Re: New Version Notification for draft-nottingham-proxy-explanation-00.txt
"Thomas Mangin" <thomas.mangin@exa-networks.co.uk> Mon, 29 February 2016 19:37 UTC
From: Thomas Mangin <thomas.mangin@exa-networks.co.uk>
To: HTTP WG <ietf-http-wg@w3.org>
Date: Mon, 29 Feb 2016 19:32:00 +0000
Message-ID: <BA2DAF1B-723D-47B0-94D1-7913BD1CA5F8@exa-networks.co.uk>
In-Reply-To: <56F7C2DF-06AA-477C-8515-C152CC3A56A4@mnot.net>
References: <20160217003812.7831.6278.idtracker@ietfa.amsl.com> <56F7C2DF-06AA-477C-8515-C152CC3A56A4@mnot.net>
> FYI - would be interested in what people thought, as I know some folks
> have this problem.

Hi Mark,

I am interested. To explain our predicament:

My business provides content filtering for schools. In the UK, schools have a legal obligation to protect children from ‘harmful’ content, so content filtering is not going to go away.

Historically, DNAT’ing port 80 to a filtering proxy farm and blocking port 443 was enough: the primary concern of schools is to stop children from accessing adult material, games and social media sites. Nowadays most of the educational content is under HTTPS and the main worry is radicalisation. In order to do so, a school can decide to perform SSL decapsulation. We offer this solution through the installation of a local firewall/proxy, which is fine for secondary schools but quite expensive for primaries, who prefer to use ‘cloud’ services (primary teachers are not very IT literate and do not have an IT department).

Therefore many schools do block port 80/443 and only allow traffic to our proxy servers, or use AD to force the use of the proxy. While it does not allow some of the most advanced features we provide (like, for example, checking search queries for self-harm terms, as the full URL is not available), we can still block pages on a per-host basis.

(I am happy to debate elsewhere why we decided not to offer SSL decapsulation ‘in the cloud’ at this point, and therefore why we rely on a ‘CONNECT’ based solution - just bring your lawyer to it :p)

So currently, when a site is identified as ‘not for educational use’ (what is or is not deemed educational is under the control of the school), our only way to prevent the page from loading is to completely kill the TCP connection after the inspection of the Host field in the CONNECT message. However, on a regular basis a site will be blocked due to an over-zealous policy or simply a wrong categorisation for a site.

Currently, our customers have no way to know if the ‘network error’ the browser is reporting is due to a genuine issue or a policy enforcement. Browser implementation of this draft would end this user confusion.

Our own proxy (you could call it a ‘software defined http gateway’) is already capable of using it. A modified version of our code (which is open source) implements the draft (returning the new response). You can have a look :-)

  # git clone git@github.com:thomas-mangin/exaproxy.git
  # cd exaproxy
  # env exaproxy.http.connections=100 exaproxy.tls.enable=false exaproxy.security.connect=80 exaproxy.redirector.enable=true exaproxy.redirector.program=etc/exaproxy/redirector/icap-deny-proxy-explanation exaproxy.redirector.protocol='icap://' ./sbin/exaproxy

This instance will refuse ANY connection to any site, returning a 403 page with an application/proxy-explanation+json payload. You can test it by running the following test script:

  # ./QA/test/connect-http-google-proxy-explanation

Sincerely,

Thomas
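As an added illustration (not ExaProxy's code and not part of the mail above): a minimal decision routine for a CONNECT gateway of the kind described, which parses the authority form of the CONNECT request and answers a blocked host with 403 and an application/proxy-explanation+json body instead of resetting the TCP connection, so a browser can tell policy from a network fault. The blocked-host table and the JSON member names are constructed assumptions; the draft's own schema should be consulted for the real member names.

```python
import json

# Constructed policy table standing in for the school-controlled category list
# in the mail; the hosts are illustrative, not real categorisation data.
BLOCKED = {
    "social.example": "social media",
    "games.example": "games",
}

EXPLANATION_TYPE = "application/proxy-explanation+json"


def parse_connect(request_line):
    """Return (host, port) from a CONNECT authority-form request line, else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    authority = parts[1]
    if authority.startswith("["):            # IPv6 literal, e.g. [2001:db8::1]:443
        host, _, rest = authority[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else "443"
    else:
        host, _, port = authority.rpartition(":")
        if not host:                         # no port given, default to 443
            host, port = port, "443"
    if not host or not port.isdigit():
        return None
    return host.lower(), int(port)


def decide(request_line):
    """Return (status, headers, body) the gateway sends before tunnelling.

    200 means the tunnel is established; 403 carries the explanation payload
    in place of the bare TCP reset the mail describes as the current behaviour.
    """
    parsed = parse_connect(request_line)
    if parsed is None:
        return 400, {}, b""
    host, port = parsed
    category = BLOCKED.get(host)
    if category is None:
        return 200, {}, b""
    # Member names are assumed for illustration only, not taken from the draft.
    explanation = {"host": host, "port": port, "category": category,
                   "reason": "blocked by school policy"}
    body = json.dumps(explanation).encode()
    headers = {"Content-Type": EXPLANATION_TYPE, "Content-Length": str(len(body))}
    return 403, headers, body
```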