From: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
To: "Jeff King" <peff@peff.net>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, git@vger.kernel.org
Subject: Re: Handle HTTP error 511 Network Authentication Required (standard secure proxy authentification/captive portal detection)
Date: Mon, 20 Feb 2012 19:27:08 +0100 [thread overview]
Message-ID: <cb81840f853a1d43a7da03ea24c86445.squirrel@arekh.dyndns.org> (raw)
In-Reply-To: <20120220154452.GA27456@sigill.intra.peff.net>
Le Lun 20 février 2012 16:44, Jeff King a écrit :
> In my experience, the captive portal process usually goes like this:
>
> 1. Connect to network.
>
> 2. Try some non-browser command. Wonder why in the world it isn't
> working.
>
> 3. Open a browser and say "Ah, I see. A captive portal".
>
> The 511 proposal makes step 2 a lot better if the protocol is http[1].
> But it pretty much makes it better even without non-browser client
> support, because at least you will get a 511 error instead of having git
> complain that the remote repository is corrupted (which happens if the
> captive portal returns a redirect to an html page).
>
> We should already be doing that. Adding more support could make step 3 a
> little nicer, but like I said, I'd be more interested in seeing a real
> case first. It may even be a feature that would be more appropriate to
> curl (which git builds on for http access).
Step 3 is a quite less obvious on a corporate network, where Internet access
is gated by a filtering proxy, that will let some sites pass transparently but
require credentials to let you access others. Worst case, there are several
load-balanced gateways on different physical sites (to avoid spofs in case of
planes falling on the wrong place), that do not share authentication (because
propagating auth across physical sites is hard). So no, just launching a
browser is not sufficient to find the captive portal, you need to actually
access the URL returned by error 511 in meta information. Git should at
minimum report this URL.
(and no this is not an hypothetical scenario and yes there are git users
trying to pass the gateways there)
--
Nicolas Mailhot
next prev parent reply other threads:[~2012-02-20 18:27 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-19 21:03 Handle HTTP error 511 Network Authentication Required (standard secure proxy authentification/captive portal detection) Nicolas Mailhot
2012-02-20 1:06 ` Jeff King
2012-02-20 5:38 ` Nicolas Mailhot
2012-02-20 13:56 ` Jeff King
2012-02-20 15:34 ` Nicolas Mailhot
2012-02-20 15:44 ` Jeff King
2012-02-20 18:27 ` Nicolas Mailhot [this message]
2012-02-20 19:15 ` Jeff King
2012-02-20 19:24 ` Nicolas Mailhot
2012-02-20 19:30 ` Jeff King
2012-02-20 19:51 ` Nicolas Mailhot
2012-02-20 19:06 ` Daniel Stenberg
2012-02-20 19:09 ` Jeff King
2012-02-20 20:16 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cb81840f853a1d43a7da03ea24c86445.squirrel@arekh.dyndns.org \
--to=nicolas.mailhot@laposte.net \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).