[squid-users] FW: Encrypted browser-Squid connection errors
squid3 at treenet.co.nz
squid3 at treenet.co.nz
Wed Nov 2 00:27:02 UTC 2022
On 2022-11-02 09:03, Grant Taylor wrote:
> On 11/1/22 1:24 PM, squid3 wrote:
>> No I meant W3C. Back in the before times things were a bit messy.
>
> Hum. I have more questions than answers. I'm not aware of W3C ever
> assigning ports. I thought it was /always/ IANA.
>
>> Indeed, thus we cannot register it with IEFT/IANA now. The IANA
>> http-alt port would probably be best if we did go official.
>
> ACK
>
>> You see my point I hope. A gateway proxy that returns an error to
>> *every* request is not very good.
>
> Except it's not "/ever/ /request/" It's "/every/ /request/ /of/ /a/
> /specific/ /type/" where type is an HTTP version.
>
No, you cropped my use-case description. It specified a client which was
*unaware* that it was talking to a forward-proxy. Such a client will
send requests that only a reverse-proxy or origin server can handle
properly - because they have explicit special configuration to do so.
In all proxying cases there is special configuration somewhere. For
forward-proxy it is in the client (or its OS so-called "default"), for
reverse-proxy it is in the proxy, for interception-proxy it is in both
the network and the proxy.
> What does CloudFlare or any of the other big proxy services or even
> other proxy applications do if you send them an HTTP/1.0 or even
> HTTP/0.9 request without the associated Host: header?
>
The working ones deliver an HTTP/1.1 302 redirect to their companies
homepage if the request came from outside the company LAN. If the
request came from an administrators machine it may respond with stats
data about the node being probed.
>> There is no "configured proxy" for this use-case.
>>
>> Those are the two most/extremely common instances of the problematic
>> use-cases. All implicit use of proxy (or gateway) have the same issue.
>
> How common is the (network) transparent / intercepting / implicit use
> of Squid (or any proxy for that matter)?
>
> All of the installs that I've worked on (both as a user and as an
> administrator) have been explicit / non-transparent.
>
Almost all the installs I have worked on had interception as part of
their configuration. It is officially recommended to include
interception as a backup to explicit forward-proxy for networks needing
full traffic control and/or monitoring.
I take it from your statement you have not worked on networks like
web-cafes, airports, schools, hospitals, public shopping malls who all
use captive portal systems, or high-security institutions capturing
traffic for personnel activity audits.
There are also at least a half dozen nation states with national
firewalls doing traffic monitoring and censorship. At least 3 of the
ones I know of use Squid's for the HTTP portion.
>> I think you are getting stuck with the subtle difference between "use
>> for case X" and "use by default".
>>
>> ANY port number can be used for *some* use-case(s).
>
> Sure.
>
>> "by default" has to work for *all* use-cases.
>
> I disagree.
>
ACK. That is you. I am coming at this from the maintainer viewpoint
where the entire community's needs have to be balanced.
>> Note that you are now having to add a non-default port "8080" and path
>> "/" to the URL to make it valid/accepted by the Browser.
>
> You were already specifying the non-default-http port via the
> "http-alt://" scheme in your example.
>
And you were specifying the non-default-'http-alt' port via the
"http://" scheme in yours.
Either way these are two different HTTP syntax with different "default
port" values.
An agent supporting the http:// URL treats it as a request for some
resource at the HTTP origin server indicated by the URL authority part
or Host header.
An agent supporting the http-alt:// URL treats it as a request to
forward-proxy the request-target specified in the URL query segment,
using the upstream proxy indicated by the URL authority part or Host
header.
>> Clients speaking HTTP origin-form (the http:// scheme) are not
>> permitted to request tunnels or equivalent gateway services. They can
>> only ask for resource representations.
>
> I question the veracity of that. Mostly around said client's use of an
> explicit proxy.
>
It is clear side-effect of the fact that tunnels cannot be opened by
requesting an origin-form URL (eg "/index.html"). They require an
authority-form URI (eg "example.com:80").
See https://www.rfc-editor.org/rfc/rfc9110.html#name-intermediaries for
definitions of intermediary and role scopes.
Note that it explicitly says (requires) absolute-URI for "proxy" (aka
forward-proxy) intermediaries. Clients do not speak origin-form to
explicit proxies.
[yes I know the first paragraph says an intermediary may switch
behaviour based on just the request, that is for HTTP/2+. Squid being
1.1 is more restricted by the legacy issues].
>> Port is just a number, it can be anything *IF* it is made explicit.
>> The scheme determines what protocol syntax is being spoken and thus
>> what restrictions and/or requirements are.
>>
>> ... and so the protocol for talking to a webcache service is
>> http-alt://.
>> Whose default port is not 80 nor 443 for all the same reasons why
>> Squid default listening port is 3128.
>>
>> If we wanted to we could easily switch Squid default port to
>> http-alt/8080 without causing technical issues. But it would be
>> annoying to update all the existing documentation around the Internet,
>> so not worth the effort changing now.
>>
>> Ditto. Though the legacy install base has a long long long tail. 26
>> years after HTTP/1.0 came out and HTTP/0.9 still has use-cases alive.
>
> Where is HTTP/0.9 still being used?
The ones I am aware of are:
* HTTP software testing and development
* IoT sensor polling
* printer network bootstrapping
* manufacturing controller management
* network stability monitoring systems
>
>> Decreasing, but still a potentially significant amount of traffic seen
>> by Squid in general.
>
> Can you, or anyone else, quantify what "a potentially significant
> amount of traffic" is?
>
I doubt anyone can quantify it accurately. But worldwide use of HTTP/1.1
is also dropping, and at a faster rate than 0.9/1.0 right now as the
more efficient HTTP/2+ expand.
> Do these cases *really* /need/ to be covered by the /default/
> configuration? Or can they be addressed by a variation from the
> default configuration?
HTTP/1.1 specification requires semantic compatibility. So long as 1.1
is still a thing the older versions are likely to remain as well.
Undesirable as that may be.
Cheers
Amos
More information about the squid-users
mailing list