1 // Copyright 2014 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // TODO: turn off the serve goroutine when idle, so
6 // an idle conn only has the readFrames goroutine active. (which could
7 // also be optimized probably to pin less memory in crypto/tls). This
8 // would involve tracking when the serve goroutine is active (atomic
9 // int32 read/CAS probably?) and starting it up when frames arrive,
10 // and shutting it down when all handlers exit. the occasional PING
11 // packets could use time.AfterFunc to call sc.wakeStartServeLoop()
12 // (which is a no-op if already running) and then queue the PING write
13 // as normal. The serve loop would then exit in most cases (if no
14 // Handlers running) and not be woken up again until the PING packet
17 // TODO (maybe): add a mechanism for Handlers to going into
18 // half-closed-local mode (rw.(io.Closer) test?) but not exit their
19 // handler, and continue to be able to read from the
20 // Request.Body. This would be a somewhat semantic change from HTTP/1
21 // (or at least what we expose in net/http), so I'd probably want to
22 // add it there too. For now, this package says that returning from
23 // the Handler ServeHTTP function means you're both done reading and
24 // done writing, without a way to stop just one or the other.
50 "golang.org/x/net/http/httpguts"
51 "golang.org/x/net/http2/hpack"
55 prefaceTimeout = 10 * time.Second
56 firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway
57 handlerChunkWriteSize = 4 << 10
58 defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to?
62 errClientDisconnected = errors.New("client disconnected")
63 errClosedBody = errors.New("body closed by handler")
64 errHandlerComplete = errors.New("http2: request body closed due to handler exiting")
65 errStreamClosed = errors.New("http2: stream closed")
68 var responseWriterStatePool = sync.Pool{
69 New: func() interface{} {
70 rws := &responseWriterState{}
71 rws.bw = bufio.NewWriterSize(chunkWriter{rws}, handlerChunkWriteSize)
79 testHookGetServerConn func(*serverConn)
80 testHookOnPanicMu *sync.Mutex // nil except in tests
81 testHookOnPanic func(sc *serverConn, panicVal interface{}) (rePanic bool)
84 // Server is an HTTP/2 server.
86 // MaxHandlers limits the number of http.Handler ServeHTTP goroutines
87 // which may run at a time over all connections.
88 // Negative or zero no limit.
92 // MaxConcurrentStreams optionally specifies the number of
93 // concurrent streams that each client may have open at a
94 // time. This is unrelated to the number of http.Handler goroutines
95 // which may be active globally, which is MaxHandlers.
96 // If zero, MaxConcurrentStreams defaults to at least 100, per
97 // the HTTP/2 spec's recommendations.
98 MaxConcurrentStreams uint32
100 // MaxReadFrameSize optionally specifies the largest frame
101 // this server is willing to read. A valid value is between
102 // 16k and 16M, inclusive. If zero or otherwise invalid, a
103 // default value is used.
104 MaxReadFrameSize uint32
106 // PermitProhibitedCipherSuites, if true, permits the use of
107 // cipher suites prohibited by the HTTP/2 spec.
108 PermitProhibitedCipherSuites bool
110 // IdleTimeout specifies how long until idle clients should be
111 // closed with a GOAWAY frame. PING frames are not considered
112 // activity for the purposes of IdleTimeout.
113 IdleTimeout time.Duration
115 // MaxUploadBufferPerConnection is the size of the initial flow
116 // control window for each connections. The HTTP/2 spec does not
117 // allow this to be smaller than 65535 or larger than 2^32-1.
118 // If the value is outside this range, a default value will be
120 MaxUploadBufferPerConnection int32
122 // MaxUploadBufferPerStream is the size of the initial flow control
123 // window for each stream. The HTTP/2 spec does not allow this to
124 // be larger than 2^32-1. If the value is zero or larger than the
125 // maximum, a default value will be used instead.
126 MaxUploadBufferPerStream int32
128 // NewWriteScheduler constructs a write scheduler for a connection.
129 // If nil, a default scheduler is chosen.
130 NewWriteScheduler func() WriteScheduler
132 // Internal state. This is a pointer (rather than embedded directly)
133 // so that we don't embed a Mutex in this struct, which will make the
134 // struct non-copyable, which might break some callers.
135 state *serverInternalState
138 func (s *Server) initialConnRecvWindowSize() int32 {
139 if s.MaxUploadBufferPerConnection > initialWindowSize {
140 return s.MaxUploadBufferPerConnection
145 func (s *Server) initialStreamRecvWindowSize() int32 {
146 if s.MaxUploadBufferPerStream > 0 {
147 return s.MaxUploadBufferPerStream
152 func (s *Server) maxReadFrameSize() uint32 {
153 if v := s.MaxReadFrameSize; v >= minMaxFrameSize && v <= maxFrameSize {
156 return defaultMaxReadFrameSize
159 func (s *Server) maxConcurrentStreams() uint32 {
160 if v := s.MaxConcurrentStreams; v > 0 {
163 return defaultMaxStreams
166 type serverInternalState struct {
168 activeConns map[*serverConn]struct{}
171 func (s *serverInternalState) registerConn(sc *serverConn) {
173 return // if the Server was used without calling ConfigureServer
176 s.activeConns[sc] = struct{}{}
180 func (s *serverInternalState) unregisterConn(sc *serverConn) {
182 return // if the Server was used without calling ConfigureServer
185 delete(s.activeConns, sc)
189 func (s *serverInternalState) startGracefulShutdown() {
191 return // if the Server was used without calling ConfigureServer
194 for sc := range s.activeConns {
195 sc.startGracefulShutdown()
200 // ConfigureServer adds HTTP/2 support to a net/http Server.
202 // The configuration conf may be nil.
204 // ConfigureServer must be called before s begins serving.
205 func ConfigureServer(s *http.Server, conf *Server) error {
207 panic("nil *http.Server")
212 conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})}
213 if h1, h2 := s, conf; h2.IdleTimeout == 0 {
214 if h1.IdleTimeout != 0 {
215 h2.IdleTimeout = h1.IdleTimeout
217 h2.IdleTimeout = h1.ReadTimeout
220 s.RegisterOnShutdown(conf.state.startGracefulShutdown)
222 if s.TLSConfig == nil {
223 s.TLSConfig = new(tls.Config)
224 } else if s.TLSConfig.CipherSuites != nil {
225 // If they already provided a CipherSuite list, return
226 // an error if it has a bad order or is missing
227 // ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
228 haveRequired := false
230 for i, cs := range s.TLSConfig.CipherSuites {
232 case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
233 // Alternative MTI cipher to not discourage ECDSA-only servers.
234 // See http://golang.org/cl/30721 for further information.
235 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
241 return fmt.Errorf("http2: TLSConfig.CipherSuites index %d contains an HTTP/2-approved cipher suite (%#04x), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection.", i, cs)
245 return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher.")
249 // Note: not setting MinVersion to tls.VersionTLS12,
250 // as we don't want to interfere with HTTP/1.1 traffic
251 // on the user's server. We enforce TLS 1.2 later once
252 // we accept a connection. Ideally this should be done
253 // during next-proto selection, but using TLS <1.2 with
254 // HTTP/2 is still the client's bug.
