Re: Question about tunneling, authentication, and connection persistence

On 22/01/2015 4:27 p.m., Zhong Yu wrote:
> If a CONNECT request is sent to a tunnel, and tunnel responds with
> a 407 (Proxy Authentication Required), is it usually true that the
> HTTP connection stays persistent?

"It depends".

... on whether any bytes are sent by the client following the CONNECT
message headers, and

... on what the Connection: header contains for both CONNECT request
and 407 reply, and

... on whether the HTTP/1.0 version was sent on either the CONNECT
request or 407 reply, and

... on what type of authentication is being performed, and

... for connection-based auth what stage of the handshake.


> 
> In theory, the tunnel could indicate that the current HTTP
> connection is closed, therefore, a new connection must be
> established to the tunnel for the new CONNECT request with
> authentication information. However, in practice, how likely does
> that happen? Thanks,
> 

That also depends, on how much of your traffic is generated by web
browsers and how much generated by non-browser applications.

The browsers are getting quite insistent about the time it takes to
get to first response and will send initial TLS, HTTP/2 or SPDY
handshake bytes along with the CONNECT message. This breaks the
possibility of keeping the TCP connection alive and increases their
handshake time by ~3 RTT and reduces the proxy new-connection capacity
by 50%. Though despite years of arguing about it with them, the browser
folk are also quite insistent that it's the proxies' fault for causing
all the lag issues, not them.

Amos

Received on Thursday, 22 January 2015 05:11:23 UTC
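
The factors listed in the reply above, worked through as an added example (not part of the original message and not any proxy's own code): a simplified Python check that takes a CONNECT request and its 407 reply as raw bytes and reports whether the connection can be reused, and whether a connection-based auth handshake would have to restart. The function names, sample messages and the NTLM placeholder token are constructed, and treating NTLM and Negotiate as the connection-based schemes is an assumption of this sketch.

```python
# Added example. Simplified model: HTTP/1.x only, ignores Proxy-Connection and unread 407 bodies.
CONNECTION_BASED = {"ntlm", "negotiate"}  # assumption: schemes that authenticate the TCP connection

def parse_head(raw):
    """Split one HTTP/1.x message into (start line, headers, bytes after the headers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest

def allows_persistence(start_line, headers):
    """HTTP/1.1 persists unless 'close'; HTTP/1.0 only with an explicit 'keep-alive'."""
    tokens = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    version = next(p for p in start_line.split() if p.upper().startswith("HTTP/"))
    return "keep-alive" in tokens if version.upper() == "HTTP/1.0" else "close" not in tokens

def reuse_after_407(request, reply):
    """Return (reusable, auth_restart, reasons) for a CONNECT request and its 407 reply."""
    req_line, req_hdrs, early = parse_head(request)
    rep_line, rep_hdrs, _body = parse_head(reply)
    reasons = []
    if early:  # these bytes would be parsed as the next HTTP request
        reasons.append("%d bytes follow the CONNECT headers" % len(early))
    if not allows_persistence(req_line, req_hdrs):
        reasons.append("CONNECT request rules out persistence")
    if not allows_persistence(rep_line, rep_hdrs):
        reasons.append("407 reply rules out persistence")
    # A challenge carrying a token means a connection-based handshake is under way.
    mid_handshake = any(
        c.split(" ", 1)[0].lower() in CONNECTION_BASED and len(c.split(" ", 1)) == 2
        for c in rep_hdrs.get("proxy-authenticate", []))
    return (not reasons, mid_handshake and bool(reasons), reasons)

# Constructed sample messages (not captured traffic).
PLAIN = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
EAGER = PLAIN + b"\x16\x03\x01\x02\x00"  # start of a TLS record sent with the CONNECT
BASIC_11 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b"Proxy-Authenticate: Basic realm=\"proxy\"\r\nContent-Length: 0\r\n\r\n")
BASIC_10 = BASIC_11.replace(b"HTTP/1.1", b"HTTP/1.0")
NTLM_CLOSE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM PLACEHOLDER-CHALLENGE\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    for name, req, rep in [("plain/basic", PLAIN, BASIC_11), ("eager/basic", EAGER, BASIC_11),
                           ("plain/1.0", PLAIN, BASIC_10), ("plain/ntlm", PLAIN, NTLM_CLOSE)]:
        print(name, reuse_after_407(req, rep))
```

The `auth_restart` flag is set only when a tokened NTLM or Negotiate challenge arrives on a connection that cannot be reused, which is the "what stage of the handshake" case from the list.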