Re: [Sks-devel] Keyserver operators with reverse proxies: read this please

2013-03-01 Thread Phil Pennock
On 2013-03-01 at 23:43 +, Daniel Austin wrote: > There's no rprox on .co.uk yet - it's handled directly by sks on there. Ahah! That's why I couldn't reproduce there. Okay, that makes much more sense. > .eu is running apache 2.2.23 mod_proxy - both systems are FreeBSD 9.1 > x64 and sks 1.1.

Re: [Sks-devel] Keyserver operators with reverse proxies: read this please

2013-03-01 Thread Daniel Austin
Hi Phil, On 01/03/2013 23:35, Phil Pennock wrote: On 2013-03-01 at 22:36 +, Daniel Austin wrote: I've added the config to ports 80+11371 for pgpkeys.eu (using Apache mod_proxy) and your example config from the wiki - all tests seem to work for me, but please feel free to test for confidence

Re: [Sks-devel] Keyserver operators with reverse proxies: read this please

2013-03-01 Thread Phil Pennock
On 2013-03-01 at 22:36 +, Daniel Austin wrote: > I've added the config to ports 80+11371 for pgpkeys.eu (using Apache > mod_proxy) and your example config from the wiki - all tests seem to > work for me, but please feel free to test for confidence. > > If all works well, I'll duplicate the c

Re: [Sks-devel] Keyserver operators with reverse proxies: read this please

2013-03-01 Thread Daniel Austin
Hi Phil/List, On 01/03/2013 22:03, Phil Pennock wrote: Apache -- By default, breaks all clients which use a real libcurl, blocking their ability to POST (--send-key) to the server. The clients set an "Expect: 100-continue" HTTP/1.1 header and unfortunately Apache actually implements the pa

Re: [Sks-devel] Keyserver operators with reverse proxies: read this please

2013-03-01 Thread Daniel Kahn Gillmor
On 03/01/2013 02:03 PM, Phil Pennock wrote: > I have updated > already. Thank you for sorting this out, Phil, and for taking it all the way to concrete suggestions. This is really helpful and useful. > nginx > - [...] > proxy

[Sks-devel] Keyserver operators with reverse proxies: read this please

2013-03-01 Thread Phil Pennock
Folks, We now have two separate issues affecting SKS (and GnuKS) keyservers which have nginx or Apache in front of them, affecting interop compatibility with various versions of GnuPG (and other clients) as deployed. Even as changed clients roll out, we can expect to see clients which have issues

Re: [Sks-devel] nginx proxy_ignore_client_abort with kqueue

2013-03-01 Thread Phil Pennock
On 2013-02-28 at 04:34 -0500, Phil Pennock wrote: > So, it appears that nginx is not honouring: > proxy_ignore_client_abort on; > if the server was built with kqueue support (FreeBSD). Turns out, this comes from the still-experimental SPDY patch. Waited a day, got no response, went ahead and po

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-03-01 Thread Kristian Fiskerstrand
On 03/01/2013 09:04 AM, Phil Pennock wrote: .. > > 417 is not load-related, Kristian's goofed. > > 417 _only_ happens when the client sends "Expect: 100-continue", in > an HTTP/1.1 request, and a reverse proxy (or forward-proxy) knows > that the

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-03-01 Thread Kristian Fiskerstrand
On 03/01/2013 10:24 AM, Phil Pennock wrote: > [ trimmed CC list, dropped gnupg-users & people not directly > relevant to this post ] > ... > > Kristian: might it be worth nginx.ha.pool.sks-keyservers.net and > apache.ha.pool.sks-keyservers.net

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-03-01 Thread Phil Pennock
[ trimmed CC list, dropped gnupg-users & people not directly relevant to this post ] On 2013-03-01 at 00:46 -0800, Doug Barton wrote: > Wow, what a thorough analysis, thanks Phil. :) FWIW, I did see those > Expect: headers you describe in my d

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-03-01 Thread Doug Barton
Wow, what a thorough analysis, thanks Phil. :) FWIW, I did see those Expect: headers you describe in my debug output, and obviously if this issue only affects certain servers it would explain why I was only seeing it intermittently. I should have

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-03-01 Thread Phil Pennock
Short version: bad interaction of GnuPG, cURL and Apache. Can probably be worked around in Apache config, can definitely be worked around in GnuPG code, should aim to get both done. On 2013-02-28 at 10:01 -0800, Doug Barton wrote: > 2001:470:1f0