Tcl Library Source Code

Documentation
Login
EuroTcl/OpenACS 11 - 12 JULY 2024, VIENNA


[ Main Table Of Contents | Table Of Contents | Keyword Index | Categories | Modules | Applications ]

NAME

autoproxy - Automatic HTTP proxy usage and authentication

Table Of Contents

SYNOPSIS

package require Tcl 8.5 9
package require http ?2.0?
package require autoproxy ?1.8.1?

::autoproxy::init
::autoproxy::cget -option
::autoproxy::configure ?-option value?
::autoproxy::tls_connect args
::autoproxy::tunnel_connect args
::autoproxy::tls_socket args

DESCRIPTION

This package attempts to automate the use of HTTP proxy servers in Tcl HTTP client code. It tries to initialize the web access settings from system standard locations and can be configured to negotiate authentication with the proxy if required.

On Unix the standard for identifying the local HTTP proxy server seems to be to use the environment variable http_proxy or ftp_proxy and no_proxy to list those domains to be excluded from proxying. On Windows we can retrieve the Internet Settings values from the registry to obtain pretty much the same information. With this information we can setup a suitable filter procedure for the Tcl http package and arrange for automatic use of the proxy.

There seem to be a number of ways that the http_proxy environment variable may be set up. Either a plain host:port or more commonly a URL and sometimes the URL may contain authentication parameters or these may be requested from the user or provided via http_proxy_user and http_proxy_pass. This package attempts to deal with all these schemes. It will do it's best to get the required parameters from the environment or registry and if it fails can be reconfigured.

TLS Security Considerations

Note This section only applies if TLS support is provided by the TLS package. It does not apply when autoproxy was configured to use some other package which can provide the same (i.e twapi), via the -tls_package configuration option.

This package uses the TLS package to handle the security for https urls and other socket connections.

Policy decisions like the set of protocols to support and what ciphers to use are not the responsibility of TLS, nor of this package itself however. Such decisions are the responsibility of whichever application is using the package, and are likely influenced by the set of servers the application will talk to as well.

For example, in light of the recent POODLE attack discovered by Google many servers will disable support for the SSLv3 protocol. To handle this change the applications using TLS must be patched, and not this package, nor TLS itself. Such a patch may be as simple as generally activating tls1 support, as shown in the example below.

package require tls
tls::init -tls1 1 ;# forcibly activate support for the TLS1 protocol

... your own application code ...

COMMANDS

OPTIONS

Basic Authentication

Basic is the simplest and most commonly use HTTP proxy authentication scheme. It is described in (1 section 11) and also in (2). It offers no privacy whatsoever and its use should be discouraged in favour of more secure alternatives like Digest. To perform Basic authentication the client base64 encodes the username and plaintext password separated by a colon. This encoded text is prefixed with the word "Basic" and a space.

The following options exists for this scheme:

EXAMPLES

package require autoproxy
autoproxy::init
autoproxy::configure -basic -username ME -password SEKRET
set tok [http::geturl http://wiki.tcl.tk/]
http::data $tok

package require http
package require tls
package require autoproxy
autoproxy::init
http::register https 443 autoproxy::tls_socket
set tok [http::geturl https://www.example.com/]

REFERENCES

  1. Berners-Lee, T., Fielding R. and Frystyk, H. "Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996, (http://www.rfc-editor.org/rfc/rfc1945.txt)

  2. Franks, J. et al. "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999 (http://www.rfc-editor.org/rfc/rfc2617.txt)

BUGS

At this time only Basic authentication (1) (2) is supported. It is planned to add support for Digest (2) and NTLM in the future.

AUTHORS

Pat Thoyts

Bugs, Ideas, Feedback

This document, and the package it describes, will undoubtedly contain bugs and other problems. Please report such in the category http :: autoproxy of the Tcllib Trackers. Please also report any ideas for enhancements you may have for either package and/or documentation.

When proposing code changes, please provide unified diffs, i.e the output of diff -u.

Note further that attachments are strongly preferred over inlined patches. Attachments can be made by going to the Edit form of the ticket immediately after its creation, and then using the left-most button in the secondary navigation bar.

SEE ALSO

http(n)

KEYWORDS

authentication, http, proxy

CATEGORY

Networking