On 2 Nov 2015, at 22:29, Christophe Jaillet wrote:
>
> Several places in httpd seem to deal with RFC2616 13.5.1 End-to-end and
> Hop-by-hop Headers.
> Line 1211 of cache_util.c [1]
> Line 1311 and 1562 of mod_proxy_http.c [2]
> Line 3567 of proxy_util.c [3]
>
>
> 1) [1] is an exact copy of what is said in RFC2616 13.5.1
> However, I wonder if the Trailers here should not be a Trailer (without s)
> Trailers (with an s) does not seem to be a header field, just a keyword for TE.
> Is this a typo in the RFC?
With [1], I think you're right that this is a typo in RFC2616 which has been copied into httpd.

As for [2] and [3], the Connection: header seems to be handled in mod_proxy_http.c (circa line 970). Transfer-Encoding: is likewise given special-case handling (circa line 795). I can see a case for adding a comment to proxy_util.c explaining this.

That leaves Proxy-Authenticate: and Proxy-Authorization: headers. Are these hop-by-hop? It makes sense for a shared cache to delete Proxy-Authenticate: from a response, unconditionally. Similarly Proxy-Authorization: from a request. The shared nature of caching brings obvious security issues.

https://tools.ietf.org/html/rfc7235 says “when multiple proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed” and “A proxy MAY relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively authenticate a given request.”

So maybe there's an opportunity (enhancement request?) to make the forwarding of these headers configurable. I'm not sure what the default should be. I think the safe option, at least for trunk, is to remove those headers in the proxy code as well.

-- 
Tim Bannister – is...@c8h10n4o2.org.uk
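The filtering discussed in this thread, as an added example that is not httpd code and not part of the original messages: a proxy's hop-by-hop stripping step, using the fixed RFC 2616 13.5.1 list (with the header field "Trailer" in place of the RFC's "Trailers", the typo identified above) together with the RFC 7230 6.1 rule that any field named in a Connection: header is also hop-by-hop. The forward_proxy_credentials knob and the sample request are assumptions of this example: the knob models the "make forwarding configurable" idea and is not an httpd directive, and the request headers are constructed for illustration.

```python
# Added example (not httpd code): hop-by-hop header filtering as a forward
# or caching proxy would apply it before relaying a request or response.
#
# Fixed list from RFC 2616 13.5.1 (with "Trailer", the header field, in place
# of the RFC's "Trailers", which the thread identifies as a typo), plus the
# RFC 7230 6.1 rule that any field named in Connection: is hop-by-hop too.
# The forward_proxy_credentials knob is hypothetical, modelled on the
# enhancement idea in the thread; it is not an httpd directive.

HOP_BY_HOP = frozenset((
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
))

# Constructed sample request as a proxy might receive it from a client.
# Connection: also names X-Internal-Debug, which makes that otherwise
# end-to-end field hop-by-hop for this hop only.
SAMPLE_REQUEST = [
    ("Host", "example.test"),
    ("Connection", "keep-alive, X-Internal-Debug"),
    ("Keep-Alive", "timeout=5"),
    ("X-Internal-Debug", "1"),
    ("Proxy-Authorization", "Basic dXNlcjpzZWNyZXQ="),
    ("TE", "trailers"),
    ("Accept", "*/*"),
]


def connection_tokens(headers):
    """Return the lower-cased tokens listed in all Connection: headers."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            for tok in value.split(","):
                tok = tok.strip().lower()
                if tok:
                    tokens.add(tok)
    return tokens


def strip_hop_by_hop(headers, forward_proxy_credentials=False):
    """Return the (name, value) pairs that may be relayed to the next hop.

    headers: list of (name, value) tuples as received; order is preserved.
    forward_proxy_credentials: when True, Proxy-Authenticate: and
    Proxy-Authorization: are relayed, the RFC 7235 "MAY relay" behaviour
    for a cooperating proxy hierarchy. The default removes them, which is
    the safe option argued for in the thread.
    """
    drop = set(HOP_BY_HOP) | connection_tokens(headers)
    if forward_proxy_credentials:
        drop -= {"proxy-authenticate", "proxy-authorization"}
    return [(name, value) for name, value in headers if name.lower() not in drop]


if __name__ == "__main__":
    for name, value in strip_hop_by_hop(SAMPLE_REQUEST):
        print(f"{name}: {value}")
```

With the defaults, only Host: and Accept: survive from the sample request; the credentials, the TE: token and the field the client itself marked hop-by-hop via Connection: all stop at this proxy. Flipping forward_proxy_credentials keeps Proxy-Authorization: and nothing else, which is the behaviour that a shared cache should only enable for a proxy chain it actually trusts.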