Hi, everyone,

There's been some discussion on this list about refusing to serve bad OpenPGP keys -- at least as a workaround for the time being. Andreas Puls has even supplied a configuration snippet for nginx.

Here is my version for the Apache server. It allows you to include the list of keys in a separate file that can be updated at any time without restarting/reloading the server. In particular, I have something like the following in the file /etc/sks/apache-badkeys:

    # /etc/sks/apache-badkeys: Prevent hosts from querying bad keys
    # This file contains a list of OpenPGP keys that should NOT be returned
    # to clients using the web interface. Each line contains the query
    # string followed by a space and a hyphen, as required by the Apache
    # RewriteMap directive; keys MUST be in lowercase only.

    0x1013d73fecac918a0a25823986ce877469d2ead9 -
    0x86ce877469d2ead9 -
    0x69d2ead9 -

    0x2016349f5bc6f49340fccaf99f9169f4b33b4659 -
    0x9f9169f4b33b4659 -
    0xb33b4659 -

Then in my Apache configuration file, I have the following rules:

    RewriteEngine on
    RewriteMap badkeys "txt:/etc/sks/apache-badkeys"
    RewriteMap lc int:tolower

    RewriteCond "%{REQUEST_URI}" "^/pks/lookup"
    RewriteCond "%{QUERY_STRING}" "op=(get|search|vindex)&?.*search=([^&]+)&?"
    RewriteCond "${badkeys:${lc:%2}|ok}" "!=ok"
    RewriteRule ^/pks/lookup - [L,G]

This block appears BEFORE any ProxyPass / ProxyPassReverse / ProxyVia lines. Whenever a matching key is requested, a 410 Gone message is returned. And I can add to the apache-badkeys file any time I like...

Yours truly,

John Zaitseff

-- 
John Zaitseff, The ZAP Group, Sydney, Australia
Telephone: +61 2 9643 7737
Email: j.zaits...@zap.org.au
https://www.zap.org.au/

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
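As an added illustration (not part of the post above, and not code from the SKS project or from John's server), the following Python script does two things a server operator would want before deploying the rules in the post: it generates the txt: RewriteMap body from a list of v4 fingerprints, emitting the full fingerprint plus the 16- and 8-hex-digit key ids in lowercase as the post's file requires, and it mirrors the three RewriteCond checks (URI prefix, the op/search regex, lowercase map lookup with default "ok") so that sample query strings can be checked offline. The two fingerprints are the ones listed in the post; the function names, the `SAMPLE_FINGERPRINTS` list, and the simplified txt-map parser are this example's own assumptions.

```python
"""Build an Apache txt: RewriteMap of bad OpenPGP key ids and check query
strings against it offline, mirroring the RewriteCond chain from the post.
Added example; not code from the original post or from the SKS project."""
import re
from typing import Dict, List

# Constructed sample input: the two fingerprints listed in the post
# (one deliberately uppercase to exercise the lowercasing).
SAMPLE_FINGERPRINTS = [
    "1013D73FECAC918A0A25823986CE877469D2EAD9",
    "2016349f5bc6f49340fccaf99f9169f4b33b4659",
]

HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def key_forms(fingerprint: str) -> List[str]:
    """Return the three lookup forms of a v4 fingerprint: full fingerprint,
    long (64-bit) key id and short (32-bit) key id, lowercase with 0x prefix,
    which is how the post's map file lists each key."""
    fp = fingerprint.replace(" ", "")
    if not HEX40.match(fp):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fingerprint!r}")
    fp = fp.lower()
    return [f"0x{fp}", f"0x{fp[-16:]}", f"0x{fp[-8:]}"]


def render_badkeys_map(fingerprints) -> str:
    """Render the txt: RewriteMap body: one '<key> -' line per key form."""
    lines = ["# Generated list of OpenPGP keys that must not be served (key -)"]
    for fp in fingerprints:
        lines.extend(f"{k} -" for k in key_forms(fp))
    return "\n".join(lines) + "\n"


def parse_badkeys_map(text: str) -> Dict[str, str]:
    """Parse a txt: map the way Apache reads it (simplified, assumed here):
    'key whitespace value' per line, '#' lines and blank lines ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no value
        table[parts[0]] = parts[1].strip()
    return table


# Same pattern the post applies to %{QUERY_STRING}; group 2 is the %2
# back-reference used in the map lookup.
SEARCH_RE = re.compile(r"op=(get|search|vindex)&?.*search=([^&]+)&?")


def would_block(request_uri: str, query_string: str, badkeys: Dict[str, str]) -> bool:
    """Mirror the RewriteCond chain: request must be under /pks/lookup, the
    query must carry a get/search/vindex op with a search term, and the
    lowercased term must be in the map (lookup default 'ok' means allowed)."""
    if not request_uri.startswith("/pks/lookup"):
        return False
    m = SEARCH_RE.search(query_string)
    if not m:
        return False
    return badkeys.get(m.group(2).lower(), "ok") != "ok"


if __name__ == "__main__":
    body = render_badkeys_map(SAMPLE_FINGERPRINTS)
    print(body)
    table = parse_badkeys_map(body)
    for uri, qs in [("/pks/lookup", "op=get&search=0x69D2EAD9"),
                    ("/pks/lookup", "op=get&search=0xdeadbeef"),
                    ("/pks/lookup", "op=index&search=0x69d2ead9")]:
        print(uri, qs, "->", "410 Gone" if would_block(uri, qs, table) else "served")
```

Like the Apache rule it mirrors, the checker compares the raw query string, so a percent-encoded search value is not looked up; it is worth running a sample of real lookup URLs from your own access log through `would_block` before relying on the rewrite rules alone.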