Given that the extension status code 511 is now an official code
(http://www.rfc-editor.org/rfc/rfc6585.txt), how do we all feel about
causing it to be emitted whenever an intercepted request is configured
to require proxy_auth satisfaction for ACLs?
That would be for all TPROXY, NAT, and SSL-bump intercepted requests.
Pros:
* Coupled with our discussed alterations to how and when proxy_auth
operates, this would simplify the proxy_auth handling a bit by erasing the
maybe-skip cases.
* as UA software gets updated it should allow proxy-auth to operate
better in more situations.
* uses a 5XX so the client does not retry on failures.
Cons:
* user pain as configs which were silently ignoring the auth failures
start to produce 511. (auth_param option to enable/disable?)
Amos
Received on Mon Apr 30 2012 - 22:39:35 MDT