- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 20 Apr 2019 07:53:49 +0200
- To: Alex Rousskov <rousskov@measurement-factory.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Alex, On Fri, Apr 19, 2019 at 02:20:30PM -0600, Alex Rousskov wrote: > The correct answer probably depends on whether the CONNECT is a > hop-by-hop mechanism. Mozilla got it right if the CONNECT request is > meant specifically for the proxy at the next hop. HTTP/1 got it right if > CONNECT is meant for all proxies in the chain. > > Should a compliant HTTP proxy forward regular end-to-end CONNECT headers > to the next proxy? I have a different view on this. In my opinion CONNECT is indeed hop by hop, but if it ends on proxy which itself is configured to use another forward proxy instead of connecting directly to the net, then this second proxy will likely emit another CONNECT request to that proxy. Of course both requests might end up being the same, but if you look at authentication headers, the ones from the first request are there to authenticate on the first proxy. The second proxy might need a hard-coded authentication in order to pass through the second proxy, and will likely use its own auth headers, unless it is configured to pass credentials verbatim. I find that it's easier to see it as a demand by the client to establish a clear data path to the TCP endpoint mentioned in the authority. The client doesn't care how intermediaries split the work, if they use other CONNECT between them, if one relies on SOCKS, or even use RFC1149, provided the last element in the chain reaches this endpoint. Regards, Willy
Received on Saturday, 20 April 2019 05:54:17 UTC