RE: Receiving HTTP (any version but 3 prefered) over UDP
You seem to know that domain. Would it make sense if you tried to create that HTTP/UDP support such that it could be integrated into future Tomcats?

Hiran

-----Original Message-----
From: Aryeh Friedman
Sent: Saturday, December 10, 2022 23:16
To: Tomcat Users List
Subject: Re: Receiving HTTP (any version but 3 prefered) over UDP

[...]

Due to my soon forthcoming project being a streaming media site, true real time delivery is the most important thing, and from my past work as a protocol designer, I can say without any qualification that TCP is absolutely the wrong protocol (there are other good end-to-end reliable UDP protocols besides QUIC).

As far as I can tell there are no web servers and/or major hosting companies (i.e. AWS, etc.) that support UIUC/HTTP3. For that reason, I am playing with different options for making a stripped down UDP HTTP server (prefer 3 but forcing TLS seems to be a deal breaker for anyone except name brand sites like Google -- E.g. my main client had a total cow over the $500/yr fee for a Comodo multi-domain cert even though due to being healthcare it is a legal requirement.)
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Receiving HTTP (any version but 3 prefered) over UDP
Hi.

On 11.12.22 17:44, Shawn Heisey wrote:
> On 12/10/22 15:15, Aryeh Friedman wrote:
> > Is there any browser support for direct UDP sockets in any browser besides Chrome? I know WebRTC and Websockets force TCP. I know Chrome does support UDP but can find no evidence one way for the other browsers.
>
> I'm sure you know that if Chrome is doing it, you can be sure that the other browsers either already do or are planning to have it in a new release very soon.
>
> > As far as I can tell there are no web servers and/or major hosting companies (i.e. AWS, etc.) that support UIUC/HTTP3. For that reason, I am playing with different options for making a stripped down UDP HTTP server (prefer 3 but forcing TLS seems to be a deal breaker for anyone except name brand sites like Google -- E.g. my main client had a total cow over the $500/yr fee for a Comodo multi-domain cert even though due to being healthcare it is a legal requirement.)
>
> I'm not in touch with which of the major web servers can do H3/QUIC. Almost all of my web servers are behind haproxy, to offload TLS and make decisions about which webserver will receive each request. Except in cases where it just wasn't possible for one reason or another (like plex) all backend communication in haproxy is unencrypted. At this time, haproxy only supports H3/QUIC on the front end, not the back end. Most of the backends are h2c, some only do http/1.1. (side note ... I am still seeing http/1.0 requests in my logs, and even a few 0.9.)
>
> If I ever find myself in a situation where I need to make a container like Tomcat reachable from the Internet, I will be using haproxy as the front end, not the common choice of Apache or Nginx. The only reason I can see for using one of those webservers is to have a separate logfile for each domain. The log that haproxy produces is good enough for me.

JFYI: There are some Webservers out there which already support H3.

Caddyserver
https://caddyserver.com/docs/caddyfile/options#protocols

H2o
https://github.com/h2o/h2o/

There is an overview page about interoperability of different Quic and H3 Tools
https://interop.seemann.io/

> I have another haproxy installation in AWS on my mail server, configured the same way as the main install in my basement. Mostly for my webmail, but I do have a few other websites on that install. It handles UDP/443.
>
> This little website is running on my AWS instance:
>
> https://http3test.elyograg.org/
>
> If you visit that page and look at the cert, you'll see it's made by LetsEncrypt. Renewal and deployment of that cert is completely automated, so the 90 day lifetime is not the administrative hassle that it could be.
>
> I am planning to implement the same automated LE certificate deployment at $DAYJOB that I already have for my personal domains. I work for a company that handles healthcare data, and nobody has raised a concern about HITRUST not allowing free certificates.
>
> Thanks,
> Shawn

Regards
Ales
Re: Receiving HTTP (any version but 3 prefered) over UDP
On 12/10/22 15:15, Aryeh Friedman wrote:
> Is there any browser support for direct UDP sockets in any browser besides Chrome? I know WebRTC and Websockets force TCP. I know Chrome does support UDP but can find no evidence one way for the other browsers.

I'm sure you know that if Chrome is doing it, you can be sure that the other browsers either already do or are planning to have it in a new release very soon.

> As far as I can tell there are no web servers and/or major hosting companies (i.e. AWS, etc.) that support UIUC/HTTP3. For that reason, I am playing with different options for making a stripped down UDP HTTP server (prefer 3 but forcing TLS seems to be a deal breaker for anyone except name brand sites like Google -- E.g. my main client had a total cow over the $500/yr fee for a Comodo multi-domain cert even though due to being healthcare it is a legal requirement.)

I'm not in touch with which of the major web servers can do H3/QUIC. Almost all of my web servers are behind haproxy, to offload TLS and make decisions about which webserver will receive each request. Except in cases where it just wasn't possible for one reason or another (like plex) all backend communication in haproxy is unencrypted. At this time, haproxy only supports H3/QUIC on the front end, not the back end. Most of the backends are h2c, some only do http/1.1. (side note ... I am still seeing http/1.0 requests in my logs, and even a few 0.9.)

If I ever find myself in a situation where I need to make a container like Tomcat reachable from the Internet, I will be using haproxy as the front end, not the common choice of Apache or Nginx. The only reason I can see for using one of those webservers is to have a separate logfile for each domain. The log that haproxy produces is good enough for me.

I have another haproxy installation in AWS on my mail server, configured the same way as the main install in my basement. Mostly for my webmail, but I do have a few other websites on that install. It handles UDP/443.

This little website is running on my AWS instance:

https://http3test.elyograg.org/

If you visit that page and look at the cert, you'll see it's made by LetsEncrypt. Renewal and deployment of that cert is completely automated, so the 90 day lifetime is not the administrative hassle that it could be.

I am planning to implement the same automated LE certificate deployment at $DAYJOB that I already have for my personal domains. I work for a company that handles healthcare data, and nobody has raised a concern about HITRUST not allowing free certificates.

Thanks,
Shawn
Re: Receiving HTTP (any version but 3 prefered) over UDP
On Sat, Dec 10, 2022 at 4:59 PM Shawn Heisey wrote:
>
> On 12/9/2022 2:12 PM, Aryeh Friedman wrote:
> > For example the following code works against port 7 (UDP echo service)
> > but not against 8080 (my local tomcat):
>
> I suspect that you are running into the fact that HTTP/3 *always* uses
> TLS. It's baked into the protocol and NOT optional as with earlier HTTP
> versions. As far as I know, HTTP/3 is the only version of HTTP that
> uses UDP transport.

Is there any browser support for direct UDP sockets in any browser besides Chrome? I know WebRTC and Websockets force TCP. I know Chrome does support UDP but can find no evidence one way for the other browsers.

Due to my soon forthcoming project being a streaming media site, true real time delivery is the most important thing, and from my past work as a protocol designer, I can say without any qualification that TCP is absolutely the wrong protocol (there are other good end-to-end reliable UDP protocols besides QUIC).

As far as I can tell there are no web servers and/or major hosting companies (i.e. AWS, etc.) that support UIUC/HTTP3. For that reason, I am playing with different options for making a stripped down UDP HTTP server (prefer 3 but forcing TLS seems to be a deal breaker for anyone except name brand sites like Google -- E.g. my main client had a total cow over the $500/yr fee for a Comodo multi-domain cert even though due to being healthcare it is a legal requirement.)

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: Receiving HTTP (any version but 3 prefered) over UDP
On 12/9/2022 2:12 PM, Aryeh Friedman wrote:
> For example the following code works against port 7 (UDP echo service) but not against 8080 (my local tomcat):

I suspect that you are running into the fact that HTTP/3 *always* uses TLS. It's baked into the protocol and NOT optional as with earlier HTTP versions. As far as I know, HTTP/3 is the only version of HTTP that uses UDP transport.

Thanks,
Shawn
Re: Receiving HTTP (any version but 3 prefered) over UDP
On Fri, Dec 9, 2022 at 4:02 AM Mark Thomas wrote:
>
> On 08/12/2022 21:55, Aryeh Friedman wrote:
> > I just tried the following command to test if tomcat does in fact listen on
> > UDP:
> >
> > aryeh@sarek1024% nc -u localhost 8080
> > GET / HTTP/1.1
> >
> >
> > aryeh@sarek1024%
> >
> > Which is nice to see tomcat is listening
>
> That command doesn't do what you think it does.
>
> UDP doesn't work the way you think it does.

Please don't make assumptions about my background or about how I think UDP works. I have designed and implemented several transport protocols over UDP (in C not Java) see ecip.org. The man page for nc does take the connectionless nature of UDP into consideration. For example here is an nc session working with the echo server on UDP port 7:

aryeh@sarek1024% nc -u 127.0.0.1 7
Hi there I am an echo
Hi there I am an echo
^C

> Even if Tomcat was listening for UDP packets, HTTP/3 has a completely
> different wire format to HTTP/1.1 and the above wouldn't work.

I was not attempting to use HTTP (3 or 1.1). I was only testing if I got any response at all (or if I would get an ICMP Port Unavailable exception/error).

For example the following code works against port 7 (UDP echo service) but not against 8080 (my local tomcat):

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.SocketAddress;

public class UDPHttp
{
    public static void main(String[] args)
        throws Throwable
    {
        // 7 is the UDP echo service; 8080 is the local Tomcat
        int port=7;
        DatagramSocket sock=new DatagramSocket();
        InetAddress addr=InetAddress.getByName("localhost");
        SocketAddress sockAddr=new InetSocketAddress(addr,port);

        // connecting the socket is what lets ICMP errors surface as exceptions
        sock.connect(sockAddr);

        String msg="GET / HTTP/1.1\r\n\r\n";
        byte[] buf=msg.getBytes();
        DatagramPacket packet=
            new DatagramPacket(buf,buf.length,sockAddr);

        sock.send(packet);

        // receive buffer sized to hold an echo of the request
        byte[] out=new byte[buf.length];

        packet=new DatagramPacket(out,out.length,sockAddr);
        sock.receive(packet);
        System.out.print(new String(out));
    }
}

Yields the original value of msg

Going to 8080 gives:

Exception in thread "main" java.net.PortUnreachableException: ICMP Port Unreachable
    at java.net.PlainDatagramSocketImpl.receive0(Native Method)
    at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
    at java.net.DatagramSocket.receive(DatagramSocket.java:812)
    at UDPHttp.main(UDPHttp.java:29)

> Tomcat is NOT listening for UDP packets.
>
> Tomcat does not support HTTP/3 or QUIC.

Any plans in this direction?

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
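
Added example, not part of the original message or of Tomcat: the same kind of probe as the UDPHttp code above, with a receive timeout so that the three things a UDP probe can observe are kept apart (a reply, an ICMP Port Unreachable, and silence). The class UdpProbe, its Outcome names and the two loopback listeners are constructed for illustration.

```java
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.PortUnreachableException;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

// Added illustration: UdpProbe and the Outcome names are hypothetical.
public class UdpProbe {
    enum Outcome { REPLY, PORT_UNREACHABLE, NO_ANSWER }

    // Send one datagram, then wait up to timeoutMs for a reply or an ICMP error.
    static Outcome probe(InetAddress host, int port, int timeoutMs) throws Exception {
        byte[] msg = "GET / HTTP/1.1\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        try (DatagramSocket sock = new DatagramSocket()) {
            // A connected socket is what lets the OS report ICMP errors to us.
            sock.connect(new InetSocketAddress(host, port));
            sock.setSoTimeout(timeoutMs);
            sock.send(new DatagramPacket(msg, msg.length));
            sock.receive(new DatagramPacket(new byte[2048], 2048));
            return Outcome.REPLY;
        } catch (PortUnreachableException e) {
            return Outcome.PORT_UNREACHABLE; // nothing is bound to the port
        } catch (SocketTimeoutException e) {
            return Outcome.NO_ANSWER; // listener ignored it, or a filter dropped it
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress lo = InetAddress.getLoopbackAddress();
        // Constructed listeners on ephemeral ports: one echoes, one never answers.
        try (DatagramSocket echo = new DatagramSocket(0, lo);
             DatagramSocket silent = new DatagramSocket(0, lo)) {
            new Thread(() -> {
                try {
                    DatagramPacket p = new DatagramPacket(new byte[2048], 2048);
                    echo.receive(p);
                    echo.send(p); // p already carries the sender's address
                } catch (Exception ignored) { }
            }).start();
            int closed; // a port released a moment ago, so normally unbound
            try (DatagramSocket tmp = new DatagramSocket(0, lo)) { closed = tmp.getLocalPort(); }
            System.out.println("echo listener:   " + probe(lo, echo.getLocalPort(), 1000));
            System.out.println("silent listener: " + probe(lo, silent.getLocalPort(), 1000));
            System.out.println("unbound port:    " + probe(lo, closed, 1000));
        }
    }
}
```

PortUnreachableException is only raised on a connected DatagramSocket, and only when the ICMP message actually reaches the host, so NO_ANSWER on its own never shows that a service is listening.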
Re: Receiving HTTP (any version but 3 prefered) over UDP
On Fri, Dec 9, 2022 at 10:02 AM Mark Thomas wrote:
>
> On 08/12/2022 21:55, Aryeh Friedman wrote:
> > I just tried the following command to test if tomcat does in fact listen on
> > UDP:
> >
> > aryeh@sarek1024% nc -u localhost 8080
> > GET / HTTP/1.1
> >
> >
> > aryeh@sarek1024%
> >
> > Which is nice to see tomcat is listening
>
> That command doesn't do what you think it does.
>
> UDP doesn't work the way you think it does.
>
> Even if Tomcat was listening for UDP packets, HTTP/3 has a completely
> different wire format to HTTP/1.1 and the above wouldn't work.
>
> Tomcat is NOT listening for UDP packets.
>
> Tomcat does not support HTTP/3 or QUIC.
>
>

According to the roadmap: https://www.openssl.org/roadmap.html I'll look at it with 3.3, basically.

Rémy
Re: Receiving HTTP (any version but 3 prefered) over UDP
On 08/12/2022 21:55, Aryeh Friedman wrote:
> I just tried the following command to test if tomcat does in fact listen on UDP:
>
> aryeh@sarek1024% nc -u localhost 8080
> GET / HTTP/1.1
>
>
> aryeh@sarek1024%
>
> Which is nice to see tomcat is listening

That command doesn't do what you think it does.

UDP doesn't work the way you think it does.

Even if Tomcat was listening for UDP packets, HTTP/3 has a completely different wire format to HTTP/1.1 and the above wouldn't work.

Tomcat is NOT listening for UDP packets.

Tomcat does not support HTTP/3 or QUIC.

Mark
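
Added example, not part of the original thread or of any QUIC implementation: the wire-format difference mentioned above, shown by reading a UDP payload the way a QUIC endpoint first does, using the version-independent header fields of RFC 8999 and the QUIC v1 long-header packet types of RFC 9000. The class QuicFirstLook, the method describe() and the sample Initial header bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added illustration: QuicFirstLook and describe() are hypothetical names.
public class QuicFirstLook {
    // Classify a UDP payload by the version-independent QUIC header fields.
    static String describe(byte[] datagram) {
        if (datagram.length == 0) return "empty datagram";
        int first = datagram[0] & 0xFF;
        if ((first & 0x80) == 0) {
            // Header form bit clear: a short header, which carries no version
            // and only makes sense on an already established connection.
            return String.format("short header (first byte 0x%02x)", first);
        }
        ByteBuffer b = ByteBuffer.wrap(datagram, 1, datagram.length - 1);
        if (b.remaining() < 5) return "truncated long header";
        int version = b.getInt();              // 32-bit version, network byte order
        int dcidLen = b.get() & 0xFF;          // destination connection ID length
        if (b.remaining() < dcidLen + 1) return "truncated long header";
        b.get(new byte[dcidLen]);              // skip the destination connection ID
        int scidLen = b.get() & 0xFF;          // source connection ID length
        if (b.remaining() < scidLen) return "truncated long header";
        String[] v1Types = { "Initial", "0-RTT", "Handshake", "Retry" };
        String type = version == 0 ? "Version Negotiation"
                    : version == 1 ? v1Types[(first >> 4) & 0x3]
                    : "unknown-version packet";
        return String.format("long header, version 0x%08x, %s, DCID %d bytes, SCID %d bytes",
                             version, type, dcidLen, scidLen);
    }

    public static void main(String[] args) {
        // The text that was sent over UDP in the thread.
        byte[] http11 = "GET / HTTP/1.1\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        // Constructed start of a QUIC v1 Initial packet: flags byte, version 1,
        // 8-byte destination connection ID, empty source connection ID.
        byte[] initial = { (byte) 0xC0, 0, 0, 0, 1, 8, 1, 2, 3, 4, 5, 6, 7, 8, 0 };
        System.out.println(describe(http11));   // short header (first byte 0x47)
        System.out.println(describe(initial));  // long header, version 0x00000001, Initial, ...
    }
}
```

The ASCII "G" of "GET" is 0x47, so the request text reads as a short-header packet belonging to no connection, which is why plain HTTP/1.1 text gets no HTTP answer from a QUIC listener.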