sks-devel

Re: [Sks-devel] Just coincidence or targeted attack?


From: Phil Pennock
Subject: Re: [Sks-devel] Just coincidence or targeted attack?
Date: Mon, 19 May 2014 15:08:17 -0400

On 2014-05-19 at 19:12 +0200, Tobias Frei wrote:
> ...about every five seconds. The connections appear to come from
> 127.0.0.1 because of the reverse proxying; nginx's access logs are
> disabled for this host and I don't think that enabling them will help
> here at all. All I could get is a list of abusive IP addresses, which
> might change frequently - and these requests don't cause any trouble
> for me anyway. The logs are rotated and compressed automatically, so
> I'll just ignore these requests.

You don't need to enable nginx logs, if you just set up nginx to include
IP information in a header.  An X-Real-IP: header will be included in
the db.log for any event which triggers a request dump to logs at your
log level.

----------------------------8< cut here >8------------------------------
2014-05-15 14:35:35 Error handling request (POST,/pks/add,[
accept:*/*
connection:close
content-length:82
content-type:application/x-www-form-urlencoded
host:pool.sks-keyservers.net:11371
x-forwarded-for:2001:16d8:ee00:58::2
x-real-ip:2001:16d8:ee00:58::2]): Failure("Error while decoding ascii-armored 
key: text terminated before beginning of ascii block")
----------------------------8< cut here >8------------------------------

Reverse DNS on that IPv6 address points to SixXS in Norway, hanging off
an Oslo PoP (given that network engineers often name devices/zones by
the nearest airport's IATA code, since it works for an easy scheme to
get a short code which is globally unique but identifies the locality).

    ... domain name pointer cl-89.osl-01.no.sixxs.net.


The configuration in
  <https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering>
is a minimum to interoperate, not a "you must or should use exactly
this"; my actual configuration is:

----------------------------8< cut here >8------------------------------
    # HKP
    server {
        listen      94.142.242.225:11371;
        listen      [2a02:898:31:0:48:4558:73:6b73]:11371;
        access_log  off;
        # Like `include fragment-pks;` but for `/`:
        location / {
            proxy_pass         http://127.0.0.3:11371;
            proxy_set_header   Host            $host:$server_port;
            proxy_set_header   X-Real-IP       $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header  Server;
            add_header         Via "1.1 sks.spodhuis.org:11371 (nginx)";
            proxy_ignore_client_abort on;
            client_max_body_size 8m;
        }
    }
----------------------------8< cut here >8------------------------------

and every vhost for other hostnames or ports has `include fragment-pks;`
inside the `server { ... }` block; that include file is simply:

----------------------------8< cut here >8------------------------------
# Pass /pks onto the SKS keyserver
location /pks {
    proxy_pass         http://127.0.0.3:11371;
    proxy_set_header   Host            $host:$server_port;
    proxy_set_header   X-Real-IP       $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header  Server;
    add_header         Via "1.1 $server_name:$server_port (nginx)";
    proxy_ignore_client_abort on;
    client_max_body_size 8m;
}
----------------------------8< cut here >8------------------------------

This brings the number of places where the content is repeated down to
2, which is almost the ideal of 1.  Note the differences in the Via:
header construction.

-- 
My employer, Apcera Inc, is hiring sysadmin; primarily San Francisco:
 http://www.apcera.com/jobs/#operations-engineer
(but all the mistakes in this email are made in my personal capacity)

Attachment: pgpg24vVTZxUw.pgp
Description: PGP signature
