
Re: Yet another trusted proxy suggestion

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 27 Nov 2013 20:58:31 +0000
Message-ID: <52965CF7.2080303@cs.tcd.ie>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>, Adrien de Croy <adrien@qbik.com>
CC: Yoav Nir <synp71@live.com>, HTTP Group <ietf-http-wg@w3.org>


On 11/27/2013 08:40 PM, Nicolas Mailhot wrote:
> 
> Le Mar 26 novembre 2013 21:09, Adrien de Croy a écrit :
>>
>> I don't see any point in using a CONNECT style of approach if you trust
>> the proxy.  What sort of connection is that? If TLS, then why not just
>> use a GET https:// approach.
>>
>> As for using a mandatory proxy on the server end, I don't really see a
>> requirement for that.  People use reverse proxies for sure, but they
>> just appear from the outside to be a server.  I think if we allowed
>> assertion of mandatory proxy use outside a trusted environment (e.g. the
>> user's LAN) then we would have major problems getting it accepted.
> 
> I had the case of an entity that used an authenticating proxy to protect
> outside access to their internal webapps. So getting access for our users
> to their apps would have required chaining two proxies
> 
> web client on corp1 lan → corp1 outbound auth proxy → Internet → corp2
> inbound auth proxy → webapp on corp2 lan
> 
> And of course corp1 and corp2 secrets were not shared, only users with
> dual affiliation had a login on both proxies.

I'm not sure how that actually works with http/1.1 - does it
really?

> 
> This is a real and current use-case, not a thought experiment.

Anyway, I'm not sure if you mean HTTP Proxy-Authorization there
or if it can be done another way, but if a side-effect of this
work on proxies is that that header field gets protected by a
TLS session between the client and proxy then that'd be a good
thing since sending Basic or Digest credentials in clear is not
a good thing for sure. (So maybe there will be one thing about
this proxy stuff that I do like:-)

I've never heard of that two-proxies-in-a-row wanting to use
Proxy-Authorization though and didn't think it could work.

S.


> 
> Regards,
> 
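The two points raised above, Proxy-Authorization travelling in clear on the client-to-proxy hop and the question of whether it can carry credentials through two proxies in a row, as an added illustration that is not part of this thread and not code from any of the participants. It is a toy model of the corp1 → corp2 chain: the user names, passwords and host name are constructed, the client-to-proxy hop is assumed to be plain TCP with no TLS, and each proxy is assumed to follow the RFC 7235 rule that Proxy-Authorization is consumed by the first proxy that challenged for it and not relayed further.

```python
"""Toy model of HTTP/1.1 Basic Proxy-Authorization across two chained proxies.

Added illustration, not code from the mailing-list thread. Assumptions:
  - the client-to-proxy hop is cleartext, so anyone on that path reads the header;
  - each proxy consumes Proxy-Authorization (RFC 7235 section 4.4) and forwards
    the request without it, i.e. no cooperative relaying between the proxies;
  - credentials below are constructed for the example and are not shared
    between corp1 and corp2, as in the use-case described above.
"""
import base64

# Constructed per-proxy credential stores; the secrets differ on purpose.
CORP1_USERS = {"alice": "corp1-secret"}   # corp1 outbound authenticating proxy
CORP2_USERS = {"alice": "corp2-secret"}   # corp2 inbound authenticating proxy


def basic_credentials(user, password):
    """Value of a Proxy-Authorization header for Basic auth (RFC 7617 encoding)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def sniff_basic(headers):
    """What a passive observer on a cleartext hop recovers from the request.

    Returns (user, password) or None. Basic is only base64, not encryption,
    so the observer gets the password back verbatim.
    """
    value = headers.get("Proxy-Authorization", "")
    if not value.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    return user, password


def proxy_hop(users, headers):
    """One authenticating proxy.

    Checks the credentials against its own store, then forwards the request
    with Proxy-Authorization removed (the header is hop-by-hop and is consumed
    here). Returns (status, forwarded_headers); 407 means the proxy challenged.
    """
    creds = sniff_basic(headers)  # the proxy parses exactly what the sniffer did
    if creds is None or users.get(creds[0]) != creds[1]:
        return 407, {}  # 407 Proxy Authentication Required
    forwarded = {k: v for k, v in headers.items() if k != "Proxy-Authorization"}
    return 200, forwarded


def run_chain(headers):
    """Drive one request through corp1's proxy and then corp2's proxy.

    Returns the list of (proxy, status) hops reached. With a single
    Proxy-Authorization header the second proxy never sees any credentials.
    """
    status1, forwarded = proxy_hop(CORP1_USERS, headers)
    if status1 != 200:
        return [("corp1", status1)]
    status2, _ = proxy_hop(CORP2_USERS, forwarded)
    return [("corp1", status1), ("corp2", status2)]


if __name__ == "__main__":
    request = {
        "Host": "webapp.corp2.example",  # constructed host name
        "Proxy-Authorization": basic_credentials("alice", "corp1-secret"),
    }
    # Cleartext hop: the observer gets alice's corp1 password.
    print("observer on the corp1 hop sees:", sniff_basic(request))
    # Chain: corp1 authenticates and strips the header; corp2 answers 407.
    print("chain result:", run_chain(request))
```

Wrapping the client-to-proxy hop in TLS removes the first problem (the observer no longer sees the header) but not the second: the header is still consumed at corp1, so the corp2 proxy would need a different mechanism, or cooperative relaying between the two proxies, to authenticate the same request.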
Received on Wednesday, 27 November 2013 20:59:06 UTC
