Name:
Network Transparent Proxies Prevent Introduction of New HTTP Methods
Classification:
Architecture
Description:
A proxy that receives a request with a method unknown to it is
required to generate an HTTP 501 error as a response. HTTP methods
are designed to be extensible, so applications may be deployed with
initial support for a new method only in the user agent and origin
server. A transparent proxy that hijacks requests using new methods
destined for servers that have implemented that method creates a
de facto firewall where none may be intended.
Significance:
Medium within network transparent proxy environments.
Implications:
Renders new compliant applications useless unless modifications
are made to the proxy software. Because new methods are not required
to be globally standardized, it is impossible to keep the proxy up
to date in the general case.
Solution(s):
Eliminate the need for network transparent proxies. A client
receiving a 501 in a traditional HTTP environment may either
choose to repeat the request to the origin server directly, or
perhaps be configured to use a different cache.
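The request flow the report describes, as an added example (not code from the report or its author): a proxy that answers 501 for any method it does not know, an origin server that implements an extension method, and a client that follows the fallback given under Solution(s). The names (KNOWN_TO_PROXY, TransparentProxy, send) and the choice of PROPFIND as the extension method are assumptions made for this illustration; the point it shows is that the fallback works only when the client can actually reach the origin, so in a transparent deployment the 501 becomes a de facto block.

```python
"""Model of the problem report: a proxy that returns 501 for an HTTP method it
does not know, an origin that does implement that method, and a client that
retries the origin directly on 501. Added example, not from the report."""

from dataclasses import dataclass

# Methods this (hypothetical) proxy was built with. Anything else gets a 501.
KNOWN_TO_PROXY = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    target: str


@dataclass
class Response:
    status: int
    reason: str
    via: str  # which hop produced the response: "proxy" or "origin"


class OriginServer:
    """Origin that implements an extension method (PROPFIND, the WebDAV case
    the note at the end of the report alludes to) beside the basic ones."""

    def __init__(self, supported):
        self.supported = set(supported)

    def handle(self, req):
        if req.method in self.supported:
            return Response(200, "OK", via="origin")
        return Response(501, "Not Implemented", via="origin")


class TransparentProxy:
    """Intercepts every request. Per the report it must answer 501 for a
    method it does not recognise rather than forwarding it to the origin."""

    def __init__(self, origin):
        self.origin = origin
        self.log = []  # constructed audit trail, useful when hunting for this

    def handle(self, req):
        if req.method not in KNOWN_TO_PROXY:
            self.log.append(f"{req.method} {req.target} -> 501 (unknown method, not forwarded)")
            return Response(501, "Not Implemented", via="proxy")
        resp = self.origin.handle(req)
        self.log.append(f"{req.method} {req.target} -> {resp.status} (forwarded)")
        return resp


def send(req, proxy, origin, transparent):
    """Client behaviour from Solution(s): the first attempt goes through the
    proxy; on a 501 the client repeats the request to the origin directly.
    When the proxy is transparent, that direct retry is hijacked again, so
    the client never gets past the proxy."""
    resp = proxy.handle(req)
    if resp.status != 501:
        return resp
    return proxy.handle(req) if transparent else origin.handle(req)


def blocked_extension_methods(proxy, origin, methods):
    """Defender's check: which methods does the origin implement that the
    proxy will never let through? Returns them sorted for stable reporting."""
    return sorted(m for m in methods
                  if m in origin.supported and m not in KNOWN_TO_PROXY)


if __name__ == "__main__":
    origin = OriginServer(KNOWN_TO_PROXY | {"PROPFIND"})
    proxy = TransparentProxy(origin)
    for transparent in (False, True):
        r = send(Request("PROPFIND", "/dav/"), proxy, origin, transparent)
        print(f"transparent={transparent}: PROPFIND -> {r.status} via {r.via}")
    print("blocked:", blocked_extension_methods(proxy, origin, origin.supported))
    print("\n".join(proxy.log))
```

Running the block prints a 200 from the origin when the proxy is explicitly configured (the client's direct retry succeeds) and a 501 from the proxy when it is transparent, with the proxy log showing that the PROPFIND never reached the origin.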
Workaround:
Level 5 switches (sometimes called Level 7 or application layer
switches) can be used to keep HTTP traffic with unknown methods
out of the proxy. However, these devices have heavy buffering
responsibilities, still require TCP sequence number spoofing, and
do not interact well with persistent connections.
Contact:
Patrick McManus <mcmanus@AppliedTheory.com>
[Not part of problem report... this has been seen a few times... most
recently with WEBDAV introduction in some Microsoft client... Outlook
perhaps.]
This archive was generated by hypermail 2b29 : Thu Nov 18 2004 - 11:21:26 MST