Re: [Sks-devel] New server at keyserver.mesh.deuxpi.ca
From: Phil Pennock
Subject: Re: [Sks-devel] New server at keyserver.mesh.deuxpi.ca
Date: Tue, 20 Nov 2012 02:43:26 -0500
On 2012-11-19 at 18:12 -0500, Philippe Gauthier wrote:
> On 2012-11-18 23:55, Phil Pennock wrote:
> > The hostname in DNS now has an A record too, but the recon port is
> > not open on IPv4. This isn't going to work too well.
>
> Good point. I moved the A record to the dynamic IPv4 address -- it
> will take one day to propagate. Also, if I understand correctly,
> Gossip works with NAT but proxying wouldn't have helped.
Gossip is two-way: you gossip to others, others gossip to you. Each
time a server decides to gossip, it talks to you on 11370 to figure out
what keydata is needed, then talks on 11371 to get that data.
> The hkp port is handled by nginx which responds to port 11371 and 80.
> In the case of port 80, the connection will be correctly proxied to sks
> only if the hostname of the keyserver matches. Should I add
> "pool.sks-keyservers.net *.pool.sks-keyservers.net" to server_name?
If you want to be included in the p80.pool.sks-keyservers.net pool, then
yes. The pool maintenance script checks on port 80 to be sure it works
before including you.
http://sks-keyservers.net/overview-of-pools.php
If you forward on the HTTPS port too and want to be included in
hkps.pool.sks-keyservers.net then check recent list archives for
discussion; it's documented in the overview and basically means "if
you want to be in the _pool_ hkps hostname, generate a dedicated TLS
key, send Christian a CSR, then install the CRT for use by those
vhosts".
If you're happy to not be in the hkps pool, then you don't need to set a
pool vhost cert for 443 traffic.
I have this for port 443; aside from paths, beware the custom log
format and the redirect URL, which unbreaks requests not under /pks (this
helps ensure that if someone visits pool.sks-keyserver.net in a browser
and hits your site, then images, favicons and other resources will
all actually load from you, instead of possibly erroring on other hosts
in the pool):
----------------------------8< cut here >8------------------------------
server {
    listen 94.142.241.93:443;
    listen [2a02:898:31:0:48:4558:73:6b73]:443;
    # pool names must match so pool traffic for this vhost is served, not redirected
    server_name pool.sks-keyservers.net *.pool.sks-keyservers.net;
    ssl on;
    ssl_certificate /www/conf/tls/hkps-sks-fiskerstrand.crt;
    ssl_certificate_key /www/conf/tls/hkps-sks-fiskerstrand.key;
    ssl_verify_client off;
    # combine-tls is a custom log_format; define it or use a standard one
    access_log /var/log/nginx/sks-tls.log combine-tls;
    # anything outside /pks is sent to this server's own hostname so that
    # page resources load from one host rather than from random pool members
    location / {
        rewrite ^ $scheme://sks.spodhuis.org$request_uri redirect;
    }
    # HKP requests are proxied to the local SKS daemon
    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_pass_header Server;
        add_header Via "1.1 sks.spodhuis.org:443 (nginx)";
    }
}
----------------------------8< cut here >8------------------------------
Regards,
-Phil
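The two operational points in this thread (every published address must accept recon on 11370 and HKP on 11371; port 80 must serve /pks for the pool hostname rather than redirect it) can be turned into an operator self-check. This is an added example, not code from the mail or from SKS; the function names and the use of /pks/lookup?op=stats as the probe request are assumptions.

```python
"""Operator self-check distilled from this thread (added example, not part of
the original mail or of SKS): every address published in DNS must accept recon
on 11370 and HKP on 11371, and port 80 must answer /pks for the pool hostname
rather than redirect it elsewhere."""
import http.client
import socket

RECON_PORT, HKP_PORT, POOL_PORT = 11370, 11371, 80
POOL_HOST = "pool.sks-keyservers.net"

def evaluate(ips, port_open, pool_status):
    """Pure decision logic, testable offline.  ips: strings from A/AAAA records;
    port_open(ip, port) -> bool; pool_status(ip) -> HTTP status (or None) of
    GET /pks/lookup?op=stats on port 80 with Host: pool.sks-keyservers.net.
    Returns a list of problems; empty means pool-ready."""
    problems = []
    for ip in ips:
        fam = "IPv6" if ":" in ip else "IPv4"
        for name, port in (("recon", RECON_PORT), ("hkp", HKP_PORT)):
            if not port_open(ip, port):
                problems.append(f"{fam} {ip}: {name} port {port} unreachable; "
                                "peers that pick this address cannot gossip")
        status = pool_status(ip)
        if status != 200:
            problems.append(f"{fam} {ip}: port {POOL_PORT} answered {status} for "
                            f"Host: {POOL_HOST}; add the pool names to server_name")
    return problems

def resolve(hostname):
    """All addresses the name publishes (A and AAAA)."""
    return sorted({ai[4][0] for ai in
                   socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)})

def tcp_open(ip, port, timeout=5.0):
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def hkp_status(ip, timeout=5.0):
    host = f"[{ip}]" if ":" in ip else ip  # http.client needs IPv6 bracketed
    conn = http.client.HTTPConnection(host, POOL_PORT, timeout=timeout)
    try:
        conn.request("GET", "/pks/lookup?op=stats", headers={"Host": POOL_HOST})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()
```

Against a live host run `evaluate(resolve("keyserver.mesh.deuxpi.ca"), tcp_open, hkp_status)`; an A record whose recon port is closed shows up as an IPv4 finding even when IPv6 is fine, which is exactly the mismatch noted earlier in the thread.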