- From: Patrick McManus <mcmanus@ducksong.com>
- Date: Fri, 3 Apr 2015 17:04:16 -0400
- To: Ryan Hamilton <rch@google.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAOdDvNq9cp_bAYy_F_1nA0cHNKfxWVEi5uqmDoZiGoyxjtnvZA@mail.gmail.com>
On Fri, Apr 3, 2015 at 4:50 PM, Ryan Hamilton <rch@google.com> wrote:
> Consider the following scenario. There are two servers,
> internal.example.com and external.example.com. Inside the enterprise
> access to resources outside the firewall must go through a proxy, whereas
> resource inside the firewall can go direct. That would lead to a .pac file
> like:
>
> function FindProxyForURL(url, host) {β
>
> β if (host == "internal.example.com") {
> return "DIRECT";
> }
> return "PROXY proxy.example.com";
> }β
>
>
> If Alt-Svc for internal says, "Alt-Svc: h2="external.exmple.com:443",
> then βthe proxy will say, "Sure, go direct to http://internal.example.com/"
> but then the browser will connect to external.example.com:443 and will
> avoid the proxy and the request will hang. This seems a bit unfortunate,
> but it's not clear that the alternative is much better, so I'm happy to do
> this, if that's the consensus of the group.
>
The browser is supposed to validate the alternate service (among other
things by checking that it has a cert valid for the origin) before using it
and fall back if it is unavailable. So it seems that
external.example.com:443 could not be validated in your example and if
perhaps that validation were stale, it should get automagically cleaned up.
I would be very cautious about ever changing url based on alt-svc.. alt-svc
does not change origins or urls. If it did, it would get very hard to
reason about. but supplying the alt information explicitly seems a lot more
interesting. Somebody should really write up a I-D for a modern PAC (that
could be me, but realistically a lot of other things would have to come off
the todo list first.)
Received on Friday, 3 April 2015 21:04:40 UTC