]> Reverse HTTP Transport Meta Platforms, Inc.
ietf@bemasc.net
Nokia
kondtir@gmail.com
Orange
mohamed.boucadair@orange.com
SAP SE
philipp@tiesel.net
ART HTTPBIS Internet-Draft This document defines a secure transport for HTTP in which the client and server roles are reversed. This arrangement improves the origin server's protection from Layer 3 and Layer 4 denial-of-service attacks when an intermediary is in use. It allows origin server's to be hosted without being publicly (and directly) accessible but allows clients to access these servers via an intermediary. About This Document Status information for this document may be found at . Discussion of this document takes place on the HTTPBIS Working Group mailing list (), which is archived at .
Introduction The Hypertext Transfer Protocol (HTTP) has long supported the ability of clients to access origins via an intermediary. There are a variety of well-defined intermediary types:
  • Client-selected
    • HTTP request proxies (a.k.a. forward proxies)
    • Transport proxies (e.g., CONNECT (), CONNECT-UDP )
    • IP relays (e.g., CONNECT-IP )
    • Oblivious HTTP Relays
  • Origin-selected
    • HTTP gateways (a.k.a. reverse proxies)
    • Transport load balancers (e.g., Performance-Enhancing Proxies (PEPs, Section 2.1.1 of )
Although these intermediaries differ widely in their functionality, many of them act as an HTTP client when connecting to the origin. Client-selected intermediaries reach the origin based on its hostname or IP address specified in the HTTP request, while origin-selected intermediaries first translate this destination address into a "backend address". One of the main advantages of origin-selected intermediaries is their ability to defend the origin from attacks, especially Denial of Service (DoS) and Distributed Denial-of-Service (DDoS) attacks in which an attacker floods the origin server with requests/packets. To prevent attackers from simply bypassing the intermediary, common practices include keeping the backend address hidden and/or instituting filtering rules (ACL, typically) that only allow packets from the intermediary. These practices are reasonably effective with origin-selected intermediaries, but they cannot be used with client-selected intermediaries, as those intermediaries do not know the hidden backend IP address and/or port number, and the origin does not know their "exit" IP addresses. This specification defines a protocol for HTTP connections between origins and arbitrary intermediaries that can limit the impact of Layer 3 and Layer 4 DoS/DDoS attacks. When this protocol is in use, origins have the ability to partition the infrastructure that serves each intermediary. This ensures that attacks targeting the origin's public IP address or attacks via one intermediary will not affect any other intermediaries. By partitioning the infrastructure, the impact of the attacks is contained within the affected intermediary or the origin's public IP address. This protocol works by reversing the roles of the Transport Layer Security (TLS) or QUIC transport that supports an HTTP connection: the origin acts as the transport client, and the intermediary acts as the server. HTTP operates normally inside the secure transport but with the client and server roles reversed.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Reverse HTTP: Protocol Overview The protocol defined in this document is termed "Reverse HTTP". The "Reverse HTTP/2" version is identified by the ALPN ID "h2-reverse", and "Reverse HTTP/3" by "h3-reverse" (see ). These protocols represent HTTP/2 and HTTP/3, operating with the roles reversed but otherwise unmodified, except as follows:
  • The intermediary MUST send a TLS CertificateRequest message () to indicate that certificate-based client authentication is required.
  • The origin MUST respond with a valid certificate chain.
  • Each party MUST send a SETTINGS frame () as soon as the transport becomes writable to them. This means that the intermediary will typically send its SETTINGS frame first.
  • The origin MUST immediately send an ORIGIN frame identifying the origins it claims. This frame is used as originally defined, except that wildcard names are permitted (contrary to ).
    • Otherwise, use of Reverse HTTP with wildcard certificates would be impossible.
  • The intermediary MUST check the ORIGIN frame contents against the provided TLS client certificate.
Reverse HTTP/1.1 is not defined, as the lack of multiplexing renders it unsuitable for this use. Once this process has completed, the origin has proved ownership of the Origin Set and is ready to receive requests. The intermediary SHOULD direct subsequent HTTP requests for this origin over this Reverse HTTP channel absent explicit policy (e.g., overload limit or ACL). For example, a policy can be provided to the intermediary to help determining unacceptable load threshold.
Use with Transport Proxies Transport proxies do not normally act as HTTP clients, so they cannot use Reverse HTTP directly. Instead, if a transport proxy receives a request whose destination host and port number appears in the Origin Set, the proxy establishes a transport proxy connection to this origin over the Reverse HTTP connection. For example, this corresponds to an HTTP CONNECT request for TCP, and for UDP it corresponds to an extended-CONNECT request with the "connect-udp" protocol, using the registered .well-known URI template. Note that transport destinations identified by an IP address can only use this mechanism if the origin's certificate includes that IP address explicitly. For IP relays, the destination does not include a port number. By default, the intermediary MUST add a port number of 443 before attempting to forward packets using this procedure.
