Apache setup for refusing to serve bad keys


Apache setup for refusing to serve bad keys

John Zaitseff
Hi, everyone,

There's been some discussion on this list about refusing to serve
bad OpenPGP keys -- at least as a workaround for the time being.
Andreas Puls has even supplied a configuration snippet for nginx.

Here is my version for the Apache server.  It allows you to include
the list of keys in a separate file that can be updated at any time
without restarting/reloading the server.

In particular, I have something like the following in the file
/etc/sks/apache-badkeys:

  # /etc/sks/apache-badkeys: Prevent hosts from querying bad keys

  # This file contains a list of OpenPGP keys that should NOT be returned
  # to clients using the web interface.  Each line contains the query
  # string followed by a space and a hyphen, as required by the Apache
  # RewriteMap directive; keys MUST be in lowercase only.

  0x1013d73fecac918a0a25823986ce877469d2ead9      -
  0x86ce877469d2ead9                              -
  0x69d2ead9                                      -

  0x2016349f5bc6f49340fccaf99f9169f4b33b4659      -
  0x9f9169f4b33b4659                              -
  0xb33b4659                                      -

Then in my Apache configuration file, I have the following rules:

  RewriteEngine on

  RewriteMap  badkeys     "txt:/etc/sks/apache-badkeys"
  RewriteMap  lc          int:tolower

  RewriteCond "%{REQUEST_URI}"            "^/pks/lookup"
  RewriteCond "%{QUERY_STRING}"           "op=(get|search|vindex)&?.*search=([^&]+)&?"
  RewriteCond "${badkeys:${lc:%2}|ok}"    "!=ok"
  RewriteRule ^/pks/lookup                - [L,G]

This block appears BEFORE any ProxyPass / ProxyPassReverse /
ProxyVia lines.  Whenever a matching key is requested, a 410 Gone
message is returned.  And I can add to the apache-badkeys file any
time I like...

Yours truly,

John Zaitseff

--
John Zaitseff                   ,--_|\    The ZAP Group
Telephone: +61 2 9643 7737     /      \   Sydney, Australia
Email: [hidden email]   \_,--._*   https://www.zap.org.au/
                                     v

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: Apache setup for refusing to serve bad keys

John Zaitseff
Hi, all,

I previously wrote:

> [...] Here is my version for the Apache server.  It allows you to
> include the list of keys in a separate file that can be updated at
> any time without restarting/reloading the server.

I've since revised the Apache configuration file to contain:

  RewriteEngine on

  RewriteMap  badkeys     "txt:/etc/sks/apache-badkeys"
  RewriteMap  lc          int:tolower

  RewriteCond "%{REQUEST_URI}"            "^/pks/lookup"
  RewriteCond "%{QUERY_STRING}"           "op=(get|index|search|vindex)"
  RewriteCond "%{QUERY_STRING}"           "search=([^&]+)&?"
  RewriteCond "${badkeys:${lc:%1}|ok}"    "!=ok"
  RewriteRule ^/pks/lookup                - [L,G]

Yours truly,

John Zaitseff


Re: Apache setup for refusing to serve bad keys

John Zaitseff
Hi, all again,

Slight bug fix: replace:

  RewriteCond "%{QUERY_STRING}"           "search=([^&]+)&?"

with:

  RewriteCond "%{QUERY_STRING}"           "search=([^&]+)(&|$)"

John Zaitseff


Re: Apache setup for refusing to serve bad keys

echelon
On 19.02.2019 04:11, John Zaitseff wrote:
> Hi, all again,
>
> Slight bug fix: replace:
>
>   RewriteCond "%{QUERY_STRING}"           "search=([^&]+)&?"
>
> with:
>
>   RewriteCond "%{QUERY_STRING}"           "search=([^&]+)(&|$)"

Thank you, but it looks like it only works partly, e.g. from the web interface.

e.g.:
[20/Feb/2019:12:52:40 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 410 602 "http://keys.i2p-projekt.de/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36"

looks like it works fine.
BUT:

[20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"

does not work with your RewriteConds.
Hm

(BTW: look at this key: 0xD7FFC063B40A2294B966DB47FF80AE9D1DEC358D WTH?? )


> John Zaitseff

echelon




Re: Apache setup for refusing to serve bad keys

John Zaitseff
Hi, echelon,

You wrote:

> Thank you, but it looks like it only works partly, e.g. from the
> web interface.
>
> e.g.:
> [20/Feb/2019:12:52:40 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 410 602 "http://keys.i2p-projekt.de/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36"
>
> looks like it works fine.  BUT:
>
> [20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"
>
> does not work with your RewriteConds.

It works for me :-)

$ HEAD 'https://keyserver.zap.org.au/pks/lookup?search=0x69D2EAD9&op=vindex'
410 Gone
Connection: close
...

$ HEAD 'https://keyserver.zap.org.au/pks/lookup?op=get&options=mr&search=0x69D2EAD9'
410 Gone
Connection: close
...

(HEAD is a command-line tool in the libwww-perl package under Debian
and Ubuntu.)

My complete set of rules, for reference, is:

  RewriteEngine on

  RewriteMap  badkeys     "txt:/etc/sks/apache-badkeys"
  RewriteMap  lc          int:tolower

  RewriteCond "%{REQUEST_URI}"            "^/pks/lookup"
  RewriteCond "%{QUERY_STRING}"           "op=(get|index|search|vindex)"
  RewriteCond "%{QUERY_STRING}"           "search=([^&]+)(&|$)"
  RewriteCond "${badkeys:${lc:%1}|ok}"    "!=ok"
  RewriteRule ^/pks/lookup                - [L,G]

> (BTW: look at this key: 0xD7FFC063B40A2294B966DB47FF80AE9D1DEC358D [...])

Nice signatures :-)  We're playing "whack-a-mole" here.

I went through my Apache logs for the last month or so, searching
for very large keys being requested, and added these (and certain
variations of them) to my /etc/sks/apache-badkeys file.  I have 15
keys listed so far...

Yours truly,

John Zaitseff

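As an added example (not code from the thread), here is a Python emulation of the rule chain above, run against the two requests from echelon's log lines; it also emulates the first-post single-regex version to show why the split into separate op= and search= conditions matters. The map parsing and the str.lower() case folding stand in for Apache's txt: RewriteMap and int:tolower, which is an assumption about their behaviour for these inputs.

```python
import re
from urllib.parse import urlsplit

# Constructed map in Apache "txt:" RewriteMap format, laid out like the thread's apache-badkeys.
BADKEYS_TXT = """\
# /etc/sks/apache-badkeys: Prevent hosts from querying bad keys
0x1013d73fecac918a0a25823986ce877469d2ead9      -
0x86ce877469d2ead9                              -
0x69d2ead9                                      -
"""

def load_badkeys(text):
    """Parse a RewriteMap txt file: skip blank/comment lines, split key from value."""
    badkeys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        badkeys[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return badkeys

V1_RE = re.compile(r"op=(get|search|vindex)&?.*search=([^&]+)&?")  # first post: op= must precede search=
V2_OP_RE = re.compile(r"op=(get|index|search|vindex)")               # revised chain, condition 2
V2_SEARCH_RE = re.compile(r"search=([^&]+)(&|$)")                    # revised chain, condition 3 (%1 = group 1)

def lookup_status(url, badkeys, revised=True):
    """Emulate the RewriteCond chain: 410 Gone when the looked-up key is in the map."""
    parts = urlsplit(url)
    if not parts.path.startswith("/pks/lookup"):
        return 200
    if revised:
        # Independent op= and search= conditions, so parameter order no longer matters.
        if not V2_OP_RE.search(parts.query):
            return 200
        m = V2_SEARCH_RE.search(parts.query)
        key = m.group(1) if m else None
    else:
        m = V1_RE.search(parts.query)
        key = m.group(2) if m else None
    # ${badkeys:${lc:%1}|ok} != ok: a map hit ("-") blocks, a miss falls back to "ok".
    if key is not None and badkeys.get(key.lower(), "ok") != "ok":
        return 410
    return 200

if __name__ == "__main__":
    keys = load_badkeys(BADKEYS_TXT)
    for q in ("/pks/lookup?search=0x69D2EAD9&op=vindex",          # echelon's two log requests
              "/pks/lookup?op=get&options=mr&search=0x69D2EAD9"):
        print(q, "first-post:", lookup_status(q, keys, revised=False), "revised:", lookup_status(q, keys))
```

Both requests return 410 under the revised chain; the first-post regex lets the search-before-op form through, which is the case the split conditions fix.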

Re: Apache setup for refusing to serve bad keys

echelon
On 20.02.2019 21:46, John Zaitseff wrote:

> Hi, echelon,
>
> You wrote:
>
>> Thank you, but it looks like it only works partly, e.g. from the
>> web interface.
>>
>> e.g.:
>> [20/Feb/2019:12:52:40 +0100] "GET /pks/lookup?search=0x69D2EAD9&op=vindex HTTP/1.1" 410 602 "http://keys.i2p-projekt.de/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36"
>>
>> looks like it works fine.  BUT:
>>
>> [20/Feb/2019:12:55:26 +0100] "GET /pks/lookup?op=get&options=mr&search=0x69D2EAD9 HTTP/1.1" 200 39693256 "-" "-"
>>
>> does not work with your RewriteConds.
>
> It works for me :-)

Ok, now it works for me, too. Feel kinda dumb, had the wrong link in
enabled-sites :-/


>> (BTW: look at this key: 0xD7FFC063B40A2294B966DB47FF80AE9D1DEC358D [...])
>
> Nice signatures :-)  We're playing "whack-a-mole" here.

First one is a bit "funny", but all others are spam.

> I went through my Apache logs for the last month or so, searching
> for very large keys being requested, and added these (and certain
> variations of them) to my /etc/sks/apache-badkeys file.  I have 15
> keys listed so far...

Yeah, more will come.

Thanks so far.

> Yours truly,
>
> John Zaitseff

echelon