256 s.TLSConfig.PreferServerCipherSuites = true
259 for _, p := range s.TLSConfig.NextProtos {
260 if p == NextProtoTLS {
266 s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, NextProtoTLS)
269 if s.TLSNextProto == nil {
270 s.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
272 protoHandler := func(hs *http.Server, c *tls.Conn, h http.Handler) {
273 if testHookOnConn != nil {
276 conf.ServeConn(c, &ServeConnOpts{
281 s.TLSNextProto[NextProtoTLS] = protoHandler
285 // ServeConnOpts are options for the Server.ServeConn method.
286 type ServeConnOpts struct {
287 // BaseConfig optionally sets the base configuration
288 // for values. If nil, defaults are used.
289 BaseConfig *http.Server
291 // Handler specifies which handler to use for processing
292 // requests. If nil, BaseConfig.Handler is used. If BaseConfig
293 // or BaseConfig.Handler is nil, http.DefaultServeMux is used.
297 func (o *ServeConnOpts) baseConfig() *http.Server {
298 if o != nil && o.BaseConfig != nil {
301 return new(http.Server)
304 func (o *ServeConnOpts) handler() http.Handler {
306 if o.Handler != nil {
309 if o.BaseConfig != nil && o.BaseConfig.Handler != nil {
310 return o.BaseConfig.Handler
313 return http.DefaultServeMux
316 // ServeConn serves HTTP/2 requests on the provided connection and
317 // blocks until the connection is no longer readable.
319 // ServeConn starts speaking HTTP/2 assuming that c has not had any
320 // reads or writes. It writes its initial settings frame and expects
321 // to be able to read the preface and settings frame from the
322 // client. If c has a ConnectionState method like a *tls.Conn, the
323 // ConnectionState is used to verify the TLS ciphersuite and to set
324 // the Request.TLS field in Handlers.
326 // ServeConn does not support h2c by itself. Any h2c support must be
327 // implemented in terms of providing a suitably-behaving net.Conn.
329 // The opts parameter is optional. If nil, default values are used.
330 func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
331 baseCtx, cancel := serverConnBaseContext(c, opts)
336 hs: opts.baseConfig(),
339 remoteAddrStr: c.RemoteAddr().String(),
340 bw: newBufferedWriter(c),
341 handler: opts.handler(),
342 streams: make(map[uint32]*stream),
343 readFrameCh: make(chan readFrameResult),
344 wantWriteFrameCh: make(chan FrameWriteRequest, 8),
345 serveMsgCh: make(chan interface{}, 8),
346 wroteFrameCh: make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync
347 bodyReadCh: make(chan bodyReadMsg), // buffering doesn't matter either way
348 doneServing: make(chan struct{}),
349 clientMaxStreams: math.MaxUint32, // Section 6.5.2: "Initially, there is no limit to this value"
350 advMaxStreams: s.maxConcurrentStreams(),
351 initialStreamSendWindowSize: initialWindowSize,
352 maxFrameSize: initialMaxFrameSize,
353 headerTableSize: initialHeaderTableSize,
354 serveG: newGoroutineLock(),
358 s.state.registerConn(sc)
359 defer s.state.unregisterConn(sc)
361 // The net/http package sets the write deadline from the
362 // http.Server.WriteTimeout during the TLS handshake, but then
363 // passes the connection off to us with the deadline already set.
364 // Write deadlines are set per stream in serverConn.newStream.
365 // Disarm the net.Conn write deadline here.
366 if sc.hs.WriteTimeout != 0 {
367 sc.conn.SetWriteDeadline(time.Time{})
370 if s.NewWriteScheduler != nil {
371 sc.writeSched = s.NewWriteScheduler()
373 sc.writeSched = NewRandomWriteScheduler()
376 // These start at the RFC-specified defaults. If there is a higher
377 // configured value for inflow, that will be updated when we send a
378 // WINDOW_UPDATE shortly after sending SETTINGS.
379 sc.flow.add(initialWindowSize)
380 sc.inflow.add(initialWindowSize)
381 sc.hpackEncoder = hpack.NewEncoder(&sc.headerWriteBuf)
383 fr := NewFramer(sc.bw, c)
384 fr.ReadMetaHeaders = hpack.NewDecoder(initialHeaderTableSize, nil)
385 fr.MaxHeaderListSize = sc.maxHeaderListSize()
386 fr.SetMaxReadFrameSize(s.maxReadFrameSize())
389 if tc, ok := c.(connectionStater); ok {
390 sc.tlsState = new(tls.ConnectionState)
391 *sc.tlsState = tc.ConnectionState()
392 // 9.2 Use of TLS Features
393 // An implementation of HTTP/2 over TLS MUST use TLS
394 // 1.2 or higher with the restrictions on feature set
395 // and cipher suite described in this section. Due to
396 // implementation limitations, it might not be
397 // possible to fail TLS negotiation. An endpoint MUST
398 // immediately terminate an HTTP/2 connection that
399 // does not meet the TLS requirements described in
400 // this section with a connection error (Section
401 // 5.4.1) of type INADEQUATE_SECURITY.
402 if sc.tlsState.Version < tls.VersionTLS12 {
403 sc.rejectConn(ErrCodeInadequateSecurity, "TLS version too low")
407 if sc.tlsState.ServerName == "" {
408 // Client must use SNI, but we don't enforce that anymore,
409 // since it was causing problems when connecting to bare IP
410 // addresses during development.
412 // TODO: optionally enforce? Or enforce at the time we receive
413 // a new request, and verify the ServerName matches the :authority?
414 // But that precludes proxy situations, perhaps.
416 // So for now, do nothing here again.
419 if !s.PermitProhibitedCipherSuites && isBadCipher(sc.tlsState.CipherSuite) {
420 // "Endpoints MAY choose to generate a connection error
421 // (Section 5.4.1) of type INADEQUATE_SECURITY if one of
422 // the prohibited cipher suites are negotiated."
424 // We choose that. In my opinion, the spec is weak
425 // here. It also says both parties must support at least
426 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 so there's no
427 // excuses here. If we really must, we could allow an
428 // "AllowInsecureWeakCiphers" option on the server later.
429 // Let's see how it plays out first.
430 sc.rejectConn(ErrCodeInadequateSecurity, fmt.Sprintf("Prohibited TLS 1.2 Cipher Suite: %x", sc.tlsState.CipherSuite))
435 if hook := testHookGetServerConn; hook != nil {
441 func serverConnBaseContext(c net.Conn, opts *ServeConnOpts) (ctx context.Context, cancel func()) {
442 ctx, cancel = context.WithCancel(context.Background())
443 ctx = context.WithValue(ctx, http.LocalAddrContextKey, c.LocalAddr())
444 if hs := opts.baseConfig(); hs != nil {
445 ctx = context.WithValue(ctx, http.ServerContextKey, hs)
450 func (sc *serverConn) rejectConn(err ErrCode, debug string) {
451 sc.vlogf("http2: server rejecting conn: %v, %s", err, debug)
452 // ignoring errors. hanging up anyway.
453 sc.framer.WriteGoAway(0, err, []byte(debug))
458 type serverConn struct {
463 bw *bufferedWriter // writing to conn
465 baseCtx context.Context
467 doneServing chan struct{} // closed when serverConn.serve ends
468 readFrameCh chan readFrameResult // written by serverConn.readFrames
469 wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve
470 wroteFrameCh chan frameWriteResult // from writeFrameAsync -> serve, tickles more frame writes
471 bodyReadCh chan bodyReadMsg // from handlers -> serve
472 serveMsgCh chan interface{} // misc messages & code to send to / run on the serve loop
473 flow flow // conn-wide (not stream-specific) outbound flow control
474 inflow flow // conn-wide inbound flow control
475 tlsState *tls.ConnectionState // shared by all handlers, like net/http
477 writeSched WriteScheduler
479 // Everything following is owned by the serve loop; use serveG.check():
480 serveG goroutineLock // used to verify funcs are on serve()
482 sawFirstSettings bool // got the initial SETTINGS frame after the preface
483 needToSendSettingsAck bool
484 unackedSettings int // how many SETTINGS have we sent without ACKs?
