dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

Should the RPKI tools ship with a mod_proxy configuration? #839

Open sraustein opened 8 years ago

sraustein commented 8 years ago

Given that we pretty much assume the presence of Apache these days, and given that we have HTTP servers on a bunch of port numbers we picked out of the air rather than getting from IANA, perhaps our Apache configuration should include mod_proxy config such that the public URLs of rpkid and pubd are on port 80 (or perhaps even HTTPS on port 443, although that was a real mess the last time we tried it).

General idea would be to keep the whacky TCP ports for internal use but have our daemons only listen on localhost: Apache's reverse proxy would provide the public listeners.

Most likely the hardest piece of this would be getting the config stuff right for the OOB setup dance.

Minor modification to this idea would be the same kind of setup but with Apache running in a DMZ and the real servers running inside a firewall (i.e., not on localhost, instead on addresses not reachable from outside).

Trac ticket #833 component rpkid priority minor, owner None, created by sra on 2016-06-27T14:19:32Z, last modified 2016-06-27T14:58:00Z
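
A sketch of the reverse-proxy layout proposed in this ticket, added here as an illustration; it is not part of the ticket and not the toolkit's shipped configuration. The backend ports, the `/up-down/` and `/client/` URL prefixes, and the host name are assumptions or placeholders and must be replaced with the values from the actual rpkid and pubd setup.

```apache
# Added example, not configuration shipped by the RPKI toolkit.
# Requires mod_proxy and mod_proxy_http to be loaded.

# Placeholders (constructed values): the loopback address and port each
# daemon listens on. For the DMZ variant described in the ticket, use
# internal addresses that are not reachable from outside instead.
Define RPKID_BACKEND 127.0.0.1:18001
Define PUBD_BACKEND  127.0.0.1:18002

<VirtualHost *:80>
    # Placeholder public name; this is the host that would appear in the
    # service URLs exchanged during the OOB setup.
    ServerName rpki.example.org

    # Reverse proxy only. Leaving forward proxying on would turn the
    # public listener into an open proxy.
    ProxyRequests Off

    # Pass the public Host header through to the daemons unchanged.
    ProxyPreserveHost On

    # Only the two protocol prefixes are proxied; everything else on this
    # virtual host is served (or refused) by Apache itself, so no other
    # daemon URL becomes reachable from outside.

    # Assumed prefix for rpkid's public (up-down) service.
    <Location "/up-down/">
        ProxyPass        "http://${RPKID_BACKEND}/up-down/"
        ProxyPassReverse "http://${RPKID_BACKEND}/up-down/"
    </Location>

    # Assumed prefix for pubd's public (publication client) service.
    <Location "/client/">
        ProxyPass        "http://${PUBD_BACKEND}/client/"
        ProxyPassReverse "http://${PUBD_BACKEND}/client/"
    </Location>
</VirtualHost>
```

With this layout the daemons' own ports only need to accept connections from the proxy host, so a listener check such as `ss -ltn` on the daemon host should show them bound to loopback (or the internal address), never to a public interface.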

sraustein commented 8 years ago

other than qualms that -rp running in a rack should be minimal, i have no problem with this. as we have no other 'high level' way to look at how the -rp is doing, i think the web page is what we live with this cycle.

Trac comment by randy on 2016-06-27T14:45:27Z

sraustein commented 8 years ago

This is more about the CA side in any case.

RP side has nothing to reverse-proxy; currently the only web-accessible thing it has is the status report, which is static content (in the web server sense), maintained in background by rcynic-html running under rcynic-cron.

Trac comment by sra on 2016-06-27T14:58:00Z