draft-ietf-httpbis-connect-tcp-08.txt | draft-ietf-httpbis-connect-tcp-latest.txt | |||
---|---|---|---|---|
httpbis Working Group B. Schwartz | httpbis Working Group B. Schwartz | |||
Internet-Draft Meta Platforms, Inc. | Internet-Draft Meta Platforms, Inc. | |||
Intended status: Standards Track June 11, 2025 | Intended status: Standards Track July 01, 2025 | |||
Expires: December 13, 2025 | Expires: January 2, 2026 | |||
Template-Driven HTTP CONNECT Proxying for TCP | Template-Driven HTTP CONNECT Proxying for TCP | |||
draft-ietf-httpbis-connect-tcp-08 | draft-ietf-httpbis-connect-tcp-latest | |||
Abstract | Abstract | |||
TCP proxying using HTTP CONNECT has long been part of the core HTTP | TCP proxying using HTTP CONNECT has long been part of the core HTTP | |||
specification. However, this proxying functionality has several | specification. However, this proxying functionality has several | |||
important deficiencies in modern HTTP environments. This | important deficiencies in modern HTTP environments. This | |||
specification defines an alternative HTTP proxy service configuration | specification defines an alternative HTTP proxy service configuration | |||
for TCP connections. This configuration is described by a URI | for TCP connections. This configuration is described by a URI | |||
Template, similar to the CONNECT-UDP and CONNECT-IP protocols. | Template, similar to the CONNECT-UDP and CONNECT-IP protocols. | |||
skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on December 13, 2025. | This Internet-Draft will expire on January 2, 2026. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.2. Problems . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Problems . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
1.3. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.3. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | |||
3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.1. In HTTP/1.1 . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. In HTTP/1.1 . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3.2. In HTTP/2 and HTTP/3 . . . . . . . . . . . . . . . . . . 5 | 3.2. In HTTP/2 and HTTP/3 . . . . . . . . . . . . . . . . . . 6 | |||
3.3. Use of Other Relevant Headers . . . . . . . . . . . . . . 6 | 3.3. Use of Other Relevant Headers . . . . . . . . . . . . . . 6 | |||
3.3.1. Origin-scoped Headers . . . . . . . . . . . . . . . . 6 | 3.3.1. Origin-scoped Headers . . . . . . . . . . . . . . . . 6 | |||
3.3.2. Authentication Headers . . . . . . . . . . . . . . . 7 | 3.3.2. Authentication Headers . . . . . . . . . . . . . . . 7 | |||
3.4. Closing Connections . . . . . . . . . . . . . . . . . . . 7 | 3.4. Closing Connections . . . . . . . . . . . . . . . . . . . 7 | |||
4. Additional Connection Setup Behaviors . . . . . . . . . . . . 9 | 4. Additional Connection Setup Behaviors . . . . . . . . . . . . 9 | |||
4.1. Latency optimizations . . . . . . . . . . . . . . . . . . 9 | 4.1. Latency optimizations . . . . . . . . . . . . . . . . . . 9 | |||
4.2. Conveying metadata . . . . . . . . . . . . . . . . . . . 9 | 4.2. Conveying metadata . . . . . . . . . . . . . . . . . . . 10 | |||
5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.1. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.2. Clients . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.2. Clients . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
6.1. Resource Exhaustion attacks . . . . . . . . . . . . . . . 11 | 6.1. Resource Exhaustion attacks . . . . . . . . . . . . . . . 11 | |||
7. Operational Considerations . . . . . . . . . . . . . . . . . 12 | 7. Operational Considerations . . . . . . . . . . . . . . . . . 12 | |||
7.1. Avoiding HTTP/1.1 . . . . . . . . . . . . . . . . . . . . 12 | 7.1. Avoiding HTTP/1.1 . . . . . . . . . . . . . . . . . . . . 12 | |||
7.2. Gateway Compatibility . . . . . . . . . . . . . . . . . . 13 | 7.2. Gateway Compatibility . . . . . . . . . . . . . . . . . . 13 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
8.1. New Upgrade Token . . . . . . . . . . . . . . . . . . . . 13 | 8.1. New Upgrade Token . . . . . . . . . . . . . . . . . . . . 13 | |||
8.2. New MASQUE Default Template . . . . . . . . . . . . . . . 13 | 8.2. New MASQUE Default Template . . . . . . . . . . . . . . . 14 | |||
