ctubio / php-proxy-keyserver
PHP proxy and extensible web interface that forwards standard HKP requests to a local or remote SKS OpenPGP keyserver.
Requires
- php: ~5.6
- dflydev/apache-mime-types: ~1.0
- jenssegers/proxy: 2.*
- monolog/monolog: ~1.13
Requires (Dev)
- phpunit/phpunit: ~5.0
- satooshi/php-coveralls: ~1.0
This package is not auto-updated.
Last update: 2024-09-27 13:28:30 UTC
README
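This source code is happily serving public keys at https://pgp.key-server.io (check the pool status!).
Main features
- Minimalist PHP framework focused on extending and beautifying the default web interface of the keyserver.
- PHPize any request on any port, but keep the raw output for gpg/pool clients.
- 8 skins (thanks everybody!), but you can make your own (using dynamic PHP blocks or static HTML).
- Optional: automatically add and validate user-submitted membership lines, for new peers.
- Optional: automatically indent and validate HTML pages before outputting the HTML response.
- Meaningful error messages while developing skins/pages (hope you like stack traces).
- Ready-to-use web server configs for apache2 or nginx (as well as a tor hidden service and a piwik tracker).
- Ready-to-use load balancer config for haproxy (between PHP and HKP, or balancing PHP).
- Ready for BOINC status GUI RPC, to show the tasks currently assigned on your server farm.
- Or, discard all the modern features and stick with the great old plain html frontend (for historical reasons).
How to run your own SKS keyserver with PHP and other tools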
$ # Check the latest sks version:
$ curl https://bitbucket.org/skskeyserver/sks-keyserver/raw/default/VERSION
$ # Check the available sks versions in your sources:
$ apt-cache policy sks
$ # Check your current sks version:
$ sks version
$ # Decide if you wanna download and compile the latest sks version.
$ # The README file has examples of configuration files for sks, nginx/apache, haproxy and tor.
$ # Check if your keyserver is up and running (in all machines):
$ netstat -anp | egrep --color 'sks'
tcp 0 0 0.0.0.0:11370 0.0.0.0:* LISTEN 8198/sks
tcp 0 0 127.0.0.1:11371 0.0.0.0:* LISTEN 8197/sks
tcp6 0 0 :::11370 :::* LISTEN 8198/sks
unix 2 [ ACC ] STREAM LISTENING 29826 8197/sks /var/lib/sks/db_com_sock
unix 2 [ ACC ] STREAM LISTENING 29835 8198/sks /var/lib/sks/recon_com_sock
$ # If you don't see any output, please start the keyserver daemons with similar configs.
$ # Optionally, check if your load balancer is up and running (in primary machine):
$ netstat -anp | egrep --color 'haproxy'
tcp 0 0 0.0.0.0:11369 0.0.0.0:* LISTEN 2438/haproxy
unix 2 [ ] DGRAM 11553 2008/rsyslogd /var/lib/haproxy/dev/log
unix 2 [ ] DGRAM 12323 2438/haproxy
$ # Here port 11369 is used, but you are free to choose any other number if you wish.
$ # A load balancer isn't mandatory, unless you plan to generate daily keydumps.
$ # Optionally, check if your tor is up and running (in primary machine):
$ netstat -anp | egrep --color 'tor'
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 11655/tor
unix 2 [ ACC ] STREAM LISTENING 53139133 11655/tor /var/run/tor/control
unix 3 [ ] STREAM CONNECTED 53139131 11655/tor
unix 3 [ ] STREAM CONNECTED 53139130 11655/tor
$ # Here port 9050 is used, but you are free to choose any other number if you wish.
$ # A tor hidden service isn't mandatory, unless you plan to provide anonymity.
$ # Check if your webserver is up and running (in primary machine):
$ netstat -anp | egrep --color 'apache2|nginx'
tcp 0 0 10.10.10.2:11371 0.0.0.0:* LISTEN 3197/apache2
tcp 0 0 10.10.10.2:80 0.0.0.0:* LISTEN 3197/apache2
tcp 0 0 10.10.10.2:443 0.0.0.0:* LISTEN 3197/apache2
tcp6 0 0 2607:f298:6050:6f:11371 :::* LISTEN 9647/apache2
tcp6 0 0 2607:f298:6050:6f81::80 :::* LISTEN 9647/apache2
tcp6 0 0 2607:f298:6050:6f81:443 :::* LISTEN 9647/apache2
$ # The 4th column may be your own public IPs of your virtual machine/server.
$ # If you don't see any output, please start the webserver daemon with similar configs.
$ # Download and compose the php proxy and the extensible web interface between them:
$ cd /var/www
$ mkdir your.domain.name
$ cd your.domain.name
$ composer self-update
$ composer create-project ctubio/php-proxy-keyserver . --keep-vcs
$ make config
$ make help
$ # All done, thank you!
$ # Validate if your website can search/retrieve/submit pgp public keys.
$ # Validate if your keyserver works using the command line tool gpg (or others).
$ # Import the most recent database dump, and use the mailing list to find peers.
$ # Please, feel free to extend or customize as you need the web interface!
Troubleshooting
Common installation problems
-bash: composer: command not found
To fix it, see https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx
Silly Winny problems
'make' is not recognized as an internal or external command
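To fix it, see http://gnuwin32.sourceforge.net/packages/make.htm
What if...
...I want to make a skin?
Run the following command to create a new skin (using skin/default as a base, or any other), and if you want to share it, please read the CONTRIBUTING file.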
$ cp -r skin/default skin/new-skin
...I want to know the methods available in skin/*.phtml files?
Yes sir/madam, please use the following 3 built-in methods of $this in any phtml file:
# get any value from etc/php-proxy-keyserver.ini
string $this->getConfig(string $option);
# (you can add new options to the config file as you need)
# for example:
echo $this->getConfig('hkp_load_balanced_addr'); # may print 127.0.0.1
echo $this->getConfig('custom_var'); # may print custom_value
# get any block from skin/blocks/*
string $this->getBlock(string $block);
# (you can get blocks from any depth in the path)
# for example:
echo $this->getBlock('gnu_inside'); # parse and print skin/block/gnu_inside.phtml
echo $this->getBlock('happy/gnu_inside'); # parse and print skin/block/happy/gnu_inside.phtml
# get any page from skin/page/*
string $this->getPage([string $page]);
# (useful in the layout, or to show some page in the footer of all pages?)
# for example:
echo $this->getPage(); # parse and print the current page based on http request
echo $this->getPage('index'); # parse and print page/index.phtml
echo $this->getPage('path/file'); # parse and print path/file.phtml
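...I don't want to use PHP?
skin/default uses a PHP layout to build a given page, but if you only want to use HTML files or any other static format, see the source of skin/pgpkeyserver-lite or skin/XHTML+ES as examples.
...I want to make skins for the community, but don't want to run my own keyserver?
Feel free to use my keyserver for your development, at pgp.key-server.io (see the answer below).
...my server is only a web server?
The keyserver may be provided by a different server; if that is your case, edit etc/php-proxy-keyserver.ini and set the value of hkp_load_balanced_addr to match the address of the keyserver.
...I want to upgrade to a new version of php-proxy-keyserver?
Run the following commands (using v1.2.3 as an example):
$ git fetch; # see the available new versions in the output
$ git checkout v1.2.3; # upgrade to v1.2.3
Or, you can roll back to the previous version: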
$ git checkout v1.2.2; # downgrade back to v1.2.2
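...my keyserver is not an instance of sks?
The PHP proxy works with any server based on the OpenPGP HTTP Keyserver Protocol (HKP).
...I want to see some SKS configuration?
Please take this as an example: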
# debuglevel 3 is default (max. debuglevel is 10)
basedir: /var/lib/sks
debuglevel: 3
hostname: your.domain.name
nodename: your.node.name
hkp_port: 11371
hkp_address: 127.0.0.1
recon_port: 11370
#recon_address: 127.0.0.1
#
server_contact: 0xYOUR64BITKEYID
from_addr: pgp-public-keys@hostname
sendmail_cmd: /usr/sbin/sendmail -t -oi
initial_stat:
disable_mailsync:
membership_reload_interval: 21
stat_hour: 21
#
# set DB file pagesize as recommended by db_tuner
# pagesize is (n * 512) bytes
# NOTE: These must be set _BEFORE_ [fast]build & pbuild and remain set
# for the life of the database files. To change a value requires recreating
# the database from a dump
#
# KDB/key 65536
pagesize: 128
#
# KDB/keyid 32768
keyid_pagesize: 64
#
# KDB/meta 512
meta_pagesize: 1
# KDB/subkeyid 65536
subkeyid_pagesize: 128
#
# KDB/time 65536
time_pagesize: 128
#
# KDB/tqueue 512
tqueue_pagesize: 1
#
# KDB/word - db_tuner suggests 512 bytes. This locked the build process
# Better to use a default of 8 (4096 bytes) for now
word_pagesize: 8
#
# PTree/ptree 4096
ptree_pagesize: 8
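...I want to see some Tor configuration?
Please take this as an example, where the keyword YOUR.PUBLIC.IPv4 should be replaced.
Enable a Tor hidden service for SKS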
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 11371 YOUR.PUBLIC.IPv4:11371
HiddenServicePort 80 YOUR.PUBLIC.IPv4:80
HiddenServicePort 443 YOUR.PUBLIC.IPv4:443
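...I want to see some HAProxy configuration?
This is an example of a basic network setup (see the netstat command output at the top of the README file), where a single apache2 runs a single php-proxy-keyserver, which forwards hkp requests to a single haproxy that balances the load across multiple redundant sks keyservers (the aim here is to avoid downtime while the daily keydumps are generated; of course, you can also put the web server behind another load-balanced setup):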
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
maxconn 4096
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor
timeout connect 5000
timeout client 50000
timeout server 50000
retries 2
option redispatch
stats enable
stats hide-version
stats uri /haproxy
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen php-proxy-keyserver *:11369
balance leastconn
server carles.tubio.sks-database_0 127.0.0.1:11371 check
server carles.tubio.sks-database_1 10.10.10.21:11371 check
server carles.tubio.sks-database_2 10.10.10.22:11371 check
server carles.tubio.sks-database_3 10.10.10.23:11371 check
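...I want to see some Nginx configuration?
Please take this file as an example, where the keywords YOUR.PUBLIC.IPv4, YOUR.PUBLIC.IPv6 and YOUR.DOMAIN.NAME should be replaced.
Enable support for standard HKP, HTTP and HTTPS requests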
server {
listen YOUR.PUBLIC.IPv4:80;
listen [YOUR.PUBLIC.IPv6]:80;
listen YOUR.PUBLIC.IPv4:443 ssl;
listen [YOUR.PUBLIC.IPv6]:443 ssl;
server_name www.YOUR.DOMAIN.NAME;
rewrite ^ $scheme://YOUR.DOMAIN.NAME$uri permanent;
ssl_certificate /etc/nginx/keys/YOUR.DOMAIN.NAME.crt;
ssl_certificate_key /etc/nginx/keys/YOUR.DOMAIN.NAME.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
}
server {
listen YOUR.PUBLIC.IPv4:80;
listen [YOUR.PUBLIC.IPv6]:80;
listen YOUR.PUBLIC.IPv4:11371;
listen [YOUR.PUBLIC.IPv6]:11371;
listen YOUR.PUBLIC.IPv4:443 ssl;
listen [YOUR.PUBLIC.IPv6]:443 ssl;
root /var/www/YOUR.DOMAIN.NAME/pub;
index php-proxy-keyserver.php;
disable_symlinks off;
server_name YOUR.DOMAIN.NAME pool.sks-keyservers.net *.pool.sks-keyservers.net;
location /dump {
autoindex on;
add_before_body /dump/.css;
}
location / {
try_files $uri $uri/ /php-proxy-keyserver.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
ssl_certificate /etc/nginx/keys/YOUR.DOMAIN.NAME.crt;
ssl_certificate_key /etc/nginx/keys/YOUR.DOMAIN.NAME.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
}
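An added check, not part of the project's README: a shell function that audits the ssl_protocols and ssl_ciphers directives used in both server blocks above, run here against those directives and against a constructed replacement. The function names and the replacement protocol and cipher list are assumptions made for this example.

```sh
#!/bin/sh
# Added example: flag legacy TLS protocols and weak cipher keywords in nginx config.

# The three TLS directives as they appear in both sample server blocks above.
page_conf() {
cat <<'EOF'
ssl_protocols SSLv3 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
EOF
}

# Constructed replacement (assumption, not the project's config): TLS 1.2/1.3 only,
# forward-secret AEAD suites. TLSv1.3 needs nginx >= 1.13.0 built with OpenSSL >= 1.1.1.
hardened_conf() {
cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
EOF
}

# Read nginx config on stdin; print one finding per line, nothing if clean.
audit_tls() {
  awk '
    { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }   # drop comments and the trailing ";"
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "ssl_protocols: " $i
    }
    $1 == "ssl_ciphers" {
      n = split($2, tok, ":")
      for (i = 1; i <= n; i++) {
        # "!X" and "-X" remove ciphers and "+X" only reorders, so they add nothing
        if (tok[i] ~ /^[!+-]/) continue
        if (tok[i] ~ /(^|[+-])(ALL|RC4|LOW|MEDIUM|EXP|EXPORT40|EXPORT56|NULL|aNULL|eNULL|ADH|DES|3DES|MD5)([+-]|$)/)
          print "ssl_ciphers: " tok[i]
      }
    }'
}

# Exit status 0 when the config on stdin has no findings.
tls_is_clean() {
  [ -z "$(audit_tls)" ]
}

echo "sample from the page:";    page_conf | audit_tls
echo "constructed replacement:"; hardened_conf | audit_tls
```

To audit a deployed file, feed it on stdin, for example `audit_tls < /etc/nginx/nginx.conf`; the path is an assumption about your layout.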
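...I want to see some Apache2 configuration?
Please take this file as an example, where the keywords YOUR.PUBLIC.IPv4, YOUR.PUBLIC.IPv6 and YOUR.DOMAIN.NAME should be replaced.
Enable support for standard HKP requests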
Listen YOUR.PUBLIC.IPv4:11371
NameVirtualHost YOUR.PUBLIC.IPv4:11371
Listen [YOUR.PUBLIC.IPv6]:11371
NameVirtualHost [YOUR.PUBLIC.IPv6]:11371
<VirtualHost YOUR.PUBLIC.IPv4:11371 [YOUR.PUBLIC.IPv6]:11371>
ServerAdmin webmaster@localhost
ServerName www.YOUR.DOMAIN.NAME
ServerAlias YOUR.DOMAIN.NAME
DocumentRoot /var/www/YOUR.DOMAIN.NAME/pub
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.YOUR.DOMAIN.NAME [NC]
RewriteRule ^(.*) http://YOUR.DOMAIN.NAME$1 [R=301,NE]
RewriteRule ^(.*)$ /php-proxy-keyserver.php?$1 [QSA,L]
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/YOUR.DOMAIN.NAME/pub>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable support for HTTP requests
Listen YOUR.PUBLIC.IPv4:80
NameVirtualHost YOUR.PUBLIC.IPv4:80
Listen [YOUR.PUBLIC.IPv6]:80
NameVirtualHost [YOUR.PUBLIC.IPv6]:80
<VirtualHost YOUR.PUBLIC.IPv4:80 [YOUR.PUBLIC.IPv6]:80>
ServerAdmin webmaster@localhost
ServerName www.YOUR.DOMAIN.NAME
ServerAlias YOUR.DOMAIN.NAME pool.sks-keyservers.net *.pool.sks-keyservers.net
DocumentRoot /var/www/YOUR.DOMAIN.NAME/pub
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.YOUR.DOMAIN.NAME [NC]
RewriteRule ^(.*) http://YOUR.DOMAIN.NAME$1 [R=301,NE]
RewriteRule ^(.*)$ /php-proxy-keyserver.php?$1 [QSA,L]
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/YOUR.DOMAIN.NAME/pub>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable support for HTTPS requests
<IfModule mod_ssl.c>
Listen YOUR.PUBLIC.IPv4:443
NameVirtualHost YOUR.PUBLIC.IPv4:443
Listen [YOUR.PUBLIC.IPv6]:443
NameVirtualHost [YOUR.PUBLIC.IPv6]:443
<VirtualHost YOUR.PUBLIC.IPv4:443 [YOUR.PUBLIC.IPv6]:443>
ServerAdmin webmaster@localhost
ServerName www.YOUR.DOMAIN.NAME
ServerAlias YOUR.DOMAIN.NAME
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.YOUR.DOMAIN.NAME [NC]
RewriteRule ^(.*) https://YOUR.DOMAIN.NAME$1 [R=301,NE]
RewriteRule ^(.*)$ /php-proxy-keyserver.php?$1 [QSA,L]
DocumentRoot /var/www/YOUR.DOMAIN.NAME/pub
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/YOUR.DOMAIN.NAME/pub>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/keys/YOUR.DOMAIN.NAME.crt
SSLCertificateKeyFile /etc/apache2/keys/YOUR.DOMAIN.NAME.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /etc/apache2/keys/YOUR.DOMAIN.NAME.int
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
...I really don't want to use a keyserver, but a web server that answers requests using a local gpg?
Hey, the other day I found https://github.com/remko/phkp, hope it helps you!