This script takes care of running certbot
to refresh the cert files, and populating the /etc/fw-certs
directory with updated files.
Note that whenever you run the letsencrypt-refresh
script, it will momentarily stop the web server. This means you're causing a short outage of the web-based services of the FeministWiki whenever you run the script.
Services
This section documents the individual services of the FeministWiki. They should work regardless of what server they're on. I.e. every service could in theory be hosted on its own server.
LDAP
Host: ldap.feministwiki.org
Software: OpenLDAP
The LDAP service contains the central database of FeministWiki members. For details on the LDAP schema, see FeministWiki:LDAP Schema.
Wiki
Host: feministwiki.org, www.feministwiki.org, fem.wiki, feminist.wiki, feminism.wiki, feministwiki.de, www.feministwiki.de
Software: MediaWiki
The wiki uses a MediaWiki installation located at /var/www/wiki/w
. It uses the LDAP Stack extension for login management, and the "Short URL" feature is enabled. The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.
The default wiki is in English. Parallel wiki installations for different languages are supported via a combination of Apache's URL rewriting, and conditional branches in the LocalSettings.php
file of the MediaWiki installation:
- The rewrite rules ensure that, for any supported language
xy
, URLs beginning with/xy/wiki/...
internally resolve to/w/index.php
and URLs beginning with/xy/w/...
resolve to/w/...
. - The LocalSettings file checks
$_SERVER['REQUEST_URI']
to determine the language code prefix in the requested URL, and configures things accordingly:- It sets
$wgArticlePath
to/xy/wiki/$1
so that/w/index.php
knows that when it's invoked via such a URL, it should serve an article. - It sets
$wgScriptPath
to/xy/w
so that links to scripts served by MediaWiki are correct for the language. - It sets the SQL database name to
feministwiki_xy
. - It configures a "foreign" image database via the ForeignDBRepo method so that the media upload database of the default wiki is used by all, instead of every parallel wiki having its own media database.
- It sets
To add a new language, follow these steps:
- Clone the English wiki's database into a new one via:
mysqldump feministwiki | mysql feministwiki_xy
- Grant permissions on the new database via:
GRANT ALL ON feministwiki_xy.* TO feministwiki@localhost;
- Edit
/etc/apache2/sites-available/000-wiki.conf
to add the line:Use Wiki xy
- Add the language to
~/bin/fw-update-languages.sh
and run it
The last step will produce a lot of errors complaining about keys already existing; these can be safely ignored.
The domain names feministwiki.de and www.feministwiki.de redirect to https://feministwiki.org/de
. For instance, requesting https://feministwiki.de/wiki/Hauptseite
will result in an HTTP redirect to https://feministwiki.org/de/wiki/Hauptseite
.
Blogs
Host: blogs.feministwiki.org
Software: WordPress (multisite)
This is an installation of WordPress in /var/www/blogs
, with the "multisite network" feature enabled on a path-basis, so users can have their own blogs on URLs like blogs.feministwiki.org/janedoe
. LDAP authentication is enabled via the AD/LDAP plugin from miniOrange.
Users from LDAP who log in for the first time are automatically registered as "Subscriber" accounts, and the admin can change their WordPress role "Author" to allow publishing.
This WordPress installation uses the SQL database called "blogs" and an SQL user of the same name.
Chat (web interface)
Host: chat.feministwiki.org
Software: Converse.js
The web-interface for the FeministChat uses the full-screen "Impress" variant of the Converse.js XMPP client. The hosted HTML and JS files are located at /var/www/chat
, although they load Converse.js as an external script from upstream, which is why the self-hosted HTML and JS are very minimal.
Forum
Host: forum.feministwiki.org
Software: phpBB
The forum uses a phpBB installation located at /var/www/forum
. Most configuration of phpBB, including LDAP authentication, is done through its administration panel. The style used by the forum is a minimally changed "ProSilver Dark". The forum uses the SQL database called "feministforum" and the SQL user of the same name.
Mail (web interface)
Host: mail.feministwiki.org
Software: Roundcube
The web-interface for the FeministMail uses the Roundcube mail client, installed at /var/www/mail
. It uses a FeministWiki-branded modification of the new "elastic" style.
Files
Host: files.feministwiki.org
Software: Nextcloud
FeministFiles is a Nextcloud installation with some branding, and LDAP authentication, installed at /var/www/files
.
IMAP
Host: imap.feministwiki.org
Software: Dovecot
FeministMail uses the Dovecot IMAP server, configured for LDAP authentication and using virtual mail boxes under /home/vmail
.
POP3
Host: pop3.feministwiki.org
Software: Dovecot
While Dovecot is primarily an IMAP server, it also offers POP3 support, which the FeministWiki installation has enabled.
SMTP
Host: smtp.feministwiki.org
Software: Postfix, OpenDKIM
FeministMail uses the Postfix SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under /home/vmail
, and DKIM signing via OpenDKIM. Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.
Mailing lists
Email domain: lists.feministwiki.org
Software: GNU Mailman, Postfix
Postfix is configured to recognize lists.feministwiki.org
as a "local" domain. This means it uses the file specified in the alias_maps
configuration directive (typically /etc/aliases
) to decide the final recipient of an e-mail sent to this domain. Correspondingly, we populate /etc/aliases
with the aliases needed by Mailman to operate each mailing list it controls.
Note that there is no DNS entry for lists.feministwiki.org
because e-mail software just checks the MX record for feministwiki.org
when the recipient is from the domain anything.feministwiki.org
.
XMPP
Host: xmpp.feministwiki.org
Software: ejabberd
FeministChat uses the ejabberd XMPP server, configured to use LDAP authentication and an LDAP-based shared roster group for all members.
IRC
Host: irc.feministwiki.org
Software: InspIRCd
FeministIRC uses the InspIRCd IRC server with the ldapauth
module for LDAP authentication. The client is authenticated via the combination of the NICK and PASS provided upon connection, which must correspond to the FeministWiki credentials.
Account operations
Host: account.feministwiki.org
Software: custom
This custom web interface hosted at /var/www/account
lets you complete several tasks related to FeministWiki membership, such as changing your account settings, resetting your password, or adding a new member. It also contains a form to request membership. The interface is written in HTML, CSS, PHP, and C.