sks-devel

Re: [Sks-devel] Proxy config issue and question


From: Phil Pennock
Subject: Re: [Sks-devel] Proxy config issue and question
Date: Mon, 19 Aug 2013 20:00:42 -0400

On 2013-08-19 at 17:59 -0400, James Cloos wrote:
> If one configures a proxy (such as nginx) with a config like:

Don't, because that's not what the Peering wiki page says to do and
advertises the wrong port.

Use:
  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering#!nginx

> Instead, you need to specify 'hkp_port: 11371' in sksconf and configure
> the proxy like:

> with listen directives for each specific address.

Yes, that's why the Peering wiki page explicitly does this: SKS needs to
listen on localhost, nginx (or other reverse proxy) on the public
addresses, using the same port number for each.  This is handled in the
examples for all three web-servers for which example configurations are
provided.

> Perhaps this is why some servers seem to lack some keys?

I doubt it.

The spiders tend to force port 11371; if you know of a server where
/pks/lookup?op=stats works on 11371 but shows a different port, then
please re-educate the server operator.

The peering code actually just uses the SKS reconciliation port "+1",
not the value configured in sksconf, so peering will get the keys
through as long as you peer on 11370.

> Continuing on the nginx front, what is the optimal config for ports 80
> and 443, presuming that one wants to be able to serve other content on
> those ports in addition to /pks/?  I've tried several, and none worked
> reliably.

Make sure that /pks/ is passed through to SKS, no matter what hostname
is used, so that you can be in various pools.  For 443, additionally
look into what certificates you want to use, and read this page:

  http://www.sks-keyservers.net/overview-of-pools.php

for instructions on getting a cert for the hkps.pool.sks-keyservers.net
hostname.

You'll need to either have `default_server` on the listen lines for one
of the servers, or make sure you know which is first in the config
parsing for a given IP/port, so that on the default server for port 80
and 443, you can pass through /pks.

For myself, the various relevant server blocks just have:

        location /pks {
            proxy_pass         http://127.0.0.1:11371;
            proxy_set_header   Host $host:$server_port;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_pass_header  Server;
            add_header         Via "1.1 sks.spodhuis.org:80 (nginx)";
            proxy_ignore_client_abort on;
        }

The proxy_set_header rules are not needed, they just give SKS's own
debug logs more meaningful data.

-Phil
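
Putting the advice in the reply above together (SKS bound to localhost on 11371, nginx on the public address with the same port number, `default_server` on 80 and 443 so `/pks` is reached under whatever hostname a pool hands out), here is an added nginx fragment that is not from Phil's message or the SKS project. The address 192.0.2.10, the hostname keys.example.org, the snippet path and the certificate paths are placeholders.

```nginx
# Added example (not from the original message or the SKS project).
# Placeholders: 192.0.2.10 (public address), keys.example.org (hostname),
# /etc/nginx/snippets/sks-pks.conf and /etc/ssl/keys.example.org.{crt,key}.
# SKS itself has 'hkp_port: 11371' in sksconf and listens on 127.0.0.1 only.

# --- /etc/nginx/snippets/sks-pks.conf (shared by every server block) ---
location /pks {
    proxy_pass                http://127.0.0.1:11371;
    # Optional: only makes SKS's own debug logs more meaningful.
    proxy_set_header          Host $host:$server_port;
    proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header         Server;
    add_header                Via "1.1 keys.example.org:$server_port (nginx)";
    proxy_ignore_client_abort on;
}

# --- /etc/nginx/sites-enabled/sks.conf ---
# HKP on the public address, same port number SKS reports in its stats page.
server {
    listen 192.0.2.10:11371 default_server;
    server_name _;
    include /etc/nginx/snippets/sks-pks.conf;
}

# Port 80: other content may live on named virtual hosts, but this block is
# the default for the IP/port so /pks answers under any Host header.
server {
    listen 192.0.2.10:80 default_server;
    server_name keys.example.org;
    include /etc/nginx/snippets/sks-pks.conf;
    location / {
        root /var/www/keys;   # placeholder document root for other content
    }
}

# Port 443: default server with the certificate issued for the hkps pool name.
server {
    listen 192.0.2.10:443 ssl default_server;
    server_name keys.example.org hkps.pool.sks-keyservers.net;
    ssl_certificate     /etc/ssl/keys.example.org.crt;
    ssl_certificate_key /etc/ssl/keys.example.org.key;
    include /etc/nginx/snippets/sks-pks.conf;
    location / {
        root /var/www/keys;
    }
}
```

Run `nginx -t` after editing, then confirm from outside that `/pks/lookup?op=stats` on 11371, 80 and 443 returns the same port SKS advertises.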
