IETF Logo Mail Archive

[hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies

Willy Tarreau <w@1wt.eu> Wed, 21 July 2010 22:51 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B8F573A680F for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 15:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.529
X-Spam-Level:
X-Spam-Status: No, score=-3.529 tagged_above=-999 required=5 tests=[AWL=-1.486, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9s5JPdjCou1o for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 15:51:56 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 7E0493A659C for <hybi@ietf.org>; Wed, 21 Jul 2010 15:51:55 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o6LMqAIX007093 for hybi@ietf.org; Thu, 22 Jul 2010 00:52:10 +0200
Date: Thu, 22 Jul 2010 00:52:10 +0200
From: Willy Tarreau <w@1wt.eu>
To: hybi@ietf.org
Message-ID: <20100721225210.GE6475@1wt.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
Subject: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 22:51:56 -0000

I've just thought about a way to fix the initial handshake so that it
works with proper HTTP-compliant implementations but still fails through
non-compliant transparent proxies.

Let's have the client send the initial handshake request to the server.
This handshake is only made of HTTP headers. The client completes the
request with "Connection: close" so that a transparent intermediate
does not wait for a possible second request in case it does not understand
the upgrade response :

   GET /xxxx HTTP/1.1
   Upgrade: WebSocket
   Connection: close
   ... ws headers ...
   ...
   \r\n

The server will send :

   HTTP/1.1 101 Swithing protocols
   Upgrade: WebSocket
   Content-length: 0
   Connection: close
   ... ws headers ...
   ...
   \r\n
   any-form-of-hello-message (eg: the server's protocol version)

That way, if a transparent proxy does not have explicit support for 101,
it will only forward the headers with an empty body (CL: 0) and close the
connection towards the client.

The client then gets an empty response without the in-protocol HELLO
message and knows that an intermediate is in the way and is not compatible.

The only way for such a response to pass unmolested to the client is
for intermediates to have a proper understanding of the 101/Upgrade
mechanism which implies that any data after the empty line is to be
tunnelled, despite Content-length: 0.

It also has the nice advantage of being compatible with HTTP, which
means that ISPs making use of transparent proxies will have no problem
adding reliable cache-bypass rule which relies on the Upgrade: header.

Any thoughts ?

Willy

v2.23.0 | Report a Bug | By Email