
HTTP proxy protocol (HTTP CONNECT)

2013-08-20 / General / 5209 characters

Abstract

   This memo explains how to use the Upgrade mechanism in HTTP/1.1 to
   initiate Transport Layer Security (TLS) over an existing TCP
   connection. This allows unsecured and secured HTTP traffic to share
   the same well known port (in this case, http: at 80 rather than
   https: at 443). It also enables "virtual hosting", so a single HTTP +
   TLS server can disambiguate traffic intended for several hostnames at
   a single IP address.

   Since HTTP/1.1 [1] defines Upgrade as a hop-by-hop mechanism, this
   memo also documents the HTTP CONNECT method for establishing end-to-
   end tunnels across HTTP proxies. Finally, this memo establishes new
   IANA registries for public HTTP status codes, as well as public or
   private Upgrade product tokens.

   This memo does NOT affect the current definition of the 'https' URI
   scheme, which already defines a separate namespace
   (http://example.org/ and https://example.org/ are not equivalent).

1. Motivation

   The historical practice of deploying HTTP over SSL3 [3] has
   distinguished the combination from HTTP alone by a unique URI scheme
   and the TCP port number. The scheme 'http' meant the HTTP protocol
   alone on port 80, while 'https' meant the HTTP protocol over SSL on
   port 443. Parallel well-known port numbers have similarly been
   requested -- and in some cases, granted -- to distinguish between
   secured and unsecured use of other application protocols (e.g.
   snews, ftps). This approach effectively halves the number of
   available well known ports.

   At the Washington DC IETF meeting in December 1997, the Applications
   Area Directors and the IESG reaffirmed that the practice of issuing
   parallel "secure" port numbers should be deprecated. The HTTP/1.1
   Upgrade mechanism can apply Transport Layer Security [6] to an open
   HTTP connection.

   In the nearly two years since, there has been broad acceptance of the
   concept behind this proposal, but little interest in implementing
   alternatives to port 443 for generic Web browsing. In fact, nothing
   in this memo affects the current interpretation of https: URIs.
   However, new application protocols built atop HTTP, such as the
   Internet Printing Protocol [7], call for just such a mechanism in
   order to move ahead in the IETF standards process.

   The Upgrade mechanism also solves the "virtual hosting" problem.
   Rather than allocating multiple IP addresses to a single host, an
   HTTP/1.1 server will use the Host: header to disambiguate the
   intended web service. As HTTP/1.1 usage has grown more prevalent,
   more ISPs are offering name-based virtual hosting, thus delaying IP
   address space exhaustion.

   TLS (and SSL) have been hobbled by the same limitation as earlier
   versions of HTTP: the initial handshake does not specify the intended
   hostname, relying exclusively on the IP address. Using a cleartext
   HTTP/1.1 Upgrade: preamble to the TLS handshake -- choosing the
   certificates based on the initial Host: header -- will allow ISPs to
   provide secure name-based virtual hosting as well.

2. Introduction

   TLS, a.k.a., SSL (Secure Sockets Layer), establishes a private end-
   to-end connection, optionally including strong mutual authentication,
   using a variety of cryptosystems. Initially, a handshake phase uses
   three subprotocols to set up a record layer, authenticate endpoints,
   set parameters, as well as report errors.  Then, there is an ongoing
   layered record protocol that handles encryption, compression, and
   reassembly for the remainder of the connection. The latter is
   intended to be completely transparent. For example, there is no
   dependency between TLS's record markers and or certificates and
   HTTP/1.1's chunked encoding or authentication.

   Either the client or server can use the HTTP/1.1 [1] Upgrade
   mechanism (Section 14.42) to indicate that a TLS-secured connection
   is desired or necessary. This memo defines the "TLS/1.0" Upgrade
   token, and a new HTTP Status Code, "426 Upgrade Required".

   Section 3 and Section 4 describe the operation of a directly
   connected client and server. Intermediate proxies must establish an
   end-to-end tunnel before applying those operations, as explained in
   Section 5.

3. Client Requested Upgrade to HTTP over TLS

   When the client sends an HTTP/1.1 request with an Upgrade header
   field containing the token "TLS/1.0", it is requesting the server to
   complete the current HTTP/1.1 request after switching to TLS/1.0.

3.1 Optional Upgrade

   A client MAY offer to switch to secured operation during any clear
   HTTP request when an unsecured response would be acceptable:

      GET http://example.bank.com/acct_stat.html?749394889300 HTTP/1.1
      Host: example.bank.com
      Upgrade: TLS/1.0
      Connection: Upgrade

   In this case, the server MAY respond to the clear HTTP operation
   normally, OR switch to secured operation (as detailed in the next
   section).

   Note that HTTP/1.1 [1] specifies "the upgrade keyword MUST be
   supplied within a Connection header field (section 14.10) whenever
   Upgrade is present in an HTTP/1.1 message".

3.2 Mandatory Upgrade

   If an unsecured response would be unacceptable, a client MUST send an
   OPTIONS request first to complete the switch to TLS/1.0 (if
   possible).

      OPTIONS * HTTP/1.1
      Host: example.bank.com
      Upgrade: TLS/1.0
      Connection: Upgrade

3.3 Server Acceptance of Upgrade Request

   As specified in HTTP/1.1 [1], if the server is prepared to initiate
   the TLS handshake, it MUST send the intermediate "101 Switching
   Protocol" and MUST include an Upgrade response header specifying the
   tokens of the protocol stack it is switching to:

      HTTP/1.1 101 Switching Protocols
      Upgrade: TLS/1.0, HTTP/1.1
      Connection: Upgrade

   Note that the protocol tokens listed in the Upgrade header of a 101
   Switching Protocols response specify an ordered 'bottom-up' stack.

   As specified in HTTP/1.1 [1], Section 10.1.2: "The server will
   switch protocols to those defined by the response's Upgrade header
   field immediately after the empty line which terminates the 101
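   The client/server exchange of Sections 3.1 through 3.3, worked as an
   added example that is neither part of RFC 2817 nor of this post. It
   classifies an incoming request as an optional offer (3.1), a mandatory
   OPTIONS * switch (3.2), or an invalid offer that lacks the required
   Connection: Upgrade header, and it validates a 101 acceptance (3.3),
   including the bottom-up order of the Upgrade tokens. The sample
   messages are constructed to mirror the memo's examples, and every
   function name here (parse_message, classify_upgrade_request,
   validate_switching_response, upgrade_socket) is this example's own.

```python
"""Added example (not RFC 2817 text): parser and checks for the
HTTP/1.1 Upgrade-to-TLS exchange.  Standard library only."""
import ssl
from dataclasses import dataclass, field

TLS_TOKEN = "TLS/1.0"


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> value


def parse_message(raw: str) -> HttpMessage:
    """Parse the head of an HTTP/1.1 message (start line plus headers).
    Any body after the blank line is ignored; header names are
    case-insensitive, so they are stored lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    msg = HttpMessage(start_line=lines[0].strip())
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def tokens(value: str) -> list:
    """Split a comma-separated header value into its tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def classify_upgrade_request(raw: str) -> str:
    """How a server should treat a client request:
    'none'      - no TLS/1.0 upgrade offered
    'invalid'   - Upgrade present but no 'Connection: Upgrade' (HTTP/1.1
                  requires the upgrade keyword in Connection, sec. 14.10)
    'optional'  - Section 3.1: ordinary request, server MAY answer in clear
    'mandatory' - Section 3.2: OPTIONS * sent first, client needs TLS
    """
    req = parse_message(raw)
    if TLS_TOKEN not in tokens(req.headers.get("upgrade", "")):
        return "none"
    connection = [t.lower() for t in tokens(req.headers.get("connection", ""))]
    if "upgrade" not in connection:
        return "invalid"
    method, _, rest = req.start_line.partition(" ")
    target = rest.split(" ")[0]
    if method == "OPTIONS" and target == "*":
        return "mandatory"
    return "optional"


def validate_switching_response(raw: str) -> bool:
    """Section 3.3: an acceptance is '101 Switching Protocols' carrying
    'Connection: Upgrade' and an Upgrade header that lists the new stack
    bottom-up, i.e. TLS/1.0 first and HTTP/1.1 on top of it."""
    resp = parse_message(raw)
    parts = resp.start_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "HTTP/1.1" or parts[1] != "101":
        return False
    connection = [t.lower() for t in tokens(resp.headers.get("connection", ""))]
    if "upgrade" not in connection:
        return False
    return tokens(resp.headers.get("upgrade", "")) == [TLS_TOKEN, "HTTP/1.1"]


def upgrade_socket(sock, server_hostname: str):
    """Client side, after the 101: the TLS handshake runs on the same TCP
    socket.  The default context verifies the server certificate against
    the hostname the client sent in Host: (assumption: the caller passes
    that same name).  Not exercised offline."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


# Constructed sample messages mirroring the memo's examples.
OPTIONAL_REQUEST = (
    "GET http://example.bank.com/acct_stat.html?749394889300 HTTP/1.1\r\n"
    "Host: example.bank.com\r\nUpgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
MANDATORY_REQUEST = (
    "OPTIONS * HTTP/1.1\r\nHost: example.bank.com\r\n"
    "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
# Offer without Connection: Upgrade, which HTTP/1.1 forbids.
MISSING_CONNECTION = (
    "GET / HTTP/1.1\r\nHost: example.bank.com\r\nUpgrade: TLS/1.0\r\n\r\n")
ACCEPT_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
# Tokens reversed: the stack is bottom-up, so this is not a valid acceptance.
WRONG_ORDER_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: HTTP/1.1, TLS/1.0\r\nConnection: Upgrade\r\n\r\n")

if __name__ == "__main__":
    for name, msg in [("optional", OPTIONAL_REQUEST), ("mandatory", MANDATORY_REQUEST),
                      ("missing connection", MISSING_CONNECTION)]:
        print(f"{name}: {classify_upgrade_request(msg)}")
    print("accept ok:", validate_switching_response(ACCEPT_RESPONSE))
    print("wrong order ok:", validate_switching_response(WRONG_ORDER_RESPONSE))
```

   A server that accepts a 'mandatory' request writes the 101 and then
   starts its TLS handshake on the same socket; a server that rejects an
   'invalid' offer should simply ignore the Upgrade header, since without
   Connection: Upgrade the client has not made a conforming request.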