Re: Question about tunneling, authentication, and connection persistence

On Wed, Jan 21, 2015 at 11:10 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>
> On 22/01/2015 4:27 p.m., Zhong Yu wrote:
>> If a CONNECT request is sent to a tunnel, and tunnel responds with
>> a 407 (Proxy Authentication Required), is it usually true that the
>> HTTP connection stays persistent?
>
> "It depends".
>
> ... on whether any bytes are sent by the client following the CONNECT
> message headers, and
>
> ... on what the Connection: header contains for both CONNECT request
> and 407 reply, and
>
> ... on whether the HTTP/1.0 version was sent on either the CONNECT
> request or 407 reply, and
>
> ... on what type of authentication is being performed, and
>
> ... for connection-based auth what stage of the handshake.
>
>
>>
>> In theory, the tunnel could indicate that the current HTTP
>> connection is closed, therefore, a new connection must be
>> established to the tunnel for the new CONNECT request with
>> authentication information. However, in practice, how likely does
>> that happen? Thanks,
>>
>
> That also depends, on how much of your traffic is generated by web
> browsers and how much generated by non-browser applications.
>
> The browsers are getting quite insistent about the time it takes to
> get to first response and will send initial TLS, HTTP/2 or SPDY
> handshake bytes along with the CONNECT message. This breaks the
> possibility of keeping the TCP connection alive and increases their
> handshake time by ~3 RTT and reduces the proxy new-connection capacity
> by 50%. Though despite years of arguing about it with them the browser
> folk are also quite insistent that it's the proxies' fault for causing
> all the lag issues, not them.
>

Yes, if the client presumed that the CONNECT would succeed, and sent
tunneling payload ahead of the expected 2xx response, the connection
is corrupt if the actual response is not 2xx.

But I'm curious whether the tunnel/proxy makes best effort to keep the
connection persistent if it sends a 407 response. I imagine that it
does, considering that the task is to establish a tunnel on that
particular connection.

Zhong Yu
bayou.io

Received on Thursday, 22 January 2015 21:06:03 UTC
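
An added example, not part of the original thread: a check of the message-level conditions listed in the quoted reply (bytes sent after the CONNECT headers, the Connection header on both messages, and an HTTP/1.0 version on either) to decide whether a 407 leaves the connection usable for a retried CONNECT. The function names and sample messages are constructed for illustration, the authentication type and handshake stage are not modelled, and the body-framing check goes beyond what the thread mentions.

```python
# Added example; the messages under "Constructed samples" are made up.

def parse_head(raw):
    """Return (start_line, headers, bytes_after_header_block)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        prior = headers.get(key)  # repeated fields combine into one list
        headers[key] = value.strip() if prior is None else prior + ", " + value.strip()
    return lines[0], headers, rest


def keeps_alive(version, headers):
    """HTTP/1.1 persists unless 'close'; HTTP/1.0 only with 'keep-alive'."""
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "close" in tokens:
        return False
    return "keep-alive" in tokens if version == "HTTP/1.0" else True


def reusable_after_407(request, response):
    """Return (reusable, reason) for retrying CONNECT on the same connection."""
    req_line, req_hdrs, early = parse_head(request)
    status_line, resp_hdrs, _ = parse_head(response)
    if status_line.split()[1] != "407":
        raise ValueError("not a 407 response")
    if early:
        return False, "client sent tunnel bytes after the CONNECT headers"
    if not keeps_alive(req_line.split()[-1], req_hdrs):
        return False, "request does not allow persistence"
    if not keeps_alive(status_line.split()[0], resp_hdrs):
        return False, "407 reply does not allow persistence"
    if "content-length" not in resp_hdrs and "transfer-encoding" not in resp_hdrs:
        return False, "407 body is delimited by connection close"
    return True, "retry CONNECT with Proxy-Authorization on this connection"


# Constructed samples
CONNECT_11 = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
CONNECT_EARLY = CONNECT_11 + b"\x16\x03\x01\x00\x05hello"  # TLS bytes sent ahead
REPLY_KEEP = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: Basic realm=\"proxy\"\r\nContent-Length: 0\r\n\r\n")
REPLY_CLOSE = REPLY_KEEP.replace(b"Content-Length: 0", b"Connection: close\r\nContent-Length: 0")
REPLY_10 = REPLY_KEEP.replace(b"HTTP/1.1", b"HTTP/1.0")
```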