Re: Secure (https) proxy authentification

On 18/02/2012 9:20 a.m., Nicolas Mailhot wrote:
> On Thu, 16 February 2012 18:44, Willy Tarreau wrote:
>> On Thu, Feb 16, 2012 at 03:36:47PM +0100, Nicolas Mailhot wrote:
>>> The 407 error must be extended to indicate the https proxy authentication
>>> portal location to handle the cases where it is not desirable to have proxy
>>> auth transmitted in clear, and clients are too dumb to support anything more
>>> complex than basic auth over http or https.

The counter side of that is whether such clients are likely to be smart
enough to do TLS to the proxy anyway?

You mention some recent change in browser behaviour on redirect to
CONNECT. Can you point me at some reference material for that change?


>> Well, this is one more reason for urging all browser vendors to support
>> proxying over https. This will put an end to this redirection madness
>> which prevents most HTTP agents from working in such environments (eg:
>> firefox cannot even update itself at a customer's due to such proxies,
>> so everyone uses outdated versions until they decide to download the full
>> image again).
> Thank you for your support
> I believe fixing this hole in the spec is also needed to get working captive
> portals (instead of the current half-working piles of bandaids that never
> quite work correctly)

IME you will find all of us proxy folk in support of the idea. The 
browser folk seem strangely quiet whenever it comes up.

AYJ

Received on Saturday, 18 February 2012 17:18:23 UTC