IETF Logo Mail Archive

Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies

Greg Wilkins <gregw@webtide.com> Wed, 21 July 2010 23:23 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 40D763A6863 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 16:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.741
X-Spam-Level:
X-Spam-Status: No, score=-1.741 tagged_above=-999 required=5 tests=[AWL=0.235, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KimCmPP0tetG for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 16:23:21 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 838083A6824 for <hybi@ietf.org>; Wed, 21 Jul 2010 16:23:20 -0700 (PDT)
Received: by fxm1 with SMTP id 1so4348593fxm.31 for <hybi@ietf.org>; Wed, 21 Jul 2010 16:23:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.86.59.12 with SMTP id h12mr945800fga.67.1279754616703; Wed, 21 Jul 2010 16:23:36 -0700 (PDT)
Received: by 10.223.112.129 with HTTP; Wed, 21 Jul 2010 16:23:36 -0700 (PDT)
In-Reply-To: <20100721225210.GE6475@1wt.eu>
References: <20100721225210.GE6475@1wt.eu>
Date: Thu, 22 Jul 2010 09:23:36 +1000
Message-ID: <AANLkTimL42j5dOysvKwqjoXgwqISLN4_Sd6cvHz7DQcd@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Willy Tarreau <w@1wt.eu>
Content-Type: multipart/alternative; boundary="000e0cd2983a540d6d048bee17c0"
Cc: hybi@ietf.org
Subject: Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 23:23:22 -0000

Willy,

if we insist on trying to fail on infrastructure that might work (even if it
doesn't understand
websocket), then I think this is indeed an good proposal.

But I fundamentally do not agree with the premise that we should try to fail
simply
because our infrastructure is working, but not the way we want it to work.

I don't see what this buys us - say we do establish that every bit of
infrastructure between UA and server has been replaced with something shiny
and new that understands websocket - does this mean that we no longer need
to monitor the health of the connection and just assume that everything will
magically work?

No!

Networks can and do fail - even shiny new ones that understand websocket.
And they can fail in all sorts of nasty ways - black holes, repeated frames,
horrible latencies etc etc.

No matter what, any reasonable websocket based application is going to need
something to monitor the health of the connection and to make a continual
assessment of "it's working" vs "it's not working".     Even if we could
knowing that all intermediaries are websocket aware does not help this in
any way, shape or form.  And we can't know if all intermediaries are
websocket aware: your suggestion will indeed detect a class of non-ws
intermediaries, but there will also be other ones that are semi-HTTP away
but don't respect Connection:close or that operate at TCP/IP level etc.

Currently the protocol is designed to try to fail and only work if
everything is perfect.
I think we should instead make it try to work and fail only if there is a
problem.

regards











On 22 July 2010 08:52, Willy Tarreau <w@1wt.eu> wrote:

>
> I've just thought about a way to fix the initial handshake so that it
> works with proper HTTP-compliant implementations but still fails through
> non-compliant transparent proxies.
>
> Let's have the client send the initial handshake request to the server.
> This handshake is only made of HTTP headers. The client completes the
> request with "Connection: close" so that a transparent intermediate
> does not wait for a possible second request in case it does not understand
> the upgrade response :
>
>   GET /xxxx HTTP/1.1
>   Upgrade: WebSocket
>   Connection: close
>   ... ws headers ...
>   ...
>   \r\n
>
> The server will send :
>
>   HTTP/1.1 101 Swithing protocols
>   Upgrade: WebSocket
>   Content-length: 0
>   Connection: close
>   ... ws headers ...
>   ...
>   \r\n
>   any-form-of-hello-message (eg: the server's protocol version)
>
> That way, if a transparent proxy does not have explicit support for 101,
> it will only forward the headers with an empty body (CL: 0) and close the
> connection towards the client.
>
> The client then gets an empty response without the in-protocol HELLO
> message and knows that an intermediate is in the way and is not compatible.
>
> The only way for such a response to pass unmolested to the client is
> for intermediates to have a proper understanding of the 101/Upgrade
> mechanism which implies that any data after the empty line is to be
> tunnelled, despite Content-length: 0.
>
> It also has the nice advantage of being compatible with HTTP, which
> means that ISPs making use of transparent proxies will have no problem
> adding reliable cache-bypass rule which relies on the Upgrade: header.
>
> Any thoughts ?
>
> Willy
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email