1 // Copyright 2014 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // TODO: turn off the serve goroutine when idle, so
6 // an idle conn only has the readFrames goroutine active. (which could
7 // also be optimized probably to pin less memory in crypto/tls). This
8 // would involve tracking when the serve goroutine is active (atomic
9 // int32 read/CAS probably?) and starting it up when frames arrive,
10 // and shutting it down when all handlers exit. the occasional PING
11 // packets could use time.AfterFunc to call sc.wakeStartServeLoop()
12 // (which is a no-op if already running) and then queue the PING write
13 // as normal. The serve loop would then exit in most cases (if no
14 // Handlers running) and not be woken up again until the PING packet
17 // TODO (maybe): add a mechanism for Handlers to going into
18 // half-closed-local mode (rw.(io.Closer) test?) but not exit their
19 // handler, and continue to be able to read from the
20 // Request.Body. This would be a somewhat semantic change from HTTP/1
21 // (or at least what we expose in net/http), so I'd probably want to
22 // add it there too. For now, this package says that returning from
23 // the Handler ServeHTTP function means you're both done reading and
24 // done writing, without a way to stop just one or the other.
49 "golang.org/x/net/http2/hpack"
53 prefaceTimeout = 10 * time.Second
54 firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway
55 handlerChunkWriteSize = 4 << 10
56 defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to?
60 errClientDisconnected = errors.New("client disconnected")
61 errClosedBody = errors.New("body closed by handler")
62 errHandlerComplete = errors.New("http2: request body closed due to handler exiting")
63 errStreamClosed = errors.New("http2: stream closed")
66 var responseWriterStatePool = sync.Pool{
67 New: func() interface{} {
68 rws := &responseWriterState{}
69 rws.bw = bufio.NewWriterSize(chunkWriter{rws}, handlerChunkWriteSize)
77 testHookGetServerConn func(*serverConn)
78 testHookOnPanicMu *sync.Mutex // nil except in tests
79 testHookOnPanic func(sc *serverConn, panicVal interface{}) (rePanic bool)
82 // Server is an HTTP/2 server.
84 // MaxHandlers limits the number of http.Handler ServeHTTP goroutines
85 // which may run at a time over all connections.
86 // Negative or zero no limit.
90 // MaxConcurrentStreams optionally specifies the number of
91 // concurrent streams that each client may have open at a
92 // time. This is unrelated to the number of http.Handler goroutines
93 // which may be active globally, which is MaxHandlers.
94 // If zero, MaxConcurrentStreams defaults to at least 100, per
95 // the HTTP/2 spec's recommendations.
96 MaxConcurrentStreams uint32
98 // MaxReadFrameSize optionally specifies the largest frame
99 // this server is willing to read. A valid value is between
100 // 16k and 16M, inclusive. If zero or otherwise invalid, a
101 // default value is used.
102 MaxReadFrameSize uint32
104 // PermitProhibitedCipherSuites, if true, permits the use of
105 // cipher suites prohibited by the HTTP/2 spec.
106 PermitProhibitedCipherSuites bool
108 // IdleTimeout specifies how long until idle clients should be
109 // closed with a GOAWAY frame. PING frames are not considered
110 // activity for the purposes of IdleTimeout.
111 IdleTimeout time.Duration
113 // MaxUploadBufferPerConnection is the size of the initial flow
114 // control window for each connections. The HTTP/2 spec does not
115 // allow this to be smaller than 65535 or larger than 2^32-1.
116 // If the value is outside this range, a default value will be
118 MaxUploadBufferPerConnection int32
120 // MaxUploadBufferPerStream is the size of the initial flow control
121 // window for each stream. The HTTP/2 spec does not allow this to
122 // be larger than 2^32-1. If the value is zero or larger than the
123 // maximum, a default value will be used instead.
124 MaxUploadBufferPerStream int32
126 // NewWriteScheduler constructs a write scheduler for a connection.
127 // If nil, a default scheduler is chosen.
128 NewWriteScheduler func() WriteScheduler
130 // Internal state. This is a pointer (rather than embedded directly)
131 // so that we don't embed a Mutex in this struct, which will make the
132 // struct non-copyable, which might break some callers.
133 state *serverInternalState
136 func (s *Server) initialConnRecvWindowSize() int32 {
137 if s.MaxUploadBufferPerConnection > initialWindowSize {
138 return s.MaxUploadBufferPerConnection
143 func (s *Server) initialStreamRecvWindowSize() int32 {
144 if s.MaxUploadBufferPerStream > 0 {
145 return s.MaxUploadBufferPerStream
150 func (s *Server) maxReadFrameSize() uint32 {
151 if v := s.MaxReadFrameSize; v >= minMaxFrameSize && v <= maxFrameSize {
154 return defaultMaxReadFrameSize
157 func (s *Server) maxConcurrentStreams() uint32 {
158 if v := s.MaxConcurrentStreams; v > 0 {
161 return defaultMaxStreams
164 type serverInternalState struct {
166 activeConns map[*serverConn]struct{}
169 func (s *serverInternalState) registerConn(sc *serverConn) {
171 return // if the Server was used without calling ConfigureServer
174 s.activeConns[sc] = struct{}{}
178 func (s *serverInternalState) unregisterConn(sc *serverConn) {
180 return // if the Server was used without calling ConfigureServer
183 delete(s.activeConns, sc)
187 func (s *serverInternalState) startGracefulShutdown() {
189 return // if the Server was used without calling ConfigureServer
192 for sc := range s.activeConns {
193 sc.startGracefulShutdown()
198 // ConfigureServer adds HTTP/2 support to a net/http Server.
200 // The configuration conf may be nil.
202 // ConfigureServer must be called before s begins serving.
203 func ConfigureServer(s *http.Server, conf *Server) error {
205 panic("nil *http.Server")
210 conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})}
211 if err := configureServer18(s, conf); err != nil {
214 if err := configureServer19(s, conf); err != nil {
218 if s.TLSConfig == nil {
219 s.TLSConfig = new(tls.Config)
220 } else if s.TLSConfig.CipherSuites != nil {
221 // If they already provided a CipherSuite list, return
222 // an error if it has a bad order or is missing
223 // ECDHE_RSA_WITH_AES_128_GCM_SHA256.
224 const requiredCipher = tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
225 haveRequired := false
227 for i, cs := range s.TLSConfig.CipherSuites {
228 if cs == requiredCipher {
234 return fmt.Errorf("http2: TLSConfig.CipherSuites index %d contains an HTTP/2-approved cipher suite (%#04x), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection.", i, cs)
238 return fmt.Errorf("http2: TLSConfig.CipherSuites is missing HTTP/2-required TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
242 // Note: not setting MinVersion to tls.VersionTLS12,
243 // as we don't want to interfere with HTTP/1.1 traffic
244 // on the user's server. We enforce TLS 1.2 later once
245 // we accept a connection. Ideally this should be done
246 // during next-proto selection, but using TLS <1.2 with
247 // HTTP/2 is still the client's bug.
249 s.TLSConfig.PreferServerCipherSuites = true
252 for _, p := range s.TLSConfig.NextProtos {
253 if p == NextProtoTLS {
259 s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, NextProtoTLS)
262 if s.TLSNextProto == nil {
263 s.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
265 protoHandler := func(hs *http.Server, c *tls.Conn, h http.Handler) {
266 if testHookOnConn != nil {
269 conf.ServeConn(c, &ServeConnOpts{
274 s.TLSNextProto[NextProtoTLS] = protoHandler
278 // ServeConnOpts are options for the Server.ServeConn method.
279 type ServeConnOpts struct {
280 // BaseConfig optionally sets the base configuration
281 // for values. If nil, defaults are used.
282 BaseConfig *http.Server
284 // Handler specifies which handler to use for processing
285 // requests. If nil, BaseConfig.Handler is used. If BaseConfig
286 // or BaseConfig.Handler is nil, http.DefaultServeMux is used.
290 func (o *ServeConnOpts) baseConfig() *http.Server {
291 if o != nil && o.BaseConfig != nil {
294 return new(http.Server)
297 func (o *ServeConnOpts) handler() http.Handler {
299 if o.Handler != nil {
302 if o.BaseConfig != nil && o.BaseConfig.Handler != nil {
303 return o.BaseConfig.Handler
306 return http.DefaultServeMux
309 // ServeConn serves HTTP/2 requests on the provided connection and
310 // blocks until the connection is no longer readable.
312 // ServeConn starts speaking HTTP/2 assuming that c has not had any
313 // reads or writes. It writes its initial settings frame and expects
314 // to be able to read the preface and settings frame from the
315 // client. If c has a ConnectionState method like a *tls.Conn, the
316 // ConnectionState is used to verify the TLS ciphersuite and to set
317 // the Request.TLS field in Handlers.
319 // ServeConn does not support h2c by itself. Any h2c support must be
320 // implemented in terms of providing a suitably-behaving net.Conn.
322 // The opts parameter is optional. If nil, default values are used.
323 func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
324 baseCtx, cancel := serverConnBaseContext(c, opts)
329 hs: opts.baseConfig(),
332 remoteAddrStr: c.RemoteAddr().String(),
333 bw: newBufferedWriter(c),
334 handler: opts.handler(),
335 streams: make(map[uint32]*stream),
336 readFrameCh: make(chan readFrameResult),
337 wantWriteFrameCh: make(chan FrameWriteRequest, 8),
338 serveMsgCh: make(chan interface{}, 8),
339 wroteFrameCh: make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync
340 bodyReadCh: make(chan bodyReadMsg), // buffering doesn't matter either way
341 doneServing: make(chan struct{}),
342 clientMaxStreams: math.MaxUint32, // Section 6.5.2: "Initially, there is no limit to this value"
343 advMaxStreams: s.maxConcurrentStreams(),
344 initialStreamSendWindowSize: initialWindowSize,
345 maxFrameSize: initialMaxFrameSize,
346 headerTableSize: initialHeaderTableSize,
347 serveG: newGoroutineLock(),
351 s.state.registerConn(sc)
352 defer s.state.unregisterConn(sc)
354 // The net/http package sets the write deadline from the
355 // http.Server.WriteTimeout during the TLS handshake, but then
356 // passes the connection off to us with the deadline already set.
357 // Write deadlines are set per stream in serverConn.newStream.
358 // Disarm the net.Conn write deadline here.
