sks-devel

Re: [Sks-devel] HKPS + ssl + nginx


From: Jeremy T. Bouse
Subject: Re: [Sks-devel] HKPS + ssl + nginx
Date: Thu, 30 Jul 2015 21:50:18 -0400
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

Here is my nginx configuration that I use for my server. Obviously some of it would need to be customized, and it is set up to support my 3 SKS nodes.

upstream sks_servers {
        # spread HKP requests over the three SKS nodes; nginx marks a node
        # down after failed connections and retries the request on another
        least_conn;
        server 127.0.0.1:11371;
        server xx.xx.xx.228:11371;
        server xx.xx.xx.229:11371;
}

# plain HKP (11371) and HTTP (80) front end
server {
        listen  xx.xx.xx.xx:11371    default_server;
        listen  xx.xx.xx.xx:80    default_server;
        listen  [xxxx:xxxx:xxxx:xxxx::xxxx:xxxx]:11371  default_server ipv6only=on;
        listen  [xxxx:xxxx:xxxx:xxxx::xxxx:xxxx]:80  default_server ipv6only=on;
        access_log  off;
        server_tokens off;

        # nginx does not inherit add_header into a location that sets its
        # own add_header, so these are repeated inside /pks below (which
        # adds Via); without that the /pks responses would carry none of them
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection '1; mode=block';

        # deny access to files, starting with dot (hidden) or ending with ~ (temp)

        location ~ /\. {
                log_not_found off;
                deny all;
        }

        location ~ ~$ {
                log_not_found off;
                deny all;
        }

        # block of rules for static content
        # (expires already emits Cache-Control: max-age=...; an extra
        # add_header Cache-Control here would send a second, conflicting value)

        location ~ /(favicon\.ico|favicon\.png|robots\.txt)$ {
                log_not_found off;
                expires 1y;
        }

        location ~*  \.(jpg|jpeg|png|gif|ico|css|js|mp3)$ {
                expires 30d;
        }

        location / {
                root  /srv/www;
                index index.html;
        }

        # HKP: everything under /pks goes to the SKS nodes
        location /pks {
                proxy_pass         http://sks_servers/pks;
                proxy_set_header   Host            $host:$server_port;
                proxy_set_header   X-Real-IP       $remote_addr;
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass_header  Server;
                add_header         Via "1.1 sks.undergrid.net:$server_port (nginx)";
                # repeated here, see the note at the server-level add_header
                add_header         X-Frame-Options DENY;
                add_header         X-Content-Type-Options nosniff;
                add_header         X-XSS-Protection '1; mode=block';
                # keep feeding a key submission to SKS even if the client goes away
                proxy_ignore_client_abort on;
                # upper bound for uploaded keys (op=post); 8m is generous
                client_max_body_size 8m;
        }
}

# HTTPS / HKPS front end
server {
        listen  xx.xx.xx.xx:443    default_server ssl;
        listen  [xxxx:xxxx:xxxx:xxxx::xxxx:xxxx]:443  default_server ssl ipv6only=on;
        access_log  off;
        server_tokens off;

        ssl_certificate /etc/ssl/certs/sks.undergrid.net.crt;
        ssl_certificate_key /etc/ssl/private/sks.undergrid.net.key;
        # TLSv1 and TLSv1.1 are kept only for old HKPS clients; drop them
        # once the client base allows
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/dhparams.pem;
        # forward-secret AES-GCM first; 3DES (DES-CBC3-SHA) stays at the tail
        # for legacy clients, since !DES only removes single DES
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        add_header Strict-Transport-Security 'max-age=31536000';
        # HPKP: a wrong or rotated pin locks clients out until max-age
        # expires (315366000 s is ten years), so the second pin must be a
        # backup key that is already generated and kept offline; browsers
        # have since dropped HPKP support altogether
        add_header Public-Key-Pins 'pin-sha256="Xnu7zI1oPbsQ4x47NpJVpOiMPPC3rLO81mTuKMiEjlI="; pin-sha256="9eGb55deEj42vOObXCSswgduvM5JNB7z/PriVx/AQUo="; max-age=315366000';
        # as in the plain-HTTP server: not inherited into /pks, repeated there
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection '1; mode=block';

        # deny access to files, starting with dot (hidden) or ending with ~ (temp)

        location ~ /\. {
                log_not_found off;
                deny all;
        }

        location ~ ~$ {
                log_not_found off;
                deny all;
        }

        # block of rules for static content
        # (expires already emits Cache-Control: max-age=...; an extra
        # add_header Cache-Control here would send a second, conflicting value)

        location ~ /(favicon\.ico|favicon\.png|robots\.txt)$ {
                log_not_found off;
                expires 1y;
        }

        location ~*  \.(jpg|jpeg|png|gif|ico|css|js|mp3)$ {
                expires 30d;
        }

        location / {
                root  /srv/www;
                index index.html;
        }

        # HKPS: same proxying as the plain-HKP server, over TLS
        location /pks {
                proxy_pass         http://sks_servers/pks;
                proxy_set_header   Host            $host:$server_port;
                proxy_set_header   X-Real-IP       $remote_addr;
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass_header  Server;
                add_header         Via "1.1 sks.undergrid.net:$server_port (nginx)";
                # repeated here, see the note at the server-level add_header
                add_header         Strict-Transport-Security 'max-age=31536000';
                add_header         X-Frame-Options DENY;
                add_header         X-Content-Type-Options nosniff;
                add_header         X-XSS-Protection '1; mode=block';
                proxy_ignore_client_abort on;
                client_max_body_size 8m;
        }
}

On 7/30/2015 7:05 PM, Mike Forbes wrote:
> Hi,
>
> We've managed to get an HKPS cert from Kristian (thanks!)
>
> So now begins the task of trying to make HKPS and SSL and SKS all work
> together.
>
> Currently we're serving up our main pgp pages with our own SSL cert
> (https://pgp.net.nz)
>
> If we were to serve this using the HKPS cert I imagine it would throw
> a certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.
>
> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
>
> Our nginx config pushes all requests on port 80 to 443, then has a
> location section for /pks that points to the locally running sks
> daemon on 127.0.0.1:11371
>
> I'd love to hear how others have managed this.
>
>
> Cheers,
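Mike's question, serving both the operator's own certificate and the pool certificate from the same host, comes down to TLS Server Name Indication: nginx picks the server block, and with it the certificate, from the name the client sends in the ClientHello. The configuration below is an added illustration by the editor, not Jeremy's config and not anything published by the pool. It assumes a placeholder hostname pgp.example.org, certificate paths under /etc/ssl/site/ and /etc/ssl/hkps/, a single SKS instance on 127.0.0.1:11371, that the file is included from nginx's http context, and nginx 1.7.5 or later for the `always` parameter of add_header. It omits HPKP on purpose, since browsers have since dropped it and a mistaken pin locks users out for the pin's lifetime.

```nginx
# Added example (editor's illustration, not from the thread): one address,
# two certificates, selected by the SNI name the client sends.
# Assumed: pgp.example.org as the operator's name, the /etc/ssl/site and
# /etc/ssl/hkps paths, SKS on 127.0.0.1:11371, inclusion from http { }.

upstream sks_servers {
    server 127.0.0.1:11371;
}

# TLS settings shared by both HTTPS vhosts. For a shared listen socket
# nginx takes ssl_protocols from the default_server, so stating the
# protocol list once at this level avoids a per-vhost surprise.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

# Cleartext HKP on 11371 and HTTP on 80. /pks stays in the clear because
# plain-HKP clients still use it; everything else is sent to HTTPS.
server {
    listen 80 default_server;
    listen 11371 default_server;
    server_name pgp.example.org;
    server_tokens off;

    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        return 301 https://pgp.example.org$request_uri;
    }
}

# Vhost 1: the operator's own name, with a certificate browsers trust.
# default_server also makes this the certificate offered to a client that
# sends no SNI at all.
server {
    listen 443 ssl default_server;
    server_name pgp.example.org;
    server_tokens off;

    ssl_certificate     /etc/ssl/site/pgp.example.org.crt;
    ssl_certificate_key /etc/ssl/site/pgp.example.org.key;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    # No add_header inside /pks: a location that sets its own add_header
    # stops inheriting the server-level headers above.
    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 8m;
    }

    location / {
        root  /srv/www;
        index index.html;
    }
}

# Vhost 2: the pool name, chosen only when the client's SNI names it.
# The pool CA is not in browser trust stores, so this vhost answers /pks
# and nothing else; a browser landing here gets a 404, not a web page.
server {
    listen 443 ssl;
    server_name hkps.pool.sks-keyservers.net;
    server_tokens off;

    ssl_certificate     /etc/ssl/hkps/hkps.pool.sks-keyservers.net.crt;
    ssl_certificate_key /etc/ssl/hkps/hkps.pool.sks-keyservers.net.key;

    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 8m;
    }

    location / {
        return 404;
    }
}
```

To check that the split works, connect twice with `openssl s_client -connect <your-ip>:443 -servername pgp.example.org` and again with `-servername hkps.pool.sks-keyservers.net`; the subject of the certificate printed must differ between the two runs, and a third run without `-servername` must return the site certificate. For the client side, GnuPG 2.1's dirmngr validates the pool certificate only if its CA is configured, e.g. `hkp-cacert /path/to/sks-keyservers.netCA.pem` in dirmngr.conf, after which `gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys <fingerprint>` exercises the second vhost end to end.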


