-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http/2 support in ipfs api server #5974
Comments
AFAIK we use the built-in go http server, which currently doesn't support http2 (there is a WIP implementation in Quote from https://github.com/golang/net/blob/master/http2/README:
|
Hmm, the docs says that it is used automatically since 1.6:
I believe the problem is that the connection is done without TLS. As it seems to work with a really simple demo: package main
import (
"log"
"net/http"
)
func hello(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Hello there"))
}
func main() {
http.HandleFunc("/", hello)
if err := http.ListenAndServeTLS(":8888", "server.crt", "server.key", nil); err != nil {
log.Fatalln(err)
}
}
I do, however, get the same error as posted above if I'm not using TLS. :) |
Providing an HTTPS on local API is hard. It is quite possible that we depend on some HTTP1.X semantics in our commands library that facilitates the HTTP API. This is why I'm leaning toward closing this issue as |
The motivation behind HTTP/2 support on IPFS api server is prevent head of line blocking in HTTP/1.1, since when do I do remember that Google mentioned on they only support HTTP/2 via TLS, in order to enforce a more secure internet. So Google Chrome and golang's |
go-ipfs' API port has connection reuse disabled, so there is no possibility of ahead of the line blocking. In past, we explicitly decided not to implement any HTTPS related functionality in go-ipfs and I see little to no benefit in introducing HTTP/2. Unless we find that benefit and fix already existing issues there is no need for it. |
Not entirely. We had to disable this for some requests due to #5168 and golang/go#15527 but we can otherwise reuse connections. But, in this case, I agree that the right approach is one connection per request (or a large connection pool). The API is generally designed for use on localhost so we're not worried about RTT. |
@Kubuxu I have a use case where there are two ipfs nodes in a private network(with swarm.key). In one node, add a file
In another node, cat the file, it works
However, if I cat a non-existing file hash(changing the last letter to lower case), it stuck there and not return anything
Since I only have 2 nodes in my entire network, if it cannot find the file in the entire network, it should at least return something instead of stuck there. Not sure if this is the desired behavior for ipfs or a bug? Or am I missing anything here? |
I'm not seeing how this is related to the current issue. Note, the issue here is that the second peer has no way of knowing that it won't eventually get the file (the first peer may add it later, more peers may join, etc.). Related to: #5541 |
If i'm using a HTTP/1.1 connection and send a cat request to ipfs api server, it's gonna stuck here and all the following request send via the same connection will be stuck as well due to the head of line blocking. Though HTTP/2 would resolve this issue. I guess the only option for now is to use a new connection per request. However, if on the ipfs server end, the connection won't close in a reasonable time but waiting there and hoping eventually it will get the file, it's pretty easy to DDOS attack the ipfs server right? I can just send 10000 request per second with non-existing hash, then the server would try to get those files and eventually eat up all the memory? |
Yes, the solution here is just to use a new connection. Reusing the same connection is important on the open web but doesn't really make a difference for localhost. Independent calls to
Against a gateway? Possibly but you'd need to keep all those connections open. I'm not sure what our DoS mitigation is at the moment but, if necessary, we could introduce rate-limits and/or connection limits. Note: IPFS really isn't designed to be used as a "server" in this way. We run public gateways but that's just a stop-gap to allow people to access content on IPFS without having to install it. |
Even if we just returned errors there, you could just not read the header. Or do that really slowly.. |
Version information:
➜ ipfs version --all
go-ipfs version: 0.4.18-aefc746
Repo version: 7
System version: amd64/darwin
Golang version: go1.11.2
Type:
bug
Description:
Repro step
http/1.1 request to cat a file works
http/2 request does not
I'm not sure if this is a bug, or ipfs api server doesn't support http/2 yet? Thanks!
The text was updated successfully, but these errors were encountered: