
Re: [Sks-devel] Get SKS to listen on port 80


From: Phil Pennock
Subject: Re: [Sks-devel] Get SKS to listen on port 80
Date: Fri, 26 Aug 2016 00:19:50 +0000

On 2016-08-25 at 21:37 +0100, Danny Horne wrote:
> I've googled this and can't find an answer.  The SKS man page states -
> 
> -use_port_80
> Have the HKP interface listen on port 80, as well as the hkp_port.
> 
> I've added 'use_port_80:'  to sksconf but it doesn't listen on port 80

Port 80 is a privileged port, being numbered less than 1024.  On Unix
systems, by default, you require elevated privileges to be able to bind
to that port.

Dedicated web-servers typically start as root to do things like bind
ports before dropping privilege to a run-time user.  Since SKS is
"single-request-at-a-time", with no ability to handle concurrent
requests, one slow request by one user can slow everything down.  Thus
roughly everyone today puts a reverse proxy in front of SKS, to handle
the requests and get the SKS communication done as quickly as possible,
not blocking other requests.

You probably should not run SKS as root.  If you _really_ want to have
SKS directly bind port 80, then look into what your OS requires for
this.  On a Linux system, the `CAP_NET_BIND_SERVICE` capability should
suffice; if your filesystem permits capabilities, then:

    setcap cap_net_bind_service=+ep /path/to/executable/of/sks

But really, really truly, please just use a reverse proxy which can
handle caching, static assets, and batching access to the "real" SKS.

Many helpful instructions are in:

  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

Regards,
-Phil
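
One way to verify the outcome of the `setcap` approach described above, as an added example that is not part of the original message or of SKS: it parses `/proc/<pid>/status` text and reports whether the process is root or holds any capability beyond `CAP_NET_BIND_SERVICE`. The sample status text, the uid 115 service account and the function names are constructed for illustration.

```python
import re
import sys

CAP_NET_BIND_SERVICE = 10  # bit number, from <linux/capability.h>

# Constructed samples in /proc/<pid>/status format (uid 115 is a made-up service account).
SKS_WITH_SETCAP = "Name:\tsks\nUid:\t115\t115\t115\t115\nCapEff:\t0000000000000400\n"
SKS_AS_ROOT = "Name:\tsks\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SKS_UNPRIVILEGED = "Name:\tsks\nUid:\t115\t115\t115\t115\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    # Uid line fields are: real, effective, saved, filesystem.
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if uid is None or cap is None:
        raise ValueError("input is not /proc/<pid>/status output")
    return int(uid.group(1)), int(cap.group(1), 16)


def audit(text):
    """List least-privilege findings; an empty list means bind-only privilege."""
    euid, cap_eff = parse_status(text)
    bind_bit = 1 << CAP_NET_BIND_SERVICE
    findings = []
    if euid == 0:
        findings.append("runs as root")
    elif not cap_eff & bind_bit:
        findings.append("lacks CAP_NET_BIND_SERVICE")
    extra = cap_eff & ~bind_bit  # anything set besides the bind capability
    if extra:
        findings.append("extra capabilities: 0x%x" % extra)
    return findings


if __name__ == "__main__":
    # Usage: python3 audit.py <pid>   (reads the live process instead of a sample)
    with open("/proc/%s/status" % sys.argv[1]) as fh:
        print(audit(fh.read()) or "only CAP_NET_BIND_SERVICE, not root")
```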


