HTTP Proxies

Pēdējais mainījis Administrator 2011-06-06 17:16

HTTP Proxies

This article describes two common approaches to HTTP Proxy configuration - explicit and transparent. It describes some common HTTP proxy characteristics and services it provides to the users, and also gives comparison of the explicit vs. transparent regarding various features. Some illustrative examples of proxies are provided - how to set up and use proxies with the help of some common tools. This article assumes basic familiarity with the HTTP protocol [RFC2616], [W3C], [Gourley2002].

[An HTTP] Proxy is an intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients [RFC2616]. It is a forwarding agent, receiving requests for a URI in its absolute form, rewriting all or part of the message, and forwarding the reformatted request toward the server identified by the URI.
If the client specifically identifies a proxy server, that server is called an explicit proxy [RFC2616].
Transparent proxy (depending on the context it is called also HTTP interception or interception caching) usually means intercepting HTTP requests to a proxy server without configuring the user agents for the clients.

There is one more meaning for a 'transparent proxy' A 'transparent proxy' is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification. A 'non-transparent proxy' is a proxy that modifies the request or response in order to provide some added service to the user agent, such as group annotation services, media type transformation, protocol reduction, or anonymity filtering.[RFC2616]

What does the HTTP specs say about proxies

A transparent proxy MUST NOT rewrite the "abs_path" part of the received Request-URI when forwarding it to the next inbound server, except as noted above to replace a null abs_path with "/". Some features of the HTTP/1.1 protocol, such as Digest Authentication, depend on the value of certain end-to-end headers. A transparent proxy SHOULD NOT modify an end-to-end header unless the definition of that header requires or specifically allows that. A transparent proxy MUST NOT modify any of the following fields in a request or response, and it MUST NOT add any of these fields if not already present:

  • Content-Location
  • Content-MD5
  • ETag
  • Last-Modified
A transparent proxy MUST NOT modify any of the following fields in a response:

  • Expires
but it MAY add any of these fields if not already present. If an Expires header is added, it MUST be given a field-value identical to that of the Date header in that response.

Outline of common and different things between Explicit/Transparent proxies

  • Handling the HTTP headers
  • Visibility to the user
  • Proxy interaction with other elements of the HTTP architecture (gateways, tunnels)
  • Anonymity for the User Agents
  • Security considerations - logs and cache.
  • "Cache-Control:no-cache" header --- issue cache validation requests on behalf of client
  • RFC 2267
Possible Proxy Behavior Expl.Transp.
Anonymity Yes Yes
Cache contents Yes Yes
Issue cache validation requests Yes Yes
Filtering of inappopriate content Yes Yes
Can use Proxy Authorization Yes No
Can use with Ident Protocol (RFC 1413) Yes No2
User can force page from server via Refresh button Yes Yes1
Can resolve DNS names on behalf of client Yes No
Prevents IP address spoofing with egress filters Yes No

1 Some browsers may not set the Cache-Control: no-cache header upon refresh, if no proxy is not explicitly configured (i.e. they wrongly assume that they communicate directly with the client).
2 The implicit proxy may not be able to open Ident protocol connection to the 113 port, since browser is not contacting the proxy

Izveidojis Kalvis Apsītis 2008-03-27 10:08
This wiki is licensed under a Creative Commons 2.0 license
XWiki Enterprise 6.4 - Documentation