Re: [Sks-devel] details to configure SKS https web interface


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] details to configure SKS https web interface
Date: Sat, 07 Mar 2009 19:30:20 -0500
User-agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)

On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>> I wish to enable https ssl on the sks web interface.
>> What are the directives for cert.pem and key.pem and to enable ssl?
> 
> I don't believe that the built-in web server supports SSL. However, you
> could front-end SKS with Apache configured as a proxy.

We're currently doing this on zimmermann with nginx providing the
front-layer proxy (still using X.509-certified TLS, unfortunately).  The
configuration snippet looks like this:

> server {
>         listen  443;
>         listen  11372;
>         server_name zimmermann.mayfirst.org;
>         ssl on;
>         ssl_certificate /etc/ssl/certs/zimmermann.mayfirst.org-cert.pem;
>         ssl_certificate_key /etc/ssl/private/zimmermann.mayfirst.org-key.pem;
>         access_log  off;
> 
>         location / {
>                 proxy_pass http://localhost:11371/;
>         }
> }

We chose to listen on port 443 so people could browse to it with
https://zimmermann.mayfirst.org/ (the X.509 certificate offered here is
signed by a private certificate authority [0], which i have also
signed, if you care to certify it).

We also are listening on port 11372 because this seems to be the choice
of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
(as yet unreleased) patch to gpg:

http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924

hope this is useful, and i'm happy to explain more details if folks are
interested.

        --dkg

[0] https://support.mayfirst.org/wiki/mfpl_certificate_authority
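As an added example (not code from the thread or from SKS), here is a small Python HKPS client that talks to an SKS instance through a TLS front end like the nginx one above on port 11372, verifies the server certificate against the private CA file the message mentions, and parses the machine-readable index reply. The host name, CA file path and the sample reply are assumptions or constructed for illustration.

```python
import ssl
import urllib.parse
import urllib.request

HKPS_PORT = 11372  # port cited in the thread for HKP-over-TLS; assumes the front end listens here


def hkps_index_url(host, search, port=HKPS_PORT):
    """Build the HKP index lookup URL, requesting the machine-readable (mr) format."""
    query = urllib.parse.urlencode({"op": "index", "search": search, "options": "mr"})
    return f"https://{host}:{port}/pks/lookup?{query}"


def tls_context(ca_file=None):
    """Strict TLS context: hostname check and certificate verification on.
    ca_file is the PEM of the private CA that signed the server cert (assumed path);
    None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_mr_index(text):
    """Parse 'options=mr' output (info/pub/uid colon-separated lines) into key records."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"keyid": fields[1], "algo": int(fields[2]),
                         "bits": int(fields[3]), "created": int(fields[4]), "uids": []})
        elif fields[0] == "uid" and keys:
            keys[-1]["uids"].append(urllib.parse.unquote(fields[1]))  # uid is %-escaped
    return keys


def fetch_index(host, search, ca_file=None):
    """Run the lookup over HTTPS (needs network) and return the parsed records."""
    req = urllib.request.Request(hkps_index_url(host, search))
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=30) as resp:
        return parse_mr_index(resp.read().decode("utf-8", "replace"))


# Constructed sample reply in the machine-readable index format, for offline use.
SAMPLE_MR = """info:1:1
pub:0123456789ABCDEF:1:4096:1236470400::
uid:Example%20User%20%3Cuser%40example.org%3E:1236470400::
"""

if __name__ == "__main__":
    for rec in parse_mr_index(SAMPLE_MR):
        print(rec["keyid"], rec["bits"], rec["uids"])
```

Pass the private CA's PEM file as `ca_file` to `fetch_index` so verification succeeds without adding that CA to the system store.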
