[clug] Using mod_proxy_connect for imaps

Andrew Over andrew.over at cs.anu.edu.au
Fri Sep 17 05:30:27 GMT 2004


On Fri, Sep 17, 2004 at 03:02:30PM +1000, Edward C. Lang wrote:

> I was horribly confused by section in the HTTP1.1 RFC which describes 
> the CONNECT request method: "This specification reserves the method name 
> CONNECT for use with a proxy that can dynamically switch to being a 
> tunnel". Riiight. That, combined with the apache2 documentation for 
> mod_proxy_connect, made me a sad panda.

It's actually not as scary as you think [1].  The reason they refer to it as
"dynamically switch(ing) to being a tunnel" is that CONNECT is (typically)
used exclusively for HTTPS.

With HTTP a proxy will interpret your request, (typically) search for it in
its local cache, fetch if necessary, then forward you the data.

With HTTPS, this is not at all appropriate.  Due to the whole signed
certificate thing (certificate must match domain and be signed by a CA),
and also because you don't want some random proxy reading your bank
balance, when proxying HTTPS, the proxy just connects to the remote end,
responds ok, starts forwarding bytes, then gets out of the way.  An SSL
connection between you and the proxy (with the proxy making another to the
remote server) is identical to a man-in-the-middle attack, and will make
for many more sad pandas.  This is why it tunnels.

So you pretty much have (protocol stuff from memory):

web browser : connect to proxy
web browser : send "CONNECT www.foo.com 443 HTTP/1.1\r\n\r\n" to proxy
proxy       : connect to www.foo.com:443
proxy       : send "200 OK\r\n" to web browser
proxy       : begin forwarding web browser <-> www.foo.com

Once you reach that final stage, all the proxy is doing is tunnelling data
between two endpoints.

Anyway, hopefully that was somewhat more coherent than an RFC.
--Andrew

[1] At least when dealing with standards compliant proxies...
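The exchange Andrew lays out above, played end to end as an added example (this is not code from the original post, from Apache or from mod_proxy_connect): a minimal CONNECT proxy that checks the target port, dials the target, answers with a full HTTP status line and then copies bytes blindly in both directions, plus the client side that sends "CONNECT host:port HTTP/1.1" and, once it has the 200, talks IMAP straight through the tunnel. The IMAP end is a constructed plain-text stand-in so the whole thing runs offline (a real imaps server would speak TLS, which is exactly why the proxy cannot look inside). The port allow list is an assumption standing in for the role Apache's AllowCONNECT plays; Apache's default covers 443 and 563, so tunnelling imaps means adding 993. All names and ports are chosen for the demo.

```python
import contextlib
import socket
import threading

# Stand-in for Apache's AllowCONNECT (default: 443 and 563; imaps needs 993 added).
# This set is an assumption for the demo, not mod_proxy_connect's own code.
DEFAULT_ALLOWED_PORTS = {443, 563, 993}

def parse_connect(request_line):
    """Parse b'CONNECT host:port HTTP/1.x'; return (host, port) or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)

def recv_until(sock, marker, buf=b""):
    """Read until marker (or EOF); return (bytes through marker, leftover bytes)."""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf, b""
        buf += chunk
    head, _, rest = buf.partition(marker)
    return head + marker, rest

def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on. Nothing is inspected."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_connect(client, allowed=DEFAULT_ALLOWED_PORTS):
    """Proxy side: check the CONNECT, dial the target, answer 200, become a pipe."""
    headers, leftover = recv_until(client, b"\r\n\r\n")
    target = parse_connect(headers.split(b"\r\n", 1)[0])
    if target is None or target[1] not in allowed:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n" if target else b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        client.close()
        return
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    with client, upstream:  # both sockets close once the tunnel drains
        if leftover:  # bytes the client sent right behind its headers belong to the tunnel
            upstream.sendall(leftover)
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()

def serve(listener, allowed, count):
    """Accept `count` clients and hand each to handle_connect on its own thread."""
    for _ in range(count):
        client, _ = listener.accept()
        threading.Thread(target=handle_connect, args=(client, allowed), daemon=True).start()

def fake_imap_server(listener):
    """Constructed target: greet, answer one tagged command, hang up (plain text, offline)."""
    conn, _ = listener.accept()
    conn.sendall(b"* OK IMAP4rev1 ready\r\n")
    tag = conn.recv(4096).split(b" ", 1)[0]
    conn.sendall(tag + b" OK CAPABILITY completed\r\n")
    conn.close()

def connect_via_proxy(proxy_port, host, port):
    """Client side: send the CONNECT request; return (socket, proxy status line, leftover)."""
    c = socket.create_connection(("127.0.0.1", proxy_port))
    c.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host.encode(), port, host.encode(), port))
    reply, rest = recv_until(c, b"\r\n\r\n")
    return c, reply.split(b"\r\n", 1)[0], rest

def run_demo():
    target = socket.create_server(("127.0.0.1", 0))
    tport = target.getsockname()[1]
    threading.Thread(target=fake_imap_server, args=(target,), daemon=True).start()
    proxy = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve, args=(proxy, {tport}, 2), daemon=True).start()
    pport = proxy.getsockname()[1]
    # Allowed port: the tunnel comes up and IMAP flows through untouched.
    c, status, rest = connect_via_proxy(pport, "127.0.0.1", tport)
    greeting, rest = recv_until(c, b"\r\n", rest)
    c.sendall(b"a001 CAPABILITY\r\n")
    answer, _ = recv_until(c, b"\r\n", rest)
    c.close()
    # Port outside the allow list: refused before anything is dialled.
    d, denied, _ = connect_via_proxy(pport, "127.0.0.1", tport + 1)
    d.close()
    proxy.close()
    target.close()
    return status, greeting, answer, denied
```

Calling run_demo() returns the proxy's status line for the allowed port, the IMAP greeting and reply that came back through the tunnel, and the 403 for the refused port. Because the proxy forwards bytes blind once it has said 200, the check before dialling is its only control point: which clients may ask, and which host:port they may reach. A CONNECT proxy with no such restriction is a general-purpose TCP relay to anything its network can see, which is why Apache ships with AllowCONNECT limited to 443 and 563 and why opening 993 for imaps should be a deliberate, narrow change.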