Re: [Sks-devel] sks behind lighttpd reverse proxy

From: Phil Pennock
Subject: Re: [Sks-devel] sks behind lighttpd reverse proxy
Date: Mon, 2 Dec 2013 17:17:21 -0500

On 2013-12-02 at 22:49 +0100, Simon Lange wrote:
> however. gpg does not send any header and therefore THAT was the
> problem. so if you use some kind of aggressive antidos mechanism like
> sorting out not compliant http clients (like gpg) you run into the problem.

For clarity: RFC2616 merely classes User-Agent: as a "SHOULD", not a
"MUST".  See section 14.43.  It would be nice if it were more common,
and for normal HTTP traffic I agree it's not unreasonable to filter
based upon it.

I believe that the GnuPG developers are concerned around leaking
information which can be used to fingerprint a client and causing even
more privacy problems.

> 11370 has a connection throttle and of course is not reverse proxied. it
> was only for one day after a sks pool admin did write us we have to put
> everything behind reverse proxy. we did and ran into problems.  ;)

For clarity, once more: Kristian's intent was to let you know that _if_
you care about your server being present in the pool set which he
maintains, _then_ you would need to set up a reverse proxy; this is a
topic which has come up a few times on this list in the past few months.

You run your server, others don't run it for you.  You are under no
obligation to provide a public service: as long as you can find people
happy to peer with you and donate their own bandwidth to keeping you
up-to-date, even if you're not providing a public service, then you'll
be fine.

But providing something back to the public good should make it easier
for you to maintain enough peerings for resiliency, and thank you for
doing so!

-Phil
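To make the failure mode in this thread concrete, here is an added example (not code from the thread, from GnuPG, or from SKS) showing why an anti-DoS rule that rejects requests without a User-Agent header breaks gpg's HKP lookups, and a corrected rule that exempts the /pks/ paths the keyserver serves. The request strings, the hostname keys.example.org and the key id in the query are constructed for illustration.

```python
"""Added example, not part of the mailing-list thread: a toy request filter
that compares an over-aggressive "no User-Agent, no service" rule with one
that exempts HKP paths. All sample requests below are constructed."""

from dataclasses import dataclass, field

# HKP endpoints that SKS serves (lookup, add, hashquery) all live under /pks/.
HKP_PREFIX = "/pks/"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.x request (request line plus headers).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def strict_filter(req: Request) -> bool:
    """Over-aggressive rule: any request without User-Agent is treated as a
    non-compliant client and dropped. RFC 2616 section 14.43 only makes the
    header a SHOULD, so this silently rejects gpg, which omits it."""
    return "user-agent" in req.headers


def hkp_aware_filter(req: Request) -> bool:
    """Corrected rule: HKP paths are served regardless of User-Agent; the
    header requirement applies only to the rest of the virtual host."""
    if req.path.startswith(HKP_PREFIX):
        return True
    return "user-agent" in req.headers


# Constructed samples: a gpg-style lookup (no User-Agent), a browser hit on
# the front page, and a header-less request outside the HKP paths.
GPG_LOOKUP = (
    "GET /pks/lookup?op=get&search=0x0123456789ABCDEF HTTP/1.1\r\n"
    "Host: keys.example.org\r\n\r\n"
)
BROWSER_ROOT = (
    "GET / HTTP/1.1\r\n"
    "Host: keys.example.org\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n\r\n"
)
NO_UA_ROOT = "GET / HTTP/1.1\r\nHost: keys.example.org\r\n\r\n"


def evaluate(raw: str) -> dict:
    """Return the accept/reject decision of both rules for one raw request."""
    req = parse_request(raw)
    return {"strict": strict_filter(req), "hkp_aware": hkp_aware_filter(req)}


if __name__ == "__main__":
    for label, raw in (("gpg lookup", GPG_LOOKUP),
                       ("browser /", BROWSER_ROOT),
                       ("no-UA /", NO_UA_ROOT)):
        print(f"{label:12s} {evaluate(raw)}")
```

Running the block shows the strict rule rejecting the gpg-style lookup while the HKP-aware rule still blocks header-less clients everywhere except the keyserver paths, which is the compromise a reverse proxy in front of SKS needs to make.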