Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
Willy Tarreau <w@1wt.eu> Thu, 22 July 2010 00:58 UTC
Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE3423A6976 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 17:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.292
X-Spam-Level:
X-Spam-Status: No, score=-3.292 tagged_above=-999 required=5 tests=[AWL=-1.249, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQRMh7vDmr6c for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 17:58:30 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 7F3F93A6970 for <hybi@ietf.org>; Wed, 21 Jul 2010 17:58:29 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o6M0wjg9007798; Thu, 22 Jul 2010 02:58:45 +0200
Date: Thu, 22 Jul 2010 02:58:45 +0200
From: Willy Tarreau <w@1wt.eu>
To: Jamie Lokier <jamie@shareable.org>
Message-ID: <20100722005845.GF7174@1wt.eu>
References: <20100721225210.GE6475@1wt.eu> <20100722003801.GJ14589@shareable.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20100722003801.GJ14589@shareable.org>
User-Agent: Mutt/1.4.2.3i
Cc: hybi@ietf.org
Subject: Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 00:58:30 -0000
Hi Jamie,
first, thanks for taking the time to review the proposal in depth and
to match it with standards.
On Thu, Jul 22, 2010 at 01:38:01AM +0100, Jamie Lokier wrote:
> > That way, if a transparent proxy does not have explicit support for 101,
> > it will only forward the headers with an empty body (CL: 0) and close the
> > connection towards the client.
>
> I think this won't work. RFC2616 (HTTP 1.1):
>
> "Proxies MUST forward 1xx responses, unless the connection between the
> proxy and its client has been closed, or unless the proxy itself
> requested the generation of the 1xx response."
>
> It's not spelled out explicitly, but the expectation is that proxies
> forward 1xx responses generically, and then forward the next response.
>
> If the proxy doesn't know how to handle 101 responses, then it may
> simply forward the 101 as a generic 1xx, and then try to forward the
> *following* bytes as a HTTP response.
Yes but those will fail as the following bytes won't start with "HTTP/1.1",
and the proxy will close the connection.
> I would expect proxies to ignore Content-Length in 1xx:
>
> "1. Any response message which "MUST NOT" include a message-body (such
> as the 1xx, 204, and 304 responses and any response to a HEAD
> request) is always terminated by the first empty line after the
> header fields, regardless of the entity-header fields present in
> the message."
The content-length I proposed was precisely for those which are not
even aware of 1xx, nothing more.
> In other words, a relatively stupid proxy, but which is aware of the
> 1xx rule, will not close the connection, and will treat the hello
> text and subsequent bytes as a HTTP response to modify and forward.
Due to the next non-HTTP data, they must close with a "502 Bad Gateway"
upon receiving the first data following the 101 message that does not
look like "HTTP/1.1 XXX reason".
> There's some discussion on another list about using a 1xx response to
> indicate "request is being processed", for when the processing is slow
> to produce a response.
Nice idea, I was not aware of this discussion, I only initiated the one
about 101 not working like the general 1xx case ;-)
> The fact that is being taken seriously
> suggests that at least some deployments do forward 1xx messages in the
> way the standard requires.
Yes, at least the 100 are forwarded and heavily used with POST requests
("Expect: 100-continue").
But I agree with what you said in your other mail, the best way to know
is precisely to test !
As of now I have just tested via a Squid 2.6, Bluecoat proxy-sg v4 and
netcache (I don't remember the version), and all failed cleanly on the
101 by closing the connection. Apache 2.2.15 remains open after the 101
but immediately closes once it gets the first following byte. Also, none
of them sent the "Upgrade: WebSocket" in response, which is another good
reason to declare a failure ;-)
I'm not pretending the scheme covers every case (and I've not tested them),
but I think it addresses various generations of simplified implementations.
Regards,
Willy
- [hybi] Proposal for a clean way to detect non-HTT… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Greg Wilkins
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Jamie Lokier
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Greg Wilkins
- Re: [hybi] Proposal for a clean way to detect non… Roy T. Fielding
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau