HTTPS, proxy environment variables and non-CONNECT access

Robert Collins <robertc@squid-cache.org> Tue, 16 July 2013 06:10 UTC

To: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAJ3HoZ3ZuBwAZWrsgrZkoBejeH0t0uJRWAdiy1eKKbQwM3xx5g@mail.gmail.com>

So [fairly recently] squid and other proxies can retrieve resources
over HTTPS. However, user agents generally don't take advantage of
this, instead using CONNECT to do end-to-end encryption.

One of the ramifications of saying we'd like to be able to do explicit
recommendations for a proxy [which I know is a longer term thing] is
that clients need to be /able/ to do HTTPS via their proxy - e.g.
client <- https -> proxy <- https -> origin, and/or client <- http ->
proxy <- https -> origin.

Today, for unix UAs, https_proxy when set results in a connection to
the named proxy and then a CONNECT verb.

I'd like to start getting UAs to stop doing the CONNECT verb, but
redefining the behaviour of https_proxy seems super risky. So -
looking for input (and here is as good a place as any, so please
excuse the technically off-topic thread) on how to signal that.

We could add a new variable to control the behaviour of https_proxy :
e.g. https_proxy_mode=[connect|native] with unrecognised or absent
values treated as 'connect'.

Or we could add a new variable e.g. https_trusted_proxy=<URI> and have
that take priority.

Does anyone have:
 - a better place to raise this
 - or thoughts on this?

I'm sure that implementing this will start to raise issues like 'how
do we signal client certificates indirectly' and so on, which *will*
be HTTP protocol issues, but one step at a time.

-Rob
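An added example, not part of the post above and not Squid's or any UA's code: it models the two proposals in the message (an `https_proxy_mode=[connect|native]` switch with unrecognised or absent values meaning 'connect', or an `https_trusted_proxy=<URI>` variable that takes priority) as an environment-resolution step, then builds the first request a UA would send to the proxy in each mode and what a proxy does with it. The variable names are the post's proposals, not a standard; the proxy and origin hosts are constructed sample values. The `exposure` helper makes the security difference explicit: with CONNECT the proxy only learns `host:port`, while in native mode it terminates TLS towards the origin and sees the full request and response, and the client-to-proxy leg is only encrypted if the proxy URL itself is `https://`.

```python
"""Model of https_proxy / https_proxy_mode / https_trusted_proxy handling.

Illustrative code for the proposals in the post; the variable names are
assumed, not standardised anywhere.
"""
from urllib.parse import urlsplit

CONNECT, NATIVE = "connect", "native"


def resolve_proxy_plan(env):
    """Return (proxy_url, mode) from a dict of environment variables.

    Precedence, following the post:
      1. https_trusted_proxy=<URI>, if set, wins and implies native mode.
      2. Otherwise https_proxy with https_proxy_mode=[connect|native];
         an absent or unrecognised mode falls back to 'connect', which is
         today's behaviour (a tunnel via the CONNECT verb).
    (None, None) means no proxy applies.
    """
    trusted = env.get("https_trusted_proxy")
    if trusted:
        return trusted, NATIVE
    proxy = env.get("https_proxy")
    if not proxy:
        return None, None
    mode = env.get("https_proxy_mode", "").strip().lower()
    return proxy, (NATIVE if mode == NATIVE else CONNECT)


def build_request(mode, target_url):
    """Bytes the UA writes on its connection to the proxy for an https target."""
    t = urlsplit(target_url)
    if t.scheme != "https" or not t.hostname:
        raise ValueError("only absolute https targets are handled here")
    authority = f"{t.hostname}:{t.port or 443}"
    if mode == CONNECT:
        # Tunnel request: the proxy learns only host:port. After its
        # '200 Connection established' the UA runs the TLS handshake with the
        # origin through the tunnel and sends an origin-form GET inside it.
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()
    # Native mode: absolute-form request to the proxy itself. The proxy
    # terminates TLS towards the origin, so it sees the whole exchange.
    path = (t.path or "/") + (f"?{t.query}" if t.query else "")
    return (f"GET {t.scheme}://{t.netloc}{path} HTTP/1.1\r\n"
            f"Host: {t.hostname}\r\n\r\n").encode()


def classify_proxy_request(request):
    """Toy proxy-side view: decide from the request line what the proxy does.

    Returns ('tunnel', 'host:port') for CONNECT, or ('fetch', url) for an
    absolute-form request the proxy would retrieve over HTTPS itself.
    """
    method, target, _version = request.split(b"\r\n", 1)[0].decode().split(" ")
    if method == "CONNECT":
        return "tunnel", target
    if target.startswith("https://"):
        return "fetch", target
    raise ValueError(f"unsupported request: {method} {target}")


def exposure(proxy_url, mode):
    """What each hop can see for a given proxy URL and mode."""
    proxy_scheme = urlsplit(proxy_url).scheme
    return {
        # In CONNECT mode the bytes on the client-proxy leg are the origin's
        # TLS session; in native mode they are cleartext unless the proxy
        # itself is reached over https.
        "client_to_proxy_encrypted": mode == CONNECT or proxy_scheme == "https",
        # Only a native-mode proxy terminates TLS and sees the plaintext.
        "proxy_sees_plaintext": mode == NATIVE,
    }


if __name__ == "__main__":
    # Constructed sample environments, not real deployments.
    for env in ({"https_proxy": "http://proxy.example:3128"},
                {"https_proxy": "http://proxy.example:3128", "https_proxy_mode": "native"},
                {"https_proxy": "http://proxy.example:3128",
                 "https_trusted_proxy": "https://trusted.example:3129"}):
        proxy, mode = resolve_proxy_plan(env)
        req = build_request(mode, "https://origin.example/index.html?q=1")
        print(mode, classify_proxy_request(req), exposure(proxy, mode))
```

Run it as a script to see the three cases side by side; the point to take from `exposure` is that switching a UA from CONNECT to native mode changes who can read the traffic, which is why the post treats silently redefining `https_proxy` as risky and why a native-mode proxy should only be named over an `https://` URL (or explicitly as a trusted proxy).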