This page documents the FeministWiki's technical infrastructure, the target audience being technicians.
- 1 Hosts
- 2 Special DNS entries
- 3 Firewall
- 4 Fail2ban
- 5 SSH access
- 6 Git repo of scripts and configuration
- 7 Certs
- 8 Ubuntu package repositories
- 9 Services
The following table documents the basic DNS configuration, and can be used as part of the
/etc/hosts file on each server to obviate the need for DNS lookups when connecting to one another.
|220.127.116.11||chat.feministwiki.org||chat||Web-client for XMPP||80, 443|
|18.104.22.168||forum.feministwiki.org||forum||BBS Forum||80, 443|
|22.214.171.124||mail.feministwiki.org||Web-client for Mail||80, 443|
|126.96.36.199||files.feministwiki.org||files||File storage||80, 443|
|188.8.131.52||smtp.feministwiki.org||smtp||SMTP||25, 465, 587|
|184.108.40.206||xmpp.feministwiki.org||xmpp||XMPP||5222, 5269, 5280|
|220.127.116.11||account.feministwiki.org||account||Account operations||80, 443|
As you can see, all services are on the same server for now. However, it should be kept as an open possibility that the hosts are split across different IPs. When done so, the
ldap host should listen on 636 for LDAPS connections.
There are no AAAA entries in the DNS because we only allow IPv4 for incoming connections. This simplifies security auditing.
Special DNS entries
|TXT||@||v=spf1 mx -all||SPF|
|TXT||mail._domainkey||v=DKIM1; k=rsa; p=<pubkey>||DKIM|
|TXT||_dmarc||v=DMARC1; p=reject; rua=mailto:email@example.com||DMARC|
Note: There must be a direct A or AAAA record (not a CNAME record) for the domain name specified in the MX record.
Google Site Verification:
ufw firewall-frontend is used to trivially limit all network I/O to the ports you can see in the host table above, plus port 22 for ssh and scp.
UFW adds IPv6 rules by default, which can be prevented by using more explicit rules. Consider the following rule:
ufw allow 12345/tcp # will allow TCP connections to port 12345 via IPv4 and IPv6
To limit this to IPv4 you can instead use this:
ufw allow proto tcp to 0.0.0.0/0 port 12345 # will allow TCP connections to port 12345 via IPv4 only
fail2ban to detect brute force attempts on some services. The git repository for scripts and config contains the relevant Fail2ban configuration under
FeministWiki hosts have ssh enabled for
root access, but password login is disabled. You must own a valid private key to log in.
Git repo of scripts and configuration
The following GitHub account hosts repositories with scripts and configuration used by the FeministWiki:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
To ease use of the letsencrypt command, the file
/root/etc/domains contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the
/etc/letsencrypt/live/feministwiki.org directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):
# Use $() to eliminate the terminating newline, if any. domains=$(cat /root/etc/domains) domains=$(printf '%s' "$domains" | tr '\n' ',') letsencrypt certonly --authenticator standalone --keep --expand -d "$domains"
Additionally, for programs that require a cert file and its private key in a single combined
.pem file, run the following commands to generate such a file:
cd /etc/letsencrypt/live/feministwiki.org cat fullchain.pem privkey.pem > certbundle.pem
/root/bin/letsencrypt-refresh does all of the above automatically. It stops Apache, runs the commands described above, and starts Apache again. This can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to
/root/etc/domains and run the commands. Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer. If in doubt, run it from within a proper terminal emulator.
Readability of the key files
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the
ssl-cert group, which should have read access to the files in
Ubuntu package repositories
Currently, FeministWiki runs on Ubuntu 16.04 LTS (Xenial), which has rather old Apache and PHP packages. We use the Ubuntu PPAs
ondrej/php to get newer versions.
For F-Droid packages, we use the
fdroid/fdroidserver Ubuntu PPA.
This section documents the individual services of the FeministWiki. They should work regardless of what server they're on. I.e. every service could in theory be hosted on its own server.
The LDAP service contains the central database of FeministWiki members. For details on the LDAP schema, see FeministWiki:LDAP Schema.
