Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
Willy Tarreau <w@1wt.eu> Thu, 22 July 2010 01:27 UTC
Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0BD433A6838 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 18:27:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.203
X-Spam-Level:
X-Spam-Status: No, score=-3.203 tagged_above=-999 required=5 tests=[AWL=-1.160, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZFnBipxI4TTR for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 18:27:31 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 6CA463A69A2 for <hybi@ietf.org>; Wed, 21 Jul 2010 18:27:30 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o6M1Rkxt007996; Thu, 22 Jul 2010 03:27:46 +0200
Date: Thu, 22 Jul 2010 03:27:46 +0200
From: Willy Tarreau <w@1wt.eu>
To: Jamie Lokier <jamie@shareable.org>
Message-ID: <20100722012746.GK7174@1wt.eu>
References: <20100721225210.GE6475@1wt.eu> <20100722003801.GJ14589@shareable.org> <20100722005845.GF7174@1wt.eu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20100722005845.GF7174@1wt.eu>
User-Agent: Mutt/1.4.2.3i
Cc: hybi@ietf.org
Subject: Re: [hybi] Proposal for a clean way to detect non-HTTP compliant transparent proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 01:27:32 -0000
I don't like to reply to myself, but I'm just realizing that using a POST instead of a GET as was already suggested in the past would most likely match most of the already in-place cache-bypass rules in front of transparent proxies, precisely because those proxies have no business processing such POST requests. I have a feeling that doing just that should already improve the success rate. It may also unlock the client-to-server direction on very low-level devices that would otherwise fail, allowing them to work. Willy On Thu, Jul 22, 2010 at 02:58:45AM +0200, Willy Tarreau wrote: > Hi Jamie, > > first, thanks for taking the time to review the proposal in depth and > to match it with standards. > > On Thu, Jul 22, 2010 at 01:38:01AM +0100, Jamie Lokier wrote: > > > That way, if a transparent proxy does not have explicit support for 101, > > > it will only forward the headers with an empty body (CL: 0) and close the > > > connection towards the client. > > > > I think this won't work. RFC2616 (HTTP 1.1): > > > > "Proxies MUST forward 1xx responses, unless the connection between the > > proxy and its client has been closed, or unless the proxy itself > > requested the generation of the 1xx response." > > > > It's not spelled out explicitly, but the expectation is that proxies > > forward 1xx responses generically, and then forward the next response. > > > > If the proxy doesn't know how to handle 101 responses, then it may > > simply forward the 101 as a generic 1xx, and then try to forward the > > *following* bytes as a HTTP response. > > Yes but those will fail as the following bytes won't start with "HTTP/1.1", > and the proxy will close the connection. > > > I would expect proxies to ignore Content-Length in 1xx: > > > > "1. Any response message which "MUST NOT" include a message-body (such > > as the 1xx, 204, and 304 responses and any response to a HEAD > > request) is always terminated by the first empty line after the > > header fields, regardless of the entity-header fields present in > > the message." > > The content-length I proposed was precisely for those which are not > even aware of 1xx, nothing more. > > > In other words, a relatively stupid proxy, but which is aware of the > > 1xx rule, will not close the connection, and will treat the hello > > text and subsequent bytes as a HTTP response to modify and forward. > > Due to the next non-HTTP data, they must close with a "502 Bad Gateway" > upon receiving the first data following the 101 message that does not > look like "HTTP/1.1 XXX reason". > > > There's some discussion on another list about using a 1xx response to > > indicate "request is being processed", for when the processing is slow > > to produce a response. > > Nice idea, I was not aware of this discussion, I only initiated the one > about 101 not working like the general 1xx case ;-) > > > The fact that is being taken seriously > > suggests that at least some deployments do forward 1xx messages in the > > way the standard requires. > > Yes, at least the 100 are forwarded and heavily used with POST requests > ("Expect: 100-continue"). > > But I agree with what you said in your other mail, the best way to know > is precisely to test ! > > As of now I have just tested via a Squid 2.6, Bluecoat proxy-sg v4 and > netcache (I don't remember the version), and all failed cleanly on the > 101 by closing the connection. Apache 2.2.15 remains open after the 101 > but immediately closes once it gets the first following byte. Also, none > of them sent the "Upgrade: WebSocket" in response, which is another good > reason to declare a failure ;-) > > I'm not pretending the scheme covers every case (and I've not tested them), > but I think it addresses various generations of simplified implementations. > > Regards, > Willy > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi
- [hybi] Proposal for a clean way to detect non-HTT… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Greg Wilkins
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Jamie Lokier
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Greg Wilkins
- Re: [hybi] Proposal for a clean way to detect non… Roy T. Fielding
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau
- Re: [hybi] Proposal for a clean way to detect non… Willy Tarreau