359 if sc.hs.WriteTimeout != 0 {
360 sc.conn.SetWriteDeadline(time.Time{})
363 if s.NewWriteScheduler != nil {
364 sc.writeSched = s.NewWriteScheduler()
366 sc.writeSched = NewRandomWriteScheduler()
369 // These start at the RFC-specified defaults. If there is a higher
370 // configured value for inflow, that will be updated when we send a
371 // WINDOW_UPDATE shortly after sending SETTINGS.
372 sc.flow.add(initialWindowSize)
373 sc.inflow.add(initialWindowSize)
374 sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf)
376 fr := NewFramer(sc.bw, c)
377 fr.ReadMetaHeaders = hpack.NewDecoder(initialHeaderTableSize, nil)
378 fr.MaxHeaderListSize = sc.maxHeaderListSize()
379 fr.SetMaxReadFrameSize(s.maxReadFrameSize())
382 if tc, ok := c.(connectionStater); ok {
383 sc.tlsState = new(tls.ConnectionState)
384 *sc.tlsState = tc.ConnectionState()
385 // 9.2 Use of TLS Features
386 // An implementation of HTTP/2 over TLS MUST use TLS
387 // 1.2 or higher with the restrictions on feature set
388 // and cipher suite described in this section. Due to
389 // implementation limitations, it might not be
390 // possible to fail TLS negotiation. An endpoint MUST
391 // immediately terminate an HTTP/2 connection that
392 // does not meet the TLS requirements described in
393 // this section with a connection error (Section
394 // 5.4.1) of type INADEQUATE_SECURITY.
395 if sc.tlsState.Version < tls.VersionTLS12 {
396 sc.rejectConn(ErrCodeInadequateSecurity, "TLS version too low")
400 if sc.tlsState.ServerName == "" {
401 // Client must use SNI, but we don't enforce that anymore,
402 // since it was causing problems when connecting to bare IP
403 // addresses during development.
405 // TODO: optionally enforce? Or enforce at the time we receive
406 // a new request, and verify the the ServerName matches the :authority?
407 // But that precludes proxy situations, perhaps.
409 // So for now, do nothing here again.
412 if !s.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) {
413 // "Endpoints MAY choose to generate a connection error
414 // (Section 5.4.1) of type INADEQUATE_SECURITY if one of
415 // the prohibited cipher suites are negotiated."
417 // We choose that. In my opinion, the spec is weak
418 // here. It also says both parties must support at least
419 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 so there's no
420 // excuses here. If we really must, we could allow an
421 // "AllowInsecureWeakCiphers" option on the server later.
422 // Let's see how it plays out first.
423 sc.rejectConn(ErrCodeInadequateSecurity, fmt.Sprintf("Prohibited TLS 1.2 Cipher Suite: %x", sc.tlsState.CipherSuite))
428 if hook := testHookGetServerConn; hook != nil {
434 func (sc *serverConn) rejectConn(err ErrCode, debug string) {
435 sc.vlogf("http2: server rejecting conn: %v, %s", err, debug)
436 // ignoring errors. hanging up anyway.
437 sc.framer.WriteGoAway(0, err, []byte(debug))
442 type serverConn struct {
447 bw *bufferedWriter // writing to conn
449 baseCtx contextContext
451 doneServing chan struct{} // closed when serverConn.serve ends
452 readFrameCh chan readFrameResult // written by serverConn.readFrames
453 wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve
454 wroteFrameCh chan frameWriteResult // from writeFrameAsync -> serve, tickles more frame writes
455 bodyReadCh chan bodyReadMsg // from handlers -> serve
456 serveMsgCh chan interface{} // misc messages & code to send to / run on the serve loop
457 flow flow // conn-wide (not stream-specific) outbound flow control
458 inflow flow // conn-wide inbound flow control
459 tlsState *tls.ConnectionState // shared by all handlers, like net/http
461 writeSched WriteScheduler
463 // Everything following is owned by the serve loop; use serveG.check():
464 serveG goroutineLock // used to verify funcs are on serve()
466 sawFirstSettings bool // got the initial SETTINGS frame after the preface
467 needToSendSettingsAck bool
468 unackedSettings int // how many SETTINGS have we sent without ACKs?
469 clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
470 advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
471 curClientStreams uint32 // number of open streams initiated by the client
472 curPushedStreams uint32 // number of open streams initiated by server push
473 maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
474 maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
475 streams map[uint32]*stream
476 initialStreamSendWindowSize int32
478 headerTableSize uint32
479 peerMaxHeaderListSize uint32 // zero means unknown (default)
480 canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case
481 writingFrame bool // started writing a frame (on serve goroutine or separate)
482 writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh
483 needsFrameFlush bool // last frame write wasn't a flush
484 inGoAway bool // we've started to or sent GOAWAY
485 inFrameScheduleLoop bool // whether we're in the scheduleFrameWrite loop
486 needToSendGoAway bool // we need to schedule a GOAWAY frame write
488 shutdownTimer *time.Timer // nil until used
489 idleTimer *time.Timer // nil if unused
491 // Owned by the writeFrameAsync goroutine:
492 headerWriteBuf bytes.Buffer
493 hpackEncoder *hpack.Encoder
495 // Used by startGracefulShutdown.
496 shutdownOnce sync.Once
499 func (sc *serverConn) maxHeaderListSize() uint32 {
500 n := sc.hs.MaxHeaderBytes
502 n = http.DefaultMaxHeaderBytes
504 // http2's count is in a slightly different unit and includes 32 bytes per pair.
505 // So, take the net/http.Server value and pad it up a bit, assuming 10 headers.
506 const perFieldOverhead = 32 // per http2 spec
507 const typicalHeaders = 10 // conservative
508 return uint32(n + typicalHeaders*perFieldOverhead)
511 func (sc *serverConn) curOpenStreams() uint32 {
513 return sc.curClientStreams + sc.curPushedStreams
516 // stream represents a stream. This is the minimal metadata needed by
517 // the serve goroutine. Most of the actual stream state is owned by
518 // the http.Handler's goroutine in the responseWriter. Because the
519 // responseWriter's responseWriterState is recycled at the end of a
520 // handler, this struct intentionally has no pointer to the
521 // *responseWriter{,State} itself, as the Handler ending nils out the
522 // responseWriter's state field.
527 body *pipe // non-nil if expecting DATA frames
528 cw closeWaiter // closed wait stream transitions to closed state
532 // owned by serverConn's serve loop:
533 bodyBytes int64 // body bytes seen so far
534 declBodyBytes int64 // or -1 if undeclared
535 flow flow // limits writing from Handler to client
536 inflow flow // what the client is allowed to POST/etc to us
537 parent *stream // or nil
538 numTrailerValues int64
541 resetQueued bool // RST_STREAM queued for write; set by sc.resetStream
542 gotTrailerHeader bool // HEADER frame for trailers was seen
543 wroteHeaders bool // whether we wrote headers (not status 100)
544 writeDeadline *time.Timer // nil if unused
546 trailer http.Header // accumulated trailers
547 reqTrailer http.Header // handler's Request.Trailer
550 func (sc *serverConn) Framer() *Framer { return sc.framer }
551 func (sc *serverConn) CloseConn() error { return sc.conn.Close() }
552 func (sc *serverConn) Flush() error { return sc.bw.Flush() }
553 func (sc *serverConn) HeaderEncoder() (*hpack.Encoder, *bytes.Buffer) {
554 return sc.hpackEncoder, &sc.headerWriteBuf
557 func (sc *serverConn) state(streamID uint32) (streamState, *stream) {
559 // http://tools.ietf.org/html/rfc7540#section-5.1
560 if st, ok := sc.streams[streamID]; ok {
563 // "The first use of a new stream identifier implicitly closes all
564 // streams in the "idle" state that might have been initiated by
565 // that peer with a lower-valued stream identifier. For example, if
566 // a client sends a HEADERS frame on stream 7 without ever sending a
567 // frame on stream 5, then stream 5 transitions to the "closed"
568 // state when the first frame for stream 7 is sent or received."
570 if streamID <= sc.maxClientStreamID {
571 return stateClosed, nil
574 if streamID <= sc.maxPushPromiseID {
575 return stateClosed, nil
578 return stateIdle, nil
581 // setConnState calls the net/http ConnState hook for this connection, if configured.
582 // Note that the net/http package does StateNew and StateClosed for us.
583 // There is currently no plan for StateHijacked or hijacking HTTP/2 connections.
584 func (sc *serverConn) setConnState(state http.ConnState) {
585 if sc.hs.ConnState != nil {
586 sc.hs.ConnState(sc.conn, state)
590 func (sc *serverConn) vlogf(format string, args ...interface{}) {
592 sc.logf(format, args...)
596 func (sc *serverConn) logf(format string, args ...interface{}) {
597 if lg := sc.hs.ErrorLog; lg != nil {
598 lg.Printf(format, args...)
600 log.Printf(format, args...)
604 // errno returns v's underlying uintptr, else 0.
606 // TODO: remove this helper function once http2 can use build
607 // tags. See comment in isClosedConnError.
608 func errno(v error) uintptr {
609 if rv := reflect.ValueOf(v); rv.Kind() == reflect.Uintptr {
610 return uintptr(rv.Uint())
615 // isClosedConnError reports whether err is an error from use of a closed
616 // network connection.
617 func isClosedConnError(err error) bool {
622 // TODO: remove this string search and be more like the Windows
623 // case below. That might involve modifying the standard library
624 // to return better error types.
626 if strings.Contains(str, "use of closed network connection") {
630 // TODO(bradfitz): x/tools/cmd/bundle doesn't really support
631 // build tags, so I can't make an http2_windows.go file with
632 // Windows-specific stuff. Fix that and move this, once we
633 // have a way to bundle this into std's net/http somehow.
634 if runtime.GOOS == "windows" {
635 if oe, ok := err.(*net.OpError); ok && oe.Op == "read" {
636 if se, ok := oe.Err.(*os.SyscallError); ok && se.Syscall == "wsarecv" {
637 const WSAECONNABORTED = 10053
638 const WSAECONNRESET = 10054
639 if n := errno(se.Err); n == WSAECONNRESET || n == WSAECONNABORTED {
648 func (sc *serverConn) condlogf(err error, format string, args ...interface{}) {
652 if err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) {
653 // Boring, expected errors.
654 sc.vlogf(format, args...)
656 sc.logf(format, args...)
660 func (sc *serverConn) canonicalHeader(v string) string {
662 cv, ok := commonCanonHeader[v]
666 cv, ok = sc.canonHeader[v]
670 if sc.canonHeader == nil {
671 sc.canonHeader = make(map[string]string)
673 cv = http.CanonicalHeaderKey(v)
674 sc.canonHeader[v] = cv
678 type readFrameResult struct {
679 f Frame // valid until readMore is called
682 // readMore should be called once the consumer no longer needs or
683 // retains f. After readMore, f is invalid and more frames can be
688 // readFrames is the loop that reads incoming frames.
