You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1998/02/18 12:09:24 UTC

absoluteURIs suck

I really don't understand the lameness regarding absoluteURIs in HTTP/1.1. 
Suppose HTTP/1.2 comes out and dictates that absoluteURIs must be used for
all requests (this is hinted at in RFC2068).  In order to interoperate
with HTTP/1.1 servers all HTTP/1.2 clients will have to also include Host:
headers.  This is a waste of bandwidth having to include the hostname
twice. 

It could be fixed by relaxing HTTP/1.1 and requiring that the client MUST
send either an absoluteURI or a relativeURI with a Host: header. 

Apache 1.2 and 1.3 are broken as far as forward compatibility with this
hypothetical HTTP spec as well.  Consider: 

<VirtualHost 10.1.1.1>
...
</VirtualHost>

No NameVirtualHost in the config.  I consider the only correct way to
implement this config is that *all requests* appearing at 10.1.1.1:80 will
be served by that virtual host.  Right now if a request appears there with
an absolute URI with a hostname that isn't listed *we will reject it*.
This means we're not forward compatible with some lame HTTP version that
doesn't exist but is threatened to exist. 

Contrast this with the behaviour on a Host: header that we don't
recognize... we just don't care about it, we serve what has been
configured (a default server, or the ip-vhost).

Martin I'm gonna go look at your uri parsing patch.  I think in order to
fix some of this we really need it.

Dean

Re: absoluteURIs suck

Posted by Ben Laurie <be...@algroup.co.uk>.

Dean Gaudet wrote:
> 
> I really don't understand the lameness regarding absoluteURIs in HTTP/1.1.
> Suppose HTTP/1.2 comes out and dictates that absoluteURIs must be used for
> all requests (this is hinted at in RFC2068).  In order to interoperate
> with HTTP/1.1 servers all HTTP/1.2 clients will have to also include Host:
> headers.  This is a waste of bandwidth having to include the hostname
> twice.

All I remember from the WG discussions is that this was considered to be
a good idea, if not strictly necessary. If pushed, I could probably
remember why. I have a vague memory that Alexei had a fair amount to say
on the subject.

Actually, I have a nasty suspicion that there is no good reason to
require this.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Re: absoluteURIs suck

Posted by Alvaro Martinez Echevarria <al...@lander.es>.

On Fri, 20 Feb 1998, Marc Slemko wrote:

> On Sat, 21 Feb 1998, Alvaro Martinez Echevarria wrote:
> 
> > > On Fri, 20 Feb 1998, Anand Kumria wrote:
> > > > Indeed following "Be liberal in what you accept" would be useful. The
> > > > rational (I beieve) for closing 1454 was that "Apache relaxes the
> > > > requirement for a Host: header for versions greater than HTTP/1.1"
> > 
> > Yeah; and also "don't be too liberal in what you accept", or you
> > might end up accepting requests like "GIMME www.nasa.gov BUDDY".
> > Just kidding.
> 
> Well, not quite but close:
> 
> marcs@valis:~$ nc -v www.roxen.com 80
> roxen.com [194.52.182.96] 80 (http) open
> GIMME / BUDDY
> 
> HTTP/1.0 200 OK
> Last-Modified: Sat, 21 Feb 1998 04:04:41 GMT
> Server: Roxen·Challenger/1.2alpha14

Believe me, I have woke up my whole family with my laughters when
I've seen that :-). That's really nice, but anyway I would say
you can expect such kind of behaviour from that
roxen-challenger-something thingie. But those ones I've found
after you killed my innocence are even better, and more
surprising (at least to me):

----------------------------------------
alvaro@leon:~$ telnet www.nasa.gov 80
Trying 198.116.116.10...
Connected to www.nsi.nasa.gov.
Escape character is '^]'.
GIMME www.nasa.gov BUDDY

HTTP/1.1 404 Not found
Server: Netscape-Enterprise/3.0
Date: Sat, 21 Feb 1998 04:15:34 GMT
Content-type: text/html
Last-modified: Fri, 03 Oct 1997 19:25:44 GMT
Content-length: 769
Accept-ranges: bytes

<html>
<head>
<title>Error</title>
</head>
<body bgcolor=#ffffff text=#000000>
<h1>Please note...</h1>
<a href=http://www.nasa.gov>www.nasa.gov</a> has been re-designed and 
deployed to provide better service to the public.  As a result, some old 
URLs may not work.  Please refer to the new site for further assistance.
<p>  
[....]
----------------------------------------

"Houston, we have a problem". Yes, they seem to have a serious problem
with orientation there at the NASA. And what about this one? This
server here just says "mea culpa". Smells like a SIGSEGV
somewhere in the parser.