Discovery of Client-selected Intermediaries The HTTP "Via" header can indicate the presence of a client-selected intermediary. If a "Via" header arrives with an unrecognized host, the origin MAY attempt a Reverse HTTP connection for use by future requests from this intermediary. If the intermediary does not confirm the protocol via ALPN, the origin MUST close the connection.
Service Binding Mapping Intermediaries that support Reverse HTTP SHOULD indicate this by publishing a SVCB record with port-prefix naming, using the scheme "http-reverse" with a default port number of 443. Applicable SvcParamKeys include "alpn", "ipv4hint"/"ipv6hint", and "port". There is no default ALPN value, so the "alpn" key is REQUIRED.
Example Records for a Forward Proxy that Supports Reverse HTTP
Operational Considerations
Compatibility Reverse HTTP applies to a single hop of a multihop HTTP connection, especially the hop between an intermediary and the origin. When used in this way, Reverse HTTP is compatible with any ordinary HTTP user agent, and user agents ordinarily cannot tell that Reverse HTTP is in use. (Reverse HTTP does not alter the contents of the "Via" response header.)
Efficiency Reverse HTTP does not use appreciably more bandwidth or CPU time than ordinary HTTP on active connections. However, it is much less efficient for idle connections, which use memory and other connection-related resources on the intermediary even when no requests are being processed.
Connection Management To accommodate loss of state in firewalls or translators (), especially in the absence of application traffic, the origin SHOULD use appropriate transport-level keepalives and MUST re-establish a new connection when an application-level communication has failed. Origins backed by multiple servers MAY attempt to establish a separate Reverse HTTP connection from each one in order to tolerate node failures and support optimized path selection. However, intermediaries SHOULD limit the number of idle Reverse HTTP connections operated on behalf of each registrable domain, in order to avoid resource exhaustion attacks. A local configuration may be provided to an intermediary to control the maximum number of active connections. For very high-traffic origins and multi-instance intermediaries, a disruption could occur if the intermediary immediately directs all user traffic onto the first Reverse HTTP connection. Very large intermediaries SHOULD ensure that transitions to Reverse HTTP are gradual, so that large origins have time to establish multiple connections.
  • Note: define more what is meant precisly by "Very large", "multi-instance", etc.
Non-public Origins In some cases, an HTTP origin may be intended exclusively for use via one or more client-selected intermediaries that are known to the origin. In this situation, the publication of DNS records outside a domain for the origin is OPTIONAL.
Other Applications Reverse HTTP is principally intended for use between intermediaries and origins. It is not applicable to general HTTP clients, as it requires that the origin knows that the client will issue a request before the request occurs. However, in cases where an HTTP client is publicly reachable and produces frequent requests to one origin over a long period of time, Reverse HTTP may be applicable. It is out of scope of this document to identify a comprehensive list of the protocol applicability.
An Example The following shows the example of the reverse HTTP in the context of Oblivious HTTP deployments.
Example: Reverse HTTP/2 for Oblivious HTTP Client Relay Gateway Target Resource Resource Resource Initiate TCP handshake Initiate TLS with ALPN="h2-reverse" CertificateRequest, HTTP SETTINGS CertificateVerify, SETTINGS, ORIGIN Validate certificate & role reversal Relay Request [+ Encapsulated Request ] Gateway Request [+ Encapsulated Request ] Request Response Gateway Response [+ Encapsulated Response ] Relay Response [+ Encapsulated Response ] | | | | CertificateVerify, | | | | SETTINGS, ORIGIN | | | |<-------------------+ | | .-------------. | | | | | Validate | | | | | | certificate & |+-+| | | | | role reversal | | | | | `-------------' | | | | | | | | Relay | | | | Request | | | | [+ Encapsulated | | | | Request ] | | | +-------------------->| Gateway | | | | Request | | | | [+ Encapsulated | | | | Request ] | | | +------------------->| Request | | | +------------->| | | | | | | | Response | | | Gateway |<-------------+ | | Response | | | | [+ Encapsulated | | | | Response ] | | | Relay |<-------------------+ | | Response | | | | [+ Encapsulated | | | | Response ] | | | |<--------------------+ | | | | | | ]]>
Security Considerations
Stolen Key Attacks As noted in , accepting ORIGIN frames without DNS confirmation facilitates the use of stolen keys, and thus increases the incentive to steal these keys. The mitigations listed in that section also apply here, and are RECOMMENDED. Intermediaries also MAY impose a DNS confirmation requirement, although this weakens the DoS/DDoS defense provided by Reverse HTTP ().
  • QUESTION: Should we do more about this? For example, we could define an OID to mark these certificates as Reverse HTTP-only, or we could commit to an IP range by placing a MAC in a DNS record and revealing the message via a SETTINGS value.
IP Address Leaks One goal of Reverse HTTP is to prevent DoS/DDoS attackers from learning the IP addresses used by an origin to communicate with this intermediary. These IP addresses can be leaked in various ways, requiring certain mitigations:
  • In the ordinary DNS address records for the origin.
    • Origins SHOULD use different IP addresses for Reverse HTTP (unless the intermediary imposes a DNS confirmation requirement as described in ).