485 clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
486 advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
487 curClientStreams uint32 // number of open streams initiated by the client
488 curPushedStreams uint32 // number of open streams initiated by server push
489 maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
490 maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
491 streams map[uint32]*stream
492 initialStreamSendWindowSize int32
494 headerTableSize uint32
495 peerMaxHeaderListSize uint32 // zero means unknown (default)
496 canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case
497 writingFrame bool // started writing a frame (on serve goroutine or separate)
498 writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh
499 needsFrameFlush bool // last frame write wasn't a flush
500 inGoAway bool // we've started to or sent GOAWAY
501 inFrameScheduleLoop bool // whether we're in the scheduleFrameWrite loop
502 needToSendGoAway bool // we need to schedule a GOAWAY frame write
504 shutdownTimer *time.Timer // nil until used
505 idleTimer *time.Timer // nil if unused
507 // Owned by the writeFrameAsync goroutine:
508 headerWriteBuf bytes.Buffer
509 hpackEncoder *hpack.Encoder
511 // Used by startGracefulShutdown.
512 shutdownOnce sync.Once
515 func (sc *serverConn) maxHeaderListSize() uint32 {
516 n := sc.hs.MaxHeaderBytes
518 n = http.DefaultMaxHeaderBytes
520 // http2's count is in a slightly different unit and includes 32 bytes per pair.
521 // So, take the net/http.Server value and pad it up a bit, assuming 10 headers.
522 const perFieldOverhead = 32 // per http2 spec
523 const typicalHeaders = 10 // conservative
524 return uint32(n + typicalHeaders*perFieldOverhead)
527 func (sc *serverConn) curOpenStreams() uint32 {
529 return sc.curClientStreams + sc.curPushedStreams
532 // stream represents a stream. This is the minimal metadata needed by
533 // the serve goroutine. Most of the actual stream state is owned by
534 // the http.Handler's goroutine in the responseWriter. Because the
535 // responseWriter's responseWriterState is recycled at the end of a
536 // handler, this struct intentionally has no pointer to the
537 // *responseWriter{,State} itself, as the Handler ending nils out the
538 // responseWriter's state field.
543 body *pipe // non-nil if expecting DATA frames
544 cw closeWaiter // closed wait stream transitions to closed state
548 // owned by serverConn's serve loop:
549 bodyBytes int64 // body bytes seen so far
550 declBodyBytes int64 // or -1 if undeclared
551 flow flow // limits writing from Handler to client
552 inflow flow // what the client is allowed to POST/etc to us
553 parent *stream // or nil
554 numTrailerValues int64
557 resetQueued bool // RST_STREAM queued for write; set by sc.resetStream
558 gotTrailerHeader bool // HEADER frame for trailers was seen
559 wroteHeaders bool // whether we wrote headers (not status 100)
560 writeDeadline *time.Timer // nil if unused
562 trailer http.Header // accumulated trailers
563 reqTrailer http.Header // handler's Request.Trailer
566 func (sc *serverConn) Framer() *Framer { return sc.framer }
567 func (sc *serverConn) CloseConn() error { return sc.conn.Close() }
568 func (sc *serverConn) Flush() error { return sc.bw.Flush() }
569 func (sc *serverConn) HeaderEncoder() (*hpack.Encoder, *bytes.Buffer) {
570 return sc.hpackEncoder, &sc.headerWriteBuf
573 func (sc *serverConn) state(streamID uint32) (streamState, *stream) {
575 // http://tools.ietf.org/html/rfc7540#section-5.1
576 if st, ok := sc.streams[streamID]; ok {
579 // "The first use of a new stream identifier implicitly closes all
580 // streams in the "idle" state that might have been initiated by
581 // that peer with a lower-valued stream identifier. For example, if
582 // a client sends a HEADERS frame on stream 7 without ever sending a
583 // frame on stream 5, then stream 5 transitions to the "closed"
584 // state when the first frame for stream 7 is sent or received."
586 if streamID <= sc.maxClientStreamID {
587 return stateClosed, nil
590 if streamID <= sc.maxPushPromiseID {
591 return stateClosed, nil
594 return stateIdle, nil
597 // setConnState calls the net/http ConnState hook for this connection, if configured.
598 // Note that the net/http package does StateNew and StateClosed for us.
599 // There is currently no plan for StateHijacked or hijacking HTTP/2 connections.
600 func (sc *serverConn) setConnState(state http.ConnState) {
601 if sc.hs.ConnState != nil {
602 sc.hs.ConnState(sc.conn, state)
606 func (sc *serverConn) vlogf(format string, args ...interface{}) {
608 sc.logf(format, args...)
612 func (sc *serverConn) logf(format string, args ...interface{}) {
613 if lg := sc.hs.ErrorLog; lg != nil {
614 lg.Printf(format, args...)
616 log.Printf(format, args...)
620 // errno returns v's underlying uintptr, else 0.
622 // TODO: remove this helper function once http2 can use build
623 // tags. See comment in isClosedConnError.
624 func errno(v error) uintptr {
625 if rv := reflect.ValueOf(v); rv.Kind() == reflect.Uintptr {
626 return uintptr(rv.Uint())
631 // isClosedConnError reports whether err is an error from use of a closed
632 // network connection.
633 func isClosedConnError(err error) bool {
638 // TODO: remove this string search and be more like the Windows
639 // case below. That might involve modifying the standard library
640 // to return better error types.
642 if strings.Contains(str, "use of closed network connection") {
646 // TODO(bradfitz): x/tools/cmd/bundle doesn't really support
647 // build tags, so I can't make an http2_windows.go file with
648 // Windows-specific stuff. Fix that and move this, once we
649 // have a way to bundle this into std's net/http somehow.
650 if runtime.GOOS == "windows" {
651 if oe, ok := err.(*net.OpError); ok && oe.Op == "read" {
652 if se, ok := oe.Err.(*os.SyscallError); ok && se.Syscall == "wsarecv" {
653 const WSAECONNABORTED = 10053
654 const WSAECONNRESET = 10054
655 if n := errno(se.Err); n == WSAECONNRESET || n == WSAECONNABORTED {
664 func (sc *serverConn) condlogf(err error, format string, args ...interface{}) {
668 if err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err) || err == errPrefaceTimeout {
669 // Boring, expected errors.
670 sc.vlogf(format, args...)
672 sc.logf(format, args...)
676 func (sc *serverConn) canonicalHeader(v string) string {
678 buildCommonHeaderMapsOnce()
679 cv, ok := commonCanonHeader[v]
683 cv, ok = sc.canonHeader[v]
687 if sc.canonHeader == nil {
688 sc.canonHeader = make(map[string]string)
690 cv = http.CanonicalHeaderKey(v)
691 sc.canonHeader[v] = cv
695 type readFrameResult struct {
696 f Frame // valid until readMore is called
699 // readMore should be called once the consumer no longer needs or
700 // retains f. After readMore, f is invalid and more frames can be
705 // readFrames is the loop that reads incoming frames.
