On 2013-08-19 at 17:59 -0400, James Cloos wrote:
> If one configures a proxy (such as nginx) with a config like:

Don't, because that's not what the Peering wiki page says to do and advertises the wrong port. Use:
  https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering#!nginx

> Instead, you need to specify 'hkp_port: 11371' in sksconf and configure
> the proxy like:
> with listen directives for each specific address.

Yes, that's why the Peering wiki page explicitly does this: SKS needs to listen on localhost, nginx (or other reverse proxy) on the public addresses, using the same port number for each. This is handled in the examples for all three web-servers for which example configurations are provided.

> Perhaps this is why some servers seem to lack some keys?

I doubt it. The spiders tend to force port 11371; if you know of a server where /pks/lookup?op=stats works on 11371 but shows a different port, then please re-educate the server operator.

The peering code actually just uses the SKS reconciliation port "+1", not the value configured in sksconf, so peering will get the keys through as long as you peer on 11370.

> Continuing on the nginx front, what is the optimal config for ports 80
> and 443, presuming that one wants to be able to serve other content on
> those ports in addition to /pks/? I've tried several, and none worked
> reliably.

Make sure that /pks/ is passed through to SKS, no matter what hostname is used, so that you can be in various pools.

For 443, additionally look into what certificates you want to use, and read this page:
  http://www.sks-keyservers.net/overview-of-pools.php
for instructions on getting a cert for the hkps.pool.sks-keyservers.net hostname.

You'll need to either have `default_server` on the listen lines for one of the servers, or make sure you know which is first in the config parsing for a given IP/port, so that on the default server for port 80 and 443, you can pass through /pks.

For myself, the various relevant server blocks just have:

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Server;
        add_header Via "1.1 sks.spodhuis.org:80 (nginx)";
        proxy_ignore_client_abort on;
    }

The proxy_set_header rules are not needed, they just give SKS's own debug logs more meaningful data.

-Phil

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
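
The layout described in the message above, put together as one nginx configuration. This is an added example, not the poster's or the Peering wiki's own configuration; the 192.0.2.10 address, certificate paths, document root and the `hkp_address` line in the sksconf comment are assumptions.

```nginx
# Constructed example. 192.0.2.10 is a placeholder public address; the
# certificate paths and document root are hypothetical.
#
# Assumed matching sksconf, so SKS itself binds only to loopback:
#   hkp_address: 127.0.0.1
#   hkp_port: 11371

# HKP on the standard port: nginx holds the public address, SKS holds
# localhost, and both use 11371 so the advertised port stays correct.
server {
    listen 192.0.2.10:11371;

    location / {
        proxy_pass http://127.0.0.1:11371;
        proxy_ignore_client_abort on;
    }
}

# Port 80: default_server makes this block answer for any Host header
# (a pool hostname, for instance), so /pks always reaches SKS.
server {
    listen 192.0.2.10:80 default_server;
    server_name _;

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_ignore_client_abort on;
    }

    # Other content served on the same port.
    location / {
        root /var/www/html;
    }
}

# Port 443: same pass-through, with whichever certificate was chosen.
server {
    listen 192.0.2.10:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/keyserver.crt;
    ssl_certificate_key /etc/nginx/tls/keyserver.key;

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_ignore_client_abort on;
    }

    location / {
        root /var/www/html;
    }
}
```

Running `nginx -t` after editing confirms the syntax and reports duplicate `default_server` declarations for the same address and port.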