- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Mon, 3 Oct 2016 22:24:19 +0300 (EEST)
- To: Van Catha <vans554@gmail.com>
- CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Van Catha <vans554@gmail.com>: (Mon Oct 3 19:39:34 2016)
> About Proxies:
> ~
> I assumed the concern was with forward / reverse proxies like NGINX
> forwarding http/2 to http.
>
> Afaik HTTP/2 browsers only allow using TLS, so an HTTP transparent proxy will
> not be able to "proxy" anything unless the reverse proxy serves a MITM
> certificate. I do not think this is a common enough use case.

You can avoid the complications of a forward proxy if you define
WebSocket2 only for the wss: scheme (which implies TLS).

In the case of the ws: scheme, the HTTP/2 request is
interpreted by the forward proxy. The forward proxy
uses :scheme and :authority to determine what
host and port to connect to and which protocol to
use.

( If browsers use HTTP/2 only for https connections,
then ws: means HTTP/1.1 for WebSocket protocol
negotiation, I guess. )

I do not know if any browser is using HTTP/2
for the connection to a configured proxy. I guess
that they use HTTP/1.1 here. Are there
HTTP/2 forward proxies either? (‡)

( Some browsers can use TLS on the connection
to a configured proxy. )

Anyway, the parts which process HTTP/2 frames
must understand that DATA frames are not
an HTTP request / response body. Instead they
behave the same way as with :method = CONNECT
(and no :scheme or :path).

The situation I was looking at was:

    +---------------------------+
    | Web browser or other      |
    | WebSocket client          |
    +---------------------------+
                  ⇓
                  ⇓
    +---------------------------+
    | forward proxy configured  |   ( client uses CONNECT
    | on client                 |     tunnel if encrypted scheme )
    +---------------------------+
                  ⇓
                  ⇓
    +---------------------------+
    | reverse proxy for         |   ( may include TLS offloading,
    | :authority                |     if encryption is used )
    +---------------------------+
                  ⇓
                  ⇓
    +---------------------------+
    | origin server             |
    |                           |
    +---------------------------+

I think that this is a common network
architecture.

I'm ignoring transparent proxies
and MITM of TLS here.

/ Kari Hurtta

(‡) nghttp2 as a forward proxy
needs an HTTP/1.1 proxy, which it
uses for proxy functionality.
nginx seems to mention only
reverse proxy.

Received on Monday, 3 October 2016 19:24:53 UTC