Making SKS available on port 80 with nginx
Posted: Sat, 30 July 2011
Being the conscientious sysadmin that I am[1], I happened to be looking in my nginx error logs today and noticed a few requests for slightly funny-looking URLs pointed at the hostname pool.sks-keyservers.net. This isn't as strange as it sounds, given that I run a server that is part of the Synchronising Keyserver network.
Typically, clients connect to the pool using the HKP protocol, a bastard variant of HTTP that runs on port 11371. However, it appears that some people hit the pool using port 80, so I decided to help them out a little by adding a vhost to nginx that will do the right thing for those people and point them to the keyserver.
It turned out to be surprisingly easy; my vhost config, in its entirety, is as follows:
    upstream sks {
        server 127.0.0.1:11371;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name sks.hezmatt.org pool.sks-keyservers.net;
        access_log /var/log/nginx/sites/sks.hezmatt.org/access.log;
        error_log /var/log/nginx/sites/sks.hezmatt.org/error.log;
        root /usr/share/empty;

        location / {
            proxy_pass http://sks;
        }
    }
A couple of things to note:
- In addition to adding the hostname of my own keyserver (sks.hezmatt.org) in the server_name line, it's important to have pool.sks-keyservers.net in there, because that's what most clients will connect to.
- It's unlikely that your SKS keyserver is set up to listen on 127.0.0.1; you will probably have to add that to the hkp_address option in /etc/sks/sksconf (otherwise you'll get "connection refused" errors).
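A small sanity check for the second point, added here as an example rather than code from the original post: it pulls the upstream address out of the nginx vhost and confirms that SKS is configured to bind it, so the mismatch shows up before clients see "connection refused" on port 80. It assumes sksconf uses "hkp_address: <addr>" lines and that the upstream entries are IPv4 addresses or hostnames; the sample files are constructed inline.

```shell
#!/bin/sh
# Cross-check the nginx upstream against the SKS hkp_address setting, so a
# mismatch is caught before clients see "connection refused" on port 80.
# Assumption: sksconf uses "hkp_address: <addr> [<addr> ...]" lines and the
# upstream uses IPv4 or hostname "server <host>:<port>;" entries.

# Host part of every "server <host>:<port>;" line in an nginx config.
nginx_upstream_hosts() {
    sed -n 's/^[[:space:]]*server[[:space:]]\{1,\}\([^:;[:space:]]*\):[0-9]*;.*/\1/p' "$1"
}

# Addresses SKS binds its HKP listener to, one per line.
sks_hkp_addresses() {
    sed -n 's/^[[:space:]]*hkp_address:[[:space:]]*//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Returns 0 when every upstream host is bound by SKS, 1 otherwise.
check_sks_proxy() {
    status=0
    for host in $(nginx_upstream_hosts "$1"); do
        if ! sks_hkp_addresses "$2" | grep -qxF "$host"; then
            echo "upstream $host is not in hkp_address of $2" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample configs (not the files from the post's server).
# $1 is the hkp_address value to write; prints the directory created.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/sks.vhost" <<'EOF'
upstream sks {
    server 127.0.0.1:11371;
}
server {
    listen 80;
    server_name sks.hezmatt.org pool.sks-keyservers.net;
    location / { proxy_pass http://sks; }
}
EOF
    printf 'hkp_port: 11371\nhkp_address: %s\n' "$1" > "$dir/sksconf"
    echo "$dir"
}

# Demo: the working configuration from the post.
demo=$(make_fixtures "127.0.0.1")
check_sks_proxy "$demo/sks.vhost" "$demo/sksconf" && echo "upstream matches hkp_address"
```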
Hopefully this spurs a few more people to make the SKS pool a bit more user friendly. The person who had a wide-open PBX management console on port 80 should definitely implement this, before someone naughty finds it.
[1] Actually, I was bored. It's the same thing though, really.