Re: #158: Proxy-Connection and Keep-alive

Hi Mark,

On Mon, Nov 28, 2011 at 03:44:40PM +1100, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/158>
> 
> Description: 
> 
> > The Keep-Alive header is referred to in a few places, but not defined as a HTTP/1.1 header. This should be addressed (e.g., in an appendix).
> > 
> > Likewise, Proxy-Connection is still (!) in common use, but has been deprecated for at least a decade. A few words in an appendix may encourage implementers to stop this practice.
> 
> We already have text in p1 about Keep-Alive, so it seemed best to just modify it slightly to also cover Proxy-Connection. I made a proposal on-ticket:
> 
> > Proposal - replace p1 A.1.2 with:
> > 
> > Most HTTP/1.0 implementations use a separate connection for each request. However, some implement persistent connections using the Keep-Alive negotiation mechanism described in Section 19.7.1 of [RFC2068].
> > 
> > In contrast, persistent connections are the default for HTTP/1.1; they do not need to be explicitly negotiated, as in HTTP/1.0. This is because there were various interoperability problems in the implementations of HTTP/1.0 persistent connections, especially when a proxy is involved.
> > 
> > For example, some existing HTTP/1.0 clients might send Keep-Alive to a proxy server that doesn't understand Connection, which would then erroneously forward it to the next inbound server, which would establish the Keep-Alive connection and result in a hung HTTP/1.0 proxy waiting for the close on the response. The result is that HTTP/1.0 clients must be prevented from using Keep-Alive when talking to proxies.
> > 
> > However, talking to proxies is the most important use of persistent connections, so that prohibition is clearly unacceptable. Some early attempts to correct this used the Proxy-Connection request header, but this approach was also unworkable, for similar reasons.
> > 
> > Therefore, some other mechanism for indicating a persistent connection was needed -- one that is safe to use even when talking to an old proxy that ignores Connection. Persistent connections are the default for HTTP/1.1 messages; we introduce a new keyword (Connection: close) for declaring non-persistence. See Section 8.1.
> > 
> > As a result, HTTP/1.1 clients ought not to send the Proxy-Connection or Keep-Alive header; at best, they will waste bytes in requests, and at worst they can cause interoperability problems.
> 
> We should also probably register Proxy-Connection with a status of "obsoleted".
> 
> Comments?

I like this. Shouldn't we add something like this :

  A proxy receiving an HTTP/1.1 request must ignore Proxy-Connection and
  Keep-Alive headers and consider only the Connection header.

and :

  A client wishing to use persistent connections with a proxy running an
  unknown HTTP version may explicitly send "Connection: keep-alive". This
  statement will be silently ignored by 1.1 proxies and will enable use of
  persistent connections on 1.0 proxies which understand the Connection header.

I've encountered a number of issues when deploying haproxy as an intermediary
between some clients and ancient Squid versions which made me use the
Proxy-Connection header only in this case because the Connection header was
not always usable. From what I recall, the issue appeared if haproxy only
altered the Connection header and not the Proxy-Connection, because both the
proxy and the client would consider only the latter.

It's easy to notice in a response that it's HTTP/1.0, but in the request,
the client speaks 1.1 and the intermediary does not know the next hop will
prefer Proxy-Connection over Connection.

For instance, if I send this to my local squid 2.6-stable13 :

  HEAD http://www.yahoo.fr/ HTTP/1.1
  Host: www.yahoo.fr
  Proxy-connection: keep-alive
  Connection: close

The connection remains alive in the response :

  HTTP/1.0 301 Moved Permanently
  Date: Mon, 28 Nov 2011 06:39:55 GMT
  P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
  Cache-Control: max-age=3600
  Location: http://fr.yahoo.com/
  Vary: Accept-Encoding
  Content-Type: text/html; charset=utf-8
  Age: 165
  Content-Length: 81
  Server: YTS/1.19.5
  X-Cache: MISS from px.home.local
  Via: HTTP/1.1 rc1.ops.ird.yahoo.com (YahooTrafficServer/1.19.5 [cHs f ]), 1.0 px.home.local:3128 (squid/2.6.STABLE13)
  Proxy-Connection: keep-alive

But at least it seems that Squid falls back to Connection if it does not
see Proxy-Connection. It just defaults to close if neither is present,
which makes a difference with standard HTTP/1.1, so clients will be tempted
to continue to send "Proxy-Connection: keep-alive" with such proxies. While
Squid is quite smart and interoperable, I suspect that other proxies are
harder to get right when it comes to the Connection header. So the
Proxy-Connection header will probably still live for a long time because of
this if we don't suggest an alternative solution as above.

Best regards,
Willy

Received on Monday, 28 November 2011 07:02:18 UTC
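
The header precedence discussed in this message, as an added example that is not part of the original post and is not haproxy or Squid code. It models the proposed HTTP/1.1 rule next to the legacy-proxy behaviour reported above, shows that the two hops disagree on the quoted request, and shows that an explicit Connection header with Proxy-Connection removed makes them agree; all function names are hypothetical.

```python
# Simplified model of the two policies; assumption: the legacy policy follows
# only what the message reports (Proxy-Connection, then Connection, else close).

def parse_head(raw):
    """Return (version, [(name, value), ...]) from a raw request head."""
    lines = [l.strip() for l in raw.strip().splitlines()]
    version = lines[0].rsplit(" ", 1)[1]
    headers = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return version, headers

def tokens(headers, name):
    """Lower-cased comma-separated tokens of every header called `name`."""
    return {t.strip().lower() for n, v in headers if n.lower() == name
            for t in v.split(",") if t.strip()}

def persistent_http11(version, headers):
    """Proposed rule: only Connection counts; HTTP/1.1 defaults to persistent."""
    conn = tokens(headers, "connection")
    if "close" in conn:
        return False
    return version == "HTTP/1.1" or "keep-alive" in conn

def persistent_legacy(version, headers):
    """Legacy proxy as reported: Proxy-Connection wins, default is close."""
    for name in ("proxy-connection", "connection"):
        t = tokens(headers, name)
        if t:
            return "keep-alive" in t and "close" not in t
    return False

def hops_disagree(version, headers):
    """True when the two policies reach different connection states."""
    return persistent_http11(version, headers) != persistent_legacy(version, headers)

def rewrite_for_next_hop(headers, want_persistent):
    """State the intent in Connection only (other Connection tokens not kept)."""
    drop = {"proxy-connection", "keep-alive", "connection"}
    kept = [(n, v) for n, v in headers if n.lower() not in drop]
    return kept + [("Connection", "keep-alive" if want_persistent else "close")]

# The request quoted in the message.
SAMPLE = """HEAD http://www.yahoo.fr/ HTTP/1.1
Host: www.yahoo.fr
Proxy-connection: keep-alive
Connection: close
"""
```

A disagreement between the two functions is the case where one side holds the connection open while the other expects a close, which is the hang the quoted proposal text describes.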