Re: Seeking peers for keys.dryusdan.net

2024-04-07 Thread Dryusdan

Yes, I had both values enabled.

I have just removed HAP_BEHIND_PROXY_EXCEPT_HKP now and kept HAP_BEHIND_PROXY :)

(I think it is okay now ^^)

Thanks

Dryusdan

On 06/04/2024 at 21:30, Andrew Gallagher wrote:

> On 6 Apr 2024, at 18:29, Dryusdan wrote:
>
>> No, these three ports are behind nginx
>>
>> Okay, I see the mistake
>> I will remove HAP_BEHIND_PROXY_EXCEPT_HKP tomorrow :)
>
> Yes, if you have all three behind a proxy you need to uncomment
> HAP_BEHIND_PROXY instead.
>
> A



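The flag/topology pairing worked out in this thread, as an added example (not part of any message and not Hockeypuck's own tooling): a shell check that reads an environment file such as /etc/default/haproxy and reports whether the two flags match where the front proxy sits. It assumes plain VAR=value lines where any uncommented, non-empty value counts as set; the function names, topology labels and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: lint the two proxy flags against the real topology.
# Assumption: flags live in an env file of plain VAR=value lines and any
# uncommented, non-empty value counts as "set".

# is_set FILE VAR -> exit 0 when VAR has an uncommented, non-empty assignment
is_set() {
    grep -Eq "^[[:space:]]*$2=[\"']?[^\"'[:space:]#]" "$1"
}

# check_proxy_flags FILE TOPOLOGY
#   all  : ports 80, 443 and 11371 all sit behind the front proxy
#   web  : only 80 and 443 sit behind it, 11371 is reached directly
#   none : nothing sits in front of HAProxy
check_proxy_flags() {
    file=$1; topology=$2; all=no; except=no
    case "$topology" in
        all|web|none) ;;
        *) echo "usage: check_proxy_flags FILE all|web|none" >&2; return 2 ;;
    esac
    is_set "$file" HAP_BEHIND_PROXY && all=yes
    is_set "$file" HAP_BEHIND_PROXY_EXCEPT_HKP && except=yes
    case "$topology:$all:$except" in
        all:yes:no|web:no:yes|none:no:no)
            echo "ok" ;;
        *:yes:yes)
            echo "conflict: both flags set, keep only the one matching the topology" ;;
        none:*)
            echo "unprotected: a proxy flag is set but nothing sits in front" ;;
        *:no:no)
            echo "tarpit-risk: proxied but no flag set, the proxy itself may get tarpitted" ;;
        all:no:yes)
            echo "mismatch: 11371 is proxied too, use HAP_BEHIND_PROXY instead" ;;
        web:yes:no)
            echo "mismatch: 11371 is direct, use HAP_BEHIND_PROXY_EXCEPT_HKP instead" ;;
    esac
}

# Constructed sample reproducing the state described in the thread:
# all three ports are behind nginx, but only the EXCEPT_HKP flag is active.
sample=$(mktemp)
printf '%s\n' '#HAP_BEHIND_PROXY=true' 'HAP_BEHIND_PROXY_EXCEPT_HKP=true' > "$sample"
check_proxy_flags "$sample" all
rm -f "$sample"
```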


Re: Seeking peers for keys.dryusdan.net

2024-04-06 Thread Andrew Gallagher via SKS development and deployment list
On 5 Apr 2024, at 18:36, Dryusdan wrote:
> 
> I double-checked and no, HAP_BEHIND_PROXY wasn't set. But 
> HAP_BEHIND_PROXY_EXCEPT_HKP is (in /etc/default/haproxy I set the 
> variable directly and it is loaded by the systemd service)
> 
> It is now ok :)
> 

So that would imply that ports 80 and 443 are behind nginx, but port 11371 is 
not. Is that correct?

A

Re: Seeking peers for keys.dryusdan.net

2024-04-05 Thread Dryusdan
I double-checked and no, HAP_BEHIND_PROXY wasn't set. But 
HAP_BEHIND_PROXY_EXCEPT_HKP is (in /etc/default/haproxy I set the 
variable directly and it is loaded by the systemd service)

It is now ok :)


Dryusdan

On 05/04/2024 at 18:40, Andrew Gallagher wrote:

> On 5 Apr 2024, at 17:34, Dryusdan wrote:
>
>> I changed my setup today and added HAProxy and the standalone configuration.
>> Actually it is behind nginx for both, keys.dryusdan.net
>> and gpg.4n0ny.me.
>
> Great stuff! Did you make sure to uncomment HAP_BEHIND_PROXY? If not,
> you may end up tarpitting your own nginx. (and remember to comment it
> out again when you remove nginx, otherwise you won’t be protected at all)
>
> A





Re: Seeking peers for keys.dryusdan.net

2024-04-05 Thread Andrew Gallagher via SKS development and deployment list
On 5 Apr 2024, at 17:34, Dryusdan wrote:
> 
> I changed my setup today and added HAProxy and the standalone configuration. 
> Actually it is behind nginx for both, keys.dryusdan.net 
> and gpg.4n0ny.me.

Great stuff! Did you make sure to uncomment HAP_BEHIND_PROXY? If not, you may 
end up tarpitting your own nginx. (and remember to comment it out again when 
you remove nginx, otherwise you won’t be protected at all)

A





Re: Seeking peers for keys.dryusdan.net

2024-04-05 Thread Dryusdan

Hi

I changed my setup today and added HAProxy and the standalone configuration. 
Actually it is behind nginx for both, keys.dryusdan.net and gpg.4n0ny.me.

I checked and found no problem (and the logs don't report any problem to me).

In the future I will drop nginx (but I need to learn and make an Ansible 
playbook to set up HAProxy).

The nginx in place is not totally vanilla, I tweaked its configuration ;) 
(details available in my playbook https://git.dryusdan.fr/Ansible/nginx )



Dryusdan


On 04/04/2024 at 11:54, Andrew Gallagher wrote:

> On 31 Mar 2024, at 21:25, William Hay wrote:
>
>> Do you have protections against flooding attacks in place on your
>> keyservers (appropriately configured rate limiting proxy)?
>
> Hi, guys.
>
> According to the spider at https://spider.pgpkeys.eu/sks-peers,
> keys.dryusdan.net and gpg.4n0ny.me appear to be using a vanilla nginx reverse
> proxy. Can we please confirm whether haproxy is installed as a shim? If not, we
> should refrain from peering until this is in place and tested.
>
> Thanks,
> A





Re: Seeking peers for keys.dryusdan.net

2024-04-04 Thread Andrew Gallagher via SKS development and deployment list
On 31 Mar 2024, at 21:25, William Hay wrote:
> 
> Do you have protections against flooding attacks in place on your 
> keyservers (appropriately configured rate limiting proxy)?

Hi, guys.

According to the spider at https://spider.pgpkeys.eu/sks-peers, 
keys.dryusdan.net and gpg.4n0ny.me appear to be using a vanilla nginx reverse 
proxy. Can we please confirm whether haproxy is installed as a shim? If not, we 
should refrain from peering until this is in place and tested.

Thanks,
A





Re: Seeking peers for keys.dryusdan.net

2024-03-31 Thread William Hay
On Sun, Mar 31, 2024 at 04:37:03PM +0200, Dryusdan wrote:
> Hi (again),
> 
> 
> Finally, gpg.4n0ny.me is finally operational earlier than expected.
> 
> So I am looking for peers for gpg.4n0ny.me too.
> 
> Same description as keys.dryusdan.fr, I got the keydump from Cyberbits
> (rsync.cyberbits.eu/sks/dump/), dated 2024-03-25.
> 
> I see 6587450 keys loaded.
> 
> But I have IPv6 connectivity :D
> 
> So I have:
> 
> - keys.dryusdan.net 11370 # Dryusdan 0x87d8c67ee79958e6 
> (https://pgpkeys.eu:11371/pks/lookup?search=0x87d8c67ee79958e6=on=index)
> 
> 
> - gpg.4n0ny.me 11370 # Dryusdan 0x87d8c67ee79958e6
> 
> Thank you,
> 
> Dryusdan

Do you have protections against flooding attacks in place on your 
keyservers (appropriately configured rate limiting proxy)?

William

> 
> On 31/03/2024 at 12:25, Dryusdan wrote:
> > Hi,
> > 
> > I am looking for peers for a new Hockeypuck installation.
> > 
> > I am running Hockeypuck 2.1.2, on keys.dryusdan.net.
> > I am Dryusdan, a tech and privacy lover. In the past, I was part of the 
> > collective CHATONS (https://www.chatons.org/en), launched by Framasoft (for 
> > the French here who know who they are).
> > This server runs on my self-hosted server (actually under my TV).
> > The server is physically located in Nantes (FR).
> > The machine doesn't have IPv6 connectivity (my ISP blocks all incoming IPv6 
> > traffic :( ).
> > 
> > I have loaded a keydump from Cyberbits (rsync.cyberbits.eu/sks/dump/), 
> > dated 2024-03-25.
> > I see 6587450 keys loaded.
> > 
> > I am also trying to launch another server, hosted in Helsinki (on Hetzner's ARM 
> > VPS), called gpg.4n0ny.me but it is not ready yet (key import is very long).
> > (And I write a tech article for openpgp keyserver but it's not important)
> > 
> > For operational issues, please contact me directly.
> > 
> > keys.dryusdan.net 11370 # Dryusdan 0x87d8c67ee79958e6 
> > (https://pgpkeys.eu:11371/pks/lookup?search=0x87d8c67ee79958e6=on=index)
> >  (new key, made specially for my GPG card)
> > 
> > Thank you,
> > Dryusdan









Re: Seeking peers for keys.dryusdan.net

2024-03-31 Thread Dryusdan

Hi (again),


Finally, gpg.4n0ny.me is finally operational earlier than expected.

So I am looking for peers for gpg.4n0ny.me too.

Same description as keys.dryusdan.fr, I got the keydump from Cyberbits 
(rsync.cyberbits.eu/sks/dump/), dated 2024-03-25.

I see 6587450 keys loaded.

But I have IPv6 connectivity :D

So I have:

- keys.dryusdan.net 11370 # Dryusdan 0x87d8c67ee79958e6 
(https://pgpkeys.eu:11371/pks/lookup?search=0x87d8c67ee79958e6=on=index) 

- gpg.4n0ny.me 11370 # Dryusdan 0x87d8c67ee79958e6

Thank you,

Dryusdan

On 31/03/2024 at 12:25, Dryusdan wrote:

> Hi,
> 
> I am looking for peers for a new Hockeypuck installation.
> 
> I am running Hockeypuck 2.1.2, on keys.dryusdan.net.
> I am Dryusdan, a tech and privacy lover. In the past, I was part of the 
> collective CHATONS (https://www.chatons.org/en), launched by Framasoft (for 
> the French here who know who they are).
> This server runs on my self-hosted server (actually under my TV).
> The server is physically located in Nantes (FR).
> The machine doesn't have IPv6 connectivity (my ISP blocks all incoming IPv6 
> traffic :( ).
> 
> I have loaded a keydump from Cyberbits (rsync.cyberbits.eu/sks/dump/), dated 
> 2024-03-25.
> I see 6587450 keys loaded.
> 
> I am also trying to launch another server, hosted in Helsinki (on Hetzner's ARM 
> VPS), called gpg.4n0ny.me but it is not ready yet (key import is very long).
> (And I write a tech article for openpgp keyserver but it's not important)
> 
> For operational issues, please contact me directly.
> 
> keys.dryusdan.net 11370 # Dryusdan 0x87d8c67ee79958e6 
> (https://pgpkeys.eu:11371/pks/lookup?search=0x87d8c67ee79958e6=on=index)
>  (new key, made specially for my GPG card)
> 
> Thank you,
> Dryusdan

