Feature #2924
closed
Suboptimal keep-alive handling when request body is not read
Description
- An HTTP client performs an HTTP request.
- The request is eligible for keep-alive (e.g. because HTTP/1.1 was used).
- The request includes a request body (e.g. POST).
- lighttpd determines a reply without reading the request body (e.g. mod_auth returns 401).
In this case, the connection_handle_response_end_state function determines that keep-alive is not possible and initiates a connection shutdown. A remote client may be unprepared for such a shutdown, because lighttpd did not include a "Connection: close" header in its reply, and attempt a second request on the same connection. This is subject to a race condition (i.e. if the shutdown is deferred compared to the response). When reproducing the issue, I hit that race in at most 0.1% of the attempts (i.e. quite unlikely). A client that is prone to hitting it is python-requests. python-requests' behaviour is suboptimal as well, as is documented at https://github.com/requests/requests/issues/4664.
I propose that when lighttpd sends its response headers, it performs the same check as in connection_handle_response_end_state and adds the relevant Connection: close header. "gps" pointed out that this may be undesirable when using server.stream-request-body = 1 with mod_proxy. Requiring server.stream-request-body = 0 is a reasonable compromise to me. Is the patch a reasonable trade-off?
Added by gstrauss about 6 years ago
[core] send Connection: close if reqbody not read (fixes #2924)
send Connection: close if it is known that request body has not finished
being read and will not finish being read
x-ref:
"Suboptimal keep-alive handling when request body is not read"
https://redmine.lighttpd.net/issues/2924
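The check proposed in the description, sketched as an added example; it is not lighttpd source and not the committed patch. All names (`req_state`, `parse_head`, `must_close`, `build_401`, `will_read_rest`) are hypothetical, the request is constructed, and the model assumes a Content-Length body and treats HTTP/1.0 as always closing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Hypothetical model of the proposal; none of these names are lighttpd's. */
struct req_state {
    int  http11;          /* HTTP/1.1 request, so keep-alive eligible */
    long content_length;  /* declared body length, 0 when absent */
    long body_received;   /* body bytes that arrived together with the head */
};

/* Parse a NUL-terminated buffered request; -1 if the head is incomplete or invalid. */
static int parse_head(const char *buf, size_t len, struct req_state *r) {
    const char *end = strstr(buf, "\r\n\r\n");
    if (!end) return -1;
    const char *eol = strstr(buf, "\r\n");      /* end of the request line */
    r->http11 = (eol - buf >= 8 && memcmp(eol - 8, "HTTP/1.1", 8) == 0);
    r->content_length = 0;
    for (const char *p = eol + 2; p < end; p = strstr(p, "\r\n") + 2)
        if (strncasecmp(p, "Content-Length:", 15) == 0)
            r->content_length = strtol(p + 15, NULL, 10);
    if (r->content_length < 0) return -1;
    r->body_received = (long)(len - ((size_t)(end - buf) + 4));
    return 0;
}

/* One predicate for both the response header and the end-of-response shutdown. */
static int must_close(const struct req_state *r, int will_read_rest) {
    if (!r->http11) return 1;
    return r->body_received < r->content_length && !will_read_rest;
}

/* Early 401 whose headers announce the shutdown the server is about to perform. */
static int build_401(const struct req_state *r, int will_read_rest, char *out, size_t n) {
    return snprintf(out, n,
        "HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: Basic realm=\"example\"\r\n"
        "Content-Length: 0\r\n"
        "%s\r\n",
        must_close(r, will_read_rest) ? "Connection: close\r\n" : "");
}

int main(void) {
    /* Constructed request: 10-byte body declared, only 3 bytes arrived with the head. */
    const char *req = "POST /p HTTP/1.1\r\nHost: a\r\nContent-Length: 10\r\n\r\nabc";
    struct req_state r; char out[256];
    if (parse_head(req, strlen(req), &r) == 0 && build_401(&r, 0, out, sizeof out) > 0)
        fputs(out, stdout);
    return 0;
}
```

Because the header and the shutdown decision come from the same predicate, a client never sees a keep-alive-looking response on a connection that is about to be closed.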