- From: Fedor Indutny <fedor@indutny.com>
- Date: Wed, 08 Jul 2015 08:28:09 +0000
- To: ietf-http-wg@w3.org
- Message-Id: <CAEv2VfJyOnQ9Ft7t92GSH6HTVuEYOoz_6R_axuUHF3TrViP-mw@mail.gmail.com>
Hello again!

I have a question/suggestion with regard to the HTTP2 spec and TLS terminator implementations.

When HTTP2 (or previously SPDY) is used under a TLS terminator, there is a big question about how the address of the original client should be sent to the back end.

One of the ways is to add an `x-forwarded-for` header to every request, but it requires parsing the underlying protocol (be it HTTP2, SPDY, or HTTP/1.1), which is rather costly.

Another approach is to send a (so-called) proxy line. This is what [HAProxy][0] and stud ([hitch][1]) are doing at the moment. In a few words, this means prefixing all decrypted data with a single line specifying the client's IP address and port (and sometimes more metadata, like the TLS server name and other protocol-specific things).

And the third approach, which to the best of my knowledge is implemented only in the [bud][2] TLS terminator, is to add a special SPDY frame asking the SPDY server to automatically add `x-forwarded-for` for every incoming connection.

What I was wondering is whether this frame could be standardized, or at least whether it might be possible to allocate a frame type for it, so that people may use it for their own purposes without being afraid of possible frame type conflicts.

What are your thoughts on this?

Thank you,
Fedor.

[0]: http://www.haproxy.org/
[1]: https://github.com/varnish/hitch
[2]: https://github.com/indutny/bud
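The second approach in the message above, the proxy line that HAProxy and hitch prepend to the decrypted stream, is the one a back end most often has to consume. The following is an added example, not code from bud, HAProxy or hitch: a back-end-side parser for the PROXY protocol v1 line (`PROXY TCP4|TCP6 <src> <dst> <srcport> <dstport>\r\n`, or `PROXY UNKNOWN`, header at most 107 bytes including CRLF) together with the check a practitioner would insist on, namely that the line is only honoured when the TCP peer is a known terminator, since anyone else who can reach the back-end port could otherwise forge the client address. The addresses, the trusted-terminator set and the sample payloads are constructed for the example.

```python
"""PROXY protocol v1 "proxy line" parser for a back end behind a TLS terminator.

Added example for this thread; not code from bud, HAProxy or hitch.
Line formats handled (public PROXY protocol v1 text):
  PROXY TCP4 <src> <dst> <srcport> <dstport>\r\n
  PROXY TCP6 <src> <dst> <srcport> <dstport>\r\n
  PROXY UNKNOWN[ ...]\r\n
The header including CRLF is at most 107 bytes.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

MAX_V1_HEADER = 107

# Constructed for the example: addresses of the TLS terminators we trust.
TRUSTED_TERMINATORS = {"10.0.0.2"}


class ProxyLineError(ValueError):
    """Raised when the data does not start with a well-formed PROXY line."""


def _port(field: bytes) -> int:
    # Decimal ASCII digits only; bytes.isdigit() also rejects empty fields and signs.
    if not field.isdigit() or len(field) > 5:
        raise ProxyLineError("bad port %r" % field)
    port = int(field)
    if port > 65535:
        raise ProxyLineError("port out of range: %d" % port)
    return port


def _addr(field: bytes, version: int) -> str:
    try:
        addr = ipaddress.ip_address(field.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raise ProxyLineError("bad address %r" % field)
    if addr.version != version:
        raise ProxyLineError("address family does not match %r" % field)
    return str(addr)


def parse_proxy_line(data: bytes) -> Tuple[Optional[dict], bytes]:
    """Split data into (connection info, remaining application bytes).

    info is None for "PROXY UNKNOWN" (the terminator could not determine the peer).
    Raises ProxyLineError on anything that is not a well-formed v1 line, so the
    caller never falls back to treating garbage as application data.
    """
    # The CRLF must fall within the first 107 bytes; a longer "line" is not a proxy line.
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyLineError("no CRLF within %d bytes" % MAX_V1_HEADER)
    line, rest = data[:end], data[end + 2:]
    parts = line.split(b" ")  # fields are separated by exactly one space; "" fields fail below
    if parts[0] != b"PROXY" or len(parts) < 2:
        raise ProxyLineError("missing PROXY signature")
    proto = parts[1]
    if proto == b"UNKNOWN":
        return None, rest  # anything after UNKNOWN is ignored, per the v1 text
    if proto not in (b"TCP4", b"TCP6") or len(parts) != 6:
        raise ProxyLineError("bad protocol or field count: %r" % line)
    version = 4 if proto == b"TCP4" else 6
    info = {
        "family": proto.decode("ascii"),
        "src_ip": _addr(parts[2], version),
        "dst_ip": _addr(parts[3], version),
        "src_port": _port(parts[4]),
        "dst_port": _port(parts[5]),
    }
    return info, rest


def client_from_connection(peer_ip: str, data: bytes,
                           trusted: Iterable[str] = TRUSTED_TERMINATORS
                           ) -> Tuple[str, Optional[int], bytes]:
    """Return (client_ip, client_port_or_None, application_bytes).

    The proxy line is honoured only when the TCP peer is a trusted terminator.
    For any other peer the data is passed through untouched and the peer itself
    is the client: an untrusted sender must not be able to pick its own address.
    """
    if ipaddress.ip_address(peer_ip) not in {ipaddress.ip_address(t) for t in trusted}:
        return peer_ip, None, data
    info, rest = parse_proxy_line(data)
    if info is None:
        return peer_ip, None, rest  # UNKNOWN: fall back to the terminator's address
    return info["src_ip"], info["src_port"], rest


if __name__ == "__main__":
    # Constructed sample: what hitch/HAProxy would write before the first HTTP byte.
    sample = b"PROXY TCP4 192.0.2.10 203.0.113.5 51234 443\r\nGET / HTTP/1.1\r\n"
    print(client_from_connection("10.0.0.2", sample))       # honoured: from a terminator
    print(client_from_connection("198.51.100.9", sample))   # ignored: direct connection
```

The parser is deliberately strict: it fails closed on an overlong line, a wrong field count, a double space, a port outside 0..65535 or an address whose family does not match the `TCP4`/`TCP6` token, because a back end that tolerantly "skips" a bad header ends up either logging a forged address or feeding the line into its HTTP parser. The third approach from the message, a dedicated HTTP2/SPDY frame, is not shown here because no frame type has been allocated for it.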
Received on Wednesday, 8 July 2015 10:00:29 UTC