[BUG?] protocol.version=2 sends HTTP "Expect" headers

[BUG?] protocol.version=2 sends HTTP "Expect" headers

[Jeff King]

Since 959dfcf42f (smart-http: Really never use Expect: 100-continue,
2011-03-14), we try to avoid sending "Expect" headers, since some
proxies apparently don't handle them well. There we have to explicitly
tell curl not to use them.

The exception is large requests with GSSAPI, as explained in c80d96ca0c
(remote-curl: fix large pushes with GSSAPI, 2013-10-31).

However, Jon Simons noticed that when using protocol.version=2, we've
started sending Expect headers again. That's because rather than going
through post_rpc(), we push the stateless data through a proxy_state
struct. And in proxy_state_init(), when we set up the headers, we do not
disable curl's Expect handling.

So a few questions:

  - is this a bug or not? I.e., do we still need to care about proxies
    that can't handle Expect? The original commit was from 2011. Maybe
    things are better now. Or maybe that's blind optimism.

    Nobody has complained yet, but that's probably just because v2 isn't
    widely deployed yet.

  - if it is a bug, how can we handle it like the v0 code? There we
    enable it only for GSSAPI on large requests. But I'm not sure we can
    know here whether the request is large, since we're inherently just
    streaming through chunked data. It looks like post_rpc tries to read
    a single packet first, and considers anything over 64k to be large.

  - alternatively, should we just leave it on for v2, and provide a
    config switch to disable it if you have a crappy proxy? I don't know
    how widespread the problem is, but I can imagine that the issue is
    subtle enough that most users wouldn't even know.

I think I've convinced myself that we probably do need to do the "peek
at the first packet" thing like post_rpc() does, but I think it might be
tricky with the way the proxy_state code is structured.

Thoughts from people with more HTTP knowledge/experience?

-Peff

Re: [BUG?] protocol.version=2 sends HTTP "Expect" headers

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 2778 bytes --]

On Wed, Oct 31, 2018 at 12:03:53PM -0400, Jeff King wrote:
> Since 959dfcf42f (smart-http: Really never use Expect: 100-continue,
> 2011-03-14), we try to avoid sending "Expect" headers, since some
> proxies apparently don't handle them well. There we have to explicitly
> tell curl not to use them.
> 
> The exception is large requests with GSSAPI, as explained in c80d96ca0c
> (remote-curl: fix large pushes with GSSAPI, 2013-10-31).
> 
> However, Jon Simons noticed that when using protocol.version=2, we've
> started sending Expect headers again. That's because rather than going
> through post_rpc(), we push the stateless data through a proxy_state
> struct. And in proxy_state_init(), when we set up the headers, we do not
> disable curl's Expect handling.
> 
> So a few questions:
> 
>   - is this a bug or not? I.e., do we still need to care about proxies
>     that can't handle Expect? The original commit was from 2011. Maybe
>     things are better now. Or maybe that's blind optimism.
> 
>     Nobody has complained yet, but that's probably just because v2 isn't
>     widely deployed yet.

HTTP/1.1 requires support for 100 Continue on the server side and in
proxies (it is mandatory to implement).  The original commit disabling
it (959dfcf42f ("smart-http: Really never use Expect: 100-continue",
2011-03-14)), describes proxies as the reason for disabling it.

It's my understanding that all major proxies (including, as of version
3.2, Squid) support HTTP/1.1 at this point.  Moreover, Kerberos is more
likely to be used in enterprises, where proxies (especially poorly
behaved and outright broken proxies) are more common.  We haven't seen
any complaints about Kerberos support in a long time.  This leads me to
believe that things generally work[0].

Finally, modern versions of libcurl also have a timeout after which they
assume that the server is not going to respond and just send the request
body anyways.  This makes the issue mostly moot.

>   - alternatively, should we just leave it on for v2, and provide a
>     config switch to disable it if you have a crappy proxy? I don't know
>     how widespread the problem is, but I can imagine that the issue is
>     subtle enough that most users wouldn't even know.

For the reasons I mentioned above, I'd leave it on for now.  Between
libcurl and better proxy support, I think this issue is mostly solved.
If we need to fix it in the future, we can, and people can fall back to
older protocols via config in the interim.

[0] In some environments, people use SSH because the proxy breaks
everything that looks like HTTP, but that's beyond the scope of this
discussion.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]

Re: [BUG?] protocol.version=2 sends HTTP "Expect" headers

[Jeff King]

On Thu, Nov 01, 2018 at 12:48:04AM +0000, brian m. carlson wrote:

> > So a few questions:
> > 
> >   - is this a bug or not? I.e., do we still need to care about proxies
> >     that can't handle Expect? The original commit was from 2011. Maybe
> >     things are better now. Or maybe that's blind optimism.
> > 
> >     Nobody has complained yet, but that's probably just because v2 isn't
> >     widely deployed yet.
> 
> HTTP/1.1 requires support for 100 Continue on the server side and in
> proxies (it is mandatory to implement).  The original commit disabling
> it (959dfcf42f ("smart-http: Really never use Expect: 100-continue",
> 2011-03-14)), describes proxies as the reason for disabling it.
> 
> It's my understanding that all major proxies (including, as of version
> 3.2, Squid) support HTTP/1.1 at this point.  Moreover, Kerberos is more
> likely to be used in enterprises, where proxies (especially poorly
> behaved and outright broken proxies) are more common.  We haven't seen
> any complaints about Kerberos support in a long time.  This leads me to
> believe that things generally work[0].

Rooting around in the archive a bit, I found this discussion:

  https://public-inbox.org/git/CAJo=hJvyorMjFYZnVwz4iZr88ewor6LuqOE-mpt4LsPyoddBqg@mail.gmail.com/

The original motivation for 959dfcf42f was apparently Google's own
servers. And they are likely the biggest users of the v2 protocol
(since my impression is that Google ships a modified client to most of
their devs that flips the v2 switch). So if they're not having problems,
maybe that's a sign that this is a non-issue.

> Finally, modern versions of libcurl also have a timeout after which they
> assume that the server is not going to respond and just send the request
> body anyways.  This makes the issue mostly moot.

I think this was always the case. It's just that it introduced annoying
stalls into the protocol.

> >   - alternatively, should we just leave it on for v2, and provide a
> >     config switch to disable it if you have a crappy proxy? I don't know
> >     how widespread the problem is, but I can imagine that the issue is
> >     subtle enough that most users wouldn't even know.
> 
> For the reasons I mentioned above, I'd leave it on for now.  Between
> libcurl and better proxy support, I think this issue is mostly solved.
> If we need to fix it in the future, we can, and people can fall back to
> older protocols via config in the interim.

OK. If nobody is complaining, this seems like a good way to ease into
the migration. I.e., if we dropped the old "suppress Expect headers"
code, people might complain that things are now broken. But if it
gradually follows the v2 adoptions, that's a bit more of a gentle curve
(well, until we hit the cliff where we switch the default to trying v2).

-Peff