689 // It takes care to only read one frame at a time, blocking until the
690 // consumer is done with the frame.
691 // It's run on its own goroutine.
692 func (sc *serverConn) readFrames() {
694 gateDone := gate.Done
696 f, err := sc.framer.ReadFrame()
698 case sc.readFrameCh <- readFrameResult{f, err, gateDone}:
699 case <-sc.doneServing:
704 case <-sc.doneServing:
707 if terminalReadFrameError(err) {
713 // frameWriteResult is the message passed from writeFrameAsync to the serve goroutine.
714 type frameWriteResult struct {
715 wr FrameWriteRequest // what was written (or attempted)
716 err error // result of the writeFrame call
719 // writeFrameAsync runs in its own goroutine and writes a single frame
720 // and then reports when it's done.
721 // At most one goroutine can be running writeFrameAsync at a time per
723 func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) {
724 err := wr.write.writeFrame(sc)
725 sc.wroteFrameCh <- frameWriteResult{wr, err}
728 func (sc *serverConn) closeAllStreamsOnConnClose() {
730 for _, st := range sc.streams {
731 sc.closeStream(st, errClientDisconnected)
735 func (sc *serverConn) stopShutdownTimer() {
737 if t := sc.shutdownTimer; t != nil {
742 func (sc *serverConn) notePanic() {
743 // Note: this is for serverConn.serve panicking, not http.Handler code.
744 if testHookOnPanicMu != nil {
745 testHookOnPanicMu.Lock()
746 defer testHookOnPanicMu.Unlock()
748 if testHookOnPanic != nil {
749 if e := recover(); e != nil {
750 if testHookOnPanic(sc, e) {
757 func (sc *serverConn) serve() {
760 defer sc.conn.Close()
761 defer sc.closeAllStreamsOnConnClose()
762 defer sc.stopShutdownTimer()
763 defer close(sc.doneServing) // unblocks handlers trying to send
766 sc.vlogf("http2: server connection from %v on %p", sc.conn.RemoteAddr(), sc.hs)
769 sc.writeFrame(FrameWriteRequest{
770 write: writeSettings{
771 {SettingMaxFrameSize, sc.srv.maxReadFrameSize()},
772 {SettingMaxConcurrentStreams, sc.advMaxStreams},
773 {SettingMaxHeaderListSize, sc.maxHeaderListSize()},
774 {SettingInitialWindowSize, uint32(sc.srv.initialStreamRecvWindowSize())},
779 // Each connection starts with intialWindowSize inflow tokens.
780 // If a higher value is configured, we add more tokens.
781 if diff := sc.srv.initialConnRecvWindowSize() - initialWindowSize; diff > 0 {
782 sc.sendWindowUpdate(nil, int(diff))
785 if err := sc.readPreface(); err != nil {
786 sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err)
789 // Now that we've got the preface, get us out of the
790 // "StateNew" state. We can't go directly to idle, though.
791 // Active means we read some data and anticipate a request. We'll
792 // do another Active when we get a HEADERS frame.
793 sc.setConnState(http.StateActive)
794 sc.setConnState(http.StateIdle)
796 if sc.srv.IdleTimeout != 0 {
797 sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
798 defer sc.idleTimer.Stop()
801 go sc.readFrames() // closed by defer sc.conn.Close above
803 settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer)
804 defer settingsTimer.Stop()
810 case wr := <-sc.wantWriteFrameCh:
811 if se, ok := wr.write.(StreamError); ok {
816 case res := <-sc.wroteFrameCh:
818 case res := <-sc.readFrameCh:
819 if !sc.processFrameFromReader(res) {
823 if settingsTimer != nil {
827 case m := <-sc.bodyReadCh:
828 sc.noteBodyRead(m.st, m.n)
829 case msg := <-sc.serveMsgCh:
830 switch v := msg.(type) {
832 v(loopNum) // for testing
835 case settingsTimerMsg:
836 sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr())
839 sc.vlogf("connection is idle")
841 case shutdownTimerMsg:
842 sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr())
844 case gracefulShutdownMsg:
845 sc.startGracefulShutdownInternal()
847 panic("unknown timer")
849 case *startPushRequest:
852 panic(fmt.Sprintf("unexpected type %T", v))
856 if sc.inGoAway && sc.curOpenStreams() == 0 && !sc.needToSendGoAway && !sc.writingFrame {
862 func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) {
864 case <-sc.doneServing:
870 type serverMessage int
872 // Message values sent to serveMsgCh.
874 settingsTimerMsg = new(serverMessage)
875 idleTimerMsg = new(serverMessage)
876 shutdownTimerMsg = new(serverMessage)
877 gracefulShutdownMsg = new(serverMessage)
880 func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
881 func (sc *serverConn) onIdleTimer() { sc.sendServeMsg(idleTimerMsg) }
882 func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) }
884 func (sc *serverConn) sendServeMsg(msg interface{}) {
885 sc.serveG.checkNotOn() // NOT
887 case sc.serveMsgCh <- msg:
888 case <-sc.doneServing:
892 // readPreface reads the ClientPreface greeting from the peer
893 // or returns an error on timeout or an invalid greeting.
894 func (sc *serverConn) readPreface() error {
895 errc := make(chan error, 1)
897 // Read the client preface
898 buf := make([]byte, len(ClientPreface))
899 if _, err := io.ReadFull(sc.conn, buf); err != nil {
901 } else if !bytes.Equal(buf, clientPreface) {
902 errc <- fmt.Errorf("bogus greeting %q", buf)
907 timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server?
911 return errors.New("timeout waiting for client preface")
915 sc.vlogf("http2: server: client %v said hello", sc.conn.RemoteAddr())
922 var errChanPool = sync.Pool{
923 New: func() interface{} { return make(chan error, 1) },
926 var writeDataPool = sync.Pool{
927 New: func() interface{} { return new(writeData) },
930 // writeDataFromHandler writes DATA response frames from a handler on
932 func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error {
933 ch := errChanPool.Get().(chan error)
934 writeArg := writeDataPool.Get().(*writeData)
935 *writeArg = writeData{stream.id, data, endStream}
936 err := sc.writeFrameFromHandler(FrameWriteRequest{
944 var frameWriteDone bool // the frame write is done (successfully or not)
947 frameWriteDone = true
948 case <-sc.doneServing:
949 return errClientDisconnected
951 // If both ch and stream.cw were ready (as might
952 // happen on the final Write after an http.Handler
953 // ends), prefer the write result. Otherwise this
954 // might just be us successfully closing the stream.
955 // The writeFrameAsync and serve goroutines guarantee
956 // that the ch send will happen before the stream.cw
960 frameWriteDone = true
962 return errStreamClosed
967 writeDataPool.Put(writeArg)
972 // writeFrameFromHandler sends wr to sc.wantWriteFrameCh, but aborts
973 // if the connection has gone away.
975 // This must not be run from the serve goroutine itself, else it might
976 // deadlock writing to sc.wantWriteFrameCh (which is only mildly
977 // buffered and is read by serve itself). If you're on the serve
978 // goroutine, call writeFrame instead.
979 func (sc *serverConn) writeFrameFromHandler(wr FrameWriteRequest) error {
980 sc.serveG.checkNotOn() // NOT
982 case sc.wantWriteFrameCh <- wr:
984 case <-sc.doneServing:
985 // Serve loop is gone.
986 // Client has closed their connection to the server.
987 return errClientDisconnected
991 // writeFrame schedules a frame to write and sends it if there's nothing
992 // already being written.
994 // There is no pushback here (the serve goroutine never blocks). It's
995 // the http.Handlers that block, waiting for their previous frames to
996 // make it onto the wire
998 // If you're not on the serve goroutine, use writeFrameFromHandler instead.
999 func (sc *serverConn) writeFrame(wr FrameWriteRequest) {
1002 // If true, wr will not be written and wr.done will not be signaled.
1003 var ignoreWrite bool
1005 // We are not allowed to write frames on closed streams. RFC 7540 Section
1006 // 5.1.1 says: "An endpoint MUST NOT send frames other than PRIORITY on
1007 // a closed stream." Our server never sends PRIORITY, so that exception
1010 // The serverConn might close an open stream while the stream's handler
1011 // is still running. For example, the server might close a stream when it
1012 // receives bad data from the client. If this happens, the handler might
1013 // attempt to write a frame after the stream has been closed (since the
1014 // handler hasn't yet been notified of the close). In this case, we simply
1015 // ignore the frame. The handler will notice that the stream is closed when
1016 // it waits for the frame to be written.
1018 // As an exception to this rule, we allow sending RST_STREAM after close.
1019 // This allows us to immediately reject new streams without tracking any
1020 // state for those streams (except for the queued RST_STREAM frame). This
1021 // may result in duplicate RST_STREAMs in some cases, but the client should
1023 if wr.StreamID() != 0 {
1024 _, isReset := wr.write.(StreamError)
1025 if state, _ := sc.state(wr.StreamID()); state == stateClosed && !isReset {
1030 // Don't send a 100-continue response if we've already sent headers.
1031 // See golang.org/issue/14030.
1032 switch wr.write.(type) {
1033 case *writeResHeaders:
1034 wr.stream.wroteHeaders = true
1035 case write100ContinueHeadersFrame:
1036 if wr.stream.wroteHeaders {
1037 // We do not need to notify wr.done because this frame is
1038 // never written with wr.done != nil.
1040 panic("wr.done != nil for write100ContinueHeadersFrame")
1047 sc.writeSched.Push(wr)
1049 sc.scheduleFrameWrite()
1052 // startFrameWrite starts a goroutine to write wr (in a separate
1053 // goroutine since that might block on the network), and updates the
1054 // serve goroutine's state about the world, updated from info in wr.
1055 func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
1057 if sc.writingFrame {
1058 panic("internal error: can only be writing one frame at a time")
1064 case stateHalfClosedLocal:
1065 switch wr.write.(type) {
1066 case StreamError, handlerPanicRST, writeWindowUpdate:
1067 // RFC 7540 Section 5.1 allows sending RST_STREAM, PRIORITY, and WINDOW_UPDATE
1068 // in this state. (We never send PRIORITY from the server, so that is not checked.)
