
Re: [Sks-devel] Apache setup for refusing to serve bad keys


From: John Zaitseff
Subject: Re: [Sks-devel] Apache setup for refusing to serve bad keys
Date: Thu, 21 Feb 2019 07:46:08 +1100
User-agent: NeoMutt/20170113 (1.7.2)

Hi, echelon,

You wrote:

> Thank you, but it looks like it only works partly, e.g. from the
> web interface.
>
> e.g.:
> [20/Feb/2019:12:52:40 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 410 602 "http://keys.i2p-projekt.de/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36"
>
> looks like it works fine.  BUT:
>
> [20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"
>
> does not work with your RewriteConds.

It works for me :-)

$ HEAD 'https://keyserver.zap.org.au/pks/lookup?search=0x69D2EAD9&op=vindex'
410 Gone
Connection: close
...

$ HEAD 'https://keyserver.zap.org.au/pks/lookup?op=get&options=mr&search=0x69D2EAD9'
410 Gone
Connection: close
...

(HEAD is a command-line tool in the libwww-perl package under Debian
and Ubuntu.)

My complete set of rules, for reference, is:

  RewriteEngine on

  RewriteMap  badkeys     "txt:/etc/sks/apache-badkeys"
  RewriteMap  lc          int:tolower

  RewriteCond "%{REQUEST_URI}"            "^/pks/lookup"
  RewriteCond "%{QUERY_STRING}"           "op=(get|index|search|vindex)"
  RewriteCond "%{QUERY_STRING}"           "search=([^&]+)(&|$)"
  RewriteCond "${badkeys:${lc:%1}|ok}"    "!=ok"
  RewriteRule ^/pks/lookup                - [L,G]

> (BTW: look at this key: 0xD7FFC063B40A2294B966DB47FF80AE9D1DEC358D [...])

Nice signatures :-)  We're playing "whack-a-mole" here.

I went through my Apache logs for the last month or so, searching
for very large keys being requested, and added these (and certain
variations of them) to my /etc/sks/apache-badkeys file.  I have 15
keys listed so far...

Yours truly,

John Zaitseff

-- 
John Zaitseff                   ,--_|\    The ZAP Group
Telephone: +61 2 9643 7737     /      \   Sydney, Australia
Email: address@hidden   \_,--._*   https://www.zap.org.au/
                                     v
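
The log review described in the message above, as an added example that is not part of the original post or the author's own tooling: it scans access-log lines for `/pks/lookup` responses above a size threshold, using the same `op=` and `search=` patterns as the rules, and emits lowercase lines for the `txt:` RewriteMap. The 10 MB threshold, the `bad` map value, the with/without-`0x` variants and the sample log lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines in the log layout quoted in the thread (not real traffic).
SAMPLE_LOG = """\
[20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"
[20/Feb/2019:12:56:01 +0100] "GET /pks/lookup?op=get&options=mr&search=0xAAAA1111 HTTP/1.1" 200 2048 "-" "-"
[20/Feb/2019:12:57:10 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 410 602 "-" "-"
[20/Feb/2019:12:58:00 +0100] "GET /pks/lookup?op=stats HTTP/1.1" 200 99999999 "-" "-"
"""

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+|-)')
# Same patterns as the RewriteCond lines, so map keys match what Apache captures.
OP = re.compile(r"op=(get|index|search|vindex)")
SEARCH = re.compile(r"search=([^&]+)(&|$)")


def oversized_lookups(lines, min_bytes):
    """Return lowercased search terms whose 200 responses were >= min_bytes."""
    found = set()
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        uri, status, size = m.groups()
        path, _, query = uri.partition("?")
        if not path.startswith("/pks/lookup") or status != "200" or size == "-":
            continue
        s = SEARCH.search(query)
        if OP.search(query) and s and int(size) >= min_bytes:
            # Keep the raw (undecoded) value: the rule matches on the raw QUERY_STRING
            # and lowercases it with the int:tolower map.
            found.add(s.group(1).lower())
    return found


def map_entries(terms):
    """Expand each term to 0x-prefixed and bare forms as 'key value' map lines."""
    keys = set()
    for t in terms:
        bare = t[2:] if t.startswith("0x") else t
        keys.update({bare, "0x" + bare})
    # Any value other than the default "ok" makes the "!=ok" condition fire.
    return [f"{k} bad" for k in sorted(keys)]


if __name__ == "__main__":
    hits = oversized_lookups(SAMPLE_LOG.splitlines(), 10_000_000)
    print("\n".join(map_entries(hits)))
```

The map lookup is an exact string match, so a key requested by long ID or full fingerprint needs its own entry; those forms cannot be derived from a short ID seen in the log.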


