W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Thu, 6 Oct 2016 06:57:07 +0300 (EEST)
Message-Id: <201610060357.u963v7wV020246@shell.siilo.fmi.fi>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Mike Bishop <Michael.Bishop@microsoft.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Patrick McManus <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, Ilari Liusvaara <ilariliusvaara@welho.com>
Martin Thomson <martin.thomson@gmail.com>: (Thu Oct  6 03:35:09 2016)

> I think that Kari was hinting at a problem where a load balancer
> terminates TLS and then routes based on the Host header alone.  The
> back-end servers aren't all equally capable of distinguishing between
> "secure" and "not-secure".

Yes. Host: -header alone or on case of HTTP/2 also :authority
can be used (if there is it).

SETTINGS_MIXED_SCHEME_PERMITTED RFC may be written that way
that  load balancer MUST NOT send it, if load balancer 
works with Host: / :authority alone. 

It is harder to say when SETTINGS_MIXED_SCHEME_PERMITTED = 1
can be sent.

Effectively there HTTP/2 over TLS requires quite
much new software if SETTINGS_MIXED_SCHEME_PERMITTED
route is used. Perhaps that is good.

Ilari Liusvaara:

| Then there is the problem what to do if client sends a :scheme value
| the server/rproxy does not know anything about, not even how to properly
| reject it.
| 
| In the original proposal, I proposed adding a new stream error type for
| rejecting such streams.

Hypothetical SETTINGS_MIXED_SCHEME_PERMITTED RFC  need specify
that error code.

/ Kari Hurtta
Received on Thursday, 6 October 2016 03:57:44 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 6 October 2016 03:57:46 UTC