Subject: Re: svn commit: r1801594 - in /httpd/httpd/trunk: docs/manual/mod/mod_proxy_wstunnel.xml modules/proxy/mod_proxy_wstunnel.c
To: dev@httpd.apache.org, Jacob Champion
From: jean-frederic clere
Date: Thu, 13 Jul 2017 14:57:59 +0200
Message-ID: <3b4d46e5-675c-943e-e73d-5d3523bf7e3d@gmail.com>
In-Reply-To: <477f846c-b840-ac6d-ce3c-2f54df7476f7@gmail.com>
References: <20170711114146.1503D3A004B@svn01-us-west.apache.org> <477f846c-b840-ac6d-ce3c-2f54df7476f7@gmail.com>

On 07/12/2017 07:25 PM, Jacob Champion wrote:
> On 07/11/2017 05:36 AM, Yann Ylavic wrote:
>> I think it's quite hazardous to use/allow ANY and would prefer the
>> upgrade_method (worker->s->upgrade) to be a list of acceptable protocols.
>
> I think both ANY *and* NONE are dangerous. Both of them turn
> proxy_wstunnel into a generic TCP forwarder (and NONE does so without
> any opt-in on the client's part).

So how I have the following to proxy:

GET /jboss-websocket-hello/websocket/helloName HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7,ca;q=0.3
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: http://localhost:8080
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: CMVwRmu3A0Ozj0og8cnrlA==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Accept: p4OcxSGQGdGqMJi7cxMnp8Sjrxc=
Sec-WebSocket-Extensions: permessage-deflate
Date: Thu, 13 Jul 2017 12:47:45 GMT

...,..9e...,.$.H...W(I-.QH+..U(OM*.O.N-QH.K)...+..
Tomcat web socket stuff...

So yes the HTTP/1.1 really needs to upgrade and NONE is just a work-around.

>
>> The admin surely knows which protocol(s) the backend supports, the
>> issue being that otherwise most backends will ignore the Upgrade and
>> hence the connection will continue in normal HTTP (tunneled w/o any
>> protocol checking).
>
> +1. Even once we implement the protocol list, we should still
> double-check that the protocol is actually upgraded before we start
> forwarding back and forth.

Actually the tunnel allows nearly everything.

Cheers

Jean-Frederic

>
>> IMO the Upgrade handling should be part of mod_proxy_http (not
>> _wstunnel) and depend on whether or not the backend accepted it.
>
> This I don't necessarily agree with as much... for now, Upgrade handling
> belongs where it's needed, and if there are duplicate pieces of code, we
> probably need to pull them into the core, not a different proxy module.
>
>> It was already discussed in [1], well, I can't say that the idea was
>> unanimous at that time...
>
> Yeah, I don't understand the turn that conversation took. We're talking
> about a feature that can be used for reverse-proxying, and there's
> nothing to CONNECT to.
>
> --Jacob
>
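
The two checks proposed in this thread (an allow-list of upgrade protocols, and confirming that the backend really switched before any bytes are forwarded), sketched as an added example that is not part of the original message and is not httpd code. The function names and the sample exchange are assumptions made for illustration; the key/accept pair is the one from RFC 6455.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def parse_head(raw):
    """Return (start_line, {lowercased header name: value}) for an HTTP head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = (line.partition(":") for line in lines[1:])
    return lines[0], {n.strip().lower(): v.strip() for n, _, v in pairs}

def tokens(value):
    """Comma-separated header value -> set of lowercased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def may_tunnel(request, response, allowed):
    """Return (ok, reason); ok only if the backend really switched protocols."""
    _, req = parse_head(request)
    status_line, resp = parse_head(response)
    offered = tokens(req.get("upgrade", ""))
    if "upgrade" not in tokens(req.get("connection", "")) or not offered:
        return False, "client did not ask for an upgrade"
    if status_line.split()[1:2] != ["101"]:
        return False, "backend did not answer 101"
    if "upgrade" not in tokens(resp.get("connection", "")):
        return False, "backend response lacks Connection: upgrade"
    chosen = tokens(resp.get("upgrade", ""))
    if len(chosen) != 1 or not chosen <= offered:
        return False, "backend chose a protocol the client did not offer"
    if not chosen <= {p.lower() for p in allowed}:
        return False, "protocol not in the configured allow-list"
    if "websocket" in chosen:  # RFC 6455: accept = base64(SHA-1(key + GUID))
        key = req.get("sec-websocket-key", "")
        want = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest())
        if resp.get("sec-websocket-accept", "") != want.decode():
            return False, "Sec-WebSocket-Accept does not match the key"
    return True, "upgraded to " + next(iter(chosen))

# Constructed sample exchange (key/accept pair is the RFC 6455 example).
REQUEST = ("GET /chat HTTP/1.1\r\nHost: backend.example\r\n"
           "Connection: keep-alive, Upgrade\r\nUpgrade: websocket\r\n"
           "Sec-WebSocket-Version: 13\r\n"
           "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")
UPGRADED = ("HTTP/1.1 101\r\nUpgrade: websocket\r\nConnection: upgrade\r\n"
            "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
IGNORED = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # backend ignored Upgrade

if __name__ == "__main__":
    print(may_tunnel(REQUEST, UPGRADED, ["websocket"]))
    print(may_tunnel(REQUEST, IGNORED, ["websocket"]))
```

The `IGNORED` case is the one the thread worries about: a backend that answers in plain HTTP must be relayed as an ordinary response, not switched into byte-for-byte tunnelling.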