sks-devel

[Sks-devel] Privacy/logging: change to HKP logging for spodhuis.org keys


From: Phil Pennock
Subject: [Sks-devel] Privacy/logging: change to HKP logging for spodhuis.org keyservers
Date: Tue, 22 May 2018 19:29:16 -0400

Folks,

Previously, sks.spodhuis.org did not log anything at the nginx level for
HKP requests, and logged from SKS at a level which only included errors,
not existing keys.

While privacy protecting, that makes it sufficiently hard to diagnose
problems that I decided I can't stick with it.  Rather than silently
change something, this is my public notice.

-----------------------8< nginx logging format >8-----------------------
log_format  hkp-minimal escape=json
                        's=$connection t="$time_iso8601" '
                        'tls_p="$ssl_protocol" tls_c="$ssl_cipher" tls_sni="$ssl_server_name" '
                        'host="$host" '
                        'status=$status rep_len=$body_bytes_sent '
                        'req_len=$request_length req_durms=$request_time';
-----------------------8< nginx logging format >8-----------------------

Two example log-lines, real data:

s=3330 t="2018-05-22T23:17:05+00:00" tls_p="" tls_c="" tls_sni="" host="pool.sks-keyservers.net" status=200 rep_len=2914 req_len=176 req_durms=0.102
s=3329 t="2018-05-22T23:17:05+00:00" tls_p="TLSv1.2" tls_c="ECDHE-RSA-CHACHA20-POLY1305" tls_sni="hkps.pool.sks-keyservers.net" host="hkps.pool.sks-keyservers.net" status=200 rep_len=13462 req_len=175 req_durms=0.075

I feel that this is a reasonable balance of privacy vs operational
requirements.  If there were a sane way (not embedding JS into nginx) to
log the $remote_addr at IPv4/16 or IPv6/56 level, I might consider that.

Regards,
-Phil

Attachment: signature.asc
Description: Digital signature
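
Added example, not part of the original message or of the spodhuis.org configuration: the IPv4/16 and IPv6/56 truncation mentioned above, done in a log-processing step outside nginx. The `client="..."` field name, the helper names and the sample lines are assumptions made for illustration; the hkp-minimal format on this page logs no client address at all.

```python
import ipaddress
import re

# Prefix lengths named in the message: IPv4 /16 and IPv6 /56.
PREFIX_BITS = {4: 16, 6: 56}

# Hypothetical field: the page's hkp-minimal format has no client address.
CLIENT_FIELD = re.compile(r'\bclient="([^"]*)"')


def coarsen(addr: str) -> str:
    """Return the /16 (IPv4) or /56 (IPv6) network containing addr."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped address (::ffff:a.b.c.d) keeps its IPv4 bits at the
    # tail, so a /56 cut would collapse it to ::/56; treat it as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    net = ipaddress.ip_network(f"{ip}/{PREFIX_BITS[ip.version]}", strict=False)
    return str(net)


def scrub_line(line: str) -> str:
    """Replace client="<address>" with client="<prefix>" in one log line."""
    def repl(m):
        try:
            return f'client="{coarsen(m.group(1))}"'
        except ValueError:
            # Fail closed: never pass an unparsable value through.
            return 'client="invalid"'
    return CLIENT_FIELD.sub(repl, line)


# Constructed sample lines (documentation address ranges, not real clients).
SAMPLE = [
    's=1 t="2018-05-22T23:17:05+00:00" client="192.0.2.77" status=200',
    's=2 t="2018-05-22T23:17:06+00:00" client="2001:db8:1234:56ab:cd::1" status=200',
    's=3 t="2018-05-22T23:17:07+00:00" client="::ffff:198.51.100.9" status=404',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub_line(line))
```

The full address still exists until this step runs, so the truncation only protects what is written after it.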

