cnrting / httplib2

Automatically exported from code.google.com/p/httplib2

Use PROXY_TYPE_HTTP_NO_TUNNEL for HTTP connections #228

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
With ProxyInfo.from_environment() we use PROXY_TYPE_HTTP for all connection 
types

This proxy type uses CONNECT to tunnel a connection through the proxy

In the case of a plain HTTP connection, this isn't necessary and just issuing 
the requests against the proxy is sufficient

However, in the case of HTTPS, tunnelling is needed

The use of CONNECT tunnelling is problematic for HTTP because many proxy 
servers are configured to reject tunnelling requests to ports other than 443 - 
e.g. on Fedora, squid has the following default configuration:

     acl SSL_ports port 443

     # Deny CONNECT to other than secure SSL ports
     http_access deny CONNECT !SSL_ports

So, it seems pretty clear that we should use PROXY_TYPE_HTTP_NO_TUNNEL for 
http_proxy and PROXY_TYPE_HTTP for https_proxy - i.e. in ProxyInfo.from_url() 
do:

        if method == 'http':
            proxy_type = 4 # socks.PROXY_TYPE_HTTP_NO_TUNNEL
        else:
            proxy_type = 3 # socks.PROXY_TYPE_HTTP

Original issue reported on code.google.com by mark...@gmail.com on 14 Sep 2012 at 4:57

GoogleCodeExporter commented 8 years ago
Oh, to clarify the particular problem this is causing ...

I'm using OpenStack's nova client (from python-novaclient) to access an 
OpenStack installation over a corporate squid proxy

It's a plain old HTTP connection, novaclient is using httplib2 and I'm getting 
a 403 Forbidden from the proxy because it's using the default config for 
rejecting CONNECT to ports other than 443

Original comment by mark...@gmail.com on 14 Sep 2012 at 4:59
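
The failure and the proposed selection from this thread, modelled as an added example (not code from the thread or from httplib2). It assumes a simplified proxy that applies only the quoted `http_access deny CONNECT !SSL_ports` rule; the target URL and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constant values as quoted in the issue for the socks module.
PROXY_TYPE_HTTP = 3            # tunnels through the proxy with CONNECT
PROXY_TYPE_HTTP_NO_TUNNEL = 4  # issues the request against the proxy directly

SSL_PORTS = {443}  # mirrors "acl SSL_ports port 443"


def proxy_type_for(method):
    """Selection proposed in the issue: no tunnel for http, CONNECT otherwise."""
    return PROXY_TYPE_HTTP_NO_TUNNEL if method == 'http' else PROXY_TYPE_HTTP


def first_request_line(target_url, proxy_type):
    """Request line the client sends to the proxy for target_url."""
    parts = urlsplit(target_url)
    port = parts.port or (443 if parts.scheme == 'https' else 80)
    if proxy_type == PROXY_TYPE_HTTP:
        return 'CONNECT %s:%d HTTP/1.1' % (parts.hostname, port)
    # Without a tunnel the proxy receives the absolute URI.
    return 'GET %s HTTP/1.1' % target_url


def denied_by_connect_rule(request_line):
    """True if 'http_access deny CONNECT !SSL_ports' rejects the request."""
    verb, target, _version = request_line.split(' ', 2)
    if verb != 'CONNECT':
        return False  # the rule only matches CONNECT requests
    port = int(target.rsplit(':', 1)[1])
    return port not in SSL_PORTS


def simulate(target_url, method, use_proposed_selection):
    """Return (request_line, denied) for the current or the proposed behaviour."""
    if use_proposed_selection:
        proxy_type = proxy_type_for(method)
    else:
        proxy_type = PROXY_TYPE_HTTP  # behaviour reported in the issue
    line = first_request_line(target_url, proxy_type)
    return line, denied_by_connect_rule(line)


if __name__ == '__main__':
    # Constructed target: plain HTTP API endpoint on a non-443 port.
    url = 'http://nova.example.test:8774/v2/servers'
    for proposed in (False, True):
        line, denied = simulate(url, 'http', proposed)
        print('%-55s -> %s' % (line, '403 Forbidden' if denied else 'passes rule'))
```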