- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 17 Jun 2009 12:28:58 +1200
- To: "Roy T. Fielding" <fielding@gbiv.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Hi

Roy T. Fielding wrote:
> On Jun 16, 2009, at 3:26 PM, Adrien de Croy wrote:
>
>> I recently updated our proxy to reject all HTTP/1.1 messages from
>> clients that lack a Host header.
>>
>> This has been found to break a number of clients which use the
>> CONNECT method.
>
> What clients?

I only have a couple of reports since this wasn't in general release - a mail.ru client and FTP commander using CONNECT.

However, on further reading of RFC2616, it appears David Morris is correct, that a Host header is only a MUST requirement if the Request-URI is not an AbsoluteURI, and MUST be ignored if it is.

This doesn't cover the case where Request-URI is authority (as per CONNECT)... so a strict interpretation is that CONNECT requires host, although I imagine this wasn't the intent, since authority contains the required information.

>
>> So it's going to be a necessity to relax this particular requirement
>> (in our proxy) at least for CONNECT.
>
> Unlikely. Apache always responds to such a request with 400.
> AFAIK, all the other origin servers do as well, so even if the
> request is passed by your proxy it is going to fail on the origin.
>

We don't have this problem in normal circumstances, since we don't pass the CONNECT method through to the O-S, only an upstream proxy, and we insert a Host header if there is none.

I think probably the intention was that in RFC2616 S 5.2 where it reads

1. If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.

2. If the Request-URI is not an absoluteURI, and the request includes a Host header field, the host is determined by the Host header field value.

should read

1. If Request-URI is an absoluteURI or authority, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.

2. If the Request-URI is neither an absoluteURI nor an authority, and the request includes a Host header field, the host is determined by the Host header field value.

This leaves the question of the final of the 4 cases for Request-URI, being "*". Is a host header required or not for this? My assumption would be not.

Although it looks like S5.2 is intended for Origin Servers, rather than proxies.

S 9 states clearly

"The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests"

which conflicts with 5.2 (otherwise must be present but must be ignored in case of Request-URI = AbsoluteURI...?)

5.2. implies (by saying "Any host header... ") that the Host header is optional, otherwise it should read "The host header MUST be ignored".

S 14.2.3 states

"A client MUST include a Host header field in all HTTP/1.1 request messages. If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure that any request message it forwards does contain an appropriate Host header field that identifies the service being requested by the proxy. All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field."

I've never seen an empty Host header, so I presume the up-take of that requirement is rare if any.

Regards

Adrien

> ....Roy
>

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Wednesday, 17 June 2009 00:26:14 UTC
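
The host-determination rule discussed in the message above, as an added Python example that is not part of the original message or of any proxy's code: it applies RFC 2616 section 5.2 with the amendment the message proposes (authority form treated like absoluteURI) and the message's assumption that "*" needs no Host header, next to the literal "Host on every request" reading. The function names, the `strict_host` switch and the `.test` hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def classify_request_uri(method, uri):
    """Name which of the four RFC 2616 Request-URI forms `uri` takes."""
    if uri == "*":
        return "asterisk"
    if uri.startswith("/"):
        return "abs_path"
    if "://" in uri:
        return "absoluteURI"
    if method == "CONNECT":
        return "authority"          # host:port, as used by CONNECT
    raise ValueError("unrecognised Request-URI: %r" % (uri,))

def effective_host(method, uri, headers, strict_host=False):
    """Return (ok, host); ok=False means answer 400 (Bad Request).

    strict_host=True is the literal reading: every HTTP/1.1 request must
    carry Host. strict_host=False is the amended section 5.2 reading.
    """
    host_hdr = {k.lower(): v for k, v in headers.items()}.get("host")
    if strict_host and host_hdr is None:
        return (False, None)
    form = classify_request_uri(method, uri)
    if form == "absoluteURI":
        return (True, urlsplit(uri).netloc)   # any Host header is ignored
    if form == "authority":
        return (True, uri)                    # proposed amendment
    if form == "asterisk":
        return (True, host_hdr)               # message's assumption: Host optional
    # abs_path: only the Host header identifies the service
    return (host_hdr is not None, host_hdr)

# Constructed sample requests (hostnames are placeholders).
SAMPLES = [
    ("CONNECT", "mail.example.test:443", {}),
    ("GET", "http://a.example.test/x", {"Host": "b.example.test"}),
    ("GET", "/index.html", {}),
    ("OPTIONS", "*", {}),
]

if __name__ == "__main__":
    for method, uri, headers in SAMPLES:
        print(method, uri, effective_host(method, uri, headers),
              effective_host(method, uri, headers, strict_host=True))
```

Running it prints both readings side by side for each sample, which makes the CONNECT-without-Host disagreement visible.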