Re: [Sks-devel] Configuring the reverse proxy to support large keys - HTTP error 413

Mon, 28 Apr 2014 11:53:25 -0700 

Dear all,

On Mon, Apr 28, 2014 at 06:25:45PM +0200, Kristian Fiskerstrand wrote:

I've received reports that uploading some (large) keys to some of the
keyservers in the pool (my test shows failure on 30 servers after
trying to run against 115: These are listed in [A]) results in a
gpgkeys: HTTP post error 22: The requested URL returned error: 413
Request Entity Too Large

[...]

keys2.alderwick.co.uk
keys.alderwick.co.uk



Good catch, Kristian, and thanks for scanning my servers. I've fixed 
their config now.


On Mon, Apr 28, 2014 at 07:05:00PM +0200, Gabor Kiss wrote:

I have not yet implemented an automated check for this in the pool
(and a bit unsure how I'd do it without actually sending large amount
of data to the server during the check, something I generally want to
avoid), but might run a semi-manual / scripted check and add affected
servers to the blacklist if the issue persists after some time.


My 2 cents:
It is not necessary to thest this attribute more than once a week.
And servers passing the test need no more examination.



I was wondering if, separately to the automated checks, a script on the 
wiki would be helpful for new admins to test a server. I could have a 
bash at it, unless anyone knows of a testing script that already exists.


Example output:

$ ./sks-lint keys.alderwick.co.uk
Testing keys.alderwick.co.uk...
[ OK ] SKS version is 1.1.4
[ OK ] 3608500 keys in database
[ OK ] lookup via port 80 supported
[FAIL] lookup via hkps failed
       - SSL certificate is invalid
           - common name is ssl.alderwick.co.uk - see http://example.com/sni
[FAIL] large key upload failed
       - server returned HTTP error 413 - see http://example.com/upload_size


Such a script could come with switches for the admin to indicate if 
they're interested in being in all the pools, some of them, or merely 
checking that their config doesn't have any obvious flaws.


Thanks,
Andy



Attachment:
signature.asc

Description: Digital signature


_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel






















					Reply via email to