mod_http2: implement ORIGIN frames

Open icing opened this issue 8 years ago • 1 comments

With the latest additions to the nghttp2 API, new frame types can be supported. The proposed ORIGIN frame should be added to inform clients about proper connection reuse, since the server will deny streams for virtual hosts with different TLS configurations, something the client is unable to guess correctly upfront.

icing, Mar 31 '16 18:03

With the ORIGIN draft getting more attention again in the http-wg and browsers showing willingness to implement, this feature needs to be considered in upcoming releases.

Current thoughts as to how:

  • Without further configuration, send an empty ORIGIN frame at the start of the connection, making this connection viable for the SNI host only. This avoids conflicting SSL configs in different vhosts that might share a certificate.
  • Add new directive H2Origins which can take a list of authorities (hostnames+port) that only applies to SSL server configs. Can be repeatedly used, is additive.
  • Special values for H2Origins will be Never and SelfOnly, suppressing the sending of ORIGIN frames, resp. sending an empty frame.
  • Will work only with nghttp2 version 1.8.0 and onwards

icing, Feb 06 '17 10:02
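
The wire format behind the "empty frame" versus "list of authorities" choice discussed above, as an added example that is not mod_http2 code and not from the issue author. It assumes the ORIGIN frame layout as later published in RFC 8336 (type 0xc on stream 0, payload a sequence of 16-bit length-prefixed ASCII origins); the function names and sample origins are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define H2_FRAME_ORIGIN 0x0c  /* frame type assigned in RFC 8336 */

/* Server side: write a whole ORIGIN frame (9-byte HTTP/2 header + entries).
 * n == 0 gives the empty frame: the client's origin set stays at the SNI
 * host only. Returns the frame length, or 0 if it does not fit. */
size_t origin_frame_encode(uint8_t *buf, size_t cap,
                           const char *const *origins, size_t n)
{
    size_t off = 9, plen;
    if (cap < off) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(origins[i]);
        if (len > 0xffff || cap - off < 2 + len) return 0;
        buf[off++] = (uint8_t)(len >> 8);      /* Origin-Len, big endian */
        buf[off++] = (uint8_t)(len & 0xff);
        memcpy(buf + off, origins[i], len);    /* ASCII-Origin */
        off += len;
    }
    plen = off - 9;
    buf[0] = (uint8_t)(plen >> 16); buf[1] = (uint8_t)(plen >> 8); buf[2] = (uint8_t)plen;
    buf[3] = H2_FRAME_ORIGIN; buf[4] = 0;      /* no flags defined */
    memset(buf + 5, 0, 4);                     /* stream 0 */
    return off;
}

/* Client side: may a request for `origin` reuse this connection?
 * Byte-exact comparison; origin normalisation is not modelled. */
int origin_frame_allows(const uint8_t *frame, size_t flen,
                        const char *sni_origin, const char *origin)
{
    size_t off = 9, want = strlen(origin), plen;
    if (strcmp(origin, sni_origin) == 0) return 1;   /* initial origin */
    if (flen < 9 || frame[3] != H2_FRAME_ORIGIN) return 0;
    if ((frame[5] & 0x7f) | frame[6] | frame[7] | frame[8]) return 0;
    plen = ((size_t)frame[0] << 16) | ((size_t)frame[1] << 8) | frame[2];
    if (plen != flen - 9) return 0;
    while (flen - off >= 2) {
        size_t len = ((size_t)frame[off] << 8) | frame[off + 1];
        off += 2;
        if (len > flen - off) return 0;              /* truncated entry */
        if (len == want && memcmp(frame + off, origin, len) == 0) return 1;
        off += len;
    }
    return 0;
}
```

Under RFC 8336 a client must still verify that the certificate covers any origin it coalesces onto the connection; that check is outside this sketch.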