Separate listen(2)ed and advertised port numbers

Issue #19 new
jhcloos
created an issue

The typical recommendation when using a proxy such as nginx in front of sks is to have sks listen on something like 127.0.0.1:11373 and the proxy listen on 0.0.0.0:11371 and/or [::1]:11371 (and :11372 for hkps).

But op=stats and recon then advertise the internal port number, which blocks key exchange with errors like:

Requesting 100 missing keys from <ADDR_INET [2607:fcd0:100:101:0:1:4a2c:3b61]:11373>, starting with 00A5BA1DA13C116D775D9CFE0EF04298
Error getting missing keys: Unix error: Connection refused - connect()

Having sks listen(2) on 127.0.0.1:11371 and the proxy listen on the list of public address(es) would work around this, but is fragile in the face of renumbering. (I would note here that ipv6 was designed to facilitate potentially frequent renumbering of the /64s; resilience in the face of such renumbering is important.)

Were sksconf to support separate directives for the listen(2) port and the port advertised in stats and by recon, things would Just Work™.
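As an added example (not part of this issue or of the sks project), a small Python check that parses recon log lines in the format quoted above and flags peers whose advertised port differs from the public HKP port the proxy exposes. The sample log lines, the IPv4 `<ADDR_INET host:port>` form and the default public port are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of sks recon log lines. The first two are modelled on the
# lines quoted in the issue; the IPv4 form is an assumption, not taken from it.
SAMPLE_LOG = """\
Requesting 100 missing keys from <ADDR_INET [2607:fcd0:100:101:0:1:4a2c:3b61]:11373>, starting with 00A5BA1DA13C116D775D9CFE0EF04298
Error getting missing keys: Unix error: Connection refused - connect()
Requesting 5 missing keys from <ADDR_INET 203.0.113.7:11371>, starting with 0123456789ABCDEF0123456789ABCDEF
"""

# Port the reverse proxy listens on for HKP (assumed; adjust to your deployment).
PUBLIC_HKP_PORT = 11371

# Matches "<ADDR_INET [ipv6]:port>" and, by assumption, "<ADDR_INET ipv4:port>".
_PEER_RE = re.compile(
    r"<ADDR_INET (?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+)>"
)


def parse_peer(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) advertised by the peer on a recon log line, or None."""
    m = _PEER_RE.search(line)
    if not m:
        return None
    host = m.group("v6") or m.group("v4")
    return host, int(m.group("port"))


def find_misadvertised(log: str, public_port: int = PUBLIC_HKP_PORT) -> List[Tuple[str, int]]:
    """List peers whose advertised port is not the public HKP port.

    A peer advertising its internal listen port (e.g. 11373) is exactly the
    case described in the issue: recon will try that port and be refused.
    """
    flagged = []
    for line in log.splitlines():
        peer = parse_peer(line)
        if peer is not None and peer[1] != public_port:
            flagged.append(peer)
    return flagged


if __name__ == "__main__":
    for host, port in find_misadvertised(SAMPLE_LOG):
        print(f"peer {host} advertises port {port}, expected {PUBLIC_HKP_PORT}")
```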

Comments (2)

  1. Kristian Fiskerstrand

    For servers not updated to 1.1.2 this behavior enables server operators to allow access to the port directly (firewall protected) for its peers. Otherwise recon attempts would fail for these servers. I fail to see how this is a bug, and even more so how it can be major, as listening on a local address is typical behavior. I'm changing this to a feature request.