IETF Logo Mail Archive

Re: RFC 9113 and :authority header field

Willy Tarreau <w@1wt.eu> Thu, 30 June 2022 09:06 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D97E6C147920 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 30 Jun 2022 02:06:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.661
X-Spam-Level:
X-Spam-Status: No, score=-2.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zcQGGQtte3yv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 30 Jun 2022 02:06:33 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B535CC157B49 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 30 Jun 2022 02:06:33 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1o6q4d-00HIVB-Ob for ietf-http-wg-dist@listhub.w3.org; Thu, 30 Jun 2022 09:02:55 +0000
Resent-Date: Thu, 30 Jun 2022 09:02:55 +0000
Resent-Message-Id: <E1o6q4d-00HIVB-Ob@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <w@1wt.eu>) id 1o6q4c-00HIUD-NX for ietf-http-wg@listhub.w3.org; Thu, 30 Jun 2022 09:02:54 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by mimas.w3.org with esmtp (Exim 4.94.2) (envelope-from <w@1wt.eu>) id 1o6q4X-007j3q-9u for ietf-http-wg@w3.org; Thu, 30 Jun 2022 09:02:53 +0000
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 25U92X9g020751; Thu, 30 Jun 2022 11:02:33 +0200
Date: Thu, 30 Jun 2022 11:02:33 +0200
From: Willy Tarreau <w@1wt.eu>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>, HTTP <ietf-http-wg@w3.org>
Message-ID: <20220630090233.GA20747@1wt.eu>
References: <CAPyZ6=+q+MoOOwoCxbtFjt+gqsjHBqTzz9KXNVcs3EP-4VFp=Q@mail.gmail.com> <D7142A8A-5B80-46F5-A653-2307EE2DC5D8@gbiv.com> <CAPyZ6=LCSDAsPoFCQ2cRO-i+dpo5vnp2L5A7ZLw8dvRtDs6HUg@mail.gmail.com> <20220629055254.GA18881@1wt.eu> <34B74169-9A07-4003-8F76-1B518DE3A3A0@gbiv.com> <20220630070123.GA20552@1wt.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20220630070123.GA20552@1wt.eu>
User-Agent: Mutt/1.10.1 (2018-07-13)
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1o6q4X-007j3q-9u 206f78c372a10bba6d216868ced9f3db
X-Original-To: ietf-http-wg@w3.org
Subject: Re: RFC 9113 and :authority header field
Archived-At: <https://www.w3.org/mid/20220630090233.GA20747@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40225
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Thu, Jun 30, 2022 at 09:01:23AM +0200, Willy Tarreau wrote:
> > > What we're
> > > doing in haproxy is that both Host and :authority are used interchangeably
> > > after having been checked for proper matching, and are modified at the
> > > same time if needed, and we have a flag indicating if an authority was
> > > present in the incoming request to know if we have to produce one on
> > > output or not. That's in the end what seems to preserve the most accurate
> > > representation along a chain of multiple versions. This allows us to emit
> > > a Host field only if one was present, and an authority only if one was
> > > present, regardless of the HTTP version. I don't think that RFC9113 brings
> > > any changes regarding this, it might only be a matter of what constitutes
> > > "control data".
> > 
> > Sorry, that is a broken implementation. You need to send Host regardless
> > of the original request version.
> 
> I can guarantee you that each time we accidently failed to do this because
> of a tiny change or some strengthening of the checks of host vs authority,
> we got instant reports of various 1.0 applications getting broken. And
> actually I did verify carefully that the updated set of RFCs continued to
> cover that compatibility requirement with these old components, i.e. Host
> remains Host and :authority remains :authority along all the chain, and
> only when both are set, they must match and we can simplify (e.g. drop
> authority when passing to an HTTP/1.x server).

BTW, I think I just understood the case that concerned you and I was
partially incorrect above, as we do *always* create a Host header on
output since it's obviously always valid, we only make the difference
on the authority to decide whether to rebuild and absolute or origin
form for the URI.

Sorry for this confusion.

Willy

v2.23.0 | Report a Bug | By Email