Re: HTTP/1.1 CONNECT request without Host header

Hi


Roy T. Fielding wrote:
> On Jun 16, 2009, at 3:26 PM, Adrien de Croy wrote:
>
>> I recently updated our proxy to reject all HTTP/1.1 messages from 
>> clients that lack a Host header.
>>
>> This has been found to break a number of clients which use the 
>> CONNECT method.
>
> What clients?
I only have a couple of reports since this wasn't in general release - a 
mail.ru client and FTP commander using CONNECT.

However, on further reading of RFC2616, it appears David Morris is 
correct, that a Host header is only a MUST requirement if the 
Request-URI is not an AbsoluteURI, and MUST be ignored if it is.  This 
doesn't cover the case where Request-URI is authority (as per 
CONNECT)... so a strict interpretation is that CONNECT requires host, 
although I imagine this wasn't the intent, since authority contains the 
required information.

>
>> So it's going to be a necessity to relax this particular requirement 
>> (in our proxy) at least for CONNECT.
>
> Unlikely.  Apache always responds to such a request with 400.
> AFAIK, all the other origin servers do as well, so even if the
> request is passed by your proxy it is going to fail on the origin.
>
We don't have this problem in normal circumstances, since we don't pass 
the CONNECT method through to the O-S, only an upstream proxy, and we 
insert a Host header if there is none.

I think probably the intention was that in RFC2616 S 5.2 where it reads

1. If Request-URI is an absoluteURI, the host is part of the 
Request-URI. Any Host header field value in the request MUST be ignored.

2. If the Request-URI is not an absoluteURI, and the request includes a 
Host header field, the host is determined by the Host header field value.

should read

1. If Request-URI is an absoluteURI or authority, the host is part of 
the Request-URI. Any Host header field value in the request MUST be 
ignored.

2. If the Request-URI is neither an absoluteURI nor an authority, and 
the request includes a Host header field, the host is determined by the 
Host header field value.

This leaves the question of the final of the 4 cases for Request-URI, 
being "*".  Is a host header required or not for this?  My assumption 
would be not.

Although it looks like S5.2 is intended for Origin Servers, rather than 
proxies.

S 9 states clearly "The Host request-header field (section 14.23) MUST 
accompany all HTTP/1.1 requests" which conflicts with 5.2 (otherwise 
must be present but must be ignored in case of Request-URI = 
AbsoluteURI...?)  5.2 implies (by saying "Any host header... ") that 
the Host header is optional, otherwise it should read "The host header 
MUST be ignored".

S 14.23 states "A client MUST include a Host header field in all 
HTTP/1.1 request messages. If the requested URI does not include an 
Internet host name for the service being requested, then the Host header 
field MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure 
that any request message it forwards does contain an appropriate Host 
header field that identifies the service being requested by the proxy. 
All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad 
Request) status code to any HTTP/1.1 request message which lacks a Host 
header field."

I've never seen an empty Host header, so I presume the uptake of that 
requirement is rare if any.

Regards

Adrien

> ....Roy
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
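The host-determination rules argued over in the thread above, as an added example in Python that is not part of this message and is not WinGate's code. It classifies the Request-URI into the four RFC 2616 forms, takes the host from the Request-URI for absoluteURI and (as the message proposes) for the CONNECT authority form, falls back to the Host header for abs_path and "*", and lets a proxy choose between the letter of S 14.23 (every HTTP/1.1 request must carry Host) and the relaxation described for CONNECT. It also shows the forwarding step where a missing Host header is inserted from the Request-URI. The hostnames and requests are constructed samples; refusing duplicate Host fields and overwriting a client-supplied Host that disagrees with the Request-URI are choices made here, not rules the thread states.

```python
"""Host handling for HTTP/1.1 requests at a proxy (hypothetical, not WinGate)."""
import re
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# absoluteURI: scheme "://" authority ...; group 1 is the authority (host[:port])
_ABSOLUTE_URI = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]+)')
# authority form as used by CONNECT: host ":" port (IPv6 literal in brackets)
_AUTHORITY = re.compile(r'^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+):[0-9]{1,5}$')


class BadRequest(Exception):
    """Raised where a server or proxy would answer 400 Bad Request."""


def parse_request(raw: bytes) -> Tuple[str, str, str, Headers]:
    """Split a request head into (method, Request-URI, version, headers).
    Header names are lower-cased and values stripped; any body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].rstrip(b"\r\n").decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed Request-Line: %r" % lines[0])
    headers: Headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise BadRequest("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return parts[0], parts[1], parts[2], headers


def classify_uri(method: str, uri: str) -> str:
    """Which of the four RFC 2616 Request-URI forms uri takes."""
    if uri == "*":
        return "*"
    if uri.startswith("/"):
        return "abs_path"
    if method == "CONNECT" and _AUTHORITY.match(uri):
        return "authority"
    if _ABSOLUTE_URI.match(uri):
        return "absoluteURI"
    raise BadRequest("unrecognised Request-URI form: %r" % uri)


def effective_host(method: str, uri: str, headers: Headers) -> Optional[str]:
    """S 5.2 with the amendment proposed above: absoluteURI and authority carry
    the host and any Host header is ignored; abs_path and "*" use Host (or None)."""
    form = classify_uri(method, uri)
    if form == "absoluteURI":
        return _ABSOLUTE_URI.match(uri).group(1)
    if form == "authority":
        return uri
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) > 1:
        # Not addressed in the thread; two Host fields is ambiguous, so refuse.
        raise BadRequest("multiple Host header fields")
    return hosts[0] if hosts else None


def check_request(raw: bytes, strict: bool = False) -> Tuple[str, str, Optional[str]]:
    """Validate a request head and return (method, uri_form, host).
    strict=True: letter of S 9 / S 14.23, every HTTP/1.1 request needs Host.
    strict=False: the relaxation above, a host in the Request-URI suffices.
    In both modes an abs_path request without Host is a 400 (nothing else
    names the origin)."""
    method, uri, version, headers = parse_request(raw)
    form = classify_uri(method, uri)
    host = effective_host(method, uri, headers)
    has_host_header = any(n == "host" for n, _ in headers)
    if version == "HTTP/1.1" and not has_host_header and (strict or form == "abs_path"):
        raise BadRequest("HTTP/1.1 request lacks a Host header")
    return method, form, host


def is_rejected(raw: bytes, strict: bool = False) -> bool:
    """True if check_request would answer 400 for this request."""
    try:
        check_request(raw, strict)
        return False
    except BadRequest:
        return True


def headers_to_forward(raw: bytes) -> Headers:
    """Headers the proxy sends upstream: a Host header is inserted from the
    Request-URI when the client omitted it (S 14.23), and when the Request-URI
    names the host, a client-supplied Host value is replaced by it so the
    forwarded message cannot say two different things (a choice made here;
    S 5.2 only says the header value MUST be ignored)."""
    method, uri, _version, headers = parse_request(raw)
    host = effective_host(method, uri, headers)
    if host is None or classify_uri(method, uri) not in ("absoluteURI", "authority"):
        return headers
    return [("host", host)] + [(n, v) for n, v in headers if n != "host"]


# Constructed sample requests (not captured traffic).
CONNECT_NO_HOST = b"CONNECT mail.example.net:443 HTTP/1.1\r\nUser-Agent: sample\r\n\r\n"
ABS_PATH_NO_HOST = b"GET /index.html HTTP/1.1\r\n\r\n"
ABS_URI_BAD_HOST = b"GET http://www.example.com/ HTTP/1.1\r\nHost: other.example.org\r\n\r\n"
STAR_NO_HOST = b"OPTIONS * HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for sample in (CONNECT_NO_HOST, ABS_PATH_NO_HOST, ABS_URI_BAD_HOST, STAR_NO_HOST):
        print(sample.split(b"\r\n")[0], "relaxed:", not is_rejected(sample),
              "strict:", not is_rejected(sample, strict=True))
```

Routing and access-control decisions in a proxy should key on `effective_host()`, never on the raw Host header, because for the absoluteURI and authority forms the header is exactly the value S 5.2 says must be ignored.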

Received on Wednesday, 17 June 2009 00:26:14 UTC