Network services provided by FSMG

rsync

Plaintext anonymous rsync is available from rsync://mirror.fsmg.org.nz. The rsync paths are configured by Ansible and should match what is available via the web.

HTTP and HTTPS

Both HTTP and HTTPS access is available via https://mirror.fsmg.org.nz/. While we would encourage as many people as possible to use HTTPS we also fully support HTTP for those systems where HTTPS mirroring is not yet considered necessary.

To allow for identical configuration between HTTP and HTTPs the configuration for the sites themselves is stored in /etc/apache2/includes/mirror.conf and /etc/apache2/includes/website.conf. These files are managed by Ansible.

If you visit one of the direct node hostnames it will still work (to allow for monitoring by our upstreams) but you will see a banner asking you to use the anycast hostname.

Both nodes are also configured to answer for ftp.nz.debian.org as we are candidates for this service, but obviously HTTPS will not work there (and that is fine)

Apache configuration

Because most HTTPS connections to FSMG are relatively long lived we need to increase the maximum number of simultaneous connections to deal with peak load.

Currently we configure mpm_event with:

<IfModule mpm_event_module>
    StartServers            3
    MinSpareThreads         25
    MaxSpareThreads         75
    ThreadLimit             64
    ThreadsPerChild         25
    MaxRequestWorkers       200
    MaxConnectionsPerChild  0
</IfModule>

HTTPS certificates

Certbot is used to issue Let’s Encrypt certificates. It’s configured to use a DNS API hook with Metaname to perform dns-01 challenges.

In /etc/letsencrypt/cli.ini this is set up as:

rsa-key-size = 2048
preferred-challenges = dns
manual-auth-hook = /opt/fsmg/bin/metaname-certbot-hook auth
manual-cleanup-hook = /opt/fsmg/bin/metaname-certbot-hook cleanup
manual-public-ip-logging-ok = True

We’re using a 2048 bit RSA key for the time being as our CPUs are somewhat slow. This will be improved.

The Metaname certbot hook is kept at https://gitlab.com/fsmg/private/blob/master/metaname-certbot-hook.

FTP

We will not be providing FTP service.

SSH for push mirroring

We accept SSH to our anycast address to allow for “push mirroring” for projects that support it, and to our individual node addresses for those projects who preferred that.

Currently we use push mirroring with these projects:

  • Debian
  • Kali