ansible/roles/keyserver/files/sks.conf

ServerName keys.fedoraproject.org
Listen 140.211.169.202:11371
NameVirtualHost *:443

<ifModule !mod_proxy.c>
    LoadModule proxy_module modules/mod_proxy.so
</IfModule>

<IfModule !mod_proxy_http.c>
    LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>

<IfModule !mod_proxy_balancer.c>
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfModule>

<IfModule !mod_headers.c>
    LoadModule headers_module modules/mod_headers.so
</IfModule>

<IfModule !mod_authz_host.c>
    LoadModule authz_host_module modules/mod_authz_host.so
</IfModule>

<IfModule !mod_log_config.c>
    LoadModule log_config_module modules/mod_log_config.so
</IfModule>

<IfModule !mod_env.c>
    LoadModule env_module modules/mod_env.so
</IfModule>

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<VirtualHost *:80>
        ServerAdmin sysadmin-keys-members@fedoraproject.org
        ServerName keys.fedoraproject.org
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
        Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin sysadmin-keys-members@fedoraproject.org
        ServerName keys.fedoraproject.org
	ServerAlias keys02.fedoraproject.org
        Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

        SSLEngine on
        SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert
	SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert
        SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key
        SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

	ProxyPass / http://localhost:11371/
	ProxyPassReverse / http://localhost:11371/
        SetEnv proxy-nokeepalive 1
	ProxyVia Full
</VirtualHost>
<VirtualHost *:443>
        ServerAdmin sysadmin-keys-members@fedoraproject.org
        ServerName pool.sks-keyservers.net
        ServerAlias sks-keyservers.net
	ServerAlias *.sks-keyservers.net

        SSLEngine on
        SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
        SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
	SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

        ProxyPass / http://localhost:11371/
        ProxyPassReverse / http://localhost:11371/
        SetEnv proxy-nokeepalive 1
	ProxyVia Full
</VirtualHost>
<VirtualHost *:11371>
	ServerAdmin sysadmin-keys-members@fedoraproject.org
	ServerName keys.fedoraproject.org
	ProxyPass / http://127.0.0.1:11371/
	ProxyPassReverse / http://127.0.0.1:11371/
	SetEnv proxy-nokeepalive 1
	ProxyVia Full
</VirtualHost>
Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00			`ServerName keys.fedoraproject.org`
Some keyserver fixes. 2014-10-15 04:19:48 +00:00			`Listen 140.211.169.202:11371`
Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00			`NameVirtualHost *:443`

			`<ifModule !mod_proxy.c>`
			`LoadModule proxy_module modules/mod_proxy.so`
			`</IfModule>`

			`<IfModule !mod_proxy_http.c>`
			`LoadModule proxy_http_module modules/mod_proxy_http.so`
			`</IfModule>`

			`<IfModule !mod_proxy_balancer.c>`
			`LoadModule proxy_balancer_module modules/mod_proxy_balancer.so`
			`</IfModule>`

			`<IfModule !mod_headers.c>`
			`LoadModule headers_module modules/mod_headers.so`
			`</IfModule>`

			`<IfModule !mod_authz_host.c>`
			`LoadModule authz_host_module modules/mod_authz_host.so`
			`</IfModule>`

			`<IfModule !mod_log_config.c>`
			`LoadModule log_config_module modules/mod_log_config.so`
			`</IfModule>`

			`<IfModule !mod_env.c>`
			`LoadModule env_module modules/mod_env.so`
			`</IfModule>`

			`<Directory />`
			`Options FollowSymLinks`
			`AllowOverride None`
			`Order deny,allow`
			`Deny from all`
			`</Directory>`

			`<VirtualHost *:80>`
			`ServerAdmin sysadmin-keys-members@fedoraproject.org`
			`ServerName keys.fedoraproject.org`
Add hsts and redirect to https for keys. Ticket 4960 2015-12-01 17:58:02 +00:00			`RewriteEngine On`
			`RewriteCond %{HTTPS} off`
			`RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]`
			`Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"`
Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00			`</VirtualHost>`
Add hsts and redirect to https for keys. Ticket 4960 2015-12-01 17:58:02 +00:00
Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00			`<VirtualHost *:443>`
			`ServerAdmin sysadmin-keys-members@fedoraproject.org`
			`ServerName keys.fedoraproject.org`
Finish SSL changes for sks 2014-10-21 00:07:37 +00:00			`ServerAlias keys02.fedoraproject.org`
Does ordering matter here? 2015-12-01 18:40:25 +00:00			`Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"`
Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00
			`SSLEngine on`
Use correct key here too 2014-04-24 21:48:05 +00:00			`SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert`
			`SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert`
			`SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key`
Try disabling SSLv3 in the individual SKS virtualhost bloks 2014-10-21 00:00:38 +00:00			`SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2`
Finish SSL changes for sks 2014-10-21 00:07:37 +00:00			SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00			`ProxyPass / http://localhost:11371/`
			`ProxyPassReverse / http://localhost:11371/`
			`SetEnv proxy-nokeepalive 1`
			`ProxyVia Full`
			`</VirtualHost>`
			`<VirtualHost *:443>`
			`ServerAdmin sysadmin-keys-members@fedoraproject.org`
			`ServerName pool.sks-keyservers.net`
			`ServerAlias sks-keyservers.net`
			`ServerAlias *.sks-keyservers.net`

			`SSLEngine on`
			`SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem`
			`SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key`
Try disabling SSLv3 in the individual SKS virtualhost bloks 2014-10-21 00:00:38 +00:00			`SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2`
Finish SSL changes for sks 2014-10-21 00:07:37 +00:00			SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Move keyserver to a role. Thanks misc! 2014-04-24 20:37:51 +00:00			`ProxyPass / http://localhost:11371/`
			`ProxyPassReverse / http://localhost:11371/`
			`SetEnv proxy-nokeepalive 1`
			`ProxyVia Full`
			`</VirtualHost>`
			`<VirtualHost *:11371>`
			`ServerAdmin sysadmin-keys-members@fedoraproject.org`
			`ServerName keys.fedoraproject.org`
			`ProxyPass / http://127.0.0.1:11371/`
			`ProxyPassReverse / http://127.0.0.1:11371/`
			`SetEnv proxy-nokeepalive 1`
			`ProxyVia Full`
			`</VirtualHost>`