706 // It takes care to only read one frame at a time, blocking until the
707 // consumer is done with the frame.
708 // It's run on its own goroutine.
709 func (sc *serverConn) readFrames() {
711 gateDone := gate.Done
713 f, err := sc.framer.ReadFrame()
715 case sc.readFrameCh <- readFrameResult{f, err, gateDone}:
716 case <-sc.doneServing:
721 case <-sc.doneServing:
724 if terminalReadFrameError(err) {
730 // frameWriteResult is the message passed from writeFrameAsync to the serve goroutine.
731 type frameWriteResult struct {
732 wr FrameWriteRequest // what was written (or attempted)
733 err error // result of the writeFrame call
736 // writeFrameAsync runs in its own goroutine and writes a single frame
737 // and then reports when it's done.
738 // At most one goroutine can be running writeFrameAsync at a time per
740 func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest) {
741 err := wr.write.writeFrame(sc)
742 sc.wroteFrameCh <- frameWriteResult{wr, err}
745 func (sc *serverConn) closeAllStreamsOnConnClose() {
747 for _, st := range sc.streams {
748 sc.closeStream(st, errClientDisconnected)
752 func (sc *serverConn) stopShutdownTimer() {
754 if t := sc.shutdownTimer; t != nil {
759 func (sc *serverConn) notePanic() {
760 // Note: this is for serverConn.serve panicking, not http.Handler code.
761 if testHookOnPanicMu != nil {
762 testHookOnPanicMu.Lock()
763 defer testHookOnPanicMu.Unlock()
765 if testHookOnPanic != nil {
766 if e := recover(); e != nil {
767 if testHookOnPanic(sc, e) {
774 func (sc *serverConn) serve() {
777 defer sc.conn.Close()
778 defer sc.closeAllStreamsOnConnClose()
779 defer sc.stopShutdownTimer()
780 defer close(sc.doneServing) // unblocks handlers trying to send
783 sc.vlogf("http2: server connection from %v on %p", sc.conn.RemoteAddr(), sc.hs)
786 sc.writeFrame(FrameWriteRequest{
787 write: writeSettings{
788 {SettingMaxFrameSize, sc.srv.maxReadFrameSize()},
789 {SettingMaxConcurrentStreams, sc.advMaxStreams},
790 {SettingMaxHeaderListSize, sc.maxHeaderListSize()},
791 {SettingInitialWindowSize, uint32(sc.srv.initialStreamRecvWindowSize())},
796 // Each connection starts with intialWindowSize inflow tokens.
797 // If a higher value is configured, we add more tokens.
798 if diff := sc.srv.initialConnRecvWindowSize() - initialWindowSize; diff > 0 {
799 sc.sendWindowUpdate(nil, int(diff))
802 if err := sc.readPreface(); err != nil {
803 sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err)
806 // Now that we've got the preface, get us out of the
807 // "StateNew" state. We can't go directly to idle, though.
808 // Active means we read some data and anticipate a request. We'll
809 // do another Active when we get a HEADERS frame.
810 sc.setConnState(http.StateActive)
811 sc.setConnState(http.StateIdle)
813 if sc.srv.IdleTimeout != 0 {
814 sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
815 defer sc.idleTimer.Stop()
818 go sc.readFrames() // closed by defer sc.conn.Close above
820 settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer)
821 defer settingsTimer.Stop()
827 case wr := <-sc.wantWriteFrameCh:
828 if se, ok := wr.write.(StreamError); ok {
833 case res := <-sc.wroteFrameCh:
835 case res := <-sc.readFrameCh:
836 if !sc.processFrameFromReader(res) {
840 if settingsTimer != nil {
844 case m := <-sc.bodyReadCh:
845 sc.noteBodyRead(m.st, m.n)
846 case msg := <-sc.serveMsgCh:
847 switch v := msg.(type) {
849 v(loopNum) // for testing
852 case settingsTimerMsg:
853 sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr())
856 sc.vlogf("connection is idle")
858 case shutdownTimerMsg:
859 sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr())
861 case gracefulShutdownMsg:
862 sc.startGracefulShutdownInternal()
864 panic("unknown timer")
866 case *startPushRequest:
869 panic(fmt.Sprintf("unexpected type %T", v))
873 // Start the shutdown timer after sending a GOAWAY. When sending GOAWAY
874 // with no error code (graceful shutdown), don't start the timer until
875 // all open streams have been completed.
876 sentGoAway := sc.inGoAway && !sc.needToSendGoAway && !sc.writingFrame
877 gracefulShutdownComplete := sc.goAwayCode == ErrCodeNo && sc.curOpenStreams() == 0
878 if sentGoAway && sc.shutdownTimer == nil && (sc.goAwayCode != ErrCodeNo || gracefulShutdownComplete) {
879 sc.shutDownIn(goAwayTimeout)
884 func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) {
886 case <-sc.doneServing:
892 type serverMessage int
894 // Message values sent to serveMsgCh.
896 settingsTimerMsg = new(serverMessage)
897 idleTimerMsg = new(serverMessage)
898 shutdownTimerMsg = new(serverMessage)
899 gracefulShutdownMsg = new(serverMessage)
902 func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
903 func (sc *serverConn) onIdleTimer() { sc.sendServeMsg(idleTimerMsg) }
904 func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) }
906 func (sc *serverConn) sendServeMsg(msg interface{}) {
907 sc.serveG.checkNotOn() // NOT
909 case sc.serveMsgCh <- msg:
910 case <-sc.doneServing:
914 var errPrefaceTimeout = errors.New("timeout waiting for client preface")
916 // readPreface reads the ClientPreface greeting from the peer or
917 // returns errPrefaceTimeout on timeout, or an error if the greeting
919 func (sc *serverConn) readPreface() error {
920 errc := make(chan error, 1)
922 // Read the client preface
923 buf := make([]byte, len(ClientPreface))
924 if _, err := io.ReadFull(sc.conn, buf); err != nil {
926 } else if !bytes.Equal(buf, clientPreface) {
927 errc <- fmt.Errorf("bogus greeting %q", buf)
932 timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server?
936 return errPrefaceTimeout
940 sc.vlogf("http2: server: client %v said hello", sc.conn.RemoteAddr())
947 var errChanPool = sync.Pool{
948 New: func() interface{} { return make(chan error, 1) },
951 var writeDataPool = sync.Pool{
952 New: func() interface{} { return new(writeData) },
955 // writeDataFromHandler writes DATA response frames from a handler on
957 func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error {
958 ch := errChanPool.Get().(chan error)
959 writeArg := writeDataPool.Get().(*writeData)
960 *writeArg = writeData{stream.id, data, endStream}
961 err := sc.writeFrameFromHandler(FrameWriteRequest{
969 var frameWriteDone bool // the frame write is done (successfully or not)
972 frameWriteDone = true
973 case <-sc.doneServing:
974 return errClientDisconnected
976 // If both ch and stream.cw were ready (as might
977 // happen on the final Write after an http.Handler
978 // ends), prefer the write result. Otherwise this
979 // might just be us successfully closing the stream.
980 // The writeFrameAsync and serve goroutines guarantee
981 // that the ch send will happen before the stream.cw
985 frameWriteDone = true
987 return errStreamClosed
992 writeDataPool.Put(writeArg)
997 // writeFrameFromHandler sends wr to sc.wantWriteFrameCh, but aborts
998 // if the connection has gone away.