  • In the Proxy-Status HTTP header field's "next-hop" attribute.
    • Intermediaries MUST NOT populate the "next-hop" attribute when using Reverse HTTP to the origin.
  • From the probes sent to intermediaries discovered from the "Via" header field.
    • Origins SHOULD use distinct, unrelated IP addresses to contact each intermediary.
  • From connection monitoring of the ALPN values in ClientHellos.
    • Intermediaries MAY use a single Encrypted ClientHello configuration for HTTP and Reverse HTTP.
  • From statistical analysis of traffic patterns.
    • Origins SHOULD regularly change the IP address that is used.
Even if the origin's Reverse HTTP IP addresses do leak, Reverse HTTP still provides significant protection by simplifying the filtering rules required to block unsolicited connections.
Key Consistency with Oblivious HTTP The security considerations for the Oblivious HTTP () as well as the security considerations for Discovery of Oblivious Services via Service Binding Records () apply. provides an analysis of the options for ensuring the key configurations are consistent between different clients. Clients MUST employ techniques to mitigate key targeting attacks. Note that the option of confirming the key with a shared proxy as described in will work if the Oblivious HTTP relay and the forward proxy operate from a single origin.
IANA Considerations
ALPN IDs This document rquests IANA to add two new registrations in the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry :
Protocol Identification Sequence Specification
Reverse HTTP/2 0x68 0x32 0x2d 0x72 0x65 0x76 0x65 0x72 0x73 0x65 ("h2-reverse") (This document)
Reverse HTTP/3 0x68 0x33 0x2d 0x72 0x65 0x76 0x65 0x72 0x73 0x65 ("h3-reverse") (This document)
New Scheme Per , IANA is requested to add the following entry to the DNS Underscore Global Scoped Entry registry:
RR TYPE _NODE NAME Reference
SVCB _http-reverse (This document, )
  • TODO: Register the URI scheme as well.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. HTTP/2 This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection. This document obsoletes RFCs 7540 and 8740. The ORIGIN HTTP/2 Frame This document specifies the ORIGIN frame for HTTP/2, to indicate what origins are available on a given connection. Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs) Google Akamai Technologies Akamai Technologies This document specifies the "SVCB" and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP [HTTP]. By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy. TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/MikeBishop/dns-alt-svc (https://github.com/MikeBishop/dns-alt-svc). The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests. Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection. Informative References HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. Proxying UDP in HTTP This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy. Proxying IP in HTTP Apple Inc. Google LLC Google LLC Ericsson Ericsson This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298. Oblivious HTTP Mozilla Cloudflare This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages. Performance Enhancing Proxies Intended to Mitigate Link-Related Degradations This document is a survey of Performance Enhancing Proxies (PEPs) often employed to improve degraded TCP performance caused by characteristics of specific link environments, for example, in satellite, wireless WAN, and wireless LAN environments. This memo provides information for the Internet community. Issues with IP Address Sharing The completion of IPv4 address allocations from IANA and the Regional Internet Registries (RIRs) is causing service providers around the world to question how they will continue providing IPv4 connectivity service to their subscribers when there are no longer sufficient IPv4 addresses to allocate them one per subscriber. Several possible solutions to this problem are now emerging based around the idea of shared IPv4 addressing. These solutions give rise to a number of issues, and this memo identifies those common to all such address sharing approaches. Such issues include application failures, additional service monitoring complexity, new security vulnerabilities, and so on. Solution-specific discussions are out of scope. Deploying IPv6 is the only perennial way to ease pressure on the public IPv4 address pool without the need for address sharing mechanisms that give rise to the issues identified herein. This document is not an Internet Standards Track specification; it is published for informational purposes. Oblivious HTTP Mozilla Cloudflare This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages. Discovery of Oblivious Services via Service Binding Records Apple Inc. Nokia This document defines a parameter that can be included in SVCB and HTTPS DNS resource records to denote that a service is accessible using Oblivious HTTP, by offering an Oblivious Gateway Resource through which to access the target. This document also defines a mechanism to learn the key configuration of the discovered Oblivious Gateway Resource. Key Consistency and Discovery Brave Software The Tor Project Mozilla Cloudflare This document describes the consistency requirements of protocols such as Privacy Pass, Oblivious DoH, and Oblivious HTTP for user privacy. It presents definitions for consistency and then surveys mechanisms for providing consistency in varying threat models. In concludes with discussion of open problems in this area. Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves Formally, any DNS Resource Record (RR) may occur under any domain name. However, some services use an operational convention for defining specific interpretations of an RRset by locating the records in a DNS branch under the parent domain to which the RRset actually applies. The top of this subordinate branch is defined by a naming convention that uses a reserved node name, which begins with the underscore character (e.g., "_name"). The underscored naming construct defines a semantic scope for DNS record types that are associated with the parent domain above the underscored branch. This specification explores the nature of this DNS usage and defines the "Underscored and Globally Scoped DNS Node Names" registry with IANA. The purpose of this registry is to avoid collisions resulting from the use of the same underscored name for different services.