Re: [Sks-devel] HKPS + ssl + nginx
From: |
John Zaitseff |
Subject: |
Re: [Sks-devel] HKPS + ssl + nginx |
Date: |
Fri, 31 Jul 2015 09:48:35 +1000 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
Hi, Mike,
> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
I'm doing this with the Apache web server (mod_ssl plus mod_proxy reverse-proxying to the local sks daemon on 127.0.0.1:11371) for
https://keyserver.zap.org.au/, which is part of the SSL pool. Here
are the relevant config file sections, with the plain-HKP host first and the two TLS hosts after it; note that some long directives have been wrapped by my mail client and must be on one line in the real file. Hope this helps:
# For non-SSL:
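Listen 129.94.172.224:11371
<VirtualHost *:11371 *:80>
    ServerAdmin address@hidden
    ServerName keyserver.zap.org.au
    ServerAlias *.sks-keyservers.net

    # This host is a reverse proxy in front of the local sks daemon only.
    # Keep forward proxying explicitly off: with ProxyRequests On, the
    # unconditional <Proxy *> grant below would make this an open proxy.
    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    # Backend keepalive is disabled; presumably a workaround for sks's
    # HTTP handling -- confirm before removing.
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--access.log combined
    # NOTE(review): ServerSignature On appends the Apache version to
    # server-generated error pages; Off is the usual hardening choice.
    ServerSignature On
</VirtualHost>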
# For SSL on https://keyserver.zap.org.au/:
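Listen *:11372
#NameVirtualHost *:11372
# Both TLS hosts share the *:11372/*:443 sockets, so they are selected by
# SNI. A client that does not send SNI is served this (first) host and its
# keyserver.zap.org.au certificate, whichever name it was looking for.
<VirtualHost *:11372 *:443>
    ServerAdmin address@hidden
    ServerName keyserver.zap.org.au
    SSLEngine on

    # Only allow secure ciphers and protocols.
    # SSLv3 is disabled as well as SSLv2: "all -SSLv2" alone still offers
    # SSLv3, which is broken (POODLE) and which no HKPS client needs.
    # Prefer the server's cipher order over the client's.
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/ssl/certs/keyserver.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    # NOTE(review): SSLCACertificateFile governs client-certificate
    # verification and is inert without SSLVerifyClient. If the intent is
    # to send the issuing chain to clients, SSLCertificateChainFile is the
    # directive to use -- confirm which was meant.
    SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

    # Reverse proxy only; keep forward proxying explicitly off so the
    # <Proxy *> grant cannot become an open proxy.
    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    # Backend keepalive is disabled; presumably a workaround for sks's
    # HTTP handling -- confirm before removing.
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    # The directive must be on one line; the mail client wrapped it.
    # combined_ssl is a custom LogFormat defined outside this excerpt.
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
    # NOTE(review): ServerSignature On appends the Apache version to
    # server-generated error pages; Off is the usual hardening choice.
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>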
# For SSL on https://hkps.pool.sks-keyservers.net/:
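# Selected by SNI only (shares its sockets with the keyserver.zap.org.au
# host above); clients without SNI never reach this certificate.
<VirtualHost *:11372 *:443>
    ServerAdmin address@hidden
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net
    SSLEngine on

    # Only allow secure ciphers and protocols.
    # SSLv3 is disabled as well as SSLv2: "all -SSLv2" alone still offers
    # SSLv3, which is broken (POODLE) and which no HKPS client needs.
    # Prefer the server's cipher order over the client's.
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # Certificate issued by the sks-keyservers.net pool CA for the pool name.
    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver-sks.pem
    # NOTE(review): SSLCACertificateFile governs client-certificate
    # verification and is inert without SSLVerifyClient. If the intent is
    # to send the issuing chain to clients, SSLCertificateChainFile is the
    # directive to use -- confirm which was meant.
    SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

    # Reverse proxy only; keep forward proxying explicitly off so the
    # <Proxy *> grant cannot become an open proxy.
    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    # Backend keepalive is disabled; presumably a workaround for sks's
    # HTTP handling -- confirm before removing.
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    # The directive must be on one line; the mail client wrapped it.
    # combined_ssl is a custom LogFormat defined outside this excerpt.
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
    # NOTE(review): ServerSignature On appends the Apache version to
    # server-generated error pages; Off is the usual hardening choice.
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>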
--
John Zaitseff ,--_|\ The ZAP Group
Phone: +61 2 9643 7737 / \ Sydney, Australia
E-mail: address@hidden \_,--._* http://www.zap.org.au/
v