Re: Hello from Mozilla from Ian Hickson on 2009-07-15 (squid-dev)

From: Ian Hickson <ian_at_hixie.ch>
Date: Thu, 16 Jul 2009 00:07:09 +0000 (UTC)

On Wed, 15 Jul 2009, Alex Rousskov wrote:
> >>
> >> Can such a dual-purpose port-sharing server implement both HTTP and
> >> WebSocket stacks and use the right stack depending on the first
> >> byte[s] of the incoming message?
> >
> > Isn't that exactly what an HTTP Upgrade is?
>
> No, it is not. HTTP Upgrade assumes HTTP traffic first, some other
> traffic after the upgrade.
>
> The "TCP switch" scheme sketched above does not have the HTTP traffic
> for WebSocket connections and does not have WebSocket traffic for HTTP
> connections. There is no HTTP Upgrade involved. Connections start and
> finish with only "their" traffic on the wire.
>
> For the TCP switch to make sense, WebSocket handshake must be changed to
> remove the HTTP simulation part (with all its negative side-effects), of
> course.

We actually used to do that, but we got requests to make it more
compatible with the HTTP Upgrade mechanism so that people could add the
support to their HTTP servers instead of having to put code in front of
their servers.

> >> If port sharing is the primary motivation here, then dual protocol
> >> stack support seems like the right solution.
> >>
> >> This can be even implemented as a dumb TCP-level "switch" application
> >> that connects to either an HTTP server or a WebSocket server behind
> >> it. No "binary" HTTP messages, no risk of HTTP intermediaries
> >> screwing up with the not-really-HTTP-but-looking-like-one traffic.
> >> Just two completely different protocols sharing the same port.
> >
> > That's exactly what WebSocket is doing.
>
> No, it is not. It is pretending to use HTTP before switching to
> WebSocket stuff, and it does not allow valid HTTP modifications of the
> pretended-HTTP messages.

Well, since Upgrade is a by-hop packet, apparently that's a moot point
anyway, because man-in-the-middle proxies will always break it if they're
present. So I'm not convinced that allowing HTTP modifications matters.

But the point is that it is a recognisable handshake and so could be
implemented as a switch before hitting the HTTP server, or it could be
implemented in the HTTP server itself (as some people apparently want). It
fails with man-in-the-middle proxies, but then that's what the TLS-over-
port-443 solution is intended for.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thu Jul 16 2009 - 00:07:10 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 16 2009 - 12:00:05 MDT