IETF Logo Mail Archive

Re: [hybi] #4: handshake does not work properly with HTTP reverse proxy.

Jamie Lokier <jamie@shareable.org> Mon, 26 July 2010 21:26 UTC

Return-Path: <jamie@shareable.org>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19A483A69BF for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 14:26:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.455
X-Spam-Level:
X-Spam-Status: No, score=-2.455 tagged_above=-999 required=5 tests=[AWL=0.144, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11r0sLAUffIy for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 14:26:18 -0700 (PDT)
Received: from mail2.shareable.org (mail2.shareable.org [80.68.89.115]) by core3.amsl.com (Postfix) with ESMTP id 110503A6839 for <hybi@ietf.org>; Mon, 26 Jul 2010 14:26:18 -0700 (PDT)
Received: from jamie by mail2.shareable.org with local (Exim 4.63) (envelope-from <jamie@shareable.org>) id 1OdVBu-0003kg-O6; Mon, 26 Jul 2010 22:26:30 +0100
Date: Mon, 26 Jul 2010 22:26:30 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Willy Tarreau <w@1wt.eu>
Message-ID: <20100726212630.GB23142@shareable.org>
References: <068.da8db0c773647cb0ed73d576f39e93ee@tools.ietf.org> <20100717023749.GA2426@shareable.org> <AANLkTil36SNqlpqq2zNMVSgsA_27kqnuioi0qFTKQR1m@mail.gmail.com> <20100721223010.GB14589@shareable.org> <20100721223947.GD6475@1wt.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20100721223947.GD6475@1wt.eu>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: hybi@ietf.org, hybi issue tracker <trac@tools.ietf.org>
Subject: Re: [hybi] #4: handshake does not work properly with HTTP reverse proxy.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2010 21:26:19 -0000

Willy Tarreau wrote:
> On Wed, Jul 21, 2010 at 11:30:10PM +0100, Jamie Lokier wrote:
> > Greg Wilkins wrote:
> > > More importantly, the best way to test if a connection will support
> > > websocket packets, is to just send websocket packets.   Sending 8/16
> > > random bytes immediately after the HTTP handshake may succeed for a
> > > huge variety of implementation reasons that still do not mean that
> > > websocket packets will succeed.   More importantly, to detect the
> > > non-success of sending of the 8/16 random bytes will still involve the
> > > same timeout handling that would be required to check the transmission
> > > of websocket packets.
> > 
> > The argument against just sending WebSocket packets is that some
> > WebSocket packets may be valid HTTP and therefore more likely to be
> > misinterpreted or be used as another attack vector, or simply fail to
> > fail fast.
> 
> Indeed, but even the first 8 random bytes can currently be used as a
> valid HTTP request or beginning of such, as some servers still accept
> HTTP/0.9 requests after a keep-alive request, and basically anything
> terminated with a line feed may constitude an HTTP/0.9 request.

According to RFC1945, a HTTP/0.9 request begins with "GET ".

> So in fact, relying on the server's 101 response to the Upgrade request
> is the most reliable thing to do, as it translates the server's intent
> to switch and to respect the negociated protocol.
> 
> Someone suggested that regularly sending keep-alives in the connection
> would be nice. I second this, especially with long-lived connections
> that will regularly get dropped on firewalls after too long idleness.
> This would also make it possible to ensure that the connection is OK.

Many people have suggested it.
I see three basic purposes for keepalives:

   - To tell the application at one end that it is up to date with
     state from the other end, with a certain amount of slack (the
     keepalive interval).  For example, a site intending to show live
     auction prices might display "information may be out of date" if
     it hasn't had a confirmation in the last 20 seconds.

   - To keep the connection open with numerous types of proxy, router,
     firewall etc.

   - To tell the server not to close the connection.  Servers must
     close connections after a timeout to avoid running out of resources.

Each of these has different timing requirements.

With WebSocket it's possible for an application to perform all the
necessary keepalives.  Strictly speaking, there is no need for them in
WebSocket itself.  However there are potential benefits to generic
assistance.  Applications might not make efficient choices for the
network context; it will be impossible for aggregators to combine
keepalives to reduce traffic because they cannot interfere with
unlabelled application messages, and some applications might (annoying
to some users) choose intervals which are too large for some networks,
or too small for others, and which drain power excessively and continuously.

That said, those are difficult to solve at any level, and it's not
immediately clear that WebSocket implementations would do a
particularly good job either.

-- Jamie

v2.23.0 | Report a Bug | By Email