----------------------------------------
alvaro@leon:~$ telnet www.netscape.com 80
Trying 207.200.73.73...
Connected to www24.netscape.com.
Escape character is '^]'.
GIMME / BUDDY

HTTP/1.0 500 Server Error
Server: Netscape-Enterprise/2.01
Date: Sat, 21 Feb 1998 04:28:39 GMT
Content-type: text/html
Content-length: 305

<HTML><HEAD><TITLE>Server Error</TITLE></HEAD>
<BODY><H1>Server Error</H1>
This server has encountered an internal error which prevents it
from fulfilling your request. The most likely cause is a
misconfiguration. Please ask the administrator to look for
messages in the server's error log.
</BODY></HTML>Connection closed by foreign host.
----------------------------------------

After this, I am pretty sure some developers out there have
understood "be anarchic in what you accept".
Now I can go to bed.
Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-1-5562883         |
                                 |      Fax: +34-1-5563001         |
                                 `---------------------------------'

Re: absoluteURIs suck

Posted by Marc Slemko <ma...@worldgate.com>.

On Sat, 21 Feb 1998, Alvaro Martinez Echevarria wrote:

> > On Fri, 20 Feb 1998, Anand Kumria wrote:
> > > Indeed following "Be liberal in what you accept" would be useful. The
> > > rational (I beieve) for closing 1454 was that "Apache relaxes the
> > > requirement for a Host: header for versions greater than HTTP/1.1"
> 
> Yeah; and also "don't be too liberal in what you accept", or you
> might end up accepting requests like "GIMME www.nasa.gov BUDDY".
> Just kidding.

Well, not quite but close:

marcs@valis:~$ nc -v www.roxen.com 80
roxen.com [194.52.182.96] 80 (http) open
GIMME / BUDDY

HTTP/1.0 200 OK

Last-Modified: Sat, 21 Feb 1998 04:04:41 GMT

Server: Roxen�Challenger/1.2alpha14

MIME-Version: 1.0

Content-type: text/html

Date: Sat, 21 Feb 1998 04:04:41 GMT

Content-length: 658



<!-- $Id: welcome.html,v 1.9 1997/12/15 20:01:59 peter Exp $
     name="Roxen Welcome Page";
     doc="The page with the password form";
  -->
<img src=/image/roxen-source-inside.jpg align=right spacing=20>
<font size=+4 face="new century schoolbook"><b>Welcome!</b></font>
[...]

Re: absoluteURIs suck

Posted by Alvaro Martinez Echevarria <al...@lander.es>.

> On Fri, 20 Feb 1998, Anand Kumria wrote:
> > Indeed following "Be liberal in what you accept" would be useful. The
> > rational (I beieve) for closing 1454 was that "Apache relaxes the
> > requirement for a Host: header for versions greater than HTTP/1.1"

Yeah; and also "don't be too liberal in what you accept", or you
might end up accepting requests like "GIMME www.nasa.gov BUDDY".
Just kidding.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-1-5562883         |
                                 |      Fax: +34-1-5563001         |
                                 `---------------------------------'

Re: absoluteURIs suck

Posted by Dean Gaudet <dg...@arctic.org>.

On Fri, 20 Feb 1998, Anand Kumria wrote:

> On Wed, 18 Feb 1998, Dean Gaudet wrote:
> 
> > I really don't understand the lameness regarding absoluteURIs in HTTP/1.1. 
> > Suppose HTTP/1.2 comes out and dictates that absoluteURIs must be used for
> > all requests (this is hinted at in RFC2068).  In order to interoperate
> > with HTTP/1.1 servers all HTTP/1.2 clients will have to also include Host:
> > headers.  This is a waste of bandwidth having to include the hostname
> > twice. 
> 
> And it will be because of Apache. This is basically the same issue I was
> trying to point out to you in PR#1454 - if you follow the processing
> strategy outlined in the RFC and ignore the precense of Host: fields then
> client implementors won't have to do this.

