sks-devel

[Sks-devel] HA proxy configuration for multiple pools


From: Phil Pennock
Subject: [Sks-devel] HA proxy configuration for multiple pools
Date: Tue, 4 Dec 2012 13:11:06 -0500

[ sks-devel list ]

People with proxies in front of port 11371, can you *please* make sure
that queries for unrecognised vhost names on that port still make it
through to SKS?  You can restrict port 80 to "known vhosts only" and
that makes a degree of security sense, but port 11371 should be open for
any vhostname to reach the PGP keyserver, so that you can be in any
pools.

Sample config:
----------------------------8< cut here >8------------------------------
    # HKP
    server {
        listen      198.51.100.1:11371;
        listen      [2001:db8::1]:11371;
        access_log  off;
        location / {
            proxy_pass         http://127.0.0.1:11371;
            proxy_pass_header  Server;
            add_header         Via "1.1 pgp.example.org:11371 (nginx)";
        }
    }
----------------------------8< cut here >8------------------------------

Check with:
  curl -v --resolve keys.example.org:11371:${your_ip_address} \
    'http://keys.example.org:11371/pks/lookup?op=stats'

That should return results from your server.  If it doesn't, then this
limits which pools you can be part of.  Perhaps that's what you want,
but if you haven't told folks this explicitly, then the expectation is
that you'll be in any pools anyone feels like adding.

("The expectation": okay, my understanding of the woolly view of an
 ad-hoc group of people who haven't explicitly said this, AFAIK)

On 2012-12-04 at 16:45 +0400, Kristian Fiskerstrand wrote:
> On 12/04/2012 01:21 PM, Phil Pennock wrote:
> > On 2012-12-04 at 07:43 +0100, Werner Koch wrote:
> >> If you want me to delegate keys.gnupg.net to another pool
> >> operator group, please let me know.
> > 
> > If you want to get out of the issue entirely, I recommend taking a
> > look at <http://www.sks-keyservers.net/overview-of-pools.php> and
> > pick one to CNAME to.  I suggest "ha.pool.sks-keyservers.net".
> 
> iirc this is the case already[0].

I've apologised to Werner for not noticing that this had changed.

In fact, it looks as though I knew but forgot, since the last time I
changed my proxy config for gnupg.net on port 80 was on 2012-05-29 when
I saw that http-keys.gnupg.net existed, which is almost certainly
_because_ of Werner's announcement about the CNAME change.

*shame*

> The only issue with (in particular the HA pool) is that not all of the
> servers behind reverse proxies are configured for this vhost. Maybe it
> would make sense to put up a pool for servers specifically not behind
> a reverse proxy, but that'd be another can of worms. So I'll see if I
> can get around to adding some additional vhost (HTTP Host Header)
> checks somewhere.

Do you have stats of how many folks running a proxy on 11371 are not
making sure the default vhost for that port passes through?

I'm not sure that encouraging non-proxy use makes sense for service
"hostnames" that will be in default configurations (perhaps commented
out).

Do you have recommendations on a light-weight check for this, given a
working server?  Look for a specific key, or op=stats, or something
else?

-Phil
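A scripted form of the curl check above, added here as an example rather than code from this post or from SKS: it sends the op=stats query to a fixed IP and port with an explicit Host header (the same trick as curl --resolve) for each vhost name, so an unrecognised name that comes back non-200 shows the proxy is restricting port 11371 to known vhosts. The fake proxy, its port and the "Total number of keys" body are constructed stand-ins so the check can be exercised offline; pgp.example.org and ha.pool.sks-keyservers.net are taken from the thread.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

STATS_PATH = "/pks/lookup?op=stats"

def probe_hkp(ip, port, vhost, timeout=5.0):
    """Send one HKP stats request to ip:port with an explicit Host header,
    bypassing DNS the same way curl --resolve does. Returns the HTTP status."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", STATS_PATH, headers={"Host": f"{vhost}:{port}"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def check_passthrough(ip, port, vhosts):
    """Map each candidate vhost to whether the keyserver answered it (HTTP 200).
    Include at least one name the proxy has never heard of; if that one fails,
    the proxy is limiting port 11371 to known vhosts and hence to some pools."""
    return {v: probe_hkp(ip, port, v) == 200 for v in vhosts}

def make_fake_proxy(known_hosts):
    """Constructed stand-in for a reverse proxy on a random local port. It answers
    the stats query with 200 only for Host values in known_hosts; known_hosts=None
    models a proxy whose default vhost passes everything through to SKS."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = self.headers.get("Host", "").split(":")[0]
            if self.path == STATS_PATH and (known_hosts is None or host in known_hosts):
                status, body = 200, b"Total number of keys in database: 12345\n"
            else:
                status, body = 403, b"unknown vhost\n"
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Against a real server, call check_passthrough(your_ip, 11371, ["pgp.example.org", "ha.pool.sks-keyservers.net", "not-a-real-vhost.invalid"]) and look for any False; the fake proxy is only there so the check can be run without a keyserver.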