8.3. New Capsule Type . . . . . . . . . . . . . . . . . . . . 14 | 8.3. New Capsule Type . . . . . . . . . . . . . . . . . . . . 14 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
1. Introduction | 1. Introduction | |||
1.1. History | 1.1. History | |||
HTTP has used the CONNECT method for proxying TCP connections since | HTTP has used the CONNECT method for proxying TCP connections since | |||
HTTP/1.1. When using CONNECT, the request target specifies a host | HTTP/1.1. When using CONNECT, the request target specifies a host | |||
and port number, and the proxy forwards TCP payloads between the | and port number, and the proxy forwards TCP payloads between the | |||
skipping to change at page 5, line 8 ¶ | skipping to change at page 5, line 8 ¶ | |||
o The request SHALL include a single "Host" header field containing | o The request SHALL include a single "Host" header field containing | |||
the origin of the proxy. | the origin of the proxy. | |||
o The request SHALL include a "Connection" header field with the | o The request SHALL include a "Connection" header field with the | |||
value "Upgrade". (Note that this requirement is case-insensitive | value "Upgrade". (Note that this requirement is case-insensitive | |||
as per Section 7.6.1 of [RFC9110].) | as per Section 7.6.1 of [RFC9110].) | |||
o The request SHALL include an "Upgrade" header field with the value | o The request SHALL include an "Upgrade" header field with the value | |||
"connect-tcp". | "connect-tcp". | |||
o The request SHOULD include a "Capsule-Protocol: ?1" header. | o The request SHOULD include a "Capsule-Protocol: ?1" header (as | |||
recommended in [RFC9297], Section 3.4). | ||||
If the request is well-formed and permissible, the proxy MUST attempt | If the request is well-formed and permissible, the proxy MUST attempt | |||
to establish the TCP connection before sending any response status | to establish the TCP connection before sending any response status | |||
code other than "100 (Continue)" (see Section 4.2). If the TCP | code other than "100 (Continue)" (see Section 4.2). If the TCP | |||
connection is successful, the response SHALL be as follows: | connection is successful, the response SHALL be as follows: | |||
o The HTTP status code SHALL be "101 (Switching Protocols)". | o The HTTP status code SHALL be "101 (Switching Protocols)". | |||
o The response SHALL include a "Connection" header field with the | o The response SHALL include a "Connection" header field with the | |||
value "Upgrade". | value "Upgrade". | |||
o The response SHALL include a single "Upgrade" header field with | o The response SHALL include a single "Upgrade" header field with | |||
the value "connect-tcp". | the value "connect-tcp". | |||
o The response SHOULD include a "Capsule-Protocol: ?1" header. | o The response SHOULD include a "Capsule-Protocol: ?1" header (as | |||
above). | ||||
If the request is malformed or impermissible, the proxy MUST return a | If the request is malformed or impermissible, the proxy MUST return a | |||
4XX error code. If a TCP connection was not established, the proxy | 4XX error code. If a TCP connection was not established, the proxy | |||
MUST NOT switch protocols to "connect-tcp", and the client MAY reuse | MUST NOT switch protocols to "connect-tcp", and the client MAY reuse | |||
this connection for additional HTTP requests. | this connection for additional HTTP requests. | |||
Client Proxy | Client Proxy | |||
GET /proxy?target_host=192.0.2.1&target_port=443 HTTP/1.1 | GET /proxy?target_host=192.0.2.1&target_port=443 HTTP/1.1 | |||
Host: example.com | Host: example.com | |||
skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 28 ¶ | |||
o The :path and :scheme pseudo-header fields SHALL contain the path | o The :path and :scheme pseudo-header fields SHALL contain the path | |||
and scheme of the request URI derived from the proxy's URI | and scheme of the request URI derived from the proxy's URI | |||
Template. | Template. | |||
A templated TCP proxying request that does not conform to all of | A templated TCP proxying request that does not conform to all of | |||
