sks-devel

Re: [Sks-devel] SKS behind NAT firewall


From: Alain Wolf
Subject: Re: [Sks-devel] SKS behind NAT firewall
Date: Wed, 24 Jan 2018 00:20:41 +0100

Hi Hendrik

Me again.

On 23.01.2018 21:48, Hendrik Visage wrote:
> Hi there,
> 
>  Anybody else running a SKS behind a NAT firewall?

I do.

> Could you perhaps share any advice on the recon/hkp settings? (I’ll be
> setting up/running nginx reverse proxy for HKP)

Nothing unusual on the router/firewall, it gets complicated on the host
itself.

External IPv4 does port-forwarding to 80,443,11370,11371 to the internal
IPv4 of the host. IPv6 just the same as access rules instead of NAT.

But then on the internal host:

sks-recon listens on 11370.

sslh listens on port 11371, checks whether TLS is in use and then
    forwards HTTP to port 80 to nginx on the same host
    forwards HTTPS to port 443 to nginx on the same host
It does this for IPv4 and IPv6.

nginx listens on 80 for HTTP and on 443 for HTTPS

It then uses one of 3 virtual servers according to the requested HTTP
host name.

1. HTTP for my own pgpkeys.urown.net.
2. HTTP for all the SKS pool names.
3. HTTPS for pgpkeys.urown.net with LE cert
4. Is inactive but ready to do HTTPS for the hkps-pool some day ;)
5. HTTP for the Tor onion service.

They all proxy to port 11371 on localhost.

> 
>  Or should I rather have the outside IP bound to a virtual/loopback
> interface, and then route it directly via the firewall to the SKS server?
Since I have different servers running and only one global IPv4, this
wouldn't work for me.
> 
> Reason I’m asking: I’m not quite clear in understanding the recon
> settings, and I’d rather ask experience before I chase down the wrong alley.

Recon is the easier part. No proxy, no TLS, just a port that listens on
the internal IP.

> 
I wrote all this down a while ago.
If not, look here:
https://roll.urown.net/server/pgp-keyserver.html#firewall-rules

It's not very fresh but should still be valid for the most part. The main
difference is that nowadays I just manually download the latest deb
package from a future Linux dist for installation instead of all the
building from source.

-- 
pgpkeys.urown.net 11370 # <address@hidden> 0x27A69FC9A1744242
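
As an added example (not Alain's own configuration, nor anything shipped by SKS, sslh or nginx), here is an nginx layout that implements the split described in the message above: sslh on 11371 hands plain HTTP to port 80 and TLS to port 443, and every virtual server proxies to the SKS HKP listener on localhost:11371. The sksconf and sslh settings it relies on are quoted in the header comment. The LAN address 192.0.2.10, the certbot paths, the pool hostnames and the onion name are placeholders, and the two catch-all servers at the end are a hardening addition, not part of the original description.

```nginx
# Added example, not Alain's real configuration. It reproduces the layout his
# message describes: sslh on 11371 splits HTTP and TLS to nginx on 80/443, and
# every virtual server proxies to the SKS HKP listener on localhost:11371.
# Assumed values: the LAN address 192.0.2.10, the certbot paths, the pool
# hostnames, the onion name, and the sksconf/sslh settings in this comment.
#
# sksconf (assumed):                 sslh (assumed invocation):
#   hkp_address:   127.0.0.1           sslh -p 192.0.2.10:11371 \
#   hkp_port:      11371                    --http 127.0.0.1:80  \
#   recon_address: 192.0.2.10               --tls  127.0.0.1:443   # --ssl on older sslh
#   recon_port:    11370
# SKS and sslh both use 11371, but on different addresses, so they coexist.
# Recon (11370) is port-forwarded straight to SKS; nothing proxies it.

upstream sks_hkp {
    server 127.0.0.1:11371;
}

# 1. Plain HTTP for the server's own name.
server {
    listen 80;
    listen [::]:80;
    server_name pgpkeys.urown.net;
    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# 2. Plain HTTP for the pool names the server is advertised under (assumed list).
server {
    listen 80;
    listen [::]:80;
    server_name keys.gnupg.net pool.sks-keyservers.net *.pool.sks-keyservers.net;
    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# 3. HTTPS for the server's own name with the Let's Encrypt certificate.
#    sslh hands the raw TLS stream to 443; nginx terminates it here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pgpkeys.urown.net;
    ssl_certificate     /etc/letsencrypt/live/pgpkeys.urown.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pgpkeys.urown.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# 4. hkps pool: a copy of 3 with the pool's own certificate; kept disabled
#    until there is one.

# 5. Tor onion service. tor's "HiddenServicePort 80 127.0.0.1:80" delivers the
#    request to the plain-HTTP listener with the onion name as Host.
server {
    listen 80;
    server_name yourservice.onion;   # placeholder for the real onion name
    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
    }
}

# Catch-all (hardening addition): traffic reaching the NAT forward with an
# unknown Host header or SNI (scanners, IP-literal requests) is closed
# instead of being handed to SKS by the first server block that matches.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4; needs no certificate
}
```

Two checks before reloading: run `nginx -t`, and confirm with `ss -ltnp` that the two 11371 listeners are on different addresses (sslh on the LAN or public-facing address, SKS on 127.0.0.1); if both try to bind the wildcard address, whichever starts second fails. Recon is deliberately left out of the proxy path, exactly as the message says: port 11370 is forwarded by the router straight to the address SKS binds in sksconf.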

Attachment: signature.asc
Description: OpenPGP digital signature
