Re: [Sks-devel] Keyserver operators with reverse proxies: read this please

[Eric Benoit]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2013-03-01 17:03, Phil Pennock wrote:
> Folks,
> 
> We now have two separate issues affecting SKS (and GnuKS)
> keyservers which have nginx or Apache in front of them, affecting
> interop compatibility with various versions of GnuPG (and other
> clients) as deployed.

It was pointed out that sks.ecks.ca was dropped from the pool due to
exactly the above issue. I recently implemented a reverse proxy in
front of sks, and failed to test key submissions. I also made the
mistake of assuming I was immune from this particular issue due to the
fact I'm using lighttpd. Nope.

Lighttpd has rather limited header manipulation facilities, at least
in 1.4.x. I was just about ready to add this feature when I came
across a not very well documented option:

server.reject-expect-100-with-417 = "disable"

Which when added to lighttpd.conf seems to do the trick.

Somewhat related, the keyserver pool listing doesn't show sks.ecks.ca
as using a reverse proxy, nor being available on port 80. It is in
both cases. Are these updated manually?

Thanks
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRN9aLAAoJEANgkrdp5l0sM+YH/3NC+mO/LExK9TASdPPXg+3C
rmCWpV1Qp7mMAxxJS+YfAu2vvxGFsBtLJSZ3mOgj1pKu5SafkbeaiJ179uU3T5tw
YV9mJEh0+1faOxO5IWnSvsga/XBLrW2wJ5pYQtKj0UVPJ02YCaLTaaiStt2L/LQe
Z16YU5emrpP/HhcrARt+TdY5r/9xGAr5dj6Bw6VFmHEqXO+DeISCB5plTKSaT5p8
VzV2zN6fHPeehb0YpV7/f1IoDecEZchZTpmfsSkKjpV2Ty6wnMLcDquCU4n4fzlO
CNvThF0/9zrPOw3btwGTGhAMl92sEyKnrATAXkUqr0qD5k8977ITlrcBfQGq9Rw=
=vEws
-----END PGP SIGNATURE-----