Network services provided by FSMG¶
Plaintext anonymous rsync is available from rsync://mirror.fsmg.org.nz. The rsync paths are configured by Ansible and should match what is available via the web.
HTTP and HTTPS¶
Both HTTP and HTTPS access is available via https://mirror.fsmg.org.nz/. While we would encourage as many people as possible to use HTTPS we also fully support HTTP for those systems where HTTPS mirroring is not yet considered necessary.
To allow for identical configuration between HTTP and HTTPs the configuration for the sites themselves is stored in
/etc/apache2/includes/website.conf. These files are managed by Ansible.
If you visit one of the direct node hostnames it will still work (to allow for monitoring by our upstreams) but you will see a banner asking you to use the anycast hostname.
Both nodes are also configured to answer for
ftp.nz.debian.org as we are candidates for this service, but obviously HTTPS will not work there (and that is fine)
Because most HTTPS connections to FSMG are relatively long lived we need to increase the maximum number of simultaneous connections to deal with peak load.
Currently we configure
<IfModule mpm_event_module> StartServers 3 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxRequestWorkers 200 MaxConnectionsPerChild 0 </IfModule>
Certbot is used to issue Let’s Encrypt certificates. It’s configured to use a DNS API hook with Catalyst to perform
/etc/letsencrypt/cli.ini this is set up as:
rsa-key-size = 4096 preferred-challenges = dns manual-auth-hook = /opt/fsmg/bin/catalyst-certbot-hook auth manual-cleanup-hook = /opt/fsmg/bin/catalyst-certbot-hook cleanup manual-public-ip-logging-ok = True
The Catalyst certbot hook is kept at https://gitlab.com/fsmg/private/blob/master/catalyst-certbot-hook.
We will not be providing FTP service.
SSH for push mirroring¶
We accept SSH to our anycast address to allow for “push mirroring” for projects that support it, and to our individual node addresses for those projects who preferred that.