You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2006/02/27 11:18:15 UTC
proxy keepalive handling
(somewhat more appropriate $SUBJECT now ;)
On Thu, Feb 23, 2006 at 10:20:08PM +0100, Ruediger Pluem wrote:
> There is an interesting bug regarding this topic:
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=38763
>
> It seems that we do not have to worry about resending POSTs at all because of
>
> 8.1.4 of RFC2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html)
...
> POST does not seem to be an idempotent method to me.
Excellent point, yes. This could imply that case (a) in my proposal
should be modified such that it is only used for methods known to be
idempotent. This would however require the proxy to have knowledge of
whether any arbitrary HTTP method is idempotent or not!
But - if the downstream client sent a request with a non-idempotent
method on a keptalive connection, then it is already risking having to
resend said request after a connection timeout. So it would not seem
unreasonable to ignore this case, and leave it to the discretion of the
client. (if clients will only send non-idempotent requests as the first
request on the connection, then my case (b) will always apply to them)
w.r.t. your other questions (sorry for the slow reponses):
- I haven't tested how The Browsers behave:, but I'd bet that they will
both send POST requests on keptalive connections, and will automatically
retry them if the connection is closed.
- I think the "A client, server, or proxy MAY close the transport
connection at any time." statement in 8.1.4 means it is RFC-compliant to
have the proxy just drop the connection without sending a response like
this.
- I don't think that allowing a client to force the proxy to close a
backend connection is in any way a security issue; it doesn't cause a
denial of service or anything. There are various cases in 2616, such as
an unrecognized content-coding in the request, which require the
*server* to close the connection anyway.
> Even retransmitting GETs with parameters in the URL seems dangerous to
> me.
The opposing view is that 2616 says that GET is idempotent, and 2616 is
The Law. Pick one ;)
Regards,
joe