Re: Alt-Svc + Proxy Pac

Ryan Hamilton <rch@google.com> Fri, 03 April 2015 20:53 UTC

On Fri, Apr 3, 2015 at 9:50 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Good question.
>
> I think that you put the original requested URL in and let the proxy
> worry about alt-svc compliance.
>
> The proxy is your overriding alternative.  That matches the logic in
> the case where the proxy.pac isn't present and you just have a
> hard-coded proxy that you send all requests to.
>
> Now, if the proxy.pac suggests that direct is acceptable, I think that
> makes it OK to (try to) use the alternative.  If you think of
> proxy.pac as a first level alternative selector, and alt-svc as a
> second-level one, I think that works.


I'm happy to do this, but I fear it's going to have problems. Let me lay
out an example and if everyone agrees to send in the request URL, I'm fine
with that.

Consider the following scenario. There are two servers, internal.example.com
and external.example.com. Inside the enterprise, access to resources outside
the firewall must go through a proxy, whereas resources inside the firewall
can go direct. That would lead to a .pac file like:

function FindProxyForURL(url, host) {
  if (host == "internal.example.com") {
    return "DIRECT";
  }
  return "PROXY proxy.example.com";
}


If Alt-Svc for internal says, 'Alt-Svc: h2="external.example.com:443"', then
the proxy will say, "Sure, go direct to http://internal.example.com/" but
then the browser will connect to external.example.com:443 and will avoid
the proxy and the request will hang. This seems a bit unfortunate, but it's
not clear that the alternative is much better, so I'm happy to do this, if
that's the consensus of the group.

Cheers,

Ryan
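
Added example, not part of the original message: the scenario above as runnable JavaScript, evaluating the .pac function once for the requested origin and once for the Alt-Svc endpoint and flagging the case where the two decisions differ. The helper names parseAltSvc and planConnection are hypothetical, and the parser handles only the single-entry Alt-Svc form quoted in the message.

```javascript
// The .pac function from the message above.
function FindProxyForURL(url, host) {
  if (host == "internal.example.com") {
    return "DIRECT";
  }
  return "PROXY proxy.example.com";
}

// Hypothetical helper: parse one Alt-Svc entry such as h2="host:443".
// An empty host (h2=":443") means "same host as the origin".
function parseAltSvc(value) {
  const m = /^\s*([^=\s]+)="([^":]*):(\d+)"\s*$/.exec(value);
  if (!m) return null;
  return { protocol: m[1], host: m[2], port: Number(m[3]) };
}

// Hypothetical helper: compare the PAC decision for the origin URL with the
// PAC decision for the endpoint the client would actually connect to.
function planConnection(originUrl, altSvcValue, pac) {
  const origin = new URL(originUrl);
  const pacForOrigin = pac(origin.href, origin.hostname);
  const alt = parseAltSvc(altSvcValue);
  if (!alt) {
    // No usable alternative: the client connects to the origin itself.
    return { endpoint: origin.host, pacForOrigin,
             pacForEndpoint: pacForOrigin, mismatch: false };
  }
  const altHost = alt.host || origin.hostname;
  const altUrl = `${origin.protocol}//${altHost}:${alt.port}${origin.pathname}`;
  const pacForEndpoint = pac(altUrl, altHost);
  return {
    endpoint: `${altHost}:${alt.port}`,
    pacForOrigin,
    pacForEndpoint,
    // true when the .pac file would have routed the real endpoint differently
    mismatch: pacForOrigin !== pacForEndpoint,
  };
}

// The case from the message: origin is internal, alternative is external.
const plan = planConnection("http://internal.example.com/",
                            'h2="external.example.com:443"',
                            FindProxyForURL);
console.log(plan);
```

A client or a log review can use the mismatch flag to decide whether to skip the alternative or to record that the connection left the path the .pac file prescribes for that host.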