1000 // This must not be run from the serve goroutine itself, else it might
1001 // deadlock writing to sc.wantWriteFrameCh (which is only mildly
1002 // buffered and is read by serve itself). If you're on the serve
1003 // goroutine, call writeFrame instead.
1004 func (sc *serverConn) writeFrameFromHandler(wr FrameWriteRequest) error {
1005 sc.serveG.checkNotOn() // NOT
1007 case sc.wantWriteFrameCh <- wr:
1009 case <-sc.doneServing:
1010 // Serve loop is gone.
1011 // Client has closed their connection to the server.
1012 return errClientDisconnected
1016 // writeFrame schedules a frame to write and sends it if there's nothing
1017 // already being written.
1019 // There is no pushback here (the serve goroutine never blocks). It's
1020 // the http.Handlers that block, waiting for their previous frames to
1021 // make it onto the wire
1023 // If you're not on the serve goroutine, use writeFrameFromHandler instead.
1024 func (sc *serverConn) writeFrame(wr FrameWriteRequest) {
1027 // If true, wr will not be written and wr.done will not be signaled.
1028 var ignoreWrite bool
1030 // We are not allowed to write frames on closed streams. RFC 7540 Section
1031 // 5.1.1 says: "An endpoint MUST NOT send frames other than PRIORITY on
1032 // a closed stream." Our server never sends PRIORITY, so that exception
1035 // The serverConn might close an open stream while the stream's handler
1036 // is still running. For example, the server might close a stream when it
1037 // receives bad data from the client. If this happens, the handler might
1038 // attempt to write a frame after the stream has been closed (since the
1039 // handler hasn't yet been notified of the close). In this case, we simply
1040 // ignore the frame. The handler will notice that the stream is closed when
1041 // it waits for the frame to be written.
1043 // As an exception to this rule, we allow sending RST_STREAM after close.
1044 // This allows us to immediately reject new streams without tracking any
1045 // state for those streams (except for the queued RST_STREAM frame). This
1046 // may result in duplicate RST_STREAMs in some cases, but the client should
1048 if wr.StreamID() != 0 {
1049 _, isReset := wr.write.(StreamError)
1050 if state, _ := sc.state(wr.StreamID()); state == stateClosed && !isReset {
1055 // Don't send a 100-continue response if we've already sent headers.
1056 // See golang.org/issue/14030.
1057 switch wr.write.(type) {
1058 case *writeResHeaders:
1059 wr.stream.wroteHeaders = true
1060 case write100ContinueHeadersFrame:
1061 if wr.stream.wroteHeaders {
1062 // We do not need to notify wr.done because this frame is
1063 // never written with wr.done != nil.
1065 panic("wr.done != nil for write100ContinueHeadersFrame")
1072 sc.writeSched.Push(wr)
1074 sc.scheduleFrameWrite()
1077 // startFrameWrite starts a goroutine to write wr (in a separate
1078 // goroutine since that might block on the network), and updates the
1079 // serve goroutine's state about the world, updated from info in wr.
1080 func (sc *serverConn) startFrameWrite(wr FrameWriteRequest) {
1082 if sc.writingFrame {
1083 panic("internal error: can only be writing one frame at a time")
1089 case stateHalfClosedLocal:
1090 switch wr.write.(type) {
1091 case StreamError, handlerPanicRST, writeWindowUpdate:
1092 // RFC 7540 Section 5.1 allows sending RST_STREAM, PRIORITY, and WINDOW_UPDATE
1093 // in this state. (We never send PRIORITY from the server, so that is not checked.)
1095 panic(fmt.Sprintf("internal error: attempt to send frame on a half-closed-local stream: %v", wr))
1098 panic(fmt.Sprintf("internal error: attempt to send frame on a closed stream: %v", wr))
1101 if wpp, ok := wr.write.(*writePushPromise); ok {
1103 wpp.promisedID, err = wpp.allocatePromisedID()
1105 sc.writingFrameAsync = false
1106 wr.replyToWriter(err)
1111 sc.writingFrame = true
1112 sc.needsFrameFlush = true
1113 if wr.write.staysWithinBuffer(sc.bw.Available()) {
1114 sc.writingFrameAsync = false
1115 err := wr.write.writeFrame(sc)
1116 sc.wroteFrame(frameWriteResult{wr, err})
1118 sc.writingFrameAsync = true
1119 go sc.writeFrameAsync(wr)
1123 // errHandlerPanicked is the error given to any callers blocked in a read from
1124 // Request.Body when the main goroutine panics. Since most handlers read in the
1125 // main ServeHTTP goroutine, this will show up rarely.
1126 var errHandlerPanicked = errors.New("http2: handler panicked")
1128 // wroteFrame is called on the serve goroutine with the result of
1129 // whatever happened on writeFrameAsync.
1130 func (sc *serverConn) wroteFrame(res frameWriteResult) {
1132 if !sc.writingFrame {
1133 panic("internal error: expected to be already writing a frame")
1135 sc.writingFrame = false
1136 sc.writingFrameAsync = false
1140 if writeEndsStream(wr.write) {
1143 panic("internal error: expecting non-nil stream")
1147 // Here we would go to stateHalfClosedLocal in
1148 // theory, but since our handler is done and
1149 // the net/http package provides no mechanism
1150 // for closing a ResponseWriter while still
1151 // reading data (see possible TODO at top of
1152 // this file), we go into closed state here
1153 // anyway, after telling the peer we're
1154 // hanging up on them. We'll transition to
1155 // stateClosed after the RST_STREAM frame is
1157 st.state = stateHalfClosedLocal
1158 // Section 8.1: a server MAY request that the client abort
1159 // transmission of a request without error by sending a
1160 // RST_STREAM with an error code of NO_ERROR after sending
1161 // a complete response.
1162 sc.resetStream(streamError(st.id, ErrCodeNo))
1163 case stateHalfClosedRemote:
1164 sc.closeStream(st, errHandlerComplete)
1167 switch v := wr.write.(type) {
1169 // st may be unknown if the RST_STREAM was generated to reject bad input.
1170 if st, ok := sc.streams[v.StreamID]; ok {
1171 sc.closeStream(st, v)
1173 case handlerPanicRST:
1174 sc.closeStream(wr.stream, errHandlerPanicked)
1178 // Reply (if requested) to unblock the ServeHTTP goroutine.
1179 wr.replyToWriter(res.err)
1181 sc.scheduleFrameWrite()
1184 // scheduleFrameWrite tickles the frame writing scheduler.
1186 // If a frame is already being written, nothing happens. This will be called again
1187 // when the frame is done being written.
1189 // If a frame isn't being written we need to send one, the best frame
1190 // to send is selected, preferring first things that aren't
1191 // stream-specific (e.g. ACKing settings), and then finding the
1192 // highest priority stream.
1194 // If a frame isn't being written and there's nothing else to send, we
1195 // flush the write buffer.
