- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 13 Jul 2012 19:50:43 +0000
- To: Brian Pane <brianp@brianp.net>
- cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

In message <CAAbTgTv4QxwyBy5Fp5xg7A_WAQ2BAxrK=Ui932amJrXZ2iA50A@mail.gmail.com>, Brian Pane writes:

>From the perspective of a load balancer, having just those three fields in
>cleartext isn't sufficient. Sending a request to the proper upstream
>destination may require information from Cookie, X-Forwarded-For, and more.

(X-)F-F makes sense.

Cookies: not so, whenever people use cookies, they are working around lack of session concept in HTTP. HTTP/2.0 should fix that, so cookies go away.

>I'm not too concerned about load balancers having to decrypt messages,
>though: SSL termination has been a key selling point for load balancers for
>many years.

That's not the same as it being a good idea.

Hosting providers are often unable to deploy load-balancers and DoS mitigation, exactly because it would require them to have all their hosted clients' certificates.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 13 July 2012 19:51:06 UTC