- From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
- Date: Sat, 21 Jun 2014 19:06:56 +0000
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>, Martin Nilsson <nilsson@opera.com>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> Could you point me to the place in the HTTP/1.1 RFC that says that proxies must be whitelisted ? Can you point me to the place in the HTTP/1.1 RFC that says that servers must do DoS prevention? It doesn't - although the new versions (723*) do acknowledge that it might happen. In practice it's necessary. If you're running a small scale proxy with a couple of hundred users behind it then you'll probably never run into the problems it causes. If you're running something with a few thousand users or more then you probably will. We've run into issues over the past few years with certain services either blocking us or redirecting to Captcha pages to establish if there's a real user in place. The workarounds are all pretty ugly: - Assume that anything with an XFF header (or Forwarded) is a proxy - Whitelist a bunch of IP addresses on the server-side - Stop using the proxy for website <X> (essentially a different form of whitelist) - Switch everything over to TLS and assume that DoS over TLS is do hard for anyone to do it properly I'd be happy to collaborate on activity that improved the status-quo in this regard, Richard
Received on Saturday, 21 June 2014 19:07:25 UTC