Re: Yet another trusted proxy suggestion

On Tue, 26 November 2013 21:09, Adrien de Croy wrote:
> I don't see any point in using a CONNECT style of approach if you trust
> the proxy.  What sort of connection is that? If TLS, then why not just
> use a GET https:// approach.
> As for using a mandatory proxy on the server end, I don't really see a
> requirement for that.  People use reverse proxies for sure, but they
> just appear from the outside to be a server.  I think if we allowed
> assertion of mandatory proxy use outside a trusted environment (e.g. the
> user's LAN) then we would have major problems getting it accepted.

I had the case of an entity that used an authenticating proxy to protect
outside access to their internal webapps. So getting access for our users
to their apps would have required chaining two proxies:

web client on corp1 lan → corp1 outbound auth proxy → Internet → corp2
inbound auth proxy → webapp on corp2 lan

And of course corp1 and corp2 secrets were not shared, only users with
dual affiliation had a login on both proxies.

This is a real and current use-case, not a thought experiment.


Nicolas Mailhot

Received on Wednesday, 27 November 2013 20:40:49 UTC