1196 func (sc *serverConn) scheduleFrameWrite() {
1198 if sc.writingFrame || sc.inFrameScheduleLoop {
1201 sc.inFrameScheduleLoop = true
1202 for !sc.writingFrameAsync {
1203 if sc.needToSendGoAway {
1204 sc.needToSendGoAway = false
1205 sc.startFrameWrite(FrameWriteRequest{
1206 write: &writeGoAway{
1207 maxStreamID: sc.maxClientStreamID,
1208 code: sc.goAwayCode,
1213 if sc.needToSendSettingsAck {
1214 sc.needToSendSettingsAck = false
1215 sc.startFrameWrite(FrameWriteRequest{write: writeSettingsAck{}})
1218 if !sc.inGoAway || sc.goAwayCode == ErrCodeNo {
1219 if wr, ok := sc.writeSched.Pop(); ok {
1220 sc.startFrameWrite(wr)
1224 if sc.needsFrameFlush {
1225 sc.startFrameWrite(FrameWriteRequest{write: flushFrameWriter{}})
1226 sc.needsFrameFlush = false // after startFrameWrite, since it sets this true
1231 sc.inFrameScheduleLoop = false
1234 // startGracefulShutdown gracefully shuts down a connection. This
1235 // sends GOAWAY with ErrCodeNo to tell the client we're gracefully
1236 // shutting down. The connection isn't closed until all current
1237 // streams are done.
1239 // startGracefulShutdown returns immediately; it does not wait until
1240 // the connection has shut down.
1241 func (sc *serverConn) startGracefulShutdown() {
1242 sc.serveG.checkNotOn() // NOT
1243 sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) })
1246 // After sending GOAWAY, the connection will close after goAwayTimeout.
1247 // If we close the connection immediately after sending GOAWAY, there may
1248 // be unsent data in our kernel receive buffer, which will cause the kernel
1249 // to send a TCP RST on close() instead of a FIN. This RST will abort the
1250 // connection immediately, whether or not the client had received the GOAWAY.
1252 // Ideally we should delay for at least 1 RTT + epsilon so the client has
1253 // a chance to read the GOAWAY and stop sending messages. Measuring RTT
1254 // is hard, so we approximate with 1 second. See golang.org/issue/18701.
1256 // This is a var so it can be shorter in tests, where all requests uses the
1257 // loopback interface making the expected RTT very small.
1259 // TODO: configurable?
1260 var goAwayTimeout = 1 * time.Second
1262 func (sc *serverConn) startGracefulShutdownInternal() {
1263 sc.goAway(ErrCodeNo)
1266 func (sc *serverConn) goAway(code ErrCode) {
1272 sc.needToSendGoAway = true
1273 sc.goAwayCode = code
1274 sc.scheduleFrameWrite()
1277 func (sc *serverConn) shutDownIn(d time.Duration) {
1279 sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer)
1282 func (sc *serverConn) resetStream(se StreamError) {
1284 sc.writeFrame(FrameWriteRequest{write: se})
1285 if st, ok := sc.streams[se.StreamID]; ok {
1286 st.resetQueued = true
1290 // processFrameFromReader processes the serve loop's read from readFrameCh from the
1291 // frame-reading goroutine.
1292 // processFrameFromReader returns whether the connection should be kept open.
1293 func (sc *serverConn) processFrameFromReader(res readFrameResult) bool {
1297 if err == ErrFrameTooLarge {
1298 sc.goAway(ErrCodeFrameSize)
1299 return true // goAway will close the loop
1301 clientGone := err == io.EOF || err == io.ErrUnexpectedEOF || isClosedConnError(err)
1303 // TODO: could we also get into this state if
1304 // the peer does a half close
1305 // (e.g. CloseWrite) because they're done
1306 // sending frames but they're still wanting
1307 // our open replies? Investigate.
1308 // TODO: add CloseWrite to crypto/tls.Conn first
1309 // so we have a way to test this? I suppose
1310 // just for testing we could have a non-TLS mode.
1316 sc.vlogf("http2: server read frame %v", summarizeFrame(f))
1318 err = sc.processFrame(f)
1324 switch ev := err.(type) {
1328 case goAwayFlowError:
1329 sc.goAway(ErrCodeFlowControl)
1331 case ConnectionError:
1332 sc.logf("http2: server connection error from %v: %v", sc.conn.RemoteAddr(), ev)
1333 sc.goAway(ErrCode(ev))
1334 return true // goAway will handle shutdown
1337 sc.vlogf("http2: server closing client connection; error reading frame from client %s: %v", sc.conn.RemoteAddr(), err)
1339 sc.logf("http2: server closing client connection: %v", err)
1345 func (sc *serverConn) processFrame(f Frame) error {
1348 // First frame received must be SETTINGS.
1349 if !sc.sawFirstSettings {
1350 if _, ok := f.(*SettingsFrame); !ok {
1351 return ConnectionError(ErrCodeProtocol)
1353 sc.sawFirstSettings = true
1356 switch f := f.(type) {
1357 case *SettingsFrame:
1358 return sc.processSettings(f)
1359 case *MetaHeadersFrame:
1360 return sc.processHeaders(f)
1361 case *WindowUpdateFrame:
1362 return sc.processWindowUpdate(f)
1364 return sc.processPing(f)
1366 return sc.processData(f)
1367 case *RSTStreamFrame:
1368 return sc.processResetStream(f)
1369 case *PriorityFrame:
1370 return sc.processPriority(f)
1372 return sc.processGoAway(f)
1373 case *PushPromiseFrame:
1374 // A client cannot push. Thus, servers MUST treat the receipt of a PUSH_PROMISE
1375 // frame as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
1376 return ConnectionError(ErrCodeProtocol)
1378 sc.vlogf("http2: server ignoring frame: %v", f.Header())
1383 func (sc *serverConn) processPing(f *PingFrame) error {
1386 // 6.7 PING: " An endpoint MUST NOT respond to PING frames
1387 // containing this flag."
1390 if f.StreamID != 0 {
1391 // "PING frames are not associated with any individual
1392 // stream. If a PING frame is received with a stream
1393 // identifier field value other than 0x0, the recipient MUST
1394 // respond with a connection error (Section 5.4.1) of type
1396 return ConnectionError(ErrCodeProtocol)
1398 if sc.inGoAway && sc.goAwayCode != ErrCodeNo {
1401 sc.writeFrame(FrameWriteRequest{write: writePingAck{f}})
1405 func (sc *serverConn) processWindowUpdate(f *WindowUpdateFrame) error {
1408 case f.StreamID != 0: // stream-level flow control
1409 state, st := sc.state(f.StreamID)
1410 if state == stateIdle {
1411 // Section 5.1: "Receiving any frame other than HEADERS
1412 // or PRIORITY on a stream in this state MUST be
1413 // treated as a connection error (Section 5.4.1) of
1414 // type PROTOCOL_ERROR."
1415 return ConnectionError(ErrCodeProtocol)
1418 // "WINDOW_UPDATE can be sent by a peer that has sent a
1419 // frame bearing the END_STREAM flag. This means that a
1420 // receiver could receive a WINDOW_UPDATE frame on a "half
1421 // closed (remote)" or "closed" stream. A receiver MUST
1422 // NOT treat this as an error, see Section 5.1."
1425 if !st.flow.add(int32(f.Increment)) {
1426 return streamError(f.StreamID, ErrCodeFlowControl)
1428 default: // connection-level flow control
1429 if !sc.flow.add(int32(f.Increment)) {
1430 return goAwayFlowError{}
1433 sc.scheduleFrameWrite()
1437 func (sc *serverConn) processResetStream(f *RSTStreamFrame) error {
1440 state, st := sc.state(f.StreamID)
1441 if state == stateIdle {
1442 // 6.4 "RST_STREAM frames MUST NOT be sent for a
1443 // stream in the "idle" state. If a RST_STREAM frame
1444 // identifying an idle stream is received, the
1445 // recipient MUST treat this as a connection error
1446 // (Section 5.4.1) of type PROTOCOL_ERROR.
