- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 21 Feb 2013 09:24:24 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Feb 21, 2013 at 06:37:30PM +1100, Mark Nottingham wrote:
> Oh, and of the 3589 attempts to get a Server header, fully 1099 got some sort
> of HTTP (or lower layer) error; haven't dug into that yet, though.

OK, so most likely IDS/IPS are making fun of your script, which also explains why so many server strings are valid despite the timeouts (mostly Apache and IIS).

> I did, however, see some SMTP servers listening on port 80 in earlier testing...

Interesting! We must be in the small percentage of the totally non-compliant servers and intermediaries!

The problem I'm seeing is that if we craft too ugly a pattern, we can hope for early failures on transparent intercepting devices, but we can have some dirty servers time out, and if we craft too valid a request, we can have the intercepting devices hang because they're not aware of the syntax, while end servers would happily reject them.

For instance, sending "HEAD /.upgrade HTTP/1.1" with the appropriate Host should lead to various responses from 404 to 301, 302 etc on origin servers, but nothing there allows an intermediary to upgrade. If we send the same thing with a "Connection: upgrade", we'll have a number of them comply but not all. If we send "FOO\r\n", most intermediaries will block (or rewrite as "FOO / HTTP/1.0\r\n\r\n") but origin servers have trouble with this.

BTW, one thing I like with the Connection Upgrade is that the new protocol is used over the longest path, which is where it is supposed to reduce latency. If we try to terminate the protocol on the first intercepting proxy, it is very likely that this proxy will be located at the end user's ISP and will rewrite as HTTP/1.1 to access the whole world, removing most of the new protocol's value. This is not bad in 3G, but 3G operators can already do whatever they want. And I think it is important that we focus on achieving the longest possible path with 2.0 (ideally, 1.1 should only be between the server-side LBs and the servers themselves).

Regards, Willy
Received on Thursday, 21 February 2013 08:24:58 UTC
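
The three probe patterns discussed in the message above, with a classifier for what comes back, as an added example that is not part of the original e-mail or of the survey script it refers to. The Host value, the category names and the sample responses are constructed for illustration.

```python
import re
from collections import Counter

# First line of an HTTP response, and an SMTP-style "220" greeting
# (the message mentions SMTP servers answering on port 80).
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})(?: |\r?\n|$)")
SMTP_GREETING = re.compile(rb"^220[ -]")

def build_probes(host="origin.example"):
    """Return the three request patterns from the message as raw bytes."""
    base = "HEAD /.upgrade HTTP/1.1\r\nHost: %s\r\n" % host
    return {
        "head": (base + "\r\n").encode("ascii"),
        "head+upgrade": (base + "Connection: upgrade\r\n\r\n").encode("ascii"),
        "bare-token": b"FOO\r\n",
    }

def classify(raw):
    """Map the first bytes read from the peer to a coarse category.
    None means the read timed out; b"" means the peer closed silently."""
    if raw is None:
        return "timeout"
    if not raw:
        return "closed"
    m = STATUS_LINE.match(raw)
    if m:
        code = int(m.group(1))
        if code == 101:
            return "switching-protocols"
        if 300 <= code < 400:
            return "redirect"
        if 400 <= code < 500:
            return "client-error"
        return "other-http"
    if SMTP_GREETING.match(raw):
        return "non-http-banner"
    return "unparseable"

# Constructed sample results: (probe name, first bytes received or None).
SAMPLES = [
    ("head", b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"),
    ("head", b"HTTP/1.1 301 Moved Permanently\r\nLocation: /\r\n\r\n"),
    ("head+upgrade", b"HTTP/1.1 302 Found\r\n\r\n"),
    ("bare-token", None),
    ("bare-token", b"HTTP/1.0 400 Bad Request\r\n\r\n"),
    ("head", b"220 mail.example ESMTP\r\n"),
]

def tally(samples):
    """Count outcomes per (probe, category) so probe patterns can be compared."""
    return Counter((probe, classify(raw)) for probe, raw in samples)
```

Tallying by (probe, category) keeps timeouts and non-HTTP banners separate from ordinary 3xx/4xx answers, which is the distinction the message draws between intercepting devices and origin servers.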