Re: [RFC] 511 on auth for intercepted traffic

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 01 May 2012 09:18:00 -0600

On 04/30/2012 04:39 PM, Amos Jeffries wrote:
> Given that the extension status code 511 is now an official code
> (http://www.rfc-editor.org/rfc/rfc6585.txt), how do we all feel about
> causing it to be emitted whenever an intercepted request is configured
> to require proxy_auth satisfaction for ACLs?
> That would be for all TPROXY, NAT, and SSL-bump intercepted requests.
>
>
> Pros:
> * Coupled with our discussed alterations to how and when proxy_auth
> operate this would simplify the proxy_auth handling a bit by erasing the
> maybe-skip cases.
> * as UA software gets updated it should allow proxy-auth to operate
> better in more situations.
> * uses a 5XX so the client does not retry on failures.
>
> Cons:
> * user pain as configs which were silently ignoring the auth failures
> start to produce 511. (auth_param option to enable/disable?)

Hi Amos,

    I am not an expert on this, but if incorrect configurations can be
fixed, we should not add one more option, but should explain how a
correct configuration should be written.

If incorrect configurations cannot be fixed or correct configurations
are not supported (due to authentication problems discussed elsewhere),
we should focus on that before causing user pains.

HTH,

Alex.
Received on Tue May 01 2012 - 15:18:04 MDT