Host: feministwiki.org, www.feministwiki.org, fem.wiki, feministwiki.de, www.feministwiki.de
The wiki uses a MediaWiki installation located at
/var/www/wiki/w. It uses the LDAP Stack extension for login management, and the "Short URL" feature is enabled. The wiki uses the SQL database called "feministwiki" and the SQL user of the same name.
The default wiki is in English. Parallel wiki installations for different languages are supported via a combination of Apache's URL rewriting, and conditional branches in the
LocalSettings.php file of the MediaWiki installation:
- The rewrite rules ensure that, for any supported language
xy, URLs beginning with
/xy/wiki/...internally resolve to
/w/index.phpand URLs beginning with
- The LocalSettings file checks
$_SERVER['REQUEST_URI']to determine the language code prefix in the requested URL, and configures things accordingly:
- It sets
/w/index.phpknows that when it's invoked via such a URL, it should serve an article.
- It sets
/xy/wso that links to scripts served by MediaWiki are correct for the language.
- It sets the SQL database name to
- It configures a "foreign" image database via the ForeignDBRepo method so that the media upload database of the default wiki is used by all, instead of every parallel wiki having its own media database.
- It sets
The domain names feministwiki.de and www.feministwiki.de redirect to
https://feministwiki.org/de. For instance, requesting
https://feministwiki.de/wiki/Hauptseite will result in an HTTP redirect to
Software: WordPress (multisite)
This is an installation of WordPress in
/var/www/blogs, with the "multisite network" feature enabled on a path-basis, so users can have their own blogs on URLs like
blogs.feministwiki.org/janedoe. LDAP authentication is enabled via the AD/LDAP plugin from miniOrange.
Users from LDAP who log in for the first time are automatically registered as "Subscriber" accounts, and the admin can change their WordPress role "Author" to allow publishing.
This WordPress installation uses the SQL database called "blogs" and an SQL user of the same name.
Chat (web interface)
The web-interface for the FeministChat uses the full-screen "Impress" variant of the Converse.js XMPP client. The hosted HTML and JS files are located at
/var/www/chat, although they load Converse.js as an external script from upstream, which is why the self-hosted HTML and JS are very minimal.
The forum uses a phpBB installation located at
/var/www/forum. Most configuration of phpBB, including LDAP authentication, is done through its administration panel. The style used by the forum is a minimally changed "ProSilver Dark". The forum uses the SQL database called "feministforum" and the SQL user of the same name.
Mail (web interface)
The web-interface for the FeministMail uses the Roundcube mail client, installed at
/var/www/mail. It uses a FeministWiki-branded modification of the new "elastic" style.
FeministFiles is a Nextcloud installation with some branding, and LDAP authentication, installed at
FeministMail uses the Dovecot IMAP server, configured for LDAP authentication and using virtual mail boxes under
While Dovecot is primarily an IMAP server, it also offers POP3 support, which the FeministWiki installation has enabled.
Software: Postfix, OpenDKIM
FeministMail uses the Postfix SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under
/home/vmail, and DKIM signing via OpenDKIM. Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.
Email domain: lists.feministwiki.org
Software: GNU Mailman, Postfix
Postfix is configured to recognize
lists.feministwiki.org as a "local" domain. This means it uses the file specified in the
alias_maps configuration directive (typically
/etc/aliases) to decide the final recipient of an e-mail sent to this domain. Correspondingly, we populate
/etc/aliases with the aliases needed by Mailman to operate each mailing list it controls.
Note that there is no DNS entry for
lists.feministwiki.org because e-mail software just checks the MX record for
feministwiki.org when the recipient is from the domain
FeministChat uses the ejabberd XMPP server, configured to use LDAP authentication and an LDAP-based shared roster group for all members.
FeministIRC uses the InspIRCd IRC server with the
ldapauth module for LDAP authentication. The client is authenticated via the combination of the NICK and PASS provided upon connection, which must correspond to the FeministWiki credentials.
This custom web interface hosted at
/var/www/account lets you complete several tasks related to FeministWiki membership, such as changing your account settings, resetting your password, or adding a new member. It also contains a form to request membership. The interface is written in HTML, CSS, PHP, and C.