
Re: [Sks-devel] HKPS + ssl + nginx


From: Daniel Roesler
Subject: Re: [Sks-devel] HKPS + ssl + nginx
Date: Sat, 1 Aug 2015 11:37:48 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's the nginx config I use for my server. This setup aims
to be as secure as possible, using HTTPS and HSTS with certificate
pinning. Also, the cipher list offers 100% forward secrecy and
uses a strong 4096-bit dhparam.

Unfortunately, the only downside is that if you visit
http://sks.daylightpirates.org:11371/ using Firefox or Chrome,
your browser will try to force https (since the domain cert is
pinned in those browsers), and I can't use https over that
port. Not a problem for normal keyserver usage via gpg, but
it's confusing for someone who clicks on my domain in the
sks-keyservers.net list.

Daniel

###################

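server {
    # HTTPS (HKPS) front end for the server's own name. TLS is terminated
    # here and requests are proxied to the local SKS daemon on 11371.
    listen 104.131.30.118:443;
    listen [2604:a880:800:10::688:e001]:443;
    server_name sks.daylightpirates.org;

    # Legacy form; newer nginx releases expect the `ssl` parameter on `listen`.
    ssl on;
    ssl_certificate sks.daylightpirates.org.crt;
    ssl_certificate_key sks.daylightpirates.org.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are kept for older clients; both are deprecated
    # (RFC 8996) and can be dropped where client compatibility allows.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Forward-secret (ECDHE/DHE) suites only, AEAD (GCM) suites first.
    # Kept on one line: the list was mail-wrapped in the original posting.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    # Custom DH group for the DHE suites (4096-bit according to the message).
    ssl_dhparam /etc/nginx/sks.daylightpirates.org.dhparam;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    # NOTE(review): session tickets are not disabled here. nginx enables them
    # by default, and a long-lived ticket key undercuts the forward secrecy the
    # cipher list provides; consider `ssl_session_tickets off;` or key rotation.

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        # Let the upstream SKS Server header through instead of nginx's own.
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        # Two-year HSTS with preload. Browsers only honour HSTS received over
        # HTTPS, which is why the plain-HTTP vhosts below do not send it.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # Keep the upstream request alive if the client disconnects mid-transfer.
        proxy_ignore_client_abort on;
        # Upper bound for key submissions (POST bodies) passed to SKS.
        client_max_body_size 8m;
    }
}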

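server {
    # HTTPS front end for the pool names this server is listed under, using
    # the pool certificate. Proxies to the local SKS daemon on 11371.
    listen 104.131.30.118:443;
    listen [2604:a880:800:10::688:e001]:443;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    # Legacy form; newer nginx releases expect the `ssl` parameter on `listen`.
    ssl on;
    ssl_certificate pool.sks-keyservers.net.crt;
    ssl_certificate_key pool.sks-keyservers.net.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are kept for older clients; both are deprecated
    # (RFC 8996) and can be dropped where client compatibility allows.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Same forward-secret suite list as the sks.daylightpirates.org vhost.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    # The original posting omitted ssl_dhparam in this vhost while still
    # offering DHE suites, so DHE handshakes here would not use the 4096-bit
    # group: nginx before 1.11.0 falls back to its builtin 1024-bit parameters,
    # later releases simply stop negotiating DHE. DH parameters are not secret,
    # so the same file as the first vhost is reused.
    ssl_dhparam /etc/nginx/sks.daylightpirates.org.dhparam;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    # NOTE(review): session tickets are not disabled here; see the first vhost
    # for why that matters to forward secrecy.

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        # Let the upstream SKS Server header through instead of nginx's own.
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        # NOTE(review): includeSubdomains and preload are asserted here for
        # names (sks-keyservers.net, keys.gnupg.net) this operator does not
        # own; whether those domains belong on a preload list is the domain
        # owner's decision, not an individual pool member's.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # Keep the upstream request alive if the client disconnects mid-transfer.
        proxy_ignore_client_abort on;
        # Upper bound for key submissions (POST bodies) passed to SKS.
        client_max_body_size 8m;
    }
}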

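server {
    # Plain-HTTP HKP on the conventional port 11371, for gpg and pool
    # traffic. No TLS is offered on this port (see the message above for
    # why browsers with the preloaded domain will fail to reach it).
    listen 104.131.30.118:11371;
    listen [2604:a880:800:10::688:e001]:11371;
    server_name sks.daylightpirates.org;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        # Let the upstream SKS Server header through instead of nginx's own.
        proxy_pass_header Server;
        # Kept on one line: the header was mail-wrapped in the original posting.
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        # No HSTS here: browsers ignore the header over plain HTTP.
        # Keep the upstream request alive if the client disconnects mid-transfer.
        proxy_ignore_client_abort on;
        # Upper bound for key submissions (POST bodies) passed to SKS.
        client_max_body_size 8m;
    }
}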

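server {
    # Plain HTTP on port 80, proxied straight to SKS like the 11371 vhost.
    # NOTE(review): this vhost serves content rather than redirecting to
    # HTTPS; browsers that already hold the HSTS/preload entry upgrade on
    # their own, other clients keep talking plaintext here.
    listen 104.131.30.118:80;
    listen [2604:a880:800:10::688:e001]:80;
    server_name sks.daylightpirates.org;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        # Let the upstream SKS Server header through instead of nginx's own.
        proxy_pass_header Server;
        # Kept on one line: the header was mail-wrapped in the original posting.
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        # No HSTS here: browsers ignore the header over plain HTTP.
        # Keep the upstream request alive if the client disconnects mid-transfer.
        proxy_ignore_client_abort on;
        # Upper bound for key submissions (POST bodies) passed to SKS.
        client_max_body_size 8m;
    }
}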

###################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=0Qk8
-----END PGP SIGNATURE-----