1070 panic(fmt.Sprintf("internal error: attempt to send frame on a half-closed-local stream: %v", wr))
1073 panic(fmt.Sprintf("internal error: attempt to send frame on a closed stream: %v", wr))
1076 if wpp, ok := wr.write.(*writePushPromise); ok {
1078 wpp.promisedID, err = wpp.allocatePromisedID()
1080 sc.writingFrameAsync = false
1081 wr.replyToWriter(err)
1086 sc.writingFrame = true
1087 sc.needsFrameFlush = true
1088 if wr.write.staysWithinBuffer(sc.bw.Available()) {
1089 sc.writingFrameAsync = false
1090 err := wr.write.writeFrame(sc)
1091 sc.wroteFrame(frameWriteResult{wr, err})
1093 sc.writingFrameAsync = true
1094 go sc.writeFrameAsync(wr)
1098 // errHandlerPanicked is the error given to any callers blocked in a read from
1099 // Request.Body when the main goroutine panics. Since most handlers read in the
1100 // the main ServeHTTP goroutine, this will show up rarely.
1101 var errHandlerPanicked = errors.New("http2: handler panicked")
1103 // wroteFrame is called on the serve goroutine with the result of
1104 // whatever happened on writeFrameAsync.
1105 func (sc *serverConn) wroteFrame(res frameWriteResult) {
1107 if !sc.writingFrame {
1108 panic("internal error: expected to be already writing a frame")
1110 sc.writingFrame = false
1111 sc.writingFrameAsync = false
1115 if writeEndsStream(wr.write) {
1118 panic("internal error: expecting non-nil stream")
1122 // Here we would go to stateHalfClosedLocal in
1123 // theory, but since our handler is done and
1124 // the net/http package provides no mechanism
1125 // for closing a ResponseWriter while still
1126 // reading data (see possible TODO at top of
1127 // this file), we go into closed state here
1128 // anyway, after telling the peer we're
1129 // hanging up on them. We'll transition to
1130 // stateClosed after the RST_STREAM frame is
1132 st.state = stateHalfClosedLocal
1133 // Section 8.1: a server MAY request that the client abort
1134 // transmission of a request without error by sending a
1135 // RST_STREAM with an error code of NO_ERROR after sending
1136 // a complete response.
1137 sc.resetStream(streamError(st.id, ErrCodeNo))
1138 case stateHalfClosedRemote:
1139 sc.closeStream(st, errHandlerComplete)
1142 switch v := wr.write.(type) {
1144 // st may be unknown if the RST_STREAM was generated to reject bad input.
1145 if st, ok := sc.streams[v.StreamID]; ok {
1146 sc.closeStream(st, v)
1148 case handlerPanicRST:
1149 sc.closeStream(wr.stream, errHandlerPanicked)
1153 // Reply (if requested) to unblock the ServeHTTP goroutine.
1154 wr.replyToWriter(res.err)
1156 sc.scheduleFrameWrite()
1159 // scheduleFrameWrite tickles the frame writing scheduler.
1161 // If a frame is already being written, nothing happens. This will be called again
1162 // when the frame is done being written.
1164 // If a frame isn't being written we need to send one, the best frame
1165 // to send is selected, preferring first things that aren't
1166 // stream-specific (e.g. ACKing settings), and then finding the
1167 // highest priority stream.
1169 // If a frame isn't being written and there's nothing else to send, we
1170 // flush the write buffer.
1171 func (sc *serverConn) scheduleFrameWrite() {
1173 if sc.writingFrame || sc.inFrameScheduleLoop {
1176 sc.inFrameScheduleLoop = true
1177 for !sc.writingFrameAsync {
1178 if sc.needToSendGoAway {
1179 sc.needToSendGoAway = false
1180 sc.startFrameWrite(FrameWriteRequest{
1181 write: &writeGoAway{
1182 maxStreamID: sc.maxClientStreamID,
1183 code: sc.goAwayCode,
1188 if sc.needToSendSettingsAck {
1189 sc.needToSendSettingsAck = false
1190 sc.startFrameWrite(FrameWriteRequest{write: writeSettingsAck{}})
1193 if !sc.inGoAway || sc.goAwayCode == ErrCodeNo {
1194 if wr, ok := sc.writeSched.Pop(); ok {
1195 sc.startFrameWrite(wr)
1199 if sc.needsFrameFlush {
1200 sc.startFrameWrite(FrameWriteRequest{write: flushFrameWriter{}})
1201 sc.needsFrameFlush = false // after startFrameWrite, since it sets this true
1206 sc.inFrameScheduleLoop = false
1209 // startGracefulShutdown gracefully shuts down a connection. This
1210 // sends GOAWAY with ErrCodeNo to tell the client we're gracefully
1211 // shutting down. The connection isn't closed until all current
1212 // streams are done.
1214 // startGracefulShutdown returns immediately; it does not wait until
1215 // the connection has shut down.
1216 func (sc *serverConn) startGracefulShutdown() {
1217 sc.serveG.checkNotOn() // NOT
1218 sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) })
1221 func (sc *serverConn) startGracefulShutdownInternal() {
1222 sc.goAwayIn(ErrCodeNo, 0)
1225 func (sc *serverConn) goAway(code ErrCode) {
1227 var forceCloseIn time.Duration
1228 if code != ErrCodeNo {
1229 forceCloseIn = 250 * time.Millisecond
1231 // TODO: configurable
1232 forceCloseIn = 1 * time.Second
1234 sc.goAwayIn(code, forceCloseIn)
1237 func (sc *serverConn) goAwayIn(code ErrCode, forceCloseIn time.Duration) {
1242 if forceCloseIn != 0 {
1243 sc.shutDownIn(forceCloseIn)
1246 sc.needToSendGoAway = true
1247 sc.goAwayCode = code
1248 sc.scheduleFrameWrite()
1251 func (sc *serverConn) shutDownIn(d time.Duration) {
1253 sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer)
1256 func (sc *serverConn) resetStream(se StreamError) {
1258 sc.writeFrame(FrameWriteRequest{write: se})
1259 if st, ok := sc.streams[se.StreamID]; ok {
1260 st.resetQueued = true
1264 // processFrameFromReader processes the serve loop's read from readFrameCh from the
1265 // frame-reading goroutine.
1266 // processFrameFromReader returns whether the connection should be kept open.
1267 func (sc *serverConn) processFrameFromReader(res readFrameResult) bool {
1271 if err == ErrFrameTooLarge {
1272 sc.goAway(ErrCodeFrameSize)
1273 return true // goAway will close the loop
1275 clientGone := err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err)
1277 // TODO: could we also get into this state if
1278 // the peer does a half close
1279 // (e.g. CloseWrite) because they're done
1280 // sending frames but they're still wanting
1281 // our open replies? Investigate.
1282 // TODO: add CloseWrite to crypto/tls.Conn first
1283 // so we have a way to test this? I suppose
1284 // just for testing we could have a non-TLS mode.
1290 sc.vlogf("http2: server read frame %v", summarizeFrame(f))
1292 err = sc.processFrame(f)
1298 switch ev := err.(type) {
1302 case goAwayFlowError:
1303 sc.goAway(ErrCodeFlowControl)
1305 case ConnectionError:
1306 sc.logf("http2: server connection error from %v: %v", sc.conn.RemoteAddr(), ev)
1307 sc.goAway(ErrCode(ev))
1308 return true // goAway will handle shutdown
1311 sc.vlogf("http2: server closing client connection; error reading frame from client %s: %v", sc.conn.RemoteAddr(), err)
1313 sc.logf("http2: server closing client connection: %v", err)
1319 func (sc *serverConn) processFrame(f Frame) error {
1322 // First frame received must be SETTINGS.
1323 if !sc.sawFirstSettings {
1324 if _, ok := f.(*SettingsFrame); !ok {
1325 return ConnectionError(ErrCodeProtocol)
1327 sc.sawFirstSettings = true
1330 switch f := f.(type) {
1331 case *SettingsFrame:
1332 return sc.processSettings(f)
1333 case *MetaHeadersFrame:
1334 return sc.processHeaders(f)
1335 case *WindowUpdateFrame:
1336 return sc.processWindowUpdate(f)
1338 return sc.processPing(f)
1340 return sc.processData(f)
1341 case *RSTStreamFrame:
1342 return sc.processResetStream(f)
1343 case *PriorityFrame:
1344 return sc.processPriority(f)
1346 return sc.processGoAway(f)
1347 case *PushPromiseFrame:
1348 // A client cannot push. Thus, servers MUST treat the receipt of a PUSH_PROMISE
1349 // frame as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
1350 return ConnectionError(ErrCodeProtocol)
1352 sc.vlogf("http2: server ignoring frame: %v", f.Header())
1357 func (sc *serverConn) processPing(f *PingFrame) error {
1360 // 6.7 PING: " An endpoint MUST NOT respond to PING frames
1361 // containing this flag."
1364 if f.StreamID != 0 {
1365 // "PING frames are not associated with any individual
1366 // stream. If a PING frame is received with a stream
1367 // identifier field value other than 0x0, the recipient MUST
1368 // respond with a connection error (Section 5.4.1) of type
1370 return ConnectionError(ErrCodeProtocol)
1372 if sc.inGoAway && sc.goAwayCode != ErrCodeNo {
1375 sc.writeFrame(FrameWriteRequest{write: writePingAck{f}})
1379 func (sc *serverConn) processWindowUpdate(f *WindowUpdateFrame) error {
1382 case f.StreamID != 0: // stream-level flow control
1383 state, st := sc.state(f.StreamID)
1384 if state == stateIdle {
1385 // Section 5.1: "Receiving any frame other than HEADERS
1386 // or PRIORITY on a stream in this state MUST be
1387 // treated as a connection error (Section 5.4.1) of
1388 // type PROTOCOL_ERROR."
1389 return ConnectionError(ErrCodeProtocol)
1392 // "WINDOW_UPDATE can be sent by a peer that has sent a
1393 // frame bearing the END_STREAM flag. This means that a
1394 // receiver could receive a WINDOW_UPDATE frame on a "half
1395 // closed (remote)" or "closed" stream. A receiver MUST
1396 // NOT treat this as an error, see Section 5.1."
1399 if !st.flow.add(int32(f.Increment)) {
1400 return streamError(f.StreamID, ErrCodeFlowControl)
1402 default: // connection-level flow control
1403 if !sc.flow.add(int32(f.Increment)) {
1404 return goAwayFlowError{}
1407 sc.scheduleFrameWrite()
1411 func (sc *serverConn) processResetStream(f *RSTStreamFrame) error {
1414 state, st := sc.state(f.StreamID)
1415 if state == stateIdle {
1416 // 6.4 "RST_STREAM frames MUST NOT be sent for a
1417 // stream in the "idle" state. If a RST_STREAM frame
1418 // identifying an idle stream is received, the
1419 // recipient MUST treat this as a connection error
1420 // (Section 5.4.1) of type PROTOCOL_ERROR.
