Changeset 1061 for draft-ietf-httpbis/latest/p2-semantics.xml
- Timestamp: 27/10/10 00:13:12 (12 years ago)
- File: 1 edited
draft-ietf-httpbis/latest/p2-semantics.xml
r1058 r1061 377 377 <figure><!--Part1--><artwork type="abnf2616"> 378 378 <x:ref>absolute-URI</x:ref> = <absolute-URI, defined in &uri;> 379 <x:ref>authority</x:ref> = <authority, defined in &uri;> 379 380 <x:ref>comment</x:ref> = <comment, defined in &header-fields;> 380 381 <x:ref>Host</x:ref> = <Host, defined in &uri;> … … 1143 1144 <iref primary="true" item="Methods" subitem="CONNECT" x:for-anchor=""/> 1144 1145 <t> 1145 This specification reserves the method name CONNECT for use with a 1146 proxy that can dynamically switch to being a tunnel (e.g., SSL 1147 tunneling <xref target="RFC2817"/>). 1148 </t> 1146 The CONNECT method is used with a proxy to dynamically switch 1147 the connection to a tunnel. 1148 </t> 1149 <t> 1150 When using CONNECT, the request-target &MUST; be an authority; i.e., 1151 the host name and port number destination of the requested connection 1152 separated by a colon: 1153 </t> 1154 1155 <figure><artwork type="example"> 1156 CONNECT server.example.com:80 HTTP/1.1 1157 Host: server.example.com:80 1158 </artwork></figure> 1159 1160 <t> 1161 Other HTTP mechanisms can be used normally with the CONNECT method -- 1162 except end-to-end protocol Upgrade requests, since the 1163 tunnel must be established first. 1164 </t> 1165 <t> 1166 For example, proxy authentication might be used to establish the 1167 authority to create a tunnel: 1168 </t> 1169 1170 <figure><artwork type="example"> 1171 CONNECT server.example.com:80 HTTP/1.1 1172 Host: server.example.com:80 1173 Proxy-Authorization: basic aGVsbG86d29ybGQ= 1174 </artwork></figure> 1175 1176 <t> 1177 Like any other pipelined HTTP/1.1 request, data to be tunnel may be 1178 sent immediately after the blank line. The usual caveats also apply: 1179 data may be discarded if the eventual response is negative, and the 1180 connection may be reset with no response if more than one TCP segment 1181 is outstanding. 
1182 </t> 1183 1184 <section title="Establishing a Tunnel with CONNECT"> 1185 <t> 1186 Any successful (2xx) response to a CONNECT request indicates that the 1187 proxy has established a connection to the requested host and port, 1188 and has switched to tunneling the current connection to that server 1189 connection. 1190 </t> 1191 <t> 1192 It may be the case that the proxy itself can only reach the requested 1193 origin server through another proxy. In this case, the first proxy 1194 &SHOULD; make a CONNECT request of that next proxy, requesting a tunnel 1195 to the authority. A proxy &MUST-NOT; respond with any 2xx status code 1196 unless it has either a direct or tunnel connection established to the 1197 authority. 1198 </t> 1199 <t> 1200 An origin server which receives a CONNECT request for itself &MAY; 1201 respond with a 2xx status code to indicate that a connection is 1202 established. 1203 </t> 1204 <t> 1205 If at any point either one of the peers gets disconnected, any 1206 outstanding data that came from that peer will be passed to the other 1207 one, and after that also the other connection will be terminated by 1208 the proxy. If there is outstanding data to that peer undelivered, 1209 that data will be discarded. 1210 </t> 1211 1212 </section> 1149 1213 </section> 1150 1214 </section> … … 2844 2908 said organizations to make sure that they do not attempt to 2845 2909 invalidate resources over which they have no authority. 2910 </t> 2911 </section> 2912 2913 <section title="Security Considerations for CONNECT"> 2914 <t> 2915 Since tunneled data is opaque to the proxy, there are additional 2916 risks to tunneling to other well-known or reserved ports. 2917 A HTTP client CONNECTing to port 25 could relay spam 2918 via SMTP, for example. As such, proxies &SHOULD; restrict CONNECT 2919 access to a small number of known ports. 
2846 2920 </t> 2847 2921 </section> … … 3915 3989 "205 Bodies" 3916 3990 </t> 3991 <t> 3992 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/239"/>: 3993 "Migrate CONNECT from RFC2817 to p2" 3994 </t> 3917 3995 </list> 3918 3996 </t>
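Review bot: In the CONNECT hunk (new lines 1177-1181), "data to be tunnel may be sent immediately after the blank line" has a typo ("tunnel" should be "tunneled") and uses lowercase "may" in a draft that otherwise marks requirements with &MUST;, &SHOULD; and &MAY;, so it is unclear whether the early-data behaviour is normative. The sentence "data may be discarded if the eventual response is negative" also leaves open what a proxy does with bytes that arrive before it answers, for instance after it rejects the Proxy-Authorization shown in the example. Suggest fixing the typo and stating explicitly, with the requirement entities, how a proxy treats data received ahead of a non-2xx response.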
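Review bot: In the "Establishing a Tunnel with CONNECT" section (new lines 1205-1209), the disconnect paragraph describes proxy behaviour only in descriptive terms ("will be passed", "will be terminated", "will be discarded"), while the preceding paragraphs use &SHOULD; and &MUST-NOT;. If teardown is meant to be a requirement on the proxy, mark it as one; if it is informative, say so. The new prose at 1150 also says the request-target &MUST; be "an authority" without an x:ref to the authority rule that the first hunk imports at line 379, so the link between the requirement and the ABNF is not visible in the text.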
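Review bot: In the "Security Considerations for CONNECT" hunk (new lines 2915-2919), "proxies &SHOULD; restrict CONNECT access to a small number of known ports" gives an implementer nothing concrete to configure: no ports are named and nothing says how a proxy answers a CONNECT to a port it refuses. Suggest either listing the intended ports or stating that the permitted set is a matter of local policy with a default-deny stance, and naming the response for a refused request. Also, "A HTTP client" should read "An HTTP client", and "other well-known or reserved ports" has no antecedent for "other" in this section.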