Haven't read the full thread, just 2 cents on this specific paragraph. On Mar 4, 2010, at 7:29 PM, Damjan Jovanovic wrote:
> Hi Chris > > ... > * pidgin (www.pidgin.im), an instant messaging app, has very good > proxy support including NTLM authentication for HTTP proxies. It only > uses a single socket and requires the proxy to use a persistent > connection. proxytunnel (proxytunnel.sourceforge.net) does the same. > > I like pidgin's solution the best, and since it even works with NTLM, > the other authentication types should be easy. Most HTTP 1.1 proxies > should support persistent connections - after all, that feature > benefits proxies the most. So we should be able to get away with one > socket in most cases, maybe even for all commonly used HTTP proxies. > I'll try to do some tests this weekend. I remember somewhere in the HTTP RFC says that the client must close the connection when the initial 401/407 response is received. Hence, my understanding of web auth inside proxy auth should look like this: . Connect proxy, see 407 . Disconnect/reconnect to proxy, authenticate to proxy, succeed . Proxy connect to web server, see 401 . Tell proxy to disconnect/reconnect web server, authenticate to web server, see 200 This way an NTLM/web inside NTLM/proxy can be implemented, even if MS has explicitly said this is not supported. --Max
