httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Sat, 14 Dec 2013 09:25:00 GMT
On 14.12.2013 09:36, William A. Rowe Jr. wrote:
> I beg to differ.  We are left with a question of whether you are
> responsible to defend the current behavior, or whether I can simply
> rely on RFC2817 to document that you are wrong,

RFC 2817 is irrelevant in the context of https: URIs (see its abstract
and section 8.1).

> or whether I'm 
> instead responsible to identify user-agent by user-agent those which
> comply with RFC2817's examples.

I don't think that any remotely common browser is doing RFC2817-style
requests these days (neither is mod_ssl doing in client mode, when
proxying SSL requests). See also section 8.1 for the can of worms this
potentially opens up when "'http' [were used] to identify both secure
and non-secure resources").

> So how do you want to do this, or
> would you like to return to a discussion of ProxyPass in the forward
> proxy context?

ProxyPass is not involved in the SSL forward proxy case at all, as I
already tried to point out. Just unload mod_proxy_http and mod_ssl from
the configuration, and you'll find that forward proxying https://
requests continues to work perfectly, i.e. is completely unaffected by
any code in these two modules (mod_proxy_connect is all it takes).

Kaspar

Mime
View raw message