
Logic:

Apache is the single public entry point for:

  • HTTP
  • HTTPS
  • HKPS

All keyserver traffic is then proxied straight to Varnish (reached only via 127.0.0.1, port 10371) without any further rewriting; Apache itself only serves the site's static index files from its DocumentRoot.

Two SKS instances run on this host, with their HKP listeners bound to localhost on ports:

  • 12372
  • 11372

One recon instance (node1) is public: it uses the standard recon port (11370) and lists all peers, including the second local node, in its membership file.

The second recon instance (node2) only peers with the first one over loopback, uses a non-standard port (12370) and is not meant to be reachable from the outside world. Note that the sksconf below sets no recon_address, so this isolation currently depends on the host firewall rather than on the bind address.

The web page files live in the web directory of each SKS node; each node also has a robots.txt, which doubles as the target of Varnish's backend health probes.

Apache configuration:

httpd.conf
...
# Public plain-HTTP ports: 80 for browsers and pool clients, 11371 for HKP
# (the conventional keyserver port). The :443 HKPS vhost lives in ssl.conf.
Listen 80
Listen 11371
...
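<VirtualHost *:80>
        # Plain-HTTP entry point. The pool names are aliased so requests
        # arriving via pool.sks-keyservers.net round-robin DNS are accepted.
        ServerName sks.e-utp.net
        ServerAlias pool.sks-keyservers.net
        ServerAlias *.pool.sks-keyservers.net
        # Reverse proxy only: ProxyRequests Off keeps this vhost from acting
        # as an open forward proxy even though <Proxy *> grants every client.
        # (Order/Allow is the Apache 2.2 access-control syntax; on 2.4
        # without mod_access_compat use "Require all granted" instead.)
        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        # Only the HKP namespace goes to Varnish (127.0.0.1:10371), matching
        # the :11371 and :443 vhosts. The previous "ProxyPass / .../pks"
        # mapping replaced the whole URL prefix, so /pks/lookup reached the
        # backend as /pkspks/lookup, and it also shadowed the DocumentRoot.
        ProxyPass /pks http://127.0.0.1:10371/pks
        ProxyPassReverse /pks http://127.0.0.1:10371/pks
        # Static site files (index pages) are served by Apache itself.
        DocumentRoot /var/www/html/sks
</VirtualHost>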

<VirtualHost *:11371>
        # HKP on the conventional keyserver port; same site names as :80.
        ServerName sks.e-utp.net
        ServerAlias pool.sks-keyservers.net
        ServerAlias *.pool.sks-keyservers.net

        # Reverse proxy only: ProxyRequests Off prevents forward-proxy
        # (open relay) use even though <Proxy *> grants every client.
        # Order/Allow is Apache 2.2 syntax - on 2.4 without
        # mod_access_compat it must be "Require all granted".
        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        # Only /pks/* (lookup, add, hashquery, ...) is forwarded to the
        # local Varnish cache sitting in front of the two SKS nodes.
        ProxyPass /pks http://127.0.0.1:10371/pks
        ProxyPassReverse /pks http://127.0.0.1:10371/pks
        # Everything else (index pages) is served from disk by Apache.
        DocumentRoot /var/www/html/sks
</VirtualHost>


ssl.conf
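<VirtualHost *:443>

# HKPS (TLS) entry point; proxied to the same local Varnish instance as
# the plain-HTTP vhosts in httpd.conf.
ServerName sks.e-utp.net:443

ErrorLog logs/ssl_error_log
LogFormat "%v %h %l %u %t \"%r\" %>s %b"
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
# TLS 1.2 only: SSLv3, TLS 1.0 and TLS 1.1 are not offered.
SSLProtocol TLSv1.2
# Forward-secret AES-GCM / AES-256 suites only. Enforce the server's
# preference order so a client cannot steer negotiation to the weakest
# suite it is willing to accept, and disable TLS-level compression (CRIME).
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile /etc/ssl/e-utp.net/e-utp.net.crt
SSLCertificateKeyFile /etc/ssl/e-utp.net/e-utp.net.key
# Intermediate chain. (Deprecated since Apache 2.4.8, where the chain is
# read from SSLCertificateFile instead; harmless on older builds.)
SSLCertificateChainFile /etc/ssl/e-utp.net/fullchain.crt
# Only consulted for client-certificate verification, which this vhost
# does not enable (no SSLVerifyClient).
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Stock distribution boilerplate: expose SSL_* variables to CGI/PHP.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
# Legacy workaround for very old Internet Explorer versions.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-request log including negotiated protocol and cipher, useful for
# spotting clients that fail or downgrade TLS negotiation.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# HSTS for 180 days, covering subdomains; "always" also sets it on error
# responses.
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
        # Reverse proxy only (no forward proxying). Order/Allow is the 2.2
        # syntax; on Apache 2.4 without mod_access_compat use
        # "Require all granted".
        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        # Same /pks -> Varnish mapping as the plain-HTTP vhosts.
        ProxyPass /pks http://127.0.0.1:10371/pks
        ProxyPassReverse /pks http://127.0.0.1:10371/pks
        DocumentRoot /var/www/html/sks
</VirtualHost>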

Varnish configuration:

default.vcl
vcl 4.0;
import std;
import directors;

# Both SKS nodes are probed identically; a shared probe keeps the two
# backend definitions in sync. robots.txt doubles as the health endpoint:
# a node counts as healthy when at least 3 of the last 5 probes (one every
# 5s, 1s timeout each) returned HTTP 200 (the default .expected_response).
probe sks_health {
    .url = "/robots.txt";
    .timeout = 1s;
    .interval = 5s;
    .window = 5;
    .threshold = 3;
}

# SKS node1 HKP listener (bound to loopback in its sksconf).
backend node1 {
    .host = "127.0.0.1";
    .port = "11372";
    .probe = sks_health;
}

# SKS node2 HKP listener (bound to loopback in its sksconf).
backend node2 {
    .host = "127.0.0.1";
    .port = "12372";
    .probe = sks_health;
}

sub vcl_init {
    # Round-robin director over the two local SKS nodes. Declaring it is
    # not enough on its own: the director is only used for a request when
    # vcl_recv sets req.backend_hint = cluster1.backend(); otherwise
    # Varnish falls back to the first backend declared (node1).
    new cluster1 = directors.round_robin();
    cluster1.add_backend(node1);
    cluster1.add_backend(node2);
}

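sub vcl_recv {
    # Route every request through the round-robin director built in
    # vcl_init. Without this assignment Varnish uses the first backend
    # declared in the VCL (node1) for everything, so node2 never received
    # traffic and the second SKS instance served no purpose for HKP.
    # Unhealthy members (failed robots.txt probes) are skipped by the
    # director automatically.
    set req.backend_hint = cluster1.backend();

    # Keyserver responses are identical for every client; drop cookies so
    # they cannot create per-client cache variants or defeat caching.
    unset req.http.cookie;
}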

sub vcl_backend_response {
    # Strip everything that would make the object uncacheable or vary per
    # client, then impose a uniform lifetime: 30 minutes TTL plus a 60
    # minute grace window (stale objects may still be served while a node
    # is down or the object is being refreshed). Lookups can therefore be
    # up to 30 minutes stale, e.g. right after a key is submitted.
    unset beresp.http.Surrogate-Control;
    unset beresp.http.Cache-Control;
    unset beresp.http.expires;
    unset beresp.http.set-cookie;

    # Server errors are cached only briefly so a failing node does not pin
    # an error page for half an hour. The outgoing Cache-Control header
    # below still advertises 1800s even for those responses.
    if (beresp.status >= 500 && beresp.status <= 599) {
        set beresp.ttl = 30s;
    } else {
        set beresp.ttl = 30m;
    }
    set beresp.grace = 60m;

    # Advertise the same lifetime to downstream caches and clients.
    set beresp.http.Cache-Control = "max-age=1800";
    # Records which SKS node produced the object. NOTE(review): this
    # header reaches clients, so internal backend names are visible.
    set beresp.http.X-Backend = beresp.backend.name;
}

sub vcl_deliver {
    # Branding header on every response.
    set resp.http.X-Powered-By = "e-utp.net SKS Server";

    # Tell the client whether the object came from cache: obj.hits is 0
    # for a fresh fetch (miss or pass) and counts up on each cache hit.
    set resp.http.X-Cache = "MISS";
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    }
}
varnish.params
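RELOAD_VCL=1
VARNISH_VCL_CONF=/etc/varnish/default.vcl
# Varnish is only ever reached through Apache's ProxyPass to
# 127.0.0.1:10371, so bind the HTTP listener to loopback. In the packaged
# varnish.params-based launcher the listen option is built as
# "-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT}"; with the address
# unset this expands to ":10371", i.e. all interfaces, which would let
# clients bypass Apache's TLS termination and access controls.
VARNISH_LISTEN_ADDRESS=127.0.0.1
VARNISH_LISTEN_PORT=10371
# Management CLI stays on loopback and is protected by the shared secret.
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
VARNISH_SECRET_FILE=/etc/varnish/secret
# In-memory cache; 8G must fit alongside the two SKS instances on this host.
VARNISH_STORAGE="malloc,8G"
# Drop privileges to a dedicated account after start-up.
VARNISH_USER=varnish
VARNISH_GROUP=varnish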

SKS configuration - node 1:

sksconf
# SKS node1: the instance that peers with the outside world.
basedir:                        /srv/sks
# 5 is verbose; consider lowering in steady state to keep logs manageable.
debuglevel:                     5

hostname:                       sks.e-utp.net
nodename:                       node1
# HKP is bound to loopback only: clients reach it via Apache -> Varnish,
# never directly.
hkp_address:                    127.0.0.1 ::1
hkp_port:                       11372
# Standard recon port, advertised to external peers. No recon_address is
# set, so recon presumably binds to all interfaces (SKS default) - intended
# here, as node1 is the public gossip endpoint.
recon_port:                     11370
http_fetch_size:                25

# Key ID of the operator; published in the server's stats page.
server_contact:                 0x81668C5871BA671A
# No PKS e-mail synchronisation; stats are computed at start-up.
disable_mailsync:
initial_stat:

# Re-read the membership file frequently (SKS's unit for this setting is
# hours - verify against sks(8) before relying on the exact period).
membership_reload_interval:     1
stat_hour:                      0

# Berkeley DB page-size tuning for the key/ptree databases; change only
# before (re)building the database.
pagesize:                       128
keyid_pagesize:                 64
meta_pagesize:                  1
subkeyid_pagesize:              128
time_pagesize:                  128
tqueue_pagesize:                1
ptree_pagesize:                 8
membership
# External peers go here as "<hostname> <recon_port>" lines; the
# placeholder below stands in for those entries.
external_node_definitions       11370   # 
...
# The co-located second node, reached over loopback on its non-standard
# recon port. This is the only place node2 is listed as a peer.
127.0.0.1                       12370   # local to node2

SKS configuration - node 2:

sksconf
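# SKS node2: the internal-only instance; it gossips solely with node1.
basedir:                        /srv/sks2
# 5 is verbose; consider lowering in steady state to keep logs manageable.
debuglevel:                     5

hostname:                       sks.e-utp.net
nodename:                       node2
# HKP is bound to loopback only: clients reach it via Apache -> Varnish,
# never directly.
hkp_address:                    127.0.0.1 ::1
hkp_port:                       12372
# node2's recon is supposed to be invisible from outside (its only peer is
# node1 at 127.0.0.1, see the membership file), so bind it to loopback
# explicitly instead of relying on the host firewall; without this SKS
# listens for recon on all interfaces.
recon_address:                  127.0.0.1 ::1
recon_port:                     12370
http_fetch_size:                25

# Key ID of the operator; published in the server's stats page.
server_contact:                 0x81668C5871BA671A
# No PKS e-mail synchronisation; stats are computed at start-up.
disable_mailsync:
initial_stat:

# Re-read the membership file frequently (SKS's unit for this setting is
# hours - verify against sks(8) before relying on the exact period).
membership_reload_interval:     1
stat_hour:                      0

# Berkeley DB page-size tuning for the key/ptree databases; must match
# node1 only insofar as both were built with these values.
pagesize:                       128
keyid_pagesize:                 64
meta_pagesize:                  1
subkeyid_pagesize:              128
time_pagesize:                  128
tqueue_pagesize:                1
ptree_pagesize:                 8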
membership
# node2 gossips only with the co-located node1 over loopback; keys from
# external peers reach node2 solely through node1.
127.0.0.1                       11370   # local to node1