
Re: Is CONNECT hop-by-hop?

From: Willy Tarreau <w@1wt.eu>
Date: Sat, 20 Apr 2019 07:53:49 +0200
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20190420055349.GB2369@1wt.eu>

Hi Alex,

On Fri, Apr 19, 2019 at 02:20:30PM -0600, Alex Rousskov wrote:
> The correct answer probably depends on whether the CONNECT is a
> hop-by-hop mechanism. Mozilla got it right if the CONNECT request is
> meant specifically for the proxy at the next hop. HTTP/1 got it right if
> CONNECT is meant for all proxies in the chain.
> 
> Should a compliant HTTP proxy forward regular end-to-end CONNECT headers
> to the next proxy?

I have a different view on this. In my opinion CONNECT is indeed hop by
hop, but if it ends on a proxy which itself is configured to use another
forward proxy instead of connecting directly to the net, then this second
proxy will likely emit another CONNECT request to that proxy. Of course
both requests might end up being the same, but if you look at authentication
headers, the ones from the first request are there to authenticate on the
first proxy. The second proxy might need a hard-coded authentication in
order to pass through the second proxy, and will likely use its own auth
headers, unless it is configured to pass credentials verbatim.

I find that it's easier to see it as a demand by the client to establish
a clear data path to the TCP endpoint mentioned in the authority. The
client doesn't care how intermediaries split the work, if they use other
CONNECT between them, if one relies on SOCKS, or even use RFC1149, provided
the last element in the chain reaches this endpoint.

Regards,
Willy
Received on Saturday, 20 April 2019 05:54:17 UTC
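
The behaviour described in the message above, sketched as an added example (not part of the original post and not any proxy's actual code): a proxy that receives a CONNECT and must go through a second forward proxy emits its own CONNECT for the same authority, drops the client's hop-by-hop headers including `Proxy-Authorization`, and authenticates with its own credentials unless configured to pass them verbatim. The function names, the sample request and the credentials are constructed for illustration; copying the remaining end-to-end headers is a choice of this sketch, not something the thread settles.

```python
import base64

# Headers that apply to a single connection only (RFC 7230 section 6.1,
# RFC 7235 section 4.4); names listed in Connection are added at run time.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive",
              "proxy-authorization", "proxy-authenticate", "te", "trailer",
              "transfer-encoding", "upgrade"}

def parse_connect(raw: bytes):
    """Return (authority, [(name, value), ...]) for a CONNECT request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, authority, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return authority, headers

def next_hop_connect(raw: bytes, own_credentials=None, pass_verbatim=False) -> bytes:
    """Build the CONNECT this proxy sends to its own upstream proxy."""
    authority, headers = parse_connect(raw)
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            drop.update(tok.strip().lower() for tok in value.split(","))
    if pass_verbatim:  # configured to relay the client's credentials as-is
        drop.discard("proxy-authorization")
    out = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    for name, value in headers:
        if name.lower() not in drop and name.lower() != "host":
            out.append(f"{name}: {value}")
    if own_credentials and not pass_verbatim:  # this hop's own identity
        user, password = own_credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        out.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1")

# Constructed sample: what a client sends to the first proxy.
CLIENT_REQUEST = (b"CONNECT example.org:443 HTTP/1.1\r\n"
                  b"Host: example.org:443\r\n"
                  b"Proxy-Authorization: Basic Y2xpZW50OmNsaWVudC1wdw==\r\n"
                  b"Proxy-Connection: keep-alive\r\n"
                  b"User-Agent: sample-client/1.0\r\n\r\n")

if __name__ == "__main__":
    print(next_hop_connect(CLIENT_REQUEST, ("proxy1", "proxy1-pw")).decode())
```

With the default settings the client's credentials never leave the first proxy, so a log line on the second proxy showing the client's `Proxy-Authorization` value indicates verbatim pass-through is enabled somewhere in the chain.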