1421 return ConnectionError(ErrCodeProtocol)
1425 sc.closeStream(st, streamError(f.StreamID, f.ErrCode))
1430 func (sc *serverConn) closeStream(st *stream, err error) {
1432 if st.state == stateIdle || st.state == stateClosed {
1433 panic(fmt.Sprintf("invariant; can't close stream in state %v", st.state))
1435 st.state = stateClosed
1436 if st.writeDeadline != nil {
1437 st.writeDeadline.Stop()
1440 sc.curPushedStreams--
1442 sc.curClientStreams--
1444 delete(sc.streams, st.id)
1445 if len(sc.streams) == 0 {
1446 sc.setConnState(http.StateIdle)
1447 if sc.srv.IdleTimeout != 0 {
1448 sc.idleTimer.Reset(sc.srv.IdleTimeout)
1450 if h1ServerKeepAlivesDisabled(sc.hs) {
1451 sc.startGracefulShutdownInternal()
1454 if p := st.body; p != nil {
1455 // Return any buffered unread bytes worth of conn-level flow control.
1456 // See golang.org/issue/16481
1457 sc.sendWindowUpdate(nil, p.Len())
1459 p.CloseWithError(err)
1461 st.cw.Close() // signals Handler's CloseNotifier, unblocks writes, etc
1462 sc.writeSched.CloseStream(st.id)
1465 func (sc *serverConn) processSettings(f *SettingsFrame) error {
1468 sc.unackedSettings--
1469 if sc.unackedSettings < 0 {
1470 // Why is the peer ACKing settings we never sent?
1471 // The spec doesn't mention this case, but
1472 // hang up on them anyway.
1473 return ConnectionError(ErrCodeProtocol)
1477 if err := f.ForeachSetting(sc.processSetting); err != nil {
1480 sc.needToSendSettingsAck = true
1481 sc.scheduleFrameWrite()
1485 func (sc *serverConn) processSetting(s Setting) error {
1487 if err := s.Valid(); err != nil {
1491 sc.vlogf("http2: server processing setting %v", s)
1494 case SettingHeaderTableSize:
1495 sc.headerTableSize = s.Val
1496 sc.hpackEncoder.SetMaxDynamicTableSize(s.Val)
1497 case SettingEnablePush:
1498 sc.pushEnabled = s.Val != 0
1499 case SettingMaxConcurrentStreams:
1500 sc.clientMaxStreams = s.Val
1501 case SettingInitialWindowSize:
1502 return sc.processSettingInitialWindowSize(s.Val)
1503 case SettingMaxFrameSize:
1504 sc.maxFrameSize = int32(s.Val) // the maximum valid s.Val is < 2^31
1505 case SettingMaxHeaderListSize:
1506 sc.peerMaxHeaderListSize = s.Val
1508 // Unknown setting: "An endpoint that receives a SETTINGS
1509 // frame with any unknown or unsupported identifier MUST
1510 // ignore that setting."
1512 sc.vlogf("http2: server ignoring unknown setting %v", s)
1518 func (sc *serverConn) processSettingInitialWindowSize(val uint32) error {
1520 // Note: val already validated to be within range by
1521 // processSetting's Valid call.
1523 // "A SETTINGS frame can alter the initial flow control window
1524 // size for all current streams. When the value of
1525 // SETTINGS_INITIAL_WINDOW_SIZE changes, a receiver MUST
1526 // adjust the size of all stream flow control windows that it
1527 // maintains by the difference between the new value and the
1529 old := sc.initialStreamSendWindowSize
1530 sc.initialStreamSendWindowSize = int32(val)
1531 growth := int32(val) - old // may be negative
1532 for _, st := range sc.streams {
1533 if !st.flow.add(growth) {
1534 // 6.9.2 Initial Flow Control Window Size
1535 // "An endpoint MUST treat a change to
1536 // SETTINGS_INITIAL_WINDOW_SIZE that causes any flow
1537 // control window to exceed the maximum size as a
1538 // connection error (Section 5.4.1) of type
1539 // FLOW_CONTROL_ERROR."
1540 return ConnectionError(ErrCodeFlowControl)
1546 func (sc *serverConn) processData(f *DataFrame) error {
1548 if sc.inGoAway && sc.goAwayCode != ErrCodeNo {
1553 // "If a DATA frame is received whose stream is not in "open"
1554 // or "half closed (local)" state, the recipient MUST respond
1555 // with a stream error (Section 5.4.2) of type STREAM_CLOSED."
1556 id := f.Header().StreamID
1557 state, st := sc.state(id)
1558 if id == 0 || state == stateIdle {
1559 // Section 5.1: "Receiving any frame other than HEADERS
1560 // or PRIORITY on a stream in this state MUST be
1561 // treated as a connection error (Section 5.4.1) of
1562 // type PROTOCOL_ERROR."
1563 return ConnectionError(ErrCodeProtocol)
1565 if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued {
1566 // This includes sending a RST_STREAM if the stream is
1567 // in stateHalfClosedLocal (which currently means that
1568 // the http.Handler returned, so it's done reading &
1569 // done writing). Try to stop the client from sending
1572 // But still enforce their connection-level flow control,
1573 // and return any flow control bytes since we're not going
1575 if sc.inflow.available() < int32(f.Length) {
1576 return streamError(id, ErrCodeFlowControl)
1578 // Deduct the flow control from inflow, since we're
1579 // going to immediately add it back in
1580 // sendWindowUpdate, which also schedules sending the
1582 sc.inflow.take(int32(f.Length))
1583 sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
1585 if st != nil && st.resetQueued {
1586 // Already have a stream error in flight. Don't send another.
1589 return streamError(id, ErrCodeStreamClosed)
1592 panic("internal error: should have a body in this state")
1595 // Sender sending more than they'd declared?
1596 if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes {
1597 st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes))
1598 return streamError(id, ErrCodeStreamClosed)
1601 // Check whether the client has flow control quota.
1602 if st.inflow.available() < int32(f.Length) {
1603 return streamError(id, ErrCodeFlowControl)
1605 st.inflow.take(int32(f.Length))
1608 wrote, err := st.body.Write(data)
1610 return streamError(id, ErrCodeStreamClosed)
1612 if wrote != len(data) {
1613 panic("internal error: bad Writer")
1615 st.bodyBytes += int64(len(data))
1618 // Return any padded flow control now, since we won't
1619 // refund it later on body reads.
1620 if pad := int32(f.Length) - int32(len(data)); pad > 0 {
1621 sc.sendWindowUpdate32(nil, pad)
1622 sc.sendWindowUpdate32(st, pad)
1625 if f.StreamEnded() {
1631 func (sc *serverConn) processGoAway(f *GoAwayFrame) error {
1633 if f.ErrCode != ErrCodeNo {
1634 sc.logf("http2: received GOAWAY %+v, starting graceful shutdown", f)
1636 sc.vlogf("http2: received GOAWAY %+v, starting graceful shutdown", f)
1638 sc.startGracefulShutdownInternal()
1639 // http://tools.ietf.org/html/rfc7540#section-6.8
1640 // We should not create any new streams, which means we should disable push.
1641 sc.pushEnabled = false
1645 // isPushed reports whether the stream is server-initiated.
1646 func (st *stream) isPushed() bool {
1650 // endStream closes a Request.Body's pipe. It is called when a DATA
1651 // frame says a request body is over (or after trailers).
1652 func (st *stream) endStream() {
1656 if st.declBodyBytes != -1 && st.declBodyBytes != st.bodyBytes {
1657 st.body.CloseWithError(fmt.Errorf("request declared a Content-Length of %d but only wrote %d bytes",
1658 st.declBodyBytes, st.bodyBytes))
1660 st.body.closeWithErrorAndCode(io.EOF, st.copyTrailersToHandlerRequest)
1661 st.body.CloseWithError(io.EOF)
1663 st.state = stateHalfClosedRemote
1666 // copyTrailersToHandlerRequest is run in the Handler's goroutine in
1667 // its Request.Body.Read just before it gets io.EOF.
1668 func (st *stream) copyTrailersToHandlerRequest() {
1669 for k, vv := range st.trailer {
1670 if _, ok := st.reqTrailer[k]; ok {
1671 // Only copy it over it was pre-declared.
1672 st.reqTrailer[k] = vv
1677 // onWriteTimeout is run on its own goroutine (from time.AfterFunc)
1678 // when the stream's WriteTimeout has fired.
1679 func (st *stream) onWriteTimeout() {
1680 st.sc.writeFrameFromHandler(FrameWriteRequest{write: streamError(st.id, ErrCodeInternal)})
1683 func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
1690 // http://tools.ietf.org/html/rfc7540#section-5.1.1
1691 // Streams initiated by a client MUST use odd-numbered stream
1692 // identifiers. [...] An endpoint that receives an unexpected
1693 // stream identifier MUST respond with a connection error
1694 // (Section 5.4.1) of type PROTOCOL_ERROR.
1696 return ConnectionError(ErrCodeProtocol)
1698 // A HEADERS frame can be used to create a new stream or
1699 // send a trailer for an open one. If we already have a stream
1700 // open, let it process its own HEADERS frame (trailers at this
1701 // point, if it's valid).
1702 if st := sc.streams[f.StreamID]; st != nil {
1704 // We're sending RST_STREAM to close the stream, so don't bother
1705 // processing this frame.
1708 return st.processTrailerHeaders(f)
1711 // [...] The identifier of a newly established stream MUST be
1712 // numerically greater than all streams that the initiating
1713 // endpoint has opened or reserved. [...] An endpoint that
1714 // receives an unexpected stream identifier MUST respond with
1715 // a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
1716 if id <= sc.maxClientStreamID {
1717 return ConnectionError(ErrCodeProtocol)
1719 sc.maxClientStreamID = id
1721 if sc.idleTimer != nil {
1725 // http://tools.ietf.org/html/rfc7540#section-5.1.2
1726 // [...] Endpoints MUST NOT exceed the limit set by their peer. An
1727 // endpoint that receives a HEADERS frame that causes their
1728 // advertised concurrent stream limit to be exceeded MUST treat
1729 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR
1730 // or REFUSED_STREAM.
1731 if sc.curClientStreams+1 > sc.advMaxStreams {
1732 if sc.unackedSettings == 0 {
1733 // They should know better.
