Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
Jamie Lokier <jamie@shareable.org> Thu, 22 July 2010 00:37 UTC
Return-Path: <jamie@shareable.org>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C1FF3A6972 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 17:37:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.508
X-Spam-Level:
X-Spam-Status: No, score=-2.508 tagged_above=-999 required=5 tests=[AWL=0.091, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jBqYZo80H2Hw for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 17:37:45 -0700 (PDT)
Received: from mail2.shareable.org (mail2.shareable.org [80.68.89.115]) by core3.amsl.com (Postfix) with ESMTP id D73BC3A68F5 for <hybi@ietf.org>; Wed, 21 Jul 2010 17:37:44 -0700 (PDT)
Received: from jamie by mail2.shareable.org with local (Exim 4.63) (envelope-from <jamie@shareable.org>) id 1ObjnV-0001U6-Dq; Thu, 22 Jul 2010 01:38:01 +0100
Date: Thu, 22 Jul 2010 01:38:01 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Willy Tarreau <w@1wt.eu>
Message-ID: <20100722003801.GJ14589@shareable.org>
References: <20100721225210.GE6475@1wt.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20100721225210.GE6475@1wt.eu>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: hybi@ietf.org
Subject: Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 00:37:46 -0000
Willy Tarreau wrote:
>
> I've just thought about a way to fix the initial handshake so that it
> works with proper HTTP-compliant implementations but still fails through
> non-compliant transparent proxies.
>
> Let's have the client send the initial handshake request to the server.
> This handshake is only made of HTTP headers. The client completes the
> request with "Connection: close" so that a transparent intermediate
> does not wait for a possible second request in case it does not understand
> the upgrade response :
>
> GET /xxxx HTTP/1.1
> Upgrade: WebSocket
> Connection: close
> ... ws headers ...
> ...
> \r\n
>
> The server will send :
>
> HTTP/1.1 101 Swithing protocols
> Upgrade: WebSocket
> Content-length: 0
> Connection: close
> ... ws headers ...
> ...
> \r\n
> any-form-of-hello-message (eg: the server's protocol version)
>
> That way, if a transparent proxy does not have explicit support for 101,
> it will only forward the headers with an empty body (CL: 0) and close the
> connection towards the client.
I think this won't work. RFC2616 (HTTP 1.1):
"Proxies MUST forward 1xx responses, unless the connection between the
proxy and its client has been closed, or unless the proxy itself
requested the generation of the 1xx response."
It's not spelled out explicitly, but the expectation is that proxies
forward 1xx responses generically, and then forward the next response.
If the proxy doesn't know how to handle 101 responses, then it may
simply forward the 101 as a generic 1xx, and then try to forward the
*following* bytes as a HTTP response.
I would expect proxies to ignore Content-Length in 1xx:
"1. Any response message which "MUST NOT" include a message-body (such
as the 1xx, 204, and 304 responses and any response to a HEAD
request) is always terminated by the first empty line after the
header fields, regardless of the entity-header fields present in
the message."
In other words, a relatively stupid proxy, but which is aware of the
1xx rule, will not close the connection, and will treat the hello
text and subsequent bytes as a HTTP response to modify and forward.
There's some discussion on another list about using a 1xx response to
indicate "request is being processed", for when the processing is slow
to produce a response. The fact that is being taken seriously
suggests that at least some deployments do forward 1xx messages in the
way the standard requires.
-- Jamie
- [hybi] Proposal for a clean way to detect non-HTT… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Greg Wilkins
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Jamie Lokier
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Greg Wilkins
- Re: [hybi] Proposal for a clean way to detect non… Roy T. Fielding
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau