Commit dae2b8a

Add firewall instructions to README
1 parent c761256 commit dae2b8a

1 file changed

+19
-6
lines changed

README.md

Lines changed: 19 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -47,10 +47,12 @@ served (e.g. a private SSH key)
4747
* Python >= 3.5
4848
* [click package][2]
4949
* A server that is accessible through a public hostname, with GPG installed
50-
and the private key for the KEYID that is to be exported in its keychain
50+
and the private key for the KEYID that is to be exported in its keychain.
51+
Check available private keys with `gpg2 -K`.
5152
* SSL certificates for the public hostname. It is recommended to use
5253
[Let's Encrypt][3]. You may use an existing certificate for a webserver
53-
running on the host
54+
running on the host. Since `gpg-serve-key` will run on a non-standard port,
55+
it will not be necessary to temporarily suspend the web server.
5456

5557

5658
## Usage ##
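Review bot: the sentence added at line 51, "Check available private keys with `gpg2 -K`.", names a different binary than the Usage hunk below, which says "as shown by `gpg -K`"; use the same command name in both places so a reader does not assume two different tools are involved.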
@@ -62,15 +64,26 @@ Run the script directly as e.g.
6264
--key-file=/etc/letsencrypt/live/michaelgoerz.net/privkey.pem \
6365
--host=michaelgoerz.net 57A6CAA6
6466

65-
See `./gpg-serve-key --help` for more details.
67+
See `./gpg-serve-key --help` for more details. You may use either the short
68+
8-digit key KEYID, or the full length KEYID as shown by `gpg -K`.
6669

67-
This will start temporary webserver at a random port and serve both the public
68-
and the private key at URLs such as
70+
The command will start a temporary webserver at a random port and serve both
71+
the public and the private key at URLs such as
6972

7073
https://michaelgoerz.net:47409/v1f4Y7XixMQ/57A6CAA6-public.key
7174
https://michaelgoerz.net:47409/v1f4Y7XixMQ/57A6CAA6-secret.key
7275

73-
After importing the keys from these URLs, stop the server by hitting `ctrl+c`.
76+
If using a Cloudflare proxy for the domain, it must be temporarily disabled.
77+
Make sure any firewall running on the server is set up allow access to the
78+
port. On Ubuntu, to allow access to, e.g., port `47409`, run
79+
80+
sudo ufw allow 47409
81+
82+
After importing the keys from the above URLs, stop the server by hitting
83+
`ctrl+c`.
84+
85+
If applicable, remove the firewall rule (`sudo ufw delete allow 47409`), and
86+
re-enable the Cloudflare proxy.
7487

7588
[1]: https://mssun.github.io/passforios/
7689
[2]: http://click.pocoo.org/5/
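Review bot: line 77 drops a word: "is set up allow access to the port" should read "is set up to allow access to the port". Beyond the typo, the ordering is confusing: the hunk says the server starts "at a random port", so the `sudo ufw allow 47409` step can only be carried out after the server has printed its URL; say so explicitly (start the server, read the port from the printed URL, then add the rule) instead of listing the firewall step before the URLs. Since the secret key is served on that port, consider suggesting a rule scoped to the machine doing the import, e.g. `sudo ufw allow from <client-ip> to any port 47409`, which also limits the exposure if the cleanup step on line 85 is forgotten. Minor: "8-digit key KEYID" on line 68 would be clearer as "8-character short key ID".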