Re: Alt-Svc + Proxy Pac

On Fri, Apr 3, 2015 at 2:04 PM, Patrick McManus <mcmanus@ducksong.com>
wrote:

>
> On Fri, Apr 3, 2015 at 4:50 PM, Ryan Hamilton <rch@google.com> wrote:
>
>> Consider the following scenario. There are two servers,
>> internal.example.com and external.example.com. Inside the enterprise
>> access to resources outside the firewall must go through a proxy, whereas
>> resources inside the firewall can go direct. That would lead to a .pac file
>> like:
>>
>> function FindProxyForURL(url, host) {
>>   if (host == "internal.example.com") {
>>     return "DIRECT";
>>   }
>>   return "PROXY proxy.example.com";
>> }
>>
>>
>> If Alt-Svc for internal says, "Alt-Svc: h2="external.example.com:443",
>> then the proxy will say, "Sure, go direct to
>> http://internal.example.com/" but then the browser will connect to
>> external.example.com:443 and will avoid the proxy and the request will
>> hang. This seems a bit unfortunate, but it's not clear that the alternative
>> is much better, so I'm happy to do this, if that's the consensus of the
>> group.
>>
>
>
> The browser is supposed to validate the alternate service (among other
> things by checking that it has a cert valid for the origin) before using it
> and fall back if it is unavailable. So it seems that
> external.example.com:443 could not be validated in your example and if
> perhaps that validation were stale, it should get automagically cleaned up.
>

Agreed! When I said, "the request will hang", I meant to say, "the
connection will hang". You're totally right that this won't be a user
facing problem.

We won't use the alternative-service but it's not the end of the world.

> I would be very cautious about ever changing url based on alt-svc.. alt-svc
> does not change origins or urls. If it did, it would get very hard to
> reason about. but supplying the alt information explicitly seems a lot more
> interesting.
>

Agreed.


> Somebody should really write up a I-D for a modern PAC (that could be me,
> but realistically a lot of other things would have to come off the todo
> list first.)
>

SGTM. Especially the part about you doing the work :>

Received on Friday, 3 April 2015 21:18:24 UTC
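
Added example, not part of the original message or of any browser's code: a small model of the scenario discussed above, where the PAC decision is made for the origin host, the alternative service is then validated (reachability plus a certificate valid for the origin), and the client falls back and drops the entry when validation fails. The reachability set, certificate table, and the helpers canConnect, validateAltSvc and planRequest are constructed assumptions.

```javascript
// PAC file from the thread, unchanged in behaviour.
function FindProxyForURL(url, host) {
  if (host == "internal.example.com") {
    return "DIRECT";
  }
  return "PROXY proxy.example.com";
}

// Constructed network model: inside the enterprise only internal hosts
// accept direct connections; everything else must go through the proxy.
const DIRECT_REACHABLE = new Set(["internal.example.com:80"]);

// Constructed certificate model: names each endpoint's certificate covers.
const CERT_NAMES = { "external.example.com:443": ["internal.example.com"] };

// Hypothetical helper: a DIRECT route only works for reachable endpoints.
function canConnect(route, endpoint) {
  return route !== "DIRECT" || DIRECT_REACHABLE.has(endpoint);
}

// Hypothetical helper: the two validation checks named in the thread.
function validateAltSvc(originHost, route, alt) {
  if (!canConnect(route, alt)) return "unreachable";
  if (!(CERT_NAMES[alt] || []).includes(originHost)) return "cert-mismatch";
  return "ok";
}

// Hypothetical helper: choose route and endpoint for one request.
function planRequest(url, altSvcCache) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  const originEndpoint = `${u.hostname}:${port}`;
  // The PAC is evaluated with the origin's URL and host, never the alternative's.
  const route = FindProxyForURL(url, u.hostname);
  const alt = altSvcCache[u.origin];
  if (!alt) return { route, endpoint: originEndpoint, altSvc: "none" };
  const status = validateAltSvc(u.hostname, route, alt);
  if (status === "ok") return { route, endpoint: alt, altSvc: "used" };
  delete altSvcCache[u.origin]; // unusable alternative is cleaned up
  return { route, endpoint: originEndpoint, altSvc: status };
}
```
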