1447 return ConnectionError(ErrCodeProtocol)
1451 sc.closeStream(st, streamError(f.StreamID, f.ErrCode))
1456 func (sc *serverConn) closeStream(st *stream, err error) {
1458 if st.state == stateIdle || st.state == stateClosed {
1459 panic(fmt.Sprintf("invariant; can't close stream in state %v", st.state))
1461 st.state = stateClosed
1462 if st.writeDeadline != nil {
1463 st.writeDeadline.Stop()
1466 sc.curPushedStreams--
1468 sc.curClientStreams--
1470 delete(sc.streams, st.id)
1471 if len(sc.streams) == 0 {
1472 sc.setConnState(http.StateIdle)
1473 if sc.srv.IdleTimeout != 0 {
1474 sc.idleTimer.Reset(sc.srv.IdleTimeout)
1476 if h1ServerKeepAlivesDisabled(sc.hs) {
1477 sc.startGracefulShutdownInternal()
1480 if p := st.body; p != nil {
1481 // Return any buffered unread bytes worth of conn-level flow control.
1482 // See golang.org/issue/16481
1483 sc.sendWindowUpdate(nil, p.Len())
1485 p.CloseWithError(err)
1487 st.cw.Close() // signals Handler's CloseNotifier, unblocks writes, etc
1488 sc.writeSched.CloseStream(st.id)
1491 func (sc *serverConn) processSettings(f *SettingsFrame) error {
1494 sc.unackedSettings--
1495 if sc.unackedSettings < 0 {
1496 // Why is the peer ACKing settings we never sent?
1497 // The spec doesn't mention this case, but
1498 // hang up on them anyway.
1499 return ConnectionError(ErrCodeProtocol)
1503 if f.NumSettings() > 100 || f.HasDuplicates() {
1504 // This isn't actually in the spec, but hang up on
1505 // suspiciously large settings frames or those with
1506 // duplicate entries.
1507 return ConnectionError(ErrCodeProtocol)
1509 if err := f.ForeachSetting(sc.processSetting); err != nil {
1512 sc.needToSendSettingsAck = true
1513 sc.scheduleFrameWrite()
1517 func (sc *serverConn) processSetting(s Setting) error {
1519 if err := s.Valid(); err != nil {
1523 sc.vlogf("http2: server processing setting %v", s)
1526 case SettingHeaderTableSize:
1527 sc.headerTableSize = s.Val
1528 sc.hpackEncoder.SetMaxDynamicTableSize(s.Val)
1529 case SettingEnablePush:
1530 sc.pushEnabled = s.Val != 0
1531 case SettingMaxConcurrentStreams:
1532 sc.clientMaxStreams = s.Val
1533 case SettingInitialWindowSize:
1534 return sc.processSettingInitialWindowSize(s.Val)
1535 case SettingMaxFrameSize:
1536 sc.maxFrameSize = int32(s.Val) // the maximum valid s.Val is < 2^31
1537 case SettingMaxHeaderListSize:
1538 sc.peerMaxHeaderListSize = s.Val
1540 // Unknown setting: "An endpoint that receives a SETTINGS
1541 // frame with any unknown or unsupported identifier MUST
1542 // ignore that setting."
1544 sc.vlogf("http2: server ignoring unknown setting %v", s)
1550 func (sc *serverConn) processSettingInitialWindowSize(val uint32) error {
1552 // Note: val already validated to be within range by
1553 // processSetting's Valid call.
1555 // "A SETTINGS frame can alter the initial flow control window
1556 // size for all current streams. When the value of
1557 // SETTINGS_INITIAL_WINDOW_SIZE changes, a receiver MUST
1558 // adjust the size of all stream flow control windows that it
1559 // maintains by the difference between the new value and the
1561 old := sc.initialStreamSendWindowSize
1562 sc.initialStreamSendWindowSize = int32(val)
1563 growth := int32(val) - old // may be negative
1564 for _, st := range sc.streams {
1565 if !st.flow.add(growth) {
1566 // 6.9.2 Initial Flow Control Window Size
1567 // "An endpoint MUST treat a change to
1568 // SETTINGS_INITIAL_WINDOW_SIZE that causes any flow
1569 // control window to exceed the maximum size as a
1570 // connection error (Section 5.4.1) of type
1571 // FLOW_CONTROL_ERROR."
1572 return ConnectionError(ErrCodeFlowControl)
1578 func (sc *serverConn) processData(f *DataFrame) error {
1580 if sc.inGoAway && sc.goAwayCode != ErrCodeNo {
1585 // "If a DATA frame is received whose stream is not in "open"
1586 // or "half closed (local)" state, the recipient MUST respond
1587 // with a stream error (Section 5.4.2) of type STREAM_CLOSED."
1588 id := f.Header().StreamID
1589 state, st := sc.state(id)
1590 if id == 0 || state == stateIdle {
1591 // Section 5.1: "Receiving any frame other than HEADERS
1592 // or PRIORITY on a stream in this state MUST be
1593 // treated as a connection error (Section 5.4.1) of
1594 // type PROTOCOL_ERROR."
1595 return ConnectionError(ErrCodeProtocol)
1597 if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued {
1598 // This includes sending a RST_STREAM if the stream is
1599 // in stateHalfClosedLocal (which currently means that
1600 // the http.Handler returned, so it's done reading &
1601 // done writing). Try to stop the client from sending
1604 // But still enforce their connection-level flow control,
1605 // and return any flow control bytes since we're not going
1607 if sc.inflow.available() < int32(f.Length) {
1608 return streamError(id, ErrCodeFlowControl)
1610 // Deduct the flow control from inflow, since we're
1611 // going to immediately add it back in
1612 // sendWindowUpdate, which also schedules sending the
1614 sc.inflow.take(int32(f.Length))
1615 sc.sendWindowUpdate(nil, int(f.Length)) // conn-level
1617 if st != nil && st.resetQueued {
1618 // Already have a stream error in flight. Don't send another.
1621 return streamError(id, ErrCodeStreamClosed)
1624 panic("internal error: should have a body in this state")
1627 // Sender sending more than they'd declared?
1628 if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes {
1629 st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes))
1630 // RFC 7540, sec 8.1.2.6: A request or response is also malformed if the
1631 // value of a content-length header field does not equal the sum of the
1632 // DATA frame payload lengths that form the body.
1633 return streamError(id, ErrCodeProtocol)
1636 // Check whether the client has flow control quota.
1637 if st.inflow.available() < int32(f.Length) {
1638 return streamError(id, ErrCodeFlowControl)
1640 st.inflow.take(int32(f.Length))
1643 wrote, err := st.body.Write(data)
1645 return streamError(id, ErrCodeStreamClosed)
1647 if wrote != len(data) {
1648 panic("internal error: bad Writer")
1650 st.bodyBytes += int64(len(data))
1653 // Return any padded flow control now, since we won't
1654 // refund it later on body reads.