No, Apache follows the spec.  Until and unless a later revision of
HTTP/1.1 relaxes the two or three places that RFC2068 says a client MUST
send a host header apache will require it.

> > It could be fixed by relaxing HTTP/1.1 and requiring that the client MUST
> > send either an absoluteURI or a relativeURI with a Host: header. 
> 
> Indeed following "Be liberal in what you accept" would be useful. The
> rational (I beieve) for closing 1454 was that "Apache relaxes the
> requirement for a Host: header for versions greater than HTTP/1.1"

"Be liberal in what you accept" has absolutely no relevance here.  A
client is not an HTTP/1.1 client unless it follows that MUST include Host: 
header rule.  No such clients exist, because Apache enforces the rule (as
required) and any client author would be stupid to not interoperate with
Apache. 

> Marc (Slemko) notes that some other HTTP server ignore the Host: header
> (for 1.1 requests) and some others don't. Sounds like a spec ambiguity,
> perhaps Roy Fielding would care to comment on the intent of the WG at the
> time?

No, those servers are broken.  There is no ambiguity in the spec, it
spells this out twice.

Dean

Re: absoluteURIs suck

Posted by Marc Slemko <ma...@worldgate.com>.

On Fri, 20 Feb 1998, Anand Kumria wrote:

> On Wed, 18 Feb 1998, Dean Gaudet wrote:
> 
> > I really don't understand the lameness regarding absoluteURIs in HTTP/1.1. 
> > Suppose HTTP/1.2 comes out and dictates that absoluteURIs must be used for
> > all requests (this is hinted at in RFC2068).  In order to interoperate
> > with HTTP/1.1 servers all HTTP/1.2 clients will have to also include Host:
> > headers.  This is a waste of bandwidth having to include the hostname
> > twice. 
> 
> And it will be because of Apache. This is basically the same issue I was
> trying to point out to you in PR#1454 - if you follow the processing
> strategy outlined in the RFC and ignore the precense of Host: fields then
> client implementors won't have to do this.

No, it is because of the spec.  Unless you have a darn good reason, not
following the spec is a poor idea.  There is perhaps a good reason here,
not a darn good reason.

> > It could be fixed by relaxing HTTP/1.1 and requiring that the client MUST
> > send either an absoluteURI or a relativeURI with a Host: header. 
> 
> Indeed following "Be liberal in what you accept" would be useful. The
> rational (I beieve) for closing 1454 was that "Apache relaxes the
> requirement for a Host: header for versions greater than HTTP/1.1"
> 
> Marc (Slemko) notes that some other HTTP server ignore the Host: header
> (for 1.1 requests) and some others don't. Sounds like a spec ambiguity,
> perhaps Roy Fielding would care to comment on the intent of the WG at the
> time?

I don't think it is necessarily due to ambiguity in the spec as much as
the fact that it seems most server implementors are too dumb to or don't
want toread it.

Re: absoluteURIs suck

Posted by Anand Kumria <wi...@progsoc.uts.edu.au>.

On Wed, 18 Feb 1998, Dean Gaudet wrote:

> I really don't understand the lameness regarding absoluteURIs in HTTP/1.1. 
> Suppose HTTP/1.2 comes out and dictates that absoluteURIs must be used for
> all requests (this is hinted at in RFC2068).  In order to interoperate
> with HTTP/1.1 servers all HTTP/1.2 clients will have to also include Host:
> headers.  This is a waste of bandwidth having to include the hostname
> twice. 

And it will be because of Apache. This is basically the same issue I was
trying to point out to you in PR#1454 - if you follow the processing
strategy outlined in the RFC and ignore the precense of Host: fields then
client implementors won't have to do this.

> It could be fixed by relaxing HTTP/1.1 and requiring that the client MUST
> send either an absoluteURI or a relativeURI with a Host: header. 

Indeed following "Be liberal in what you accept" would be useful. The
rational (I beieve) for closing 1454 was that "Apache relaxes the
requirement for a Host: header for versions greater than HTTP/1.1"

Marc (Slemko) notes that some other HTTP server ignore the Host: header
(for 1.1 requests) and some others don't. Sounds like a spec ambiguity,
perhaps Roy Fielding would care to comment on the intent of the WG at the
time?

Regards,
Anand.