From: Julian Reschke <julian.reschke@gmx.de>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: squid3@treenet.co.nz, ietf-http-wg@w3.org,
Jeff King <peff@peff.net>,
git@vger.kernel.org, Daniel Stenberg <daniel@haxx.se>
Subject: Re: HTTP error 511 [Was: Secure (https) proxy authentification]
Date: Tue, 21 Feb 2012 10:28:33 +0100 [thread overview]
Message-ID: <4F4363C1.90902@gmx.de> (raw)
In-Reply-To: <39d91a07ae0beb19a734e52496ab5700.squirrel@arekh.dyndns.org>
On 2012-02-21 09:58, Nicolas Mailhot wrote:
>
> Le Dim 19 février 2012 11:22, Nicolas Mailhot a écrit :
>
>> 511 is exactly what I need. I was not aware of it. Is it simplemented in any
>> browser yet? Where should I point the browser writers to get it implemented?
>>
>> http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt ?
>
> I take that back. 511 is almost exactly what we need. However, when I pointed
> the authors of some of the tools that pass through our proxy to it (curl, git)
> they told me they could not parse html code in their tools, so they really
> need a location (or similar) field containing the address of the
> authentication portal to communicate it to the user. Without this field, they
> can only stop with 'Network authentication is needed' instead of 'Please open
> <url> in your browser to proceed'.
Yes. The definition of status code 511 did not attempt to solve more
problems than that.
> http://article.gmane.org/gmane.comp.version-control.git/191085
> http://article.gmane.org/gmane.comp.version-control.git/191087
> http://article.gmane.org/gmane.comp.version-control.git/191086
>
> (the nearest thing there is in the spec is the url in meta, but it's only in
> the example, not mandatory, and no one will write code for something they can
> not be sure will exist)
>
> We'd like to support those tools properly as their users' previous clumsy
> attempts to navigate our current non-standard redirection method resulted in
> internal security investigations.
>
> It is a problem in our setup as we only block some URLs (others are allowed
> transparently without auth), and we use several proxy farms in different
> physical sites (to avoid spofs). So just opening any url in a browser won't
> trigger an authentication request (the url may not be blocked, or the browser
> may pass through a gateway where the user IP is already authorized, while
> git/etc tried to access through another one).
>
> Could you please revise the error 511 definition to add such a field ?
The specification has already been approved, so it's too late to make
more than editorial changes.
Best regards, Julian
next prev parent reply other threads:[~2012-02-21 9:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <009e3177ab4b0f3de7ea47fa17118458.squirrel@arekh.dyndns.org>
[not found] ` <689660A9-8EAD-4EE6-8B4D-401E73F13941@bblfish.net>
[not found] ` <4ec05cf797322715a960743aeec0a48b.squirrel@arekh.dyndns.org>
2012-02-21 8:58 ` HTTP error 511 [Was: Secure (https) proxy authentification] Nicolas Mailhot
2012-02-21 9:28 ` Julian Reschke [this message]
2012-02-21 9:44 ` Nicolas Mailhot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F4363C1.90902@gmx.de \
--to=julian.reschke@gmx.de \
--cc=daniel@haxx.se \
--cc=git@vger.kernel.org \
--cc=ietf-http-wg@w3.org \
--cc=nicolas.mailhot@laposte.net \
--cc=peff@peff.net \
--cc=squid3@treenet.co.nz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.