[Sks-devel] Privacy/logging: change to HKP logging for spodhuis.org keys
From: Phil Pennock
Subject: [Sks-devel] Privacy/logging: change to HKP logging for spodhuis.org keyservers
Date: Tue, 22 May 2018 19:29:16 -0400
Folks,
Previously, sks.spodhuis.org did not log anything at the nginx level for
HKP requests, and logged from SKS at a level which only included errors,
not existing keys.
While privacy protecting, that makes it sufficiently hard to diagnose
problems that I decided I can't stick with it. Rather than silently
change something, this is my public notice.
-----------------------8< nginx logging format >8-----------------------
log_format hkp-minimal escape=json
    's=$connection t="$time_iso8601" '
    'tls_p="$ssl_protocol" tls_c="$ssl_cipher" tls_sni="$ssl_server_name" '
    'host="$host" '
    'status=$status rep_len=$body_bytes_sent '
    'req_len=$request_length req_durms=$request_time';
-----------------------8< nginx logging format >8-----------------------
Two example log-lines, real data:
s=3330 t="2018-05-22T23:17:05+00:00" tls_p="" tls_c="" tls_sni="" host="pool.sks-keyservers.net" status=200 rep_len=2914 req_len=176 req_durms=0.102
s=3329 t="2018-05-22T23:17:05+00:00" tls_p="TLSv1.2" tls_c="ECDHE-RSA-CHACHA20-POLY1305" tls_sni="hkps.pool.sks-keyservers.net" host="hkps.pool.sks-keyservers.net" status=200 rep_len=13462 req_len=175 req_durms=0.075
I feel that this is a reasonable balance of privacy vs operational
requirements. If there were a sane way (not embedding JS into nginx) to
log the $remote_addr at IPv4/16 or IPv6/56 level, I might consider that.
Regards,
-Phil
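
Added example, not part of the original message or of the spodhuis.org configuration: a Python parser for lines in the hkp-minimal format, plus the IPv4 /16 and IPv6 /56 truncation mentioned in the last paragraph. The function names, the third sample line and the test addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import json
import re

# The first two lines are the examples from the message; the third is
# constructed to show why quoted values must be decoded, not split on spaces.
SAMPLE = [
    's=3330 t="2018-05-22T23:17:05+00:00" tls_p="" tls_c="" tls_sni="" '
    'host="pool.sks-keyservers.net" status=200 rep_len=2914 req_len=176 '
    'req_durms=0.102',
    's=3329 t="2018-05-22T23:17:05+00:00" tls_p="TLSv1.2" '
    'tls_c="ECDHE-RSA-CHACHA20-POLY1305" tls_sni="hkps.pool.sks-keyservers.net" '
    'host="hkps.pool.sks-keyservers.net" status=200 rep_len=13462 req_len=175 '
    'req_durms=0.075',
    r's=1 t="2018-05-22T23:17:06+00:00" tls_p="" tls_c="" tls_sni="" '
    r'host="x\" status=200 y=\"z" status=400 rep_len=0 req_len=40 req_durms=0.001',
]

# key=bare or key="quoted"; escape=json backslash-escapes quotes inside values,
# so the quoted branch must step over \" instead of stopping at it.
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_line(line):
    """Turn one hkp-minimal log line into a dict with typed numeric fields."""
    rec = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        # Quoted values are JSON string bodies, so json.loads undoes the escaping.
        rec[key] = json.loads(f'"{quoted}"') if quoted is not None else bare
    for key in ("s", "status", "rep_len", "req_len"):
        rec[key] = int(rec[key])
    # nginx's $request_time is in seconds with millisecond resolution.
    rec["req_durms"] = float(rec["req_durms"])
    return rec

def coarse_addr(addr):
    """Reduce an address to the IPv4 /16 or IPv6 /56 network containing it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d as the IPv4 address it wraps
    prefix = 16 if ip.version == 4 else 56
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
```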