W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

RE: Stuck in a train -- reading HTTP/2 draft.

From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
Date: Sat, 21 Jun 2014 19:06:56 +0000
To: Poul-Henning Kamp <phk@phk.freebsd.dk>, Martin Nilsson <nilsson@opera.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1B53D909@xmb-rcd-x04.cisco.com>
 > Could you point me to the place in the HTTP/1.1 RFC that says that proxies must be whitelisted ?

Can you point me to the place in the HTTP/1.1 RFC that says that servers must do DoS prevention? It doesn't - although
the new versions (723*) do acknowledge that it might happen. In practice it's necessary. If you're running a small scale
proxy with a  couple of hundred users behind it then you'll probably never run into the problems it causes. If you're
running something with a few thousand users or more then you probably will. We've run into issues over the past few
years with certain services either blocking us or redirecting to Captcha pages to establish if there's a real user in place.

The workarounds are all pretty ugly:
- Assume that anything with an XFF header (or Forwarded) is a proxy
- Whitelist a bunch of IP addresses on the server-side
- Stop using the proxy for website <X>  (essentially a different form of whitelist)
- Switch everything over to TLS and assume that DoS over TLS is do hard for anyone to do it properly

I'd be happy to collaborate on activity that improved the status-quo in this regard,

Richard
Received on Saturday, 21 June 2014 19:07:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC