Privacy/logging: change to HKP logging for keyservers

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Privacy/logging: change to HKP logging for keyservers

Phil Pennock-17

Previously, did not log anything at the nginx level for
HKP requests, and logged from SKS at a level which only included errors,
not existing keys.

While privacy protecting, that makes it sufficiently hard to diagnose
problems that I decided I can't stick with it.  Rather than silently
change something, this is my public notice.

-----------------------8< nginx logging format >8-----------------------
log_format  hkp-minimal escape=json
                        's=$connection t="$time_iso8601" '
                        'tls_p="$ssl_protocol" tls_c="$ssl_cipher" tls_sni="$ssl_server_name" '
                        'host="$host" '
                        'status=$status rep_len=$body_bytes_sent '
                        'req_len=$request_length req_durms=$request_time';
-----------------------8< nginx logging format >8-----------------------

Two example log-lines, real data:

s=3330 t="2018-05-22T23:17:05+00:00" tls_p="" tls_c="" tls_sni="" host="" status=200 rep_len=2914 req_len=176 req_durms=0.102
s=3329 t="2018-05-22T23:17:05+00:00" tls_p="TLSv1.2" tls_c="ECDHE-RSA-CHACHA20-POLY1305" tls_sni="" host="" status=200 rep_len=13462 req_len=175 req_durms=0.075

I feel that this is a reasonable balance of privacy vs operational
requirements.  If there were a sane way (not embedding JS into nginx) to
log the $remote_addr at IPv4/16 or IPv6/56 level, I might consider that.


Sks-devel mailing list
[hidden email]

signature.asc (1015 bytes) Download Attachment