Matt & Łukasz,
> Am 07.02.2022 um 19:23 schrieb Łukasz Moskała <lm@lukaszmoskala.pl>:
>
> Actually the request is:
>
> GET / HTTP/1.1
> Host: example.com
>
> Host header is REQUIRED by HTTP/1.1 specification: https://datatracker.ietf.org/doc/html/rfc2616#section-14.23
>
> HTTPS also sends host header, but SNI is still used to choose correct certificate.
> Am 07.02.2022 um 18:15 schrieb Matthew Ernisse <mernisse@ub3rgeek.net>:
>
> On Mon, Feb 07, 2022 at 05:23:03PM +0100, Mike Fischer said:
>>
>> Not quite true. I do use DNS and for practical applications I also
>> use HTTPS and SNI. But DNS is secondary and sometimes adds another
>> layer of complexity. Also SNI is not available for services not
>> secured by SSL/TLS to my knowledge. E.g. in my example for a web
>> server on port 80 the hostname comes into play only to resolve the
>> IP. The actual request would be "GET / HTTP/1.1" — no hostname in
>> sight.
>
> FWIW, the assertion about HTTP is incorrect here. HTTP 1.1 defines the Host
> header which is mandatory in requests which and has been used for decades to
> provide name based virtual hosting sharing an IP address.
>
> https://datatracker.ietf.org/doc/html/rfc2616/#section-14.23
>
> In practice DNS isn't even needed, an entry in your client's hosts(5) file
> has been sufficient.
>
> —Matt
You are both correct! I hadn't realized the header was mandatory for HTTP/1.1.
Thanks for pointing that out.
(I wonder if curl(8) adds that header automatically? Though that is off topic for this thread…)
Mike
No comments:
Post a Comment