[Sks-devel] SKS behind NAT firewall
Hendrik Visage
2018-01-23 20:48:04 UTC
Hi there,

Anybody else running a SKS behind a NAT firewall?
Could you perhaps share any advice on the recon/hkp settings? (I’ll be setting up/running nginx reverse proxy for HKP)

Or should I rather have the outside IP bound to a virtual/loopback interface, and then route it directly via the firewall to the SKS server?

Reason I’m asking: I’m not quite clear in understanding the recon settings, and I’d rather ask experience before I chase down the wrong alley.

---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
***@envisage.co.za
Alain Wolf
2018-01-23 23:20:41 UTC
Hi Hendrik

Me again.
Post by Hendrik Visage
Hi there,
Anybody else running a SKS behind a NAT firewall?
I do.
Post by Hendrik Visage
Could you perhaps share any advice on the recon/hkp settings? (I’ll be
setting up/running nginx reverse proxy for HKP)
Nothing unusual on the router/firewall, it gets complicated on the host
itself.

External IPv4 does port-forwarding to 80,443,11370,11371 to the internal
IPv4 of the host. IPv6 just the same as access rules instead of NAT.

But then on the internal host:

sks-recon listens on 11370.

sslh listens on port 11371 checks if TLS is in use and then
forwards HTTP to port 80 to nginx on the same host
forwards HTTPS to port 443 to nginx on the same host
It does this for IPv4 and IPv6

nginx listens on 80 for HTTP and on 443 for HTTPS

It then uses one of 3 virtual servers according to the HTTP requested
host name.

1. HTTP for my own pgpkeys.urown.net.
2. HTTP for all the SKS pool names.
3. HTTPS for pgpkeys.urown.net with LE cert
4. Is inactive but ready to do HTTPS for the hkps-pool some day ;)
5. HTTP for the Tor onion service.

They all proxy to port 11371 on localhost.
Post by Hendrik Visage
Or should I rather have the outside IP bound to a virtual/loopback
interface, and then route it directly via the firewall to the SKS server?
Since I have different servers running and only one global IPv4, this
wouldn't work for me.
Post by Hendrik Visage
Reason I’m asking: I’m not quite clear in understanding the recon
settings, and I’d rather ask experience before I chase down the wrong alley.
Recon is the easier part. No proxy, no TLS, just a port that listens on
the internal IP.
I wrote all this down a while ago.
If not, look here:
https://roll.urown.net/server/pgp-keyserver.html#firewall-rules

It's not very fresh but should still be valid for the most part. Main
difference is that nowadays I just manually download the latest deb
package from a future Linux-dist for installation instead of all the
building from source.
--
pgpkeys.urown.net 11370 # <***@urown.net> 0x27A69FC9A1744242
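The HKP front-end described above, written out as an added example (not Alain's own configuration): nginx terminates plain HTTP and HTTPS and proxies both to the SKS HKP port on localhost, while recon on 11370 is left alone. It assumes sks is bound to 127.0.0.1:11371 (so sslh can own the external 11371), that the certificate lives in the usual Let's Encrypt path, and that the pool hostname pattern is a placeholder for whatever pool names you actually serve; the separate HTTP servers for the own name and the pool names are collapsed into one block here.

```nginx
# Added example, not the poster's config. Assumes sks has
# "hkp_address: 127.0.0.1" so only the proxy reaches it directly.
upstream sks_hkp {
    server 127.0.0.1:11371;
}

# Plain HTTP: own hostname plus the pool names (placeholder pattern).
server {
    listen 80;
    listen [::]:80;
    server_name pgpkeys.urown.net *.pool.example.org;

    location / {
        proxy_pass http://sks_hkp;
        # Pass the client address on; sks only ever sees 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTPS for the server's own name with a Let's Encrypt certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pgpkeys.urown.net;

    ssl_certificate     /etc/letsencrypt/live/pgpkeys.urown.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pgpkeys.urown.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Recon (port 11370) must not go through this proxy: sks checks the peer's source address against the addresses resolved from the membership file, so it has to see the real peer IP.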
Shengjing Zhu
2018-01-29 02:43:16 UTC
Post by Hendrik Visage
Hi there,
Anybody else running a SKS behind a NAT firewall?
Could you perhaps share any advice on the recon/hkp settings? (I’ll be setting up/running nginx reverse proxy for HKP)
Or should I rather have the outside IP bound to a virtual/loopback interface, and then route it directly via the firewall to the SKS server?
Reason I’m asking: I’m not quite clear in understanding the recon settings, and I’d rather ask experience before I chase down the wrong alley.
For hkp, I think it's quite clear since it's just HTTP, you can do
whatever you have done for other HTTP services.

For recon, I think you need to use SNAT. Your sks instance will only
respond to IPs resolved from the domains you set in your membership file.
With SNAT, your sks will know the real IP of your peer.

Best regards,
Shengjing
