Network services provided by FSMG
rsync
Plaintext anonymous rsync is available from rsync://mirror.fsmg.org.nz. The rsync paths are configured by Ansible and should match what is available via the web.
HTTP and HTTPS
Both HTTP and HTTPS access are available via https://mirror.fsmg.org.nz/. While we would encourage as many people as possible to use HTTPS, we also fully support HTTP for those systems where HTTPS mirroring is not yet considered necessary.
To allow for identical configuration between HTTP and HTTPS, the configuration for the sites themselves is stored in /etc/apache2/includes/mirror.conf and /etc/apache2/includes/website.conf. These files are managed by Ansible.
If you visit one of the direct node hostnames it will still work (to allow for monitoring by our upstreams) but you will see a banner asking you to use the anycast hostname.
Both nodes are also configured to answer for ftp.nz.debian.org as we are candidates for this service, but obviously HTTPS will not work there (and that is fine).
Apache configuration
Because most HTTPS connections to FSMG are relatively long lived, we need to increase the maximum number of simultaneous connections to deal with peak load.
Currently we configure mpm_event with:
<IfModule mpm_event_module>
StartServers 3
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 200
MaxConnectionsPerChild 0
</IfModule>
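Apache silently lowers MaxRequestWorkers when it is not a multiple of ThreadsPerChild or would need more child processes than ServerLimit allows, so a raised limit can end up smaller than intended. The script below is an added example (not FSMG's own tooling) that checks those relationships on the block quoted above, written to a temporary file so it runs offline; it assumes the default event-MPM ServerLimit of 16 when the directive is absent.

```shell
#!/bin/sh
# Sanity-check an mpm_event block before trusting its MaxRequestWorkers.
# Sample block is the one from this page, constructed here as a temp file.
MPM_CONF=$(mktemp)
cat > "$MPM_CONF" <<'EOF'
<IfModule mpm_event_module>
StartServers 3
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 200
MaxConnectionsPerChild 0
</IfModule>
EOF

# get_directive FILE NAME -> value of the first matching directive (empty if absent)
get_directive() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# implied_processes FILE -> child processes needed to reach MaxRequestWorkers
implied_processes() {
    echo $(( $(get_directive "$1" MaxRequestWorkers) / $(get_directive "$1" ThreadsPerChild) ))
}

# check_mpm FILE: 0 if the block is internally consistent, 1 otherwise.
# ThreadsPerChild must not exceed ThreadLimit (Apache clamps it at startup),
# MaxRequestWorkers must be a multiple of ThreadsPerChild (else rounded down),
# and the implied process count must fit within ServerLimit (default 16).
check_mpm() {
    tpc=$(get_directive "$1" ThreadsPerChild)
    tl=$(get_directive "$1" ThreadLimit)
    mrw=$(get_directive "$1" MaxRequestWorkers)
    sl=$(get_directive "$1" ServerLimit)
    sl=${sl:-16}   # assumed default for mpm_event when not set
    [ -n "$tpc" ] && [ -n "$tl" ] && [ -n "$mrw" ] || { echo "missing directive" >&2; return 1; }
    [ "$tpc" -le "$tl" ] || { echo "ThreadsPerChild $tpc exceeds ThreadLimit $tl" >&2; return 1; }
    [ $((mrw % tpc)) -eq 0 ] || { echo "MaxRequestWorkers $mrw is not a multiple of ThreadsPerChild $tpc" >&2; return 1; }
    procs=$((mrw / tpc))
    [ "$procs" -le "$sl" ] || { echo "needs $procs processes but ServerLimit is $sl" >&2; return 1; }
    echo "ok: $procs processes x $tpc threads = $mrw simultaneous connections"
    return 0
}

check_mpm "$MPM_CONF"
```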
HTTPS certificates
Certbot is used to issue Let’s Encrypt certificates. It’s configured to use a DNS API hook with Catalyst to perform dns-01 challenges.
In /etc/letsencrypt/cli.ini this is set up as:
rsa-key-size = 4096
preferred-challenges = dns
manual-auth-hook = /opt/fsmg/bin/catalyst-certbot-hook auth
manual-cleanup-hook = /opt/fsmg/bin/catalyst-certbot-hook cleanup
manual-public-ip-logging-ok = True
The Catalyst certbot hook is kept at https://gitlab.com/fsmg/private/blob/master/catalyst-certbot-hook.
FTP
We will not be providing FTP service.
SSH for push mirroring
We accept SSH to our anycast address to allow for “push mirroring” for projects that support it, and to our individual node addresses for those projects that prefer that.