sks-devel

From: Phil Pennock
Subject: [Sks-devel] Keyserver operators with Apache reverse proxy: read this please
Date: Sat, 2 Mar 2013 22:34:16 -0500

Reposting the important information for Apache, without all the
diagnostics from the other part of the previous thread.

On 2013-03-01 at 17:03 -0500, Phil Pennock wrote:
> We now have two separate issues affecting SKS (and GnuKS) keyservers
> which have nginx or Apache in front of them, affecting interop
> compatibility with various versions of GnuPG (and other clients) as
> deployed.

> Apache
> ------
> 
>             breaks all clients which use a real libcurl, blocking their
> ability to POST (--send-key) to the server.  The clients set an "Expect:
> 100-continue" HTTP/1.1 header and unfortunately Apache actually
> implements the part of the HTTP specification (RFC2616) which says that
> a HTTP/1.1 proxy should issue a "417 Expectation Failed" response if it
> would pass onto an HTTP/1.0 server.

By default, Apache does not break these clients.

*IF* you have set:

    SetEnv force-proxy-request-1.0  1

*THEN* you have broken interop with clients trying to post keys to you.
If you do not set this environment variable, whether in Apache config or
Apache's own environ at startup or however else you manage these things,
then you do not need to make any change.

If you encounter problems which lead you to set that variable, then you
also need to strip off the Expect: header, early in the request
handling.

At present, Apache does not auto-detect when a backend is HTTP/1.0
(although RFC 2616 unfortunately advocates such behaviour).


So the correct way to force HTTP/1.0 for this backend but not break
existing clients is believed to be:

    SetEnv force-proxy-request-1.0  1
    RequestHeader unset Expect early

Regards,
-Phil
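
A way for an operator to check their own front end for the 417 behaviour described in the message above. This is an added example, not part of the original post and not SKS or Apache code. The `/pks/add` path (the HKP submission path) and the local stub server are assumptions used for illustration.

```python
import socket
import threading

def probe_expect(host, port, path="/pks/add", timeout=5.0):
    """Send only the headers of a POST carrying Expect: 100-continue; return the
    first status code seen, or None. No body is sent, so no key is submitted."""
    request = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Content-Length: 8\r\n"
        "Expect: 100-continue\r\n"
        "Connection: close\r\n\r\n"
    )
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        try:
            status_line = sock.recv(1024).split(b"\r\n", 1)[0].split()
        except socket.timeout:
            return None  # nothing came back within the timeout
    if len(status_line) >= 2 and status_line[1].isdigit():
        return int(status_line[1])
    return None

def rejects_expect(host, port):
    """True when the front end answers 417 Expectation Failed."""
    return probe_expect(host, port) == 417

def start_stub(reply):
    """Constructed one-shot local server standing in for a proxy; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:  # read request headers only
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_stub(b"HTTP/1.1 417 Expectation Failed\r\nConnection: close\r\n\r\n")
    print("rejects Expect:", rejects_expect("127.0.0.1", port))
```

Run `rejects_expect` against your own proxy's host and port before and after adding the `RequestHeader unset Expect early` line to compare the two results.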
