sks-devel

[Sks-devel] Apache setup for refusing to serve bad keys


From: John Zaitseff
Subject: [Sks-devel] Apache setup for refusing to serve bad keys
Date: Tue, 19 Feb 2019 13:04:46 +1100
User-agent: NeoMutt/20170113 (1.7.2)

Hi, everyone,

There's been some discussion on this list about refusing to serve
bad OpenPGP keys -- at least as a workaround for the time being.
Andreas Puls has even supplied a configuration snippet for nginx.

Here is my version for the Apache server.  It allows you to include
the list of keys in a separate file that can be updated at any time
without restarting/reloading the server.

In particular, I have something like the following in the file
/etc/sks/apache-badkeys:

  # /etc/sks/apache-badkeys: Prevent hosts from querying bad keys

  # This file contains a list of OpenPGP keys that should NOT be returned
  # to clients using the web interface.  Each line contains the query
  # string followed by a space and a hyphen, as required by the Apache
  # RewriteMap directive; keys MUST be in lowercase only.

  0x1013d73fecac918a0a25823986ce877469d2ead9      -
  0x86ce877469d2ead9                              -
  0x69d2ead9                                      -

  0x2016349f5bc6f49340fccaf99f9169f4b33b4659      -
  0x9f9169f4b33b4659                              -
  0xb33b4659                                      -

Then in my Apache configuration file, I have the following rules:

  RewriteEngine on

  RewriteMap  badkeys     "txt:/etc/sks/apache-badkeys"
  RewriteMap  lc          int:tolower

  RewriteCond "%{REQUEST_URI}"            "^/pks/lookup"
  RewriteCond "%{QUERY_STRING}"           "op=(get|search|vindex)&?.*search=([^&]+)&?"
  RewriteCond "${badkeys:${lc:%2}|ok}"    "!=ok"
  RewriteRule ^/pks/lookup                - [L,G]

This block appears BEFORE any ProxyPass / ProxyPassReverse /
ProxyVia lines.  Whenever a matching key is requested, a 410 Gone
message is returned.  And I can add to the apache-badkeys file any
time I like...

Yours truly,

John Zaitseff

-- 
John Zaitseff                   ,--_|\    The ZAP Group
Telephone: +61 2 9643 7737     /      \   Sydney, Australia
Email: address@hidden   \_,--._*   https://www.zap.org.au/
                                     v
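An added helper script for the setup above (example code, not part of John's message or the SKS project): badkey_entries() turns one OpenPGP v4 fingerprint into the three lowercase lookup forms the apache-badkeys map needs (full fingerprint, 64-bit long key ID, 32-bit short key ID), and check_query() reproduces the RewriteCond chain so an edited map file can be checked offline before Apache ever sees it. It assumes POSIX sh with sed -E, awk and cut available; the fingerprints in the demo are the ones listed in the message.

```sh
#!/bin/sh
# Maintain and test the txt: RewriteMap used to refuse bad keys
# (added example; not from the original message).

# Print the three map lines for one fingerprint; fails if the
# argument is not a 40-hex-digit OpenPGP v4 fingerprint.
badkey_entries() {
    fp=$(printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    [ "${#fp}" -eq 40 ] || return 1
    case "$fp" in
        *[!0-9a-f]*) return 1 ;;
    esac
    long_id=$(printf '%s' "$fp" | cut -c25-40)   # last 16 hex digits
    short_id=$(printf '%s' "$fp" | cut -c33-40)  # last 8 hex digits
    # Key, whitespace, "-" : the value the RewriteCond tests against "ok"
    printf '0x%s -\n0x%s -\n0x%s -\n' "$fp" "$long_id" "$short_id"
}

# $1: map file, $2: raw QUERY_STRING of a /pks/lookup request.
# Prints "410" when the rules above would refuse the request, else "ok".
check_query() {
    map=$1
    # Same capture as the RewriteCond: op=get|search|vindex ... search=<key>
    key=$(printf '%s\n' "$2" \
        | sed -En 's/.*op=(get|search|vindex)&?.*search=([^&]+).*/\2/p' \
        | tr '[:upper:]' '[:lower:]')            # ${lc:%2}
    [ -n "$key" ] || { echo ok; return 0; }
    # Exact whole-key match, as a txt: map does; "ok" is the |ok default
    if awk -v k="$key" '$1 == k && $2 == "-" { found = 1 }
                        END { exit !found }' "$map"; then
        echo 410
    else
        echo ok
    fi
}

# Demo: "sh badkeys.sh --demo" prints map lines for the two fingerprints
# quoted in the message; redirect the output into /etc/sks/apache-badkeys.
if [ "${1:-}" = "--demo" ]; then
    for f in 1013D73FECAC918A0A25823986CE877469D2EAD9 \
             2016349F5BC6F49340FCCAF99F9169F4B33B4659; do
        badkey_entries "$f"
    done
fi
```

The simulation does not URL-decode the query string, so a percent-encoded search value would pass through it differently from Apache.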