1734 return streamError(id, ErrCodeProtocol)
1736 // Assume it's a network race, where they just haven't
1737 // received our last SETTINGS update. But actually
1738 // this can't happen yet, because we don't yet provide
1739 // a way for users to adjust server parameters at
1741 return streamError(id, ErrCodeRefusedStream)
1744 initialState := stateOpen
1745 if f.StreamEnded() {
1746 initialState = stateHalfClosedRemote
1748 st := sc.newStream(id, 0, initialState)
1750 if f.HasPriority() {
1751 if err := checkPriority(f.StreamID, f.Priority); err != nil {
1754 sc.writeSched.AdjustStream(st.id, f.Priority)
1757 rw, req, err := sc.newWriterAndRequest(st, f)
1761 st.reqTrailer = req.Trailer
1762 if st.reqTrailer != nil {
1763 st.trailer = make(http.Header)
1765 st.body = req.Body.(*requestBody).pipe // may be nil
1766 st.declBodyBytes = req.ContentLength
1768 handler := sc.handler.ServeHTTP
1770 // Their header list was too long. Send a 431 error.
1771 handler = handleHeaderListTooLong
1772 } else if err := checkValidHTTP2RequestHeaders(req.Header); err != nil {
1773 handler = new400Handler(err)
1776 // The net/http package sets the read deadline from the
1777 // http.Server.ReadTimeout during the TLS handshake, but then
1778 // passes the connection off to us with the deadline already
1779 // set. Disarm it here after the request headers are read,
1780 // similar to how the http1 server works. Here it's
1781 // technically more like the http1 Server's ReadHeaderTimeout
1782 // (in Go 1.8), though. That's a more sane option anyway.
1783 if sc.hs.ReadTimeout != 0 {
1784 sc.conn.SetReadDeadline(time.Time{})
1787 go sc.runHandler(rw, req, handler)
1791 func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
1794 if st.gotTrailerHeader {
1795 return ConnectionError(ErrCodeProtocol)
1797 st.gotTrailerHeader = true
1798 if !f.StreamEnded() {
1799 return streamError(st.id, ErrCodeProtocol)
1802 if len(f.PseudoFields()) > 0 {
1803 return streamError(st.id, ErrCodeProtocol)
1805 if st.trailer != nil {
1806 for _, hf := range f.RegularFields() {
1807 key := sc.canonicalHeader(hf.Name)
1808 if !ValidTrailerHeader(key) {
1809 // TODO: send more details to the peer somehow. But http2 has
1810 // no way to send debug data at a stream level. Discuss with
1812 return streamError(st.id, ErrCodeProtocol)
1814 st.trailer[key] = append(st.trailer[key], hf.Value)
1821 func checkPriority(streamID uint32, p PriorityParam) error {
1822 if streamID == p.StreamDep {
1823 // Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat
1824 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR."
1825 // Section 5.3.3 says that a stream can depend on one of its dependencies,
1826 // so it's only self-dependencies that are forbidden.
1827 return streamError(streamID, ErrCodeProtocol)
1832 func (sc *serverConn) processPriority(f *PriorityFrame) error {
1836 if err := checkPriority(f.StreamID, f.PriorityParam); err != nil {
1839 sc.writeSched.AdjustStream(f.StreamID, f.PriorityParam)
1843 func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream {
1846 panic("internal error: cannot create stream with id 0")
1849 ctx, cancelCtx := contextWithCancel(sc.baseCtx)
1855 cancelCtx: cancelCtx,
1858 st.flow.conn = &sc.flow // link to conn-level counter
1859 st.flow.add(sc.initialStreamSendWindowSize)
1860 st.inflow.conn = &sc.inflow // link to conn-level counter
1861 st.inflow.add(sc.srv.initialStreamRecvWindowSize())
1862 if sc.hs.WriteTimeout != 0 {
1863 st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
1867 sc.writeSched.OpenStream(st.id, OpenStreamOptions{PusherID: pusherID})
1869 sc.curPushedStreams++
1871 sc.curClientStreams++
1873 if sc.curOpenStreams() == 1 {
1874 sc.setConnState(http.StateActive)
1880 func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *http.Request, error) {
1884 method: f.PseudoValue("method"),
1885 scheme: f.PseudoValue("scheme"),
1886 authority: f.PseudoValue("authority"),
1887 path: f.PseudoValue("path"),
1890 isConnect := rp.method == "CONNECT"
1892 if rp.path != "" || rp.scheme != "" || rp.authority == "" {
1893 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1895 } else if rp.method == "" || rp.path == "" || (rp.scheme != "https" && rp.scheme != "http") {
1896 // See 8.1.2.6 Malformed Requests and Responses:
1898 // Malformed requests or responses that are detected
1899 // MUST be treated as a stream error (Section 5.4.2)
1900 // of type PROTOCOL_ERROR."
1902 // 8.1.2.3 Request Pseudo-Header Fields
1903 // "All HTTP/2 requests MUST include exactly one valid
1904 // value for the :method, :scheme, and :path
1905 // pseudo-header fields"
1906 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1909 bodyOpen := !f.StreamEnded()
1910 if rp.method == "HEAD" && bodyOpen {
1911 // HEAD requests can't have bodies
1912 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1915 rp.header = make(http.Header)
1916 for _, hf := range f.RegularFields() {
1917 rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value)
1919 if rp.authority == "" {
1920 rp.authority = rp.header.Get("Host")
1923 rw, req, err := sc.newWriterAndRequestNoBody(st, rp)
1925 return nil, nil, err
1928 if vv, ok := rp.header["Content-Length"]; ok {
1929 req.ContentLength, _ = strconv.ParseInt(vv[0], 10, 64)
1931 req.ContentLength = -1
1933 req.Body.(*requestBody).pipe = &pipe{
1934 b: &dataBuffer{expected: req.ContentLength},
1940 type requestParam struct {
1942 scheme, authority, path string
1946 func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*responseWriter, *http.Request, error) {
1949 var tlsState *tls.ConnectionState // nil if not scheme https
1950 if rp.scheme == "https" {
1951 tlsState = sc.tlsState
1954 needsContinue := rp.header.Get("Expect") == "100-continue"
1956 rp.header.Del("Expect")
1958 // Merge Cookie headers into one "; "-delimited value.
1959 if cookies := rp.header["Cookie"]; len(cookies) > 1 {
1960 rp.header.Set("Cookie", strings.Join(cookies, "; "))
1964 var trailer http.Header
1965 for _, v := range rp.header["Trailer"] {
1966 for _, key := range strings.Split(v, ",") {
1967 key = http.CanonicalHeaderKey(strings.TrimSpace(key))
1969 case "Transfer-Encoding", "Trailer", "Content-Length":
1970 // Bogus. (copy of http1 rules)
1974 trailer = make(http.Header)
1980 delete(rp.header, "Trailer")
1983 var requestURI string
1984 if rp.method == "CONNECT" {
1985 url_ = &url.URL{Host: rp.authority}
1986 requestURI = rp.authority // mimic HTTP/1 server behavior
1989 url_, err = url.ParseRequestURI(rp.path)
1991 return nil, nil, streamError(st.id, ErrCodeProtocol)
1993 requestURI = rp.path
1996 body := &requestBody{
1999 needsContinue: needsContinue,
2001 req := &http.Request{
2004 RemoteAddr: sc.remoteAddrStr,
2006 RequestURI: requestURI,
2015 req = requestWithContext(req, st.ctx)
2017 rws := responseWriterStatePool.Get().(*responseWriterState)
2019 *rws = responseWriterState{} // zero all the fields
2022 rws.bw.Reset(chunkWriter{rws})
2027 rw := &responseWriter{rws: rws}
2031 // Run on its own goroutine.
2032 func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
2035 rw.rws.stream.cancelCtx()
2038 sc.writeFrameFromHandler(FrameWriteRequest{
2039 write: handlerPanicRST{rw.rws.stream.id},
2040 stream: rw.rws.stream,
2042 // Same as net/http:
2043 if shouldLogPanic(e) {
2044 const size = 64 << 10
2045 buf := make([]byte, size)
2046 buf = buf[:runtime.Stack(buf, false)]
2047 sc.logf("http2: panic serving %v: %v\n%s", sc.conn.RemoteAddr(), e, buf)
2057 func handleHeaderListTooLong(w http.ResponseWriter, r *http.Request) {
2058 // 10.5.1 Limits on Header Block Size:
2059 // .. "A server that receives a larger header block than it is
2060 // willing to handle can send an HTTP 431 (Request Header Fields Too
2061 // Large) status code"
2062 const statusRequestHeaderFieldsTooLarge = 431 // only in Go 1.6+
2063 w.WriteHeader(statusRequestHeaderFieldsTooLarge)
2064 io.WriteString(w, "<h1>HTTP Error 431</h1><p>Request Header Field(s) Too Large</p>")
2067 // called from handler goroutines.
2069 func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) error {
2070 sc.serveG.checkNotOn() // NOT on
2072 if headerData.h != nil {
2073 // If there's a header map (which we don't own), so we have to block on
2074 // waiting for this frame to be written, so an http.Flush mid-handler
2075 // writes out the correct value of keys, before a handler later potentially
2077 errc = errChanPool.Get().(chan error)
2079 if err := sc.writeFrameFromHandler(FrameWriteRequest{
2089 errChanPool.Put(errc)
2091 case <-sc.doneServing:
2092 return errClientDisconnected
2094 return errStreamClosed
2100 // called from handler goroutines.
2101 func (sc *serverConn) write100ContinueHeaders(st *stream) {
2102 sc.writeFrameFromHandler(FrameWriteRequest{
2103 write: write100ContinueHeadersFrame{st.id},
2108 // A bodyReadMsg tells the server loop that the http.Handler read n
2109 // bytes of the DATA from the client on the given stream.
2110 type bodyReadMsg struct {
2115 // called from handler goroutines.
2116 // Notes that the handler for the given stream ID read n bytes of its body
2117 // and schedules flow control tokens to be sent.
2118 func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) {
2119 sc.serveG.checkNotOn() // NOT on
2122 case sc.bodyReadCh <- bodyReadMsg{st, n}:
2123 case <-sc.doneServing:
2128 func (sc *serverConn) noteBodyRead(st *stream, n int) {
2130 sc.sendWindowUpdate(nil, n) // conn-level
2131 if st.state != stateHalfClosedRemote && st.state != stateClosed {
2132 // Don't send this WINDOW_UPDATE if the stream is closed
2134 sc.sendWindowUpdate(st, n)
2138 // st may be nil for conn-level
2139 func (sc *serverConn) sendWindowUpdate(st *stream, n int) {
2141 // "The legal range for the increment to the flow control
2142 // window is 1 to 2^31-1 (2,147,483,647) octets."
