HTTP error 511 [Was: Secure (https) proxy authentification]
"Nicolas Mailhot" <nicolas.mailhot@laposte.net> Tue, 21 February 2012 09:00 UTC
Cc: squid3@treenet.co.nz, ietf-http-wg@w3.org, Jeff King <peff@peff.net>, git@vger.kernel.org, Daniel Stenberg <daniel@haxx.se>
On Sun, 19 February 2012 11:22, Nicolas Mailhot wrote:

> 511 is exactly what I need. I was not aware of it. Is it implemented in any
> browser yet? Where should I point the browser writers to get it implemented?
>
> http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt ?

I take that back. 511 is almost exactly what we need.

However, when I pointed the authors of some of the tools that pass through our proxy to it (curl, git), they told me they could not parse HTML code in their tools, so they really need a location (or similar) field containing the address of the authentication portal to communicate it to the user. Without this field, they can only stop with 'Network authentication is needed' instead of 'Please open <url> in your browser to proceed'.

http://article.gmane.org/gmane.comp.version-control.git/191085
http://article.gmane.org/gmane.comp.version-control.git/191087
http://article.gmane.org/gmane.comp.version-control.git/191086

(the nearest thing there is in the spec is the url in meta, but it's only in the example, not mandatory, and no one will write code for something they cannot be sure will exist)

We'd like to support those tools properly, as their users' previous clumsy attempts to navigate our current non-standard redirection method resulted in internal security investigations.

It is a problem in our setup as we only block some URLs (others are allowed transparently without auth), and we use several proxy farms in different physical sites (to avoid SPOFs). So just opening any url in a browser won't trigger an authentication request (the url may not be blocked, or the browser may pass through a gateway where the user IP is already authorized, while git/etc. tried to access through another one).

Could you please revise the error 511 definition to add such a field?

Regards,

-- 
Nicolas Mailhot
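
The fallback chain described in the message above, seen from a non-browser client, as an added example (not code from the original post, nor from curl or git). The `Location` lookup is hypothetical and stands in for the field the message requests; the sample body and `login.example.net` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body, in the meta-refresh style the message refers to.
SAMPLE_511_BODY = """<html><head>
<title>Network Authentication Required</title>
<meta http-equiv="refresh" content="0; url=https://login.example.net/">
</head><body><p>You need to authenticate.</p></body></html>"""


class _MetaRefresh(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.url = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or self.url or a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=https://portal/": keep what follows "url="
        _, _, rest = a.get("content", "").partition(";")
        key, _, value = rest.strip().partition("=")
        if key.strip().lower() == "url":
            self.url = value.strip().strip("'\"")


def _safe(url):
    """Accept only absolute http(s) URLs; the 511 comes from an untrusted hop."""
    if not url:
        return None
    parts = urlsplit(url.strip())
    return url.strip() if parts.scheme in ("http", "https") and parts.netloc else None


def portal_message(status, headers, body):
    """Return the text a CLI client would print, or None if status is not 511."""
    if status != 511:
        return None
    # Hypothetical: a header naming the portal, as requested in the message.
    url = _safe({k.lower(): v for k, v in headers.items()}.get("location"))
    if url is None:
        parser = _MetaRefresh()
        parser.feed(body)  # best effort: the meta tag is not mandatory
        url = _safe(parser.url)
    if url is None:
        return "Network authentication is needed"
    return f"Please open {url} in your browser to proceed"
```
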