[OFF TOPIC] more IIS tricks...

[Marc Slemko <ma...@worldgate.com>]

Tell your client to use www.microsoft.com:80 as a proxy.

Then go to http://www.netscape.com/

That is an awesome way to convince (fill in name of paranoid) that (fill
in name of company running IIS) has taken over (fill in name of other
company on the web).  <g>

IIS will accept full URLs in requests, but just assumes the hostname must
be local so it strips it.  Probably a lot of servers w/o built in
proxy that do this, so IIS is far from alone... and the behaviour is
arguable.  But it still produces cool results.

Re: [OFF TOPIC] more IIS tricks...

[Dean Gaudet <dg...@arctic.org>]

On Wed, 25 Feb 1998, Marc Slemko wrote:

> On Wed, 25 Feb 1998, Dean Gaudet wrote:
> 
> > This is the exact behaviour that I think Apache should have.  Right now I
> > consider us broken (well actually we are broken even if you take a more
> > limited view). 
> 
> How do you make that fit with section 5.2 of 2068?
> 
> Heck, how do you make anything fit with that?

This is what Roy and I were babbling about in the "absoluteURIs suck"
thread.

What part of 5.2 would this violate?  none of it.

   An origin server that does not allow resources to differ by the
   requested host MAY ignore the Host header field value. (But see
   section 19.5.1 for other requirements on Host support in HTTP/1.1.)

This essentially gives us permission to do it, although one of the glaring
omissions regarding absoluteURI and Host: is that the host from the
absoluteURI should be treated just like a Host: header.  5.2 gives origin
servers complete control over what they consider to be their hostname(s).

An *ip only* vhost serves all requests that reach it.  You can send
a request to www.arctic.org port 80, and say "Host: www.netscape.com"
and it will happily serve www.arctic.org to you.  It damn well better:
because I've told it to serve www.arctic.org to you.  But right now
if you say "GET http://www.netscape.com/..."  what does Apache do?
*A DNS LOOKUP*.  Denial of service.

A NameVirtualHost address is defined to serve all requests which are
not otherwise matched from the first vhost in the list.  We get this
right for the Host: header, but not for absoluteURIs.

These two are inconsistancies that make Apache not forward compatible
with future HTTP/1.x protocols.  Future protocols which will require
clients to send absoluteURI on all requests... and suddenly folks'
vhosts behaviour will change.  I want to fix this in 1.3b6.

Insert Dean's standard rant about how name vhosts are an inaccurate
protocol.  Oh yeah, I meant to reply to Roy about this one.  Roy, even
though I use www.chem.happy.edu vs. www.cs.happy.edu as an example
my example works equally well with www.foobar.com and www.barfoo.com
name-vhosted by an ISP -- if the folks at foobar.com put "http://www/"
into their browser it won't work right.  This is why I think HTTP/1.1
should contain a paragraph encouraging clients to send FQDNs.

Dean

Re: [OFF TOPIC] more IIS tricks...

[Marc Slemko <ma...@worldgate.com>]

On Wed, 25 Feb 1998, Dean Gaudet wrote:

> This is the exact behaviour that I think Apache should have.  Right now I
> consider us broken (well actually we are broken even if you take a more
> limited view). 

How do you make that fit with section 5.2 of 2068?

Heck, how do you make anything fit with that?

> 
> Dean
> 
> On Wed, 25 Feb 1998, Marc Slemko wrote:
> 
> > Tell your client to use www.microsoft.com:80 as a proxy.
> > 
> > Then go to http://www.netscape.com/
> > 
> > That is an awesome way to convince (fill in name of paranoid) that (fill
> > in name of company running IIS) has taken over (fill in name of other
> > company on the web).  <g>
> > 
> > IIS will accept full URLs in requests, but just assumes the hostname must
> > be local so it strips it.  Probably a lot of servers w/o built in
> > proxy that do this, so IIS is far from alone... and the behaviour is
> > arguable.  But it still produces cool results.
> > 
> > 
> 

Re: [OFF TOPIC] more IIS tricks...

[Dean Gaudet <dg...@arctic.org>]

This is the exact behaviour that I think Apache should have.  Right now I
consider us broken (well actually we are broken even if you take a more
limited view). 

Dean

On Wed, 25 Feb 1998, Marc Slemko wrote:

> Tell your client to use www.microsoft.com:80 as a proxy.
> 
> Then go to http://www.netscape.com/
> 
> That is an awesome way to convince (fill in name of paranoid) that (fill
> in name of company running IIS) has taken over (fill in name of other
> company on the web).  <g>
> 
> IIS will accept full URLs in requests, but just assumes the hostname must
> be local so it strips it.  Probably a lot of servers w/o built in
> proxy that do this, so IIS is far from alone... and the behaviour is
> arguable.  But it still produces cool results.
> 
>