On Wed, Jan 30, 2019 at 10:37:29AM +0100, Willy Tarreau wrote:
> > It seems Google replies "Header: :status: 400 Bad Request" but leaves me
> > 'guessing' why it would be invalid,
> 
> Interesting case.

Actually we're doing something wrong, and we cannot rule out that it's
why Google is upset. Since :authority and Host are interchangeable, our
:authority pseudo-header is turned into Host if the latter is absent
(needed when going to H1 for example). But on the other side we don't
turn Host to :authority as you have noticed so we always lose :authority
on end-to-end H2. While according to the "shoulds" in the spec it should
still work, there's at least one case we definitely break, it's the
outgoing H2 CONNECT request, which absolutely requires a :authority
field.

One of the pain points is that the way we currently do it causes Host
to be appended last so that we can decide which one to pick. In terms
of processing, I'm a bit bothered by having to scan the whole headers
list to find Host when reconstructing :authority (which should be placed
before any regular headers). So I'll have to change a little bit how all
this works and will probably proceed differently based on these rules:

  - Host and :authority, if present together, must match. This is
    indirectly mandated by HTTP/1.1

  - in H2 :authority must be omitted if the request used to have "*"
    in the H1 URI field.

  - in H2 Host is optional, so we need to consider :authority first

But comparing these two fields bothers me a little bit to say the least.
They should be canonicalized before being compared to absorb case
sensitivity, and we should probably also ignore the port part in
certain cases. Also this has to consider what happens when users
perform header rewriting.

I'll give it some more thinking.

Cheers,
Willy
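
The three rules and the canonicalized comparison discussed in the message above, as an added C example that is not part of the original message and is not HAProxy code. The function names are hypothetical, and "ignore the port part in certain cases" is assumed here to mean that an absent or empty port equals the scheme's default port; userinfo and header rewriting are not handled.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Host length in "host[:port]"; *port gets the port text or NULL. Handles "[::1]:8443". */
static size_t host_len(const char *a, const char **port)
{
    const char *c = (a[0] == '[') ? strchr(a, ']') : NULL;
    c = strchr(c ? c : a, ':');          /* first ':' after the host part */
    *port = c ? c + 1 : NULL;
    return c ? (size_t)(c - a) : strlen(a);
}

/* Port number; absent or empty means the scheme default; -1 if malformed. */
static long port_num(const char *p, long dflt)
{
    char *end;
    long v;
    if (!p || !*p)
        return dflt;
    if (!isdigit((unsigned char)*p))
        return -1;
    v = strtol(p, &end, 10);
    return (*end || v < 1 || v > 65535) ? -1 : v;
}

/* 1 if both values name the same host (case-insensitive) and effective port.
 * Assumption of this example: a missing port equals the default port dflt. */
int authority_eq(const char *a, const char *b, long dflt)
{
    const char *pa, *pb;
    size_t la = host_len(a, &pa), lb = host_len(b, &pb);
    long na = port_num(pa, dflt), nb = port_num(pb, dflt);
    if (la != lb || na < 0 || na != nb)
        return 0;
    while (la--)
        if (tolower((unsigned char)a[la]) != tolower((unsigned char)b[la]))
            return 0;
    return 1;
}

/* Value to send as :authority, or NULL to omit it; *err=1 if both exist and differ. */
const char *pick_authority(const char *auth, const char *host, int star, long dflt, int *err)
{
    *err = auth && host && !authority_eq(auth, host, dflt);
    if (*err || star)                    /* mismatch, or "*" request target */
        return NULL;
    return auth ? auth : host;           /* :authority is considered first */
}
```

Pass `star` as non-zero when the H1 request target was "*", and `dflt` as 80 or 443 according to the scheme.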