these requirements represents a client error (see [RFC9110], | these requirements represents a client error (see [RFC9110], | |||
Section 15.5) and may be malformed (see Section 8.1.1 of [RFC9113] | Section 15.5) and may be malformed (see Section 8.1.1 of [RFC9113] | |||
and Section 4.1.2 of [RFC9114]). | and Section 4.1.2 of [RFC9114]). | |||
Additionally the "capsule-protocol" header field SHOULD be present | ||||
with a value of "?1" (as recommended in [RFC9297], Section 3.4). | ||||
HEADERS | HEADERS | |||
:method = CONNECT | :method = CONNECT | |||
:scheme = https | :scheme = https | |||
:authority = request-proxy.example | :authority = request-proxy.example | |||
:path = /proxy?target_host=2001%3Adb8%3A%3A1&target_port=443 | :path = /proxy?target_host=2001%3Adb8%3A%3A1&target_port=443 | |||
:protocol = connect-tcp | :protocol = connect-tcp | |||
capsule-protocol = ?1 | capsule-protocol = ?1 | |||
... | ... | |||
Templated TCP proxy example in HTTP/2 | Templated TCP proxy example in HTTP/2 | |||
skipping to change at page 15, line 42 ¶ | skipping to change at page 16, line 5 ¶ | |||
June 2022, <https://www.rfc-editor.org/info/rfc9114>. | June 2022, <https://www.rfc-editor.org/info/rfc9114>. | |||
[RFC9209] Nottingham, M. and P. Sikora, "The Proxy-Status HTTP | [RFC9209] Nottingham, M. and P. Sikora, "The Proxy-Status HTTP | |||
Response Header Field", RFC 9209, DOI 10.17487/RFC9209, | Response Header Field", RFC 9209, DOI 10.17487/RFC9209, | |||
June 2022, <https://www.rfc-editor.org/info/rfc9209>. | June 2022, <https://www.rfc-editor.org/info/rfc9209>. | |||
[RFC9220] Hamilton, R., "Bootstrapping WebSockets with HTTP/3", | [RFC9220] Hamilton, R., "Bootstrapping WebSockets with HTTP/3", | |||
RFC 9220, DOI 10.17487/RFC9220, June 2022, | RFC 9220, DOI 10.17487/RFC9220, June 2022, | |||
<https://www.rfc-editor.org/info/rfc9220>. | <https://www.rfc-editor.org/info/rfc9220>. | |||
[RFC9297] Schinazi, D. and L. Pardue, "HTTP Datagrams and the | ||||
Capsule Protocol", RFC 9297, DOI 10.17487/RFC9297, August | ||||
2022, <https://www.rfc-editor.org/info/rfc9297>. | ||||
[RFC9298] Schinazi, D., "Proxying UDP in HTTP", RFC 9298, | [RFC9298] Schinazi, D., "Proxying UDP in HTTP", RFC 9298, | |||
DOI 10.17487/RFC9298, August 2022, | DOI 10.17487/RFC9298, August 2022, | |||
<https://www.rfc-editor.org/info/rfc9298>. | <https://www.rfc-editor.org/info/rfc9298>. | |||
9.2. Informative References | 9.2. Informative References | |||
[CAPABILITY] | [CAPABILITY] | |||
"Good Practices for Capability URLs", February 2014, | "Good Practices for Capability URLs", February 2014, | |||
<https://www.w3.org/TR/capability-urls/>. | <https://www.w3.org/TR/capability-urls/>. | |||
skipping to change at page 17, line 5 ¶ | skipping to change at page 17, line 17 ¶ | |||
2015, <https://www.rfc-editor.org/info/rfc7469>. | 2015, <https://www.rfc-editor.org/info/rfc7469>. | |||
[RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP | [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP | |||
Alternative Services", RFC 7838, DOI 10.17487/RFC7838, | Alternative Services", RFC 7838, DOI 10.17487/RFC7838, | |||
April 2016, <https://www.rfc-editor.org/info/rfc7838>. | April 2016, <https://www.rfc-editor.org/info/rfc7838>. | |||
[RFC8942] Grigorik, I. and Y. Weiss, "HTTP Client Hints", RFC 8942, | [RFC8942] Grigorik, I. and Y. Weiss, "HTTP Client Hints", RFC 8942, | |||
DOI 10.17487/RFC8942, February 2021, | DOI 10.17487/RFC8942, February 2021, | |||
<https://www.rfc-editor.org/info/rfc8942>. | <https://www.rfc-editor.org/info/rfc8942>. | |||
[RFC9297] Schinazi, D. and L. Pardue, "HTTP Datagrams and the | ||||
Capsule Protocol", RFC 9297, DOI 10.17487/RFC9297, August | ||||
2022, <https://www.rfc-editor.org/info/rfc9297>. | ||||
Acknowledgments | Acknowledgments | |||
Thanks to Amos Jeffries, Tommy Pauly, Kyle Nekritz, David Schinazi, | Thanks to Amos Jeffries, Tommy Pauly, Kyle Nekritz, David Schinazi, | |||
and Kazuho Oku for close review and suggested changes. | and Kazuho Oku for close review and suggested changes. | |||
Author's Address | Author's Address | |||
Benjamin M. Schwartz | Benjamin M. Schwartz | |||
Meta Platforms, Inc. | Meta Platforms, Inc. | |||
End of changes. 12 change blocks. | ||||
14 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |