Re: [Sks-devel] sks behind lighttpd reverse proxy

sks-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] sks behind lighttpd reverse proxy

From:	Phil Pennock
Subject:	Re: [Sks-devel] sks behind lighttpd reverse proxy
Date:	Mon, 2 Dec 2013 17:17:21 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2013-12-02 at 22:49 +0100, Simon Lange wrote:
> however. gpg does not send any header and therefore THAT was the
> problem. so if you use some kind of aggressive antidos mechanism like
> sorting out not compliant http clients (like gpg) you run into the problem.

For clarity: RFC2616 merely classes User-Agent: as a "SHOULD", not a
"MUST".  See section 14.43.  It would be nice if it were more common,
and for normal HTTP traffic I agree it's not unreasonable to filter
based upon it.

I believe that the GnuPG developers are concerned around leaking
information which can be used to fingerprint a client and causing even
more privacy problems.

> 11370 has a connection throttle and of course is not reverse proxied. it
> was only for one day after a sks pool admin did wrote us we have to put
> everything behind reverse proxy. we did and ran into problems.  ;)

For clarity, once more: Kristian's intent was to let you know that _if_
you care about your server being present in the pool set which he
maintains, _then_ you would need to set up a reverse proxy; this is a
topic which has come up a few times on this list in the past few months.

You run your server, others don't run it for you.  You are under no
obligation to provide a public service: as long as you can find people
happy to peer with you and donate their own bandwidth to keeping you
up-to-date, even if you're not providing a public service, then you'll
be fine.

But providing something back to the public good should make it easier
for you to maintain enough peerings for resiliency, and thank you for
doing so!

- -Phil
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJSnQboAAoJEKBsj+IM0duFmnEIAJjUJtdsHxAq1Kw4UN3IPsvZ
lG+ftmWaLZe19R4UkBTpFU50zxTlyodn7rHfFzI/G7O95ZPFVaHSecuEkfB+1YwD
AEa2xVAKCJWWMMJ2dn4t5iXj6DP2b4Sgm6K5TJmKCuJzRTIh/czNGZVqQSLaObMe
1hTIFYNhR/id1s4jKhX6C2OI9MKhRFagW4+X7wcaG+5ZiZnGXLsEcN2Ew1G+dq04
JAsAt6rHlbFXXWEOPRAqO4Y9ZJtxFhUSJ2mx2N3Ztbbwqyf76VPLpCmU+G1SHxd4
IifGRbZeN/4dCA3XFSGJyjpcEnHJ/FZL82vjW3DfpBPA0uCTBFJEvAk/B3/QkA0=
=C42x
-----END PGP SIGNATURE-----

[Prev in Thread]

Current Thread

[Next in Thread]

[Sks-devel] sks behind lighttpd reverse proxy, Simon Lange, 2013/12/02
- Re: [Sks-devel] sks behind lighttpd reverse proxy, Roman Pavlik, 2013/12/02
  - Re: [Sks-devel] sks behind lighttpd reverse proxy, Simon Lange, 2013/12/02
- Re: [Sks-devel] sks behind lighttpd reverse proxy, Karl Schmitz, 2013/12/02
  - Re: [Sks-devel] sks behind lighttpd reverse proxy, Simon Lange, 2013/12/02
- Message not available
  - Re: [Sks-devel] sks behind lighttpd reverse proxy, Simon Lange, 2013/12/02
- Re: [Sks-devel] sks behind lighttpd reverse proxy, Phil Pennock, 2013/12/02
  - Re: [Sks-devel] sks behind lighttpd reverse proxy, Simon Lange, 2013/12/02
    - Re: [Sks-devel] sks behind lighttpd reverse proxy, Phil Pennock <=

Prev by Date: Re: [Sks-devel] sks behind lighttpd reverse proxy
Next by Date: Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthorized host, but host is authorized
Previous by thread: Re: [Sks-devel] sks behind lighttpd reverse proxy
Next by thread: Re: [Sks-devel] New server asking for peers (keyserver.vi-di.fr)
Index(es):
- Date
- Thread