From: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
To: "Jeff King" <peff@peff.net>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, git@vger.kernel.org
Subject: Re: Handle HTTP error 511 Network Authentication Required (standard secure proxy authentification/captive portal detection)
Date: Mon, 20 Feb 2012 20:24:15 +0100 [thread overview]
Message-ID: <72fbd4155349723da1c3c503c1c9c620.squirrel@arekh.dyndns.org> (raw)
In-Reply-To: <20120220191500.GA29228@sigill.intra.peff.net>
Le Lun 20 février 2012 20:15, Jeff King a écrit :
> On Mon, Feb 20, 2012 at 07:27:08PM +0100, Nicolas Mailhot wrote:
>
>> Step 3 is a quite less obvious on a corporate network, where Internet access
>> is gated by a filtering proxy, that will let some sites pass transparently
>> but
>> require credentials to let you access others. Worst case, there are several
>> load-balanced gateways on different physical sites (to avoid spofs in case
>> of
>> planes falling on the wrong place), that do not share authentication
>> (because
>> propagating auth across physical sites is hard). So no, just launching a
>> browser is not sufficient to find the captive portal, you need to actually
>> access the URL returned by error 511 in meta information. Git should at
>> minimum report this URL.
>>
>> (and no this is not an hypothetical scenario and yes there are git users
>> trying to pass the gateways there)
>
> This is exactly the sort of information I wanted to get from a
> real-world scenario. From your initial messages, it sounded like a
> purely hypothetical thing.
>
> I think a good first step would be improving the error message for a
> 511, then. Unfortunately, it seems from the rfc draft you sent that
> callers are expected to parse the link out of the HTML given in the body
> of the response. It seems silly that there is not a Location field
> associated with a 511, similar to redirects.
The URL is not lost in the HTML text, it's in the url meta field
<meta http-equiv="refresh"
content="0; url=https://login.example.net/">
As for while there is no Location field, I think it's because otherwise it
could behave like a redirect, and browser people made it plain they didn't
want redirects of https accesses (but I wasn't there when the spec was
written, and only skimmed the workgroup archives, so there may have been other
reasons for this choice. I'm pretty sure it's deliberate anyway).
Regards,
--
Nicolas Mailhot
next prev parent reply other threads:[~2012-02-20 19:24 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-19 21:03 Handle HTTP error 511 Network Authentication Required (standard secure proxy authentification/captive portal detection) Nicolas Mailhot
2012-02-20 1:06 ` Jeff King
2012-02-20 5:38 ` Nicolas Mailhot
2012-02-20 13:56 ` Jeff King
2012-02-20 15:34 ` Nicolas Mailhot
2012-02-20 15:44 ` Jeff King
2012-02-20 18:27 ` Nicolas Mailhot
2012-02-20 19:15 ` Jeff King
2012-02-20 19:24 ` Nicolas Mailhot [this message]
2012-02-20 19:30 ` Jeff King
2012-02-20 19:51 ` Nicolas Mailhot
2012-02-20 19:06 ` Daniel Stenberg
2012-02-20 19:09 ` Jeff King
2012-02-20 20:16 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=72fbd4155349723da1c3c503c1c9c620.squirrel@arekh.dyndns.org \
--to=nicolas.mailhot@laposte.net \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).