Re: Yet another trusted proxy suggestion

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Wed, 27 Nov 2013 21:40:19 +0100
Message-ID: <f8e89f6fe7011bb9a1d0833d7463cd94.squirrel@arekh.dyndns.org>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Yoav Nir" <synp71@live.com>, "HTTP Group" <ietf-http-wg@w3.org>

On Tue, 26 November 2013 21:09, Adrien de Croy wrote:
>
> I don't see any point in using a CONNECT style of approach if you trust
> the proxy.  What sort of connection is that? If TLS, then why not just
> use a GET https:// approach.
>
> As for using a mandatory proxy on the server end, I don't really see a
> requirement for that.  People use reverse proxies for sure, but they
> just appear from the outside to be a server.  I think if we allowed
> assertion of mandatory proxy use outside a trusted environment (e.g. the
> user's LAN) then we would have major problems getting it accepted.

I had the case of an entity that used an authenticating proxy to protect
outside access to their internal webapps. So getting access for our users
to their apps would have required chaining two proxies:

web client on corp1 lan → corp1 outbound auth proxy → Internet → corp2
inbound auth proxy → webapp on corp2 lan

And of course corp1 and corp2 secrets were not shared, only users with
dual affiliation had a login on both proxies.

This is a real and current use-case, not a thought experiment.

Regards,

-- 
Nicolas Mailhot
Received on Wednesday, 27 November 2013 20:40:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC