Re: [hybi] More on Payload Masking

[Scott Ferguson <ferg@caucho.com>]

Willy Tarreau wrote:
> On Thu, Nov 11, 2010 at 03:13:26PM +1100, Greg Wilkins wrote:
>   
>   
>> Note that some of the proposed changes to
>> the framing mechanism (FIN bit ) are intended to make it even less
>> likely that a WS frame could be mistaken for a HTTP request.
>>     
>
> I'd like to add that it is important to understand that designing a
> keep-alive compatible intermediary involves much stricter protocol
> compliance than just being able to process a first HTTP request in
> a connection, because you are forced to find some required headers
> (connection, content-length, transfer-encoding, ...) and have to always
> remain synced with the data that flow. The slightest approximation in
> the protocol can very quickly get you out of sync and make the component
> totally unreliable, hanging on downloads, randomly spewing errors, etc...
> So while it is possible to design a working intermediary which does not
> support Upgrade nor CONNECT, it's almost not possible to design one that
> magically works through invalid framing.
>   

+1

Repeating Willy's point for emphasis: a keepalive server/proxy must 
parse all framing content for keepalives to work, including http 
headers, chunking, etc. for both the request and the response. It cannot 
skip invalid bytes and continue the keepalive. Because there's no way to 
recover from the framing errors, the server/proxy needs to close the 
connection after the error if the HTTP framing breaks.

For example, in the case of NPH scripts, a server has to close the 
connection when the NPH script completes because the server doesn't know 
if the script responded with Connection: close or if the script even had 
a valid Content-Length/chunking.

-- Scott