
X-Forwarded-For and HTTP2

From: Fedor Indutny <fedor@indutny.com>
Date: Wed, 08 Jul 2015 08:28:09 +0000
Message-Id: <CAEv2VfJyOnQ9Ft7t92GSH6HTVuEYOoz_6R_axuUHF3TrViP-mw@mail.gmail.com>
To: ietf-http-wg@w3.org
Hello again!

I have a question/suggestion with regard to the HTTP2 spec, and TLS
terminator implementations.

When HTTP2 (or previously SPDY) is used under the TLS terminator,
there is a big question about how the address of the original
client should be sent to the back end.

One of the ways is to add `x-forwarded-for` header for every
request, but it requires parsing the underlying protocol (be it
HTTP2, SPDY, or HTTP/1.1), which is rather costly.

Another approach is to send a (so-called) proxyline. This is what
[HAProxy][0], and stud ([hitch][1]) are doing at the moment. In
a few words, this means prefixing all decrypted data with a single
line specifying the client's IP address and port (and sometimes
more metadata, like TLS servername and other protocol-specific
things).

And the third approach, which to the best of my knowledge is
implemented only in the [bud][2] TLS terminator, is to add a special
SPDY frame, asking the SPDY server to automatically add
`x-forwarded-for` for every incoming connection.

What I was wondering is whether this frame could be standardized, or at
least whether it might be possible to allocate a frame type for it,
so that people may use it for their own purposes without being
afraid of possible frame type conflicts.

What are your thoughts on this?

Thank you,
Fedor.

[0]: http://www.haproxy.org/
[1]: https://github.com/varnish/hitch
[2]: https://github.com/indutny/bud
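The proxyline and frame approaches described in the message above, as an added example that is not part of the original post nor code from HAProxy, hitch or bud: a backend-side parser for the HAProxy PROXY protocol v1 line, the trust check a backend must apply before honouring it, the `x-forwarded-for` stamping that results, and an HTTP/2 framing sketch of the connection-level extension frame the message asks about. The trusted terminator address `10.0.0.5`, the frame type `0xF0`, the payload layout of that frame and the sample request bytes are all assumptions constructed for this example; no such frame type is allocated by RFC 7540.

```python
"""Added example (not HAProxy/hitch/bud code): parse a PROXY v1 proxyline,
honour it only from a trusted terminator, stamp x-forwarded-for, and sketch
a hypothetical HTTP/2 extension frame carrying the same client address."""
import ipaddress

PROXY_V1_MAX = 107  # longest valid v1 line including CRLF (PROXY spec)

# Assumption for this example: only this terminator may set a proxyline.
TRUSTED_TERMINATORS = {ipaddress.ip_address("10.0.0.5")}

# Assumption: a hypothetical, unallocated HTTP/2 frame type for the
# "add x-forwarded-for" signal discussed on the list.
FORWARDED_FRAME_TYPE = 0xF0

# Constructed sample: proxyline from the terminator followed by the request.
SAMPLE = (b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")


def parse_proxy_v1(data):
    """Split a v1 proxyline off the front of `data`.

    Returns (meta, rest); meta is None for "PROXY UNKNOWN". Raises ValueError
    on anything malformed so the connection is dropped rather than guessed at.
    """
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ValueError("no CRLF-terminated proxyline within %d bytes" % PROXY_V1_MAX)
    fields = data[:end].decode("ascii", "strict").split(" ")
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, rest  # terminator could not determine the client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad proxyline shape")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match %s" % fields[1])
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or int(p) > 65535:  # isdigit also rejects "+1", "-1"
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    return {"src": src, "dst": dst, "sport": ports[0], "dport": ports[1]}, rest


def rejects(data):
    """True if the proxyline parser refuses `data` (used by the checks)."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return True
    return False


def resolve_client(peer, data):
    """Decide the real client address for a connection from `peer`.

    A proxyline is honoured only when the connection comes from a trusted
    terminator; from anyone else it is just application bytes, so a client
    cannot spoof its address by sending its own "PROXY ..." line.
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_TERMINATORS:
        return peer_ip, data
    meta, rest = parse_proxy_v1(data)
    return (meta["src"] if meta else peer_ip), rest


def stamp_x_forwarded_for(headers, client_ip):
    """Append the terminator-verified address to x-forwarded-for.

    Any inbound value is kept but is client-controlled; only the rightmost
    entry, appended here, is trustworthy.
    """
    existing = headers.get("x-forwarded-for")
    headers["x-forwarded-for"] = ("%s, %s" % (existing, client_ip)) if existing else str(client_ip)
    return headers


def h2_frame(ftype, flags, stream_id, payload):
    """Encode an HTTP/2 frame: 9-octet header per RFC 7540 section 4.1."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds 2^24-1 octets")
    return (len(payload).to_bytes(3, "big") + bytes([ftype & 0xFF, flags & 0xFF])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def h2_parse_frame(buf):
    """Decode one frame; returns (type, flags, stream_id, payload, rest)."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[:3], "big")
    if len(buf) < 9 + length:
        raise ValueError("truncated frame payload")
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF  # drop reserved bit
    return buf[3], buf[4], stream_id, buf[9:9 + length], buf[9 + length:]


def encode_forwarded_frame(meta):
    """Connection-level (stream 0) extension frame with the client src/port.
    Payload layout is an assumption; peers that do not know the type must
    ignore and discard the frame (RFC 7540 section 4.1)."""
    payload = ("%s %d" % (meta["src"], meta["sport"])).encode("ascii")
    return h2_frame(FORWARDED_FRAME_TYPE, 0, 0, payload)


def decode_forwarded_frame(payload):
    """Inverse of encode_forwarded_frame; returns (address string, port)."""
    addr, port = payload.decode("ascii").split(" ")
    return str(ipaddress.ip_address(addr)), int(port)


if __name__ == "__main__":
    ip, rest = resolve_client("10.0.0.5", SAMPLE)
    print("client:", ip, "first request bytes:", rest[:14])
```

Two points the code makes that the message leaves implicit: the proxyline is only meaningful on a hop whose peer address the backend already trusts, which is why `resolve_client` checks the peer before parsing; and an existing `x-forwarded-for` value arriving with the request is attacker-controlled, so the backend appends rather than overwrites and should read only the entry its own edge added.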


Received on Wednesday, 8 July 2015 10:00:29 UTC
