]>

Prahran Australia mnot@mnot.net https://www.mnot.net/

Internet-Draft This document specifies a format for describing the capabilities and configuration of a HTTP gateway (such as a content delivery network) to the origin server and any software on it (such as a content management system). About This Document Status information for this document may be found at . information can be found at . Source for this draft and an issue tracker can be found at .

Introduction To allow origin servers and tools that they use to be easily configured, this document defines a Gateway Description Format that describes the configuration of an HTTP gateway (commonly, a "reverse proxy" or content delivery network). It is intended to be generated by gateways and made available out-of-band to origin servers using them.

Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Gateway Description Format The Gateway Description Format is a JSON document. The root object SHOULD contain members with the following names and values:

• "generated": a string containing the date that the description was generated, in the Internet Date/Time Format described in
• "description": a string containing a human-readable description of the gateway

For example, a very simple (and not very helpful) description document: Processors SHOULD NOT fail if these members are not present. Additionally, the root object MAY contain any number of gateway descriptors; see . Unrecognised members of the root object MUST be ignored.

Gateway Descriptors The following subsections list OPTIONAL information that may be included in the root object of a gateway description document. New gateway descriptors may be introduced by updating this specification.

Site The "site" descriptor is a JSON object containing information about the HTTP server that the gateway exposes on behalf of the origin. It is a JSON object that contains zero or more of the following members:

• "exposed-origins": an array of strings containing Unicode serializations of origins () that are exposed by the gateway
• "backend-origins": an array of strings containing Unicode serializations of origins that the gateway uses as origin server(s) for the exposed origin(s)

For example: Note that this descriptor allows but is not sufficient to describe more complex arrangements; for example, different backend-origins for different URL path locations, or when one exposed-origin redirects all requests to the other.

Gateway Source Address Lists The "gateway-sourcelists" descriptor is a JSON array of strings containing one or more URLs that can be used to fetch gateway source address lists. Their URLs MUST have a scheme of "https". If multiple URLs are listed, their contents are combined to reconstruct the full list of source IP addresses for the gateway. Consumers SHOULD respect HTTP caching rules when fetching lists, refreshing their contents as necessary once they become stale. For example: Gateway source address lists are textual documents (with a RECOMMENDED media type of "text/plain") whose format is one entry per line, with all whitespace being ignored and all content on a line after the "#" being ignored. Each entry contains an IPv4 or IPv6 address block, using "/" notation. For example: ... contains three entries, "192.0.2.0/24", "198.51.100.0/24", and "2001:db8::/32".

Gateway Header Authentication The "gateway-header-auth" descriptor is a JSON array of two strings representing a HTTP header field name and value that it will send in all HTTP requests to the origin, allowing the origin to discriminate them from other requests. For example: would imply that the gateway would send this HTTP header field in all requests to the origin:

Forwarded Host The "forwarded-host" descriptor is a boolean that indicates whether the Host request header field sent by the gateway is that which it received (one of the exposed origins) if true, or that of the backend origin selected if false. For example: would imply that the gateway has rewritten the Host request header field will be rewritten to be that of the backend origin.

HTTP Methods Allowed The "methods-allow" descriptor is a JSON array of case-sensitive strings that indicate the HTTP methods that the gateway will accept in requests, forwarding them to the backend origin or handling them locally as appropriate. The value "*" indicates that unrecognised methods are forwarded to the backend origin server. For example:

Targeted Cache Control The "targeted-cc" descriptor is a JSON array of strings indicating the targeted cache-control header field(s) supported by the gateway, in order of precedence (i.e., first entry overrides later entries) For example:

Invalidation API The "invalidation-api" descriptor is a JSON object that contains information about the gateway's deployment of . These objects can contain the following members and values:

• "uri": a string conveying the URI of the Invalidation Resource ()
• "selectors": an array of strings indicating the selectors () that the Invalidation Resource supports
• "purge": a boolean indicating whether the Invalidation Resource supports the "purge" member in requests (see )
• "p95-latency": an integer indicating the number of milliseconds that 95% of invalidation requests should be fully applied to the scope indicated by the description.

For example: If the "api-auth" descriptor () is present, the authentication details there SHOULD be sent on all requests to the invalidation API.

API Authentication The "api-auth" descriptor is a string representing a Bearer HTTP authentication () to be used to authenticate the backend origin in interaction with Gateway APIs. For example:

Vendor Extensions The "vendor" descriptor is a JSON object that can be use for gateway- and vendor-specific extensions to the format. Its members' names MUST be in internet hostname format, associating a name associated with the gateway and/or its vendor. The contents of member values are under the control of that party. For example:

IANA Considerations TBD

Security Considerations TBD

Normative References The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document specifies an HTTP-based API that gateway caches (such as those in reverse proxies and content delivery networks) can expose to allow origin servers to their invalidate stored responses. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-nottingham-http-invalidation/. information can be found at https://mnot.github.io/I-D/. Source for this draft and an issue tracker can be found at https://github.com/mnot/I-D/labels/http-invalidation. This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK] This specification defines a convention for HTTP response header fields that allow cache directives to be targeted at specific caches or classes of caches. It also defines one such header field, the CDN-Cache-Control response header field, which is targeted at content delivery network (CDN) caches. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar. This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK]