IETF Logo Mail Archive

Re: HTTPS, proxy environment variables and non-CONNECT access

Robert Collins <robertc@squid-cache.org> Tue, 16 July 2013 09:55 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2950221E81D9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 02:55:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.977
X-Spam-Level:
X-Spam-Status: No, score=-9.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IKqi05E2ZTCR for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 02:55:15 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 921BD11E827D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 16 Jul 2013 02:55:04 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uz1wW-0002yw-FC for ietf-http-wg-dist@listhub.w3.org; Tue, 16 Jul 2013 09:53:12 +0000
Resent-Date: Tue, 16 Jul 2013 09:53:12 +0000
Resent-Message-Id: <E1Uz1wW-0002yw-FC@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <robertc@robertcollins.net>) id 1Uz1wN-0002y5-UY for ietf-http-wg@listhub.w3.org; Tue, 16 Jul 2013 09:53:03 +0000
Received: from mail-oa0-f44.google.com ([209.85.219.44]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <robertc@robertcollins.net>) id 1Uz1wM-0000T7-Mr for ietf-http-wg@w3.org; Tue, 16 Jul 2013 09:53:03 +0000
Received: by mail-oa0-f44.google.com with SMTP id l10so551255oag.31 for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 02:52:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding:x-gm-message-state; bh=lpJRVBavvQgC9n06/dL+DT8xt64qF2HArLiXrE8DP8U=; b=FskZrFojca/ADFW9Ot+rzsRIzq7d8C+hdbLa7Ow2bdL1qJb1qGMl+PZ/uNPtPShcEp aoLcPgzO/RZk9Mc6gcVdpLX4QSFnnieEP9wGztbk12n+VQVxpHKH52n74xUhGiGoFfx8 syzmP+822iN6tCKwZwyXn/6BtTCE6BjVmTINkaNidm1iJuj0whQZhP1J9urFVK+++0+d SHPgbpCuvEWgTg0LDSwHkvCouHT9BzVFmeZfKayrnuU+4xombQ4Ii4CAXyAcV0u8xH4z QQPTWq2ezRxH+Jf03ncPyO+vst56a2ktb93vORy+ZeJOPwvzChtyhdMB/iCJtsDSgMdJ 4hhg==
MIME-Version: 1.0
X-Received: by 10.60.103.115 with SMTP id fv19mr849096oeb.74.1373968356833; Tue, 16 Jul 2013 02:52:36 -0700 (PDT)
Sender: robertc@robertcollins.net
Received: by 10.76.13.138 with HTTP; Tue, 16 Jul 2013 02:52:36 -0700 (PDT)
X-Originating-IP: [122.58.129.196]
In-Reply-To: <d7ed4bf5bf3c9aa0cad0f9bb2296dc53.squirrel@arekh.dyndns.org>
References: <CAJ3HoZ3ZuBwAZWrsgrZkoBejeH0t0uJRWAdiy1eKKbQwM3xx5g@mail.gmail.com> <d7ed4bf5bf3c9aa0cad0f9bb2296dc53.squirrel@arekh.dyndns.org>
Date: Tue, 16 Jul 2013 21:52:36 +1200
X-Google-Sender-Auth: 0sEEIe62Qf8DXa4U_wwAI_T2ClA
Message-ID: <CAJ3HoZ3SwimFfcWS4VfMyHmcMv619dcAOcXpi2=14=u+802Z5w@mail.gmail.com>
From: Robert Collins <robertc@squid-cache.org>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQnkrQbLzxWFh6RJas+XJ3c7PsWi1r5Vbp/Cd7xIRP21X6LH0HE1vWdZC242z0JupN9HyHUa
Received-SPF: none client-ip=209.85.219.44; envelope-from=robertc@robertcollins.net; helo=mail-oa0-f44.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.100, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1Uz1wM-0000T7-Mr 7207a1778cf3983327e80edc72734c7f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTPS, proxy environment variables and non-CONNECT access
Archived-At: <http://www.w3.org/mid/CAJ3HoZ3SwimFfcWS4VfMyHmcMv619dcAOcXpi2=14=u+802Z5w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18801
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 16 July 2013 20:35, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
>
> Le Mar 16 juillet 2013 08:08, Robert Collins a écrit :
>> So [fairly recently] squid and other proxies can retrieve resources
>> over HTTPS. However user agents generally don't take advantage of
>> this, instead using CONNECT, to do end to end encryption.
>
> Is there a spec somewhere on how it's supposed to work ?

Just HTTP/1.1 - http://www.apps.ietf.org/rfc/rfc2616.html#sec-5.1.2
-  The absoluteURI form is REQUIRED when the request is being made to
a proxy. The proxy is requested to forward the request or service it
from a valid cache, and return the response. Note that the proxy MAY
forward the request on to another proxy or directly to the server

ask for an HTTPS URI and the proxy should get the HTTPS URI for you;
early HTTP proxies couldn't make requests to HTTPS sites, nor could
they listen on HTTPS, both issues have been fixed some time ago.

>> I'm sure that implementing this will start to raise issues like 'how
>> do we signal client certificates indirectly' and so on, which *will*
>> be HTTP protocol issues, but one step at a time.
>
> Some more questions:
> 1. How do you protect the client <-> proxy link?

It's up to the client I think. Some obvious options:
 - use an HTTPS connection to the proxy.
 - use mandatory IPSEC within your network
 - have the proxy be on your local machine

> 2. how do you send auth from the client to the proxy in a secure way
> without it leaking them outside?

I think you mean 'If the origin is an HTTPS origin which uses
replayable (e.g. basic) auth, how do you prevent that leaking [vs e.g.
how do you authenticate to the proxy itself]. So for that you'd want
to have the client switch to CONNECT if the client -> proxy link is
subject to observation and any of the following are true:
 - there are HTTPS only cookies
 - it wants to try a replayable auth mechanism

But the response might deliver an HTTPS only cookie, which suggests
that we should mandate only doing this when either a) the client
doesn't care about having some traffic observed or b) the client ->
proxy link is secured (either at transport level of IPSEC etc).

> (some http_proxy users just add proxy
> auth headers everywhere even when the proxy didn't ask for them, in basic
> auth, so they are leaking secrets to the outside like sieves)

Basic auth is terrible in so many ways :).

> 3. more generally how are the client and proxy supposed to distinguish
> between client <-> proxy signaling and client <-> web site signaling ?

Thats covered by HTTP already.

> 4. Is proxy chaining possible? (I've seen proxy used both to authorize
> connexions to the outside, and as gateway for connexions inside. So how
> can a poor user that needs access to a resource protected by and
> Internet-to-inside proxy traverse his own inside-to-Internet gateway to
> reach it?)

There's no facility for tunnelling *auth* from a client through
multiple proxies in HTTP today. It might be interesting to contemplate
but I think it's orthogonal.

Remember that I proposing an optional thing folk can opt into, when it
makes sense for their environment.

For instance - I have a proxy on my laptop, traffic to it is entire
unobservable by other people, and it would make an excellent shared
cache for the growing number of sites (e.g. pypi) that are https-only.

-Rob

v2.23.0 | Report a Bug | By Email