W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: Question about tunneling, authentication, and connection persistence

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 22 Jan 2015 18:10:38 +1300
Message-ID: <54C0864E.7050505@treenet.co.nz>
To: ietf-http-wg@w3.org
Hash: SHA1

On 22/01/2015 4:27 p.m., Zhong Yu wrote:
> If a CONNECT request is sent to a tunnel, and tunnel responds with
> a 407 (Proxy Authentication Required), is it usually true that the
> HTTP connection stays persistent?

"It depends".

... on whether any bytes are sent by the client following the CONNECT
message headers, and

... on what the Connection: header contains for both CONNECT request
and 407 reply, and

... on whether the HTTP/1.0 version was sent on either the CONNECT
request or 407 reply, and

... on what type of authentication is being performed, and

... for connection-based auth what stage of the handshake.

> In theory, the tunnel could indicate that the current HTTP
> connection is closed, therefore, a new connection must be
> established to the tunnel for the new CONNECT request with
> authentication information. However, in practice, how likely does
> that happen? Thanks,

That also depends, on how much of your traffic is generated by web
browsers and how much generated by non-browser applications.

The browsers are getting quite insistent about the time it takes to
get to first response and will send initial TLS, HTTP/2 or SPDY
handshake bytes along with the CONNECT message. This breaks the
possibility of keeping the TCP connection alive and increases their
handshake time by ~3 RTT and reduces the proxy new-connection capacity
by 50%. Though despite years of arguing about it with them the browser
folk are also quite insistent that its the proxies fault for causing
all the lag issues, not them.


Version: GnuPG v2.0.22 (MingW32)

Received on Thursday, 22 January 2015 05:11:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:42 UTC