From 27f9e7e37240bac7d70073fa749389cd61e6b041 Mon Sep 17 00:00:00 2001 From: nemunaire Date: Wed, 5 Nov 2014 16:39:05 +0100 Subject: [PATCH] Add setup instructions --- README.md | 48 +++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 606e81bf..fe82b807 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,12 @@ -# FIC forensic challenge validation server +FIC forensic challenge validation server +======================================== This is a CTF server for distributing and validating exercices. It is design to be robust, so it uses some uncommon technologies like client certificate for authentication, cryptographic functions and DMZ network architecture. -## Development and testing +Development and testing +----------------------- The easiest way to have a working server is to build a Docker container. 
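Review bot: the heading style change in this hunk (setext underlines for "FIC forensic challenge validation server" and "Development and testing") leaves the rest of the file on ATX headings (`### Setup`, `#### Frontend`, `##### Requirements` in the next hunk), so the README ends up mixing both styles; either keep `#`/`##` here or say in the commit message why the top two levels are being switched. While rewriting these lines it would also be worth fixing the two typos in the unchanged context just below them, "exercices" and "It is design to be robust", since the paragraph is being touched anyway.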
@@ -32,17 +34,53 @@ Use `docker ps` to view to which local ports was assigned the contained webserver. -## Production environnement +Production environnement +------------------------ ### Setup +You should compile/install hardened kernel (with latest stable GrSec patch) on +each machine. + +Prefer GNU/Linux distributions where most packages are compiled with `-fPIC` +and `-fstack-protector`, like Ubuntu or +[Gentoo Hardened](http://www.gentoo.org/proj/en/hardened/). + #### Frontend -FIXME +Keep in mind that this is the machine exposed to participant. + +##### Requirements + +* `nginx` with those modules: `aio` (for fast delivery of huge + content), `fastcgi`, `rewrite`, `ssl`; +* `php-fpm` with `mcrypt` module (for submission encryption); + +##### Firewall rules + +Expose to participants only 80 and 443 ports. + +Expose on synchronization interface the 22 port, used for synchronization and +administration purpose from backend. + +DROP **has to be** the default rule for INPUT, FORWARD and OUTPUT chains; use +CONNTRACK states. + #### Backend -FIXME +##### Requirements + +* `mysql`; +* `nginx` with `fastcgi` module; +* `php-fpm` with `mysql` module; +* `openssl` and `pwgen` for client certificat generation; +* `Mcrypt` from CPAN (`cpan -i Mcrypt`) to decrypt submissions (see https://metacpan.org/pod/Mcrypt); + +##### Firewall rules + +This machine shouldn't have any network connection, except outgoing one to the +frontend for synchronization. ### History
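Review bot: the frontend "Firewall rules" block opens port 22 on the synchronization interface but never says the source must be limited to the backend's address, and the backend block states only that the machine "shouldn't have any network connection, except outgoing one to the frontend" without giving it the same default-DROP policy the frontend gets; spell out both, e.g. "accept 22 on the synchronization interface only from the backend host" and "DROP is the default for INPUT, FORWARD and OUTPUT on the backend too, allowing only the outgoing synchronization connection", so the two sections describe one consistent policy. The hunk also rewrites the "Production environnement" heading but keeps the misspelling ("environment"); "client certificat generation" and "exposed to participant" (should be "participants") are new text in this hunk and can be fixed in the same pass, and the last item of each requirements list ends with `;` where a full stop is expected.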