Timestamp:
Oct 26, 2010, 5:13:12 PM (9 years ago)
Author:
mnot@…
Message:

Move CONNECT text from RFC2817; fixes #239.

File:
1 edited

  • draft-ietf-httpbis/latest/p2-semantics.xml

    r1058 r1061  
    377377<figure><!--Part1--><artwork type="abnf2616">
    378378  <x:ref>absolute-URI</x:ref>  = &lt;absolute-URI, defined in &uri;&gt;
     379  <x:ref>authority</x:ref>     = &lt;authority, defined in &uri;&gt;
    379380  <x:ref>comment</x:ref>       = &lt;comment, defined in &header-fields;&gt;
    380381  <x:ref>Host</x:ref>          = &lt;Host, defined in &uri;&gt;
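Review bot: The imported authority rule (new line 379) is wider than what the CONNECT text added later in this changeset asks for. That text describes the request-target as "the host name and port number destination of the requested connection separated by a colon", while the URI authority production also permits a userinfo component and an omitted port. Consider stating in the CONNECT section that userinfo is not allowed and that the port is required, or defining a narrower rule for the CONNECT request-target, so that proxies do not have to guess how to treat a target that lacks a port.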
     
    11431144  <iref primary="true" item="Methods" subitem="CONNECT" x:for-anchor=""/>
    11441145<t>
    1145    This specification reserves the method name CONNECT for use with a
    1146    proxy that can dynamically switch to being a tunnel (e.g., SSL
    1147    tunneling <xref target="RFC2817"/>).
    1148 </t>
     1146   The CONNECT method is used with a proxy to dynamically switch
     1147   the connection to a tunnel.
     1148</t>
     1149<t>
     1150   When using CONNECT, the request-target &MUST; be an authority; i.e.,
     1151   the host name and port number destination of the requested connection
     1152   separated by a colon:
     1153</t>
     1154
     1155<figure><artwork type="example">
     1156    CONNECT server.example.com:80 HTTP/1.1
     1157    Host: server.example.com:80
     1158</artwork></figure>
     1159
     1160<t>
     1161   Other HTTP mechanisms can be used normally with the CONNECT method --
     1162   except end-to-end protocol Upgrade requests, since the
     1163   tunnel must be established first.
     1164</t>
     1165<t>
     1166   For example, proxy authentication might be used to establish the
     1167   authority to create a tunnel:
     1168</t>
     1169
     1170<figure><artwork type="example">
     1171    CONNECT server.example.com:80 HTTP/1.1
     1172    Host: server.example.com:80
     1173    Proxy-Authorization: basic aGVsbG86d29ybGQ=
     1174</artwork></figure>
     1175
     1176<t>
     1177   Like any other pipelined HTTP/1.1 request, data to be tunnel may be
     1178   sent immediately after the blank line. The usual caveats also apply:
     1179   data may be discarded if the eventual response is negative, and the
     1180   connection may be reset with no response if more than one TCP segment
     1181   is outstanding.
     1182</t>
     1183
     1184<section title="Establishing a Tunnel with CONNECT">
     1185<t>
     1186   Any successful (2xx) response to a CONNECT request indicates that the
     1187   proxy has established a connection to the requested host and port,
     1188   and has switched to tunneling the current connection to that server
     1189   connection.
     1190</t>
     1191<t>
     1192   It may be the case that the proxy itself can only reach the requested
     1193   origin server through another proxy.  In this case, the first proxy
     1194   &SHOULD; make a CONNECT request of that next proxy, requesting a tunnel
     1195   to the authority.  A proxy &MUST-NOT; respond with any 2xx status code
     1196   unless it has either a direct or tunnel connection established to the
     1197   authority.
     1198</t>
     1199<t>
     1200   An origin server which receives a CONNECT request for itself &MAY;
     1201   respond with a 2xx status code to indicate that a connection is
     1202   established.
     1203</t>
     1204<t>
     1205   If at any point either one of the peers gets disconnected, any
     1206   outstanding data that came from that peer will be passed to the other
     1207   one, and after that also the other connection will be terminated by
     1208   the proxy. If there is outstanding data to that peer undelivered,
     1209   that data will be discarded.
     1210</t>
     1211
     1212</section>
    11491213</section>
    11501214</section>
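Review bot: In the pipelining paragraph (new lines 1177-1181), "data to be tunnel" should read "data to be tunneled", and the three lowercase "may"s sit among paragraphs that use &MUST;, &SHOULD; and &MAY;, so it is unclear whether this paragraph is meant to be normative. Suggest either using the entities or rewording with "can" or "might", as line 1166 already does; the same applies to "It may be the case" at 1192. It would also help to say what a client should expect from a non-2xx response, since the new section only defines the 2xx case.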
     
    28442908   said organizations to make sure that they do not attempt to
    28452909   invalidate resources over which they have no authority.
     2910</t>
     2911</section>
     2912
     2913<section title="Security Considerations for CONNECT">
     2914<t>
     2915   Since tunneled data is opaque to the proxy, there are additional
     2916   risks to tunneling to other well-known or reserved ports.
     2917   A HTTP client CONNECTing to port 25 could relay spam
     2918   via SMTP, for example. As such, proxies &SHOULD; restrict CONNECT
     2919   access to a small number of known ports.
    28462920</t>
    28472921</section>
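Review bot: The &SHOULD; at new lines 2918-2919 leaves "a small number of known ports" undefined, so two proxies can both follow it while permitting very different destinations. Suggest saying that the permitted ports are a list configured by the proxy operator, and clarifying whether port 80, which both CONNECT examples in this changeset use, is expected to be on such a list. Separately, "A HTTP client" at 2917 should be "An HTTP client".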
     
    39153989      "205 Bodies"
    39163990    </t>
     3991    <t>
     3992      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/239"/>:
     3993      "Migrate CONNECT from RFC2817 to p2"
     3994    </t>
    39173995  </list>
    39183996</t>