2143 // A Go Read call on 64-bit machines could in theory read
2144 // a larger Read than this. Very unlikely, but we handle it here
2145 // rather than elsewhere for now.
2146 const maxUint31 = 1<<31 - 1
2147 for n >= maxUint31 {
2148 sc.sendWindowUpdate32(st, maxUint31)
2151 sc.sendWindowUpdate32(st, int32(n))
2154 // st may be nil for conn-level
2155 func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) {
2161 panic("negative update")
2167 sc.writeFrame(FrameWriteRequest{
2168 write: writeWindowUpdate{streamID: streamID, n: uint32(n)},
2173 ok = sc.inflow.add(n)
2175 ok = st.inflow.add(n)
2178 panic("internal error; sent too many window updates without decrements?")
2182 // requestBody is the Handler's Request.Body type.
2183 // Read and Close may be called concurrently.
2184 type requestBody struct {
2187 closed bool // for use by Close only
2188 sawEOF bool // for use by Read only
2189 pipe *pipe // non-nil if we have a HTTP entity message body
2190 needsContinue bool // need to send a 100-continue
2193 func (b *requestBody) Close() error {
2194 if b.pipe != nil && !b.closed {
2195 b.pipe.BreakWithError(errClosedBody)
2201 func (b *requestBody) Read(p []byte) (n int, err error) {
2202 if b.needsContinue {
2203 b.needsContinue = false
2204 b.conn.write100ContinueHeaders(b.stream)
2206 if b.pipe == nil || b.sawEOF {
2209 n, err = b.pipe.Read(p)
2213 if b.conn == nil && inTests {
2216 b.conn.noteBodyReadFromHandler(b.stream, n, err)
2220 // responseWriter is the http.ResponseWriter implementation. It's
2221 // intentionally small (1 pointer wide) to minimize garbage. The
2222 // responseWriterState pointer inside is zeroed at the end of a
2223 // request (in handlerDone) and calls on the responseWriter thereafter
2224 // simply crash (caller's mistake), but the much larger responseWriterState
2225 // and buffers are reused between multiple requests.
2226 type responseWriter struct {
2227 rws *responseWriterState
2230 // Optional http.ResponseWriter interfaces implemented.
2232 _ http.CloseNotifier = (*responseWriter)(nil)
2233 _ http.Flusher = (*responseWriter)(nil)
2234 _ stringWriter = (*responseWriter)(nil)
2237 type responseWriterState struct {
2238 // immutable within a request:
2241 body *requestBody // to close at end of request, if DATA frames didn't
2244 // TODO: adjust buffer writing sizes based on server config, frame size updates from peer, etc
2245 bw *bufio.Writer // writing to a chunkWriter{this *responseWriterState}
2247 // mutated by http.Handler goroutine:
2248 handlerHeader http.Header // nil until called
2249 snapHeader http.Header // snapshot of handlerHeader at WriteHeader time
2250 trailers []string // set in writeChunk
2251 status int // status code passed to WriteHeader
2252 wroteHeader bool // WriteHeader called (explicitly or implicitly). Not necessarily sent to user yet.
2253 sentHeader bool // have we sent the header frame?
2254 handlerDone bool // handler has finished
2255 dirty bool // a Write failed; don't reuse this responseWriterState
2257 sentContentLen int64 // non-zero if handler set a Content-Length header
2260 closeNotifierMu sync.Mutex // guards closeNotifierCh
2261 closeNotifierCh chan bool // nil until first used
2264 type chunkWriter struct{ rws *responseWriterState }
2266 func (cw chunkWriter) Write(p []byte) (n int, err error) { return cw.rws.writeChunk(p) }
2268 func (rws *responseWriterState) hasTrailers() bool { return len(rws.trailers) != 0 }
2270 // declareTrailer is called for each Trailer header when the
2271 // response header is written. It notes that a header will need to be
2272 // written in the trailers at the end of the response.
2273 func (rws *responseWriterState) declareTrailer(k string) {
2274 k = http.CanonicalHeaderKey(k)
2275 if !ValidTrailerHeader(k) {
2276 // Forbidden by RFC 2616 14.40.
2277 rws.conn.logf("ignoring invalid trailer %q", k)
2280 if !strSliceContains(rws.trailers, k) {
2281 rws.trailers = append(rws.trailers, k)
2285 // writeChunk writes chunks from the bufio.Writer. But because
2286 // bufio.Writer may bypass its chunking, sometimes p may be
2287 // arbitrarily large.
2289 // writeChunk is also responsible (on the first chunk) for sending the
2291 func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
2292 if !rws.wroteHeader {
2293 rws.writeHeader(200)
2296 isHeadResp := rws.req.Method == "HEAD"
2297 if !rws.sentHeader {
2298 rws.sentHeader = true
2299 var ctype, clen string
2300 if clen = rws.snapHeader.Get("Content-Length"); clen != "" {
2301 rws.snapHeader.Del("Content-Length")
2302 clen64, err := strconv.ParseInt(clen, 10, 64)
2303 if err == nil && clen64 >= 0 {
2304 rws.sentContentLen = clen64
2309 if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) {
2310 clen = strconv.Itoa(len(p))
2312 _, hasContentType := rws.snapHeader["Content-Type"]
2313 if !hasContentType && bodyAllowedForStatus(rws.status) {
2314 ctype = http.DetectContentType(p)
2317 if _, ok := rws.snapHeader["Date"]; !ok {
2318 // TODO(bradfitz): be faster here, like net/http? measure.
2319 date = time.Now().UTC().Format(http.TimeFormat)
2322 for _, v := range rws.snapHeader["Trailer"] {
2323 foreachHeaderElement(v, rws.declareTrailer)
2326 endStream := (rws.handlerDone && !rws.hasTrailers() && len(p) == 0) || isHeadResp
2327 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
2328 streamID: rws.stream.id,
2329 httpResCode: rws.status,
2331 endStream: endStream,
2333 contentLength: clen,
2347 if len(p) == 0 && !rws.handlerDone {
2351 if rws.handlerDone {
2352 rws.promoteUndeclaredTrailers()
2355 endStream := rws.handlerDone && !rws.hasTrailers()
2356 if len(p) > 0 || endStream {
2357 // only send a 0 byte DATA frame if we're ending the stream.
2358 if err := rws.conn.writeDataFromHandler(rws.stream, p, endStream); err != nil {
2364 if rws.handlerDone && rws.hasTrailers() {
2365 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
2366 streamID: rws.stream.id,
2367 h: rws.handlerHeader,
2368 trailers: rws.trailers,
2379 // TrailerPrefix is a magic prefix for ResponseWriter.Header map keys
2380 // that, if present, signals that the map entry is actually for
2381 // the response trailers, and not the response headers. The prefix
2382 // is stripped after the ServeHTTP call finishes and the values are
2383 // sent in the trailers.
2385 // This mechanism is intended only for trailers that are not known
2386 // prior to the headers being written. If the set of trailers is fixed
2387 // or known before the header is written, the normal Go trailers mechanism
2389 // https://golang.org/pkg/net/http/#ResponseWriter
2390 // https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
2391 const TrailerPrefix = "Trailer:"
2393 // promoteUndeclaredTrailers permits http.Handlers to set trailers
2394 // after the header has already been flushed. Because the Go
2395 // ResponseWriter interface has no way to set Trailers (only the
2396 // Header), and because we didn't want to expand the ResponseWriter
2397 // interface, and because nobody used trailers, and because RFC 2616
2398 // says you SHOULD (but not must) predeclare any trailers in the
2399 // header, the official ResponseWriter rules said trailers in Go must
2400 // be predeclared, and then we reuse the same ResponseWriter.Header()
2401 // map to mean both Headers and Trailers. When it's time to write the
2402 // Trailers, we pick out the fields of Headers that were declared as
2403 // trailers. That worked for a while, until we found the first major
2404 // user of Trailers in the wild: gRPC (using them only over http2),
2405 // and gRPC libraries permit setting trailers mid-stream without
2406 // predeclarnig them. So: change of plans. We still permit the old
2407 // way, but we also permit this hack: if a Header() key begins with
2408 // "Trailer:", the suffix of that key is a Trailer. Because ':' is an
2409 // invalid token byte anyway, there is no ambiguity. (And it's already
2410 // filtered out) It's mildly hacky, but not terrible.
2412 // This method runs after the Handler is done and promotes any Header
2413 // fields to be trailers.
2414 func (rws *responseWriterState) promoteUndeclaredTrailers() {
2415 for k, vv := range rws.handlerHeader {
2416 if !strings.HasPrefix(k, TrailerPrefix) {
2419 trailerKey := strings.TrimPrefix(k, TrailerPrefix)
2420 rws.declareTrailer(trailerKey)
2421 rws.handlerHeader[http.CanonicalHeaderKey(trailerKey)] = vv
2424 if len(rws.trailers) > 1 {
2425 sorter := sorterPool.Get().(*sorter)
2426 sorter.SortStrings(rws.trailers)
2427 sorterPool.Put(sorter)
2431 func (w *responseWriter) Flush() {
2434 panic("Header called after Handler finished")
2436 if rws.bw.Buffered() > 0 {
2437 if err := rws.bw.Flush(); err != nil {
2438 // Ignore the error. The frame writer already knows.
2442 // The bufio.Writer won't call chunkWriter.Write
2443 // (writeChunk with zero bytes, so we have to do it
2444 // ourselves to force the HTTP response header and/or
2445 // final DATA frame (with END_STREAM) to be sent.
