- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Thu, 6 Oct 2016 06:57:07 +0300 (EEST)
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Mike Bishop <Michael.Bishop@microsoft.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Patrick McManus <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, Ilari Liusvaara <ilariliusvaara@welho.com>
Martin Thomson <martin.thomson@gmail.com>: (Thu Oct 6 03:35:09 2016)
> I think that Kari was hinting at a problem where a load balancer
> terminates TLS and then routes based on the Host header alone. The
> back-end servers aren't all equally capable of distinguishing between
> "secure" and "not-secure".

Yes. The Host: header alone, or in the case of HTTP/2 also :authority, can be used (if it is present).

The SETTINGS_MIXED_SCHEME_PERMITTED RFC may be written such that a load balancer MUST NOT send it if the load balancer works with Host: / :authority alone.

It is harder to say when SETTINGS_MIXED_SCHEME_PERMITTED = 1 can be sent.

Effectively, HTTP/2 over TLS then requires quite a lot of new software if the SETTINGS_MIXED_SCHEME_PERMITTED route is used. Perhaps that is good.

Ilari Liusvaara:
| Then there is the problem what to do if client sends a :scheme value
| the server/rproxy does not know anything about, not even how to properly
| reject it.
|
| In the original proposal, I proposed adding a new stream error type for
| rejecting such streams.

A hypothetical SETTINGS_MIXED_SCHEME_PERMITTED RFC needs to specify that error code.

/ Kari Hurtta
Received on Thursday, 6 October 2016 03:57:44 UTC
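Added example, not part of the thread above and not code from any of its participants: a toy model of a TLS-terminating HTTP/2 front end that applies the two rules discussed in the message. It advertises SETTINGS_MIXED_SCHEME_PERMITTED only when every backend it routes to can tell a "secure" request from a "not-secure" one, it refuses to forward an http-scheme request to a backend that cannot, and it rejects an unknown :scheme with a dedicated stream error. The numeric setting identifier, the numeric error code for unknown schemes, the X-Forwarded-Proto convention for carrying the scheme to the backend, and the Backend/FrontEnd classes are all assumptions made for this example; the hypothetical RFC never assigned them. The PROTOCOL_ERROR value and the treatment of a missing :scheme as a malformed request are from RFC 7540.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# ASSUMPTION: placeholder numbers; the draft discussed in the thread never fixed them.
SETTINGS_MIXED_SCHEME_PERMITTED = 0xFF01  # hypothetical SETTINGS identifier
ERR_UNKNOWN_SCHEME = 0xFF                 # hypothetical stream error for unknown :scheme
PROTOCOL_ERROR = 0x1                      # RFC 7540 section 7


@dataclass
class Backend:
    name: str
    # Can this backend distinguish "secure" from "not-secure" on a request that
    # arrives from the front end over an already-terminated TLS connection?
    scheme_aware: bool


@dataclass
class FrontEnd:
    # Routing table keyed by authority only (Host: / :authority routing).
    routes: Dict[str, Backend]
    advertised_mixed_scheme: bool = False

    def settings_frame(self) -> Dict[int, int]:
        """Build the SETTINGS payload sent on a TLS connection.

        A front end that routes on Host/:authority alone and has even one
        backend that cannot tell schemes apart MUST NOT advertise the setting,
        because an http-scheme request would reach that backend looking exactly
        like an https one.
        """
        self.advertised_mixed_scheme = all(b.scheme_aware for b in self.routes.values())
        if self.advertised_mixed_scheme:
            return {SETTINGS_MIXED_SCHEME_PERMITTED: 1}
        return {}

    def dispatch(self, headers: Dict[str, str]) -> Dict[str, object]:
        """Decide what to do with one request's header block."""
        scheme: Optional[str] = headers.get(":scheme")
        if scheme is None:
            # No :scheme at all: malformed request per RFC 7540 section 8.1.2.6.
            return {"action": "RST_STREAM", "error": PROTOCOL_ERROR}
        if scheme not in ("http", "https"):
            # Ilari's case: a scheme we know nothing about, not even how to
            # answer it, so reject the stream with the dedicated error code.
            return {"action": "RST_STREAM", "error": ERR_UNKNOWN_SCHEME}

        # Host-only routing: :authority if present, else the Host header.
        authority = headers.get(":authority") or headers.get("host")
        backend = self.routes.get(authority) if authority else None
        if backend is None:
            return {"action": "reply", "status": 404}

        if scheme == "http":
            if not self.advertised_mixed_scheme:
                # We never said mixed scheme was permitted on this connection.
                return {"action": "RST_STREAM", "error": PROTOCOL_ERROR}
            if not backend.scheme_aware:
                # Defence in depth: routes can change after SETTINGS was sent.
                # Never let a not-secure request reach a backend that would
                # treat everything behind the TLS terminator as secure.
                return {"action": "RST_STREAM", "error": PROTOCOL_ERROR}

        forwarded = dict(headers)
        # ASSUMPTION: the scheme is carried to the backend in X-Forwarded-Proto.
        forwarded["x-forwarded-proto"] = scheme
        return {"action": "forward", "backend": backend.name, "headers": forwarded}


if __name__ == "__main__":
    # Constructed sample deployment: one legacy backend that cannot tell
    # schemes apart, one that can.
    fe = FrontEnd({
        "www.example.com": Backend("legacy", scheme_aware=False),
        "api.example.com": Backend("modern", scheme_aware=True),
    })
    print("SETTINGS:", fe.settings_frame())
    print(fe.dispatch({":scheme": "http", ":authority": "api.example.com", ":path": "/"}))
    print(fe.dispatch({":scheme": "ftp", ":authority": "api.example.com", ":path": "/"}))
```

The interesting negative case is the first one: even the scheme-aware backend cannot receive an http-scheme request, because the setting is a per-connection promise and one non-aware backend behind the same Host-only routing table is enough to withdraw it.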