2450 func (w *responseWriter) CloseNotify() <-chan bool {
2453 panic("CloseNotify called after Handler finished")
2455 rws.closeNotifierMu.Lock()
2456 ch := rws.closeNotifierCh
2458 ch = make(chan bool, 1)
2459 rws.closeNotifierCh = ch
2462 cw.Wait() // wait for close
2466 rws.closeNotifierMu.Unlock()
2470 func (w *responseWriter) Header() http.Header {
2473 panic("Header called after Handler finished")
2475 if rws.handlerHeader == nil {
2476 rws.handlerHeader = make(http.Header)
2478 return rws.handlerHeader
2481 func (w *responseWriter) WriteHeader(code int) {
2484 panic("WriteHeader called after Handler finished")
2486 rws.writeHeader(code)
2489 func (rws *responseWriterState) writeHeader(code int) {
2490 if !rws.wroteHeader {
2491 rws.wroteHeader = true
2493 if len(rws.handlerHeader) > 0 {
2494 rws.snapHeader = cloneHeader(rws.handlerHeader)
2499 func cloneHeader(h http.Header) http.Header {
2500 h2 := make(http.Header, len(h))
2501 for k, vv := range h {
2502 vv2 := make([]string, len(vv))
2509 // The Life Of A Write is like this:
2511 // * Handler calls w.Write or w.WriteString ->
2512 // * -> rws.bw (*bufio.Writer) ->
2513 // * (Handler might call Flush)
2514 // * -> chunkWriter{rws}
2515 // * -> responseWriterState.writeChunk(p []byte)
2516 // * -> responseWriterState.writeChunk (most of the magic; see comment there)
2517 func (w *responseWriter) Write(p []byte) (n int, err error) {
2518 return w.write(len(p), p, "")
2521 func (w *responseWriter) WriteString(s string) (n int, err error) {
2522 return w.write(len(s), nil, s)
2525 // either dataB or dataS is non-zero.
2526 func (w *responseWriter) write(lenData int, dataB []byte, dataS string) (n int, err error) {
2529 panic("Write called after Handler finished")
2531 if !rws.wroteHeader {
2534 if !bodyAllowedForStatus(rws.status) {
2535 return 0, http.ErrBodyNotAllowed
2537 rws.wroteBytes += int64(len(dataB)) + int64(len(dataS)) // only one can be set
2538 if rws.sentContentLen != 0 && rws.wroteBytes > rws.sentContentLen {
2539 // TODO: send a RST_STREAM
2540 return 0, errors.New("http2: handler wrote more than declared Content-Length")
2544 return rws.bw.Write(dataB)
2546 return rws.bw.WriteString(dataS)
2550 func (w *responseWriter) handlerDone() {
2553 rws.handlerDone = true
2557 // Only recycle the pool if all prior Write calls to
2558 // the serverConn goroutine completed successfully. If
2559 // they returned earlier due to resets from the peer
2560 // there might still be write goroutines outstanding
2561 // from the serverConn referencing the rws memory. See
2563 responseWriterStatePool.Put(rws)
2569 ErrRecursivePush = errors.New("http2: recursive push not allowed")
2570 ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS")
2573 // pushOptions is the internal version of http.PushOptions, which we
2574 // cannot include here because it's only defined in Go 1.8 and later.
2575 type pushOptions struct {
2580 func (w *responseWriter) push(target string, opts pushOptions) error {
2583 sc.serveG.checkNotOn()
2585 // No recursive pushes: "PUSH_PROMISE frames MUST only be sent on a peer-initiated stream."
2586 // http://tools.ietf.org/html/rfc7540#section-6.6
2588 return ErrRecursivePush
2592 if opts.Method == "" {
2595 if opts.Header == nil {
2596 opts.Header = http.Header{}
2598 wantScheme := "http"
2599 if w.rws.req.TLS != nil {
2600 wantScheme = "https"
2603 // Validate the request.
2604 u, err := url.Parse(target)
2609 if !strings.HasPrefix(target, "/") {
2610 return fmt.Errorf("target must be an absolute URL or an absolute path: %q", target)
2612 u.Scheme = wantScheme
2613 u.Host = w.rws.req.Host
2615 if u.Scheme != wantScheme {
2616 return fmt.Errorf("cannot push URL with scheme %q from request with scheme %q", u.Scheme, wantScheme)
2619 return errors.New("URL must have a host")
2622 for k := range opts.Header {
2623 if strings.HasPrefix(k, ":") {
2624 return fmt.Errorf("promised request headers cannot include pseudo header %q", k)
2626 // These headers are meaningful only if the request has a body,
2627 // but PUSH_PROMISE requests cannot have a body.
2628 // http://tools.ietf.org/html/rfc7540#section-8.2
2629 // Also disallow Host, since the promised URL must be absolute.
2630 switch strings.ToLower(k) {
2631 case "content-length", "content-encoding", "trailer", "te", "expect", "host":
2632 return fmt.Errorf("promised request headers cannot include %q", k)
2635 if err := checkValidHTTP2RequestHeaders(opts.Header); err != nil {
2639 // The RFC effectively limits promised requests to GET and HEAD:
2640 // "Promised requests MUST be cacheable [GET, HEAD, or POST], and MUST be safe [GET or HEAD]"
2641 // http://tools.ietf.org/html/rfc7540#section-8.2
2642 if opts.Method != "GET" && opts.Method != "HEAD" {
2643 return fmt.Errorf("method %q must be GET or HEAD", opts.Method)
2646 msg := &startPushRequest{
2648 method: opts.Method,
2650 header: cloneHeader(opts.Header),
2651 done: errChanPool.Get().(chan error),
2655 case <-sc.doneServing:
2656 return errClientDisconnected
2658 return errStreamClosed
2659 case sc.serveMsgCh <- msg:
2663 case <-sc.doneServing:
2664 return errClientDisconnected
2666 return errStreamClosed
2667 case err := <-msg.done:
2668 errChanPool.Put(msg.done)
2673 type startPushRequest struct {
2681 func (sc *serverConn) startPush(msg *startPushRequest) {
2684 // http://tools.ietf.org/html/rfc7540#section-6.6.
2685 // PUSH_PROMISE frames MUST only be sent on a peer-initiated stream that
2686 // is in either the "open" or "half-closed (remote)" state.
2687 if msg.parent.state != stateOpen && msg.parent.state != stateHalfClosedRemote {
2688 // responseWriter.Push checks that the stream is peer-initiaed.
2689 msg.done <- errStreamClosed
2693 // http://tools.ietf.org/html/rfc7540#section-6.6.
2694 if !sc.pushEnabled {
2695 msg.done <- http.ErrNotSupported
2699 // PUSH_PROMISE frames must be sent in increasing order by stream ID, so
2700 // we allocate an ID for the promised stream lazily, when the PUSH_PROMISE
2701 // is written. Once the ID is allocated, we start the request handler.
2702 allocatePromisedID := func() (uint32, error) {
2705 // Check this again, just in case. Technically, we might have received
2706 // an updated SETTINGS by the time we got around to writing this frame.
2707 if !sc.pushEnabled {
2708 return 0, http.ErrNotSupported
2710 // http://tools.ietf.org/html/rfc7540#section-6.5.2.
2711 if sc.curPushedStreams+1 > sc.clientMaxStreams {
2712 return 0, ErrPushLimitReached
2715 // http://tools.ietf.org/html/rfc7540#section-5.1.1.
2716 // Streams initiated by the server MUST use even-numbered identifiers.
2717 // A server that is unable to establish a new stream identifier can send a GOAWAY
2718 // frame so that the client is forced to open a new connection for new streams.
2719 if sc.maxPushPromiseID+2 >= 1<<31 {
2720 sc.startGracefulShutdownInternal()
2721 return 0, ErrPushLimitReached
2723 sc.maxPushPromiseID += 2
2724 promisedID := sc.maxPushPromiseID
2726 // http://tools.ietf.org/html/rfc7540#section-8.2.
2727 // Strictly speaking, the new stream should start in "reserved (local)", then
2728 // transition to "half closed (remote)" after sending the initial HEADERS, but
2729 // we start in "half closed (remote)" for simplicity.
2730 // See further comments at the definition of stateHalfClosedRemote.
2731 promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote)
2732 rw, req, err := sc.newWriterAndRequestNoBody(promised, requestParam{
2734 scheme: msg.url.Scheme,
2735 authority: msg.url.Host,
2736 path: msg.url.RequestURI(),
2737 header: cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE
2740 // Should not happen, since we've already validated msg.url.
2741 panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
2744 go sc.runHandler(rw, req, sc.handler.ServeHTTP)
2745 return promisedID, nil
2748 sc.writeFrame(FrameWriteRequest{
2749 write: &writePushPromise{
2750 streamID: msg.parent.id,
2754 allocatePromisedID: allocatePromisedID,
2761 // foreachHeaderElement splits v according to the "#rule" construction
2762 // in RFC 2616 section 2.1 and calls fn for each non-empty element.
2763 func foreachHeaderElement(v string, fn func(string)) {
2764 v = textproto.TrimString(v)
2768 if !strings.Contains(v, ",") {
2772 for _, f := range strings.Split(v, ",") {
2773 if f = textproto.TrimString(f); f != "" {
2779 // From http://httpwg.org/specs/rfc7540.html#rfc.section.8.1.2.2
2780 var connHeaders = []string{
2784 "Transfer-Encoding",
2788 // checkValidHTTP2RequestHeaders checks whether h is a valid HTTP/2 request,
2789 // per RFC 7540 Section 8.1.2.2.
2790 // The returned error is reported to users.
2791 func checkValidHTTP2RequestHeaders(h http.Header) error {
2792 for _, k := range connHeaders {
2793 if _, ok := h[k]; ok {
2794 return fmt.Errorf("request header %q is not valid in HTTP/2", k)
2798 if len(te) > 0 && (len(te) > 1 || (te[0] != "trailers" && te[0] != "")) {
2799 return errors.New(`request header "TE" may only be "trailers" in HTTP/2`)
2804 func new400Handler(err error) http.HandlerFunc {
2805 return func(w http.ResponseWriter, r *http.Request) {
2806 http.Error(w, err.Error(), http.StatusBadRequest)
2810 // ValidTrailerHeader reports whether name is a valid header field name to appear
2812 // See: http://tools.ietf.org/html/rfc7230#section-4.1.2
2813 func ValidTrailerHeader(name string) bool {
2814 name = http.CanonicalHeaderKey(name)
2815 if strings.HasPrefix(name, "If-") || badTrailer[name] {
2821 var badTrailer = map[string]bool{
2822 "Authorization": true,
2823 "Cache-Control": true,
2825 "Content-Encoding": true,
2826 "Content-Length": true,
2827 "Content-Range": true,
2828 "Content-Type": true,
2832 "Max-Forwards": true,
2834 "Proxy-Authenticate": true,
2835 "Proxy-Authorization": true,
2836 "Proxy-Connection": true,
2841 "Transfer-Encoding": true,
2842 "Www-Authenticate": true,
2845 // h1ServerKeepAlivesDisabled reports whether hs has its keep-alives
2846 // disabled. See comments on h1ServerShutdownChan above for why
2847 // the code is written this way.
2848 func h1ServerKeepAlivesDisabled(hs *http.Server) bool {
2849 var x interface{} = hs
2853 if hs, ok := x.(I); ok {
2854 return !hs.doKeepAlives()