1655 if pad := int32(f.Length) - int32(len(data)); pad > 0 {
1656 sc.sendWindowUpdate32(nil, pad)
1657 sc.sendWindowUpdate32(st, pad)
1660 if f.StreamEnded() {
1666 func (sc *serverConn) processGoAway(f *GoAwayFrame) error {
1668 if f.ErrCode != ErrCodeNo {
1669 sc.logf("http2: received GOAWAY %+v, starting graceful shutdown", f)
1671 sc.vlogf("http2: received GOAWAY %+v, starting graceful shutdown", f)
1673 sc.startGracefulShutdownInternal()
1674 // http://tools.ietf.org/html/rfc7540#section-6.8
1675 // We should not create any new streams, which means we should disable push.
1676 sc.pushEnabled = false
1680 // isPushed reports whether the stream is server-initiated.
1681 func (st *stream) isPushed() bool {
1685 // endStream closes a Request.Body's pipe. It is called when a DATA
1686 // frame says a request body is over (or after trailers).
1687 func (st *stream) endStream() {
1691 if st.declBodyBytes != -1 && st.declBodyBytes != st.bodyBytes {
1692 st.body.CloseWithError(fmt.Errorf("request declared a Content-Length of %d but only wrote %d bytes",
1693 st.declBodyBytes, st.bodyBytes))
1695 st.body.closeWithErrorAndCode(io.EOF, st.copyTrailersToHandlerRequest)
1696 st.body.CloseWithError(io.EOF)
1698 st.state = stateHalfClosedRemote
1701 // copyTrailersToHandlerRequest is run in the Handler's goroutine in
1702 // its Request.Body.Read just before it gets io.EOF.
1703 func (st *stream) copyTrailersToHandlerRequest() {
1704 for k, vv := range st.trailer {
1705 if _, ok := st.reqTrailer[k]; ok {
1706 // Only copy it over it was pre-declared.
1707 st.reqTrailer[k] = vv
1712 // onWriteTimeout is run on its own goroutine (from time.AfterFunc)
1713 // when the stream's WriteTimeout has fired.
1714 func (st *stream) onWriteTimeout() {
1715 st.sc.writeFrameFromHandler(FrameWriteRequest{write: streamError(st.id, ErrCodeInternal)})
1718 func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
1725 // http://tools.ietf.org/html/rfc7540#section-5.1.1
1726 // Streams initiated by a client MUST use odd-numbered stream
1727 // identifiers. [...] An endpoint that receives an unexpected
1728 // stream identifier MUST respond with a connection error
1729 // (Section 5.4.1) of type PROTOCOL_ERROR.
1731 return ConnectionError(ErrCodeProtocol)
1733 // A HEADERS frame can be used to create a new stream or
1734 // send a trailer for an open one. If we already have a stream
1735 // open, let it process its own HEADERS frame (trailers at this
1736 // point, if it's valid).
1737 if st := sc.streams[f.StreamID]; st != nil {
1739 // We're sending RST_STREAM to close the stream, so don't bother
1740 // processing this frame.
1743 // RFC 7540, sec 5.1: If an endpoint receives additional frames, other than
1744 // WINDOW_UPDATE, PRIORITY, or RST_STREAM, for a stream that is in
1745 // this state, it MUST respond with a stream error (Section 5.4.2) of
1746 // type STREAM_CLOSED.
1747 if st.state == stateHalfClosedRemote {
1748 return streamError(id, ErrCodeStreamClosed)
1750 return st.processTrailerHeaders(f)
1753 // [...] The identifier of a newly established stream MUST be
1754 // numerically greater than all streams that the initiating
1755 // endpoint has opened or reserved. [...] An endpoint that
1756 // receives an unexpected stream identifier MUST respond with
1757 // a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
1758 if id <= sc.maxClientStreamID {
1759 return ConnectionError(ErrCodeProtocol)
1761 sc.maxClientStreamID = id
1763 if sc.idleTimer != nil {
1767 // http://tools.ietf.org/html/rfc7540#section-5.1.2
1768 // [...] Endpoints MUST NOT exceed the limit set by their peer. An
1769 // endpoint that receives a HEADERS frame that causes their
1770 // advertised concurrent stream limit to be exceeded MUST treat
1771 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR
1772 // or REFUSED_STREAM.
1773 if sc.curClientStreams+1 > sc.advMaxStreams {
1774 if sc.unackedSettings == 0 {
1775 // They should know better.
1776 return streamError(id, ErrCodeProtocol)
1778 // Assume it's a network race, where they just haven't
1779 // received our last SETTINGS update. But actually
1780 // this can't happen yet, because we don't yet provide
1781 // a way for users to adjust server parameters at
1783 return streamError(id, ErrCodeRefusedStream)
1786 initialState := stateOpen
1787 if f.StreamEnded() {
1788 initialState = stateHalfClosedRemote
1790 st := sc.newStream(id, 0, initialState)
1792 if f.HasPriority() {
1793 if err := checkPriority(f.StreamID, f.Priority); err != nil {
1796 sc.writeSched.AdjustStream(st.id, f.Priority)
1799 rw, req, err := sc.newWriterAndRequest(st, f)
1803 st.reqTrailer = req.Trailer
1804 if st.reqTrailer != nil {
1805 st.trailer = make(http.Header)
1807 st.body = req.Body.(*requestBody).pipe // may be nil
1808 st.declBodyBytes = req.ContentLength
1810 handler := sc.handler.ServeHTTP
1812 // Their header list was too long. Send a 431 error.
1813 handler = handleHeaderListTooLong
1814 } else if err := checkValidHTTP2RequestHeaders(req.Header); err != nil {
1815 handler = new400Handler(err)
1818 // The net/http package sets the read deadline from the
1819 // http.Server.ReadTimeout during the TLS handshake, but then
1820 // passes the connection off to us with the deadline already
1821 // set. Disarm it here after the request headers are read,
1822 // similar to how the http1 server works. Here it's
1823 // technically more like the http1 Server's ReadHeaderTimeout
1824 // (in Go 1.8), though. That's a more sane option anyway.
1825 if sc.hs.ReadTimeout != 0 {
1826 sc.conn.SetReadDeadline(time.Time{})
1829 go sc.runHandler(rw, req, handler)
1833 func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
1836 if st.gotTrailerHeader {
1837 return ConnectionError(ErrCodeProtocol)
1839 st.gotTrailerHeader = true
1840 if !f.StreamEnded() {
1841 return streamError(st.id, ErrCodeProtocol)
1844 if len(f.PseudoFields()) > 0 {
1845 return streamError(st.id, ErrCodeProtocol)
1847 if st.trailer != nil {
1848 for _, hf := range f.RegularFields() {
1849 key := sc.canonicalHeader(hf.Name)
1850 if !httpguts.ValidTrailerHeader(key) {
1851 // TODO: send more details to the peer somehow. But http2 has
1852 // no way to send debug data at a stream level. Discuss with
1854 return streamError(st.id, ErrCodeProtocol)
1856 st.trailer[key] = append(st.trailer[key], hf.Value)
1863 func checkPriority(streamID uint32, p PriorityParam) error {
1864 if streamID == p.StreamDep {
1865 // Section 5.3.1: "A stream cannot depend on itself. An endpoint MUST treat
1866 // this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR."
1867 // Section 5.3.3 says that a stream can depend on one of its dependencies,
1868 // so it's only self-dependencies that are forbidden.
1869 return streamError(streamID, ErrCodeProtocol)
1874 func (sc *serverConn) processPriority(f *PriorityFrame) error {
1878 if err := checkPriority(f.StreamID, f.PriorityParam); err != nil {
1881 sc.writeSched.AdjustStream(f.StreamID, f.PriorityParam)
1885 func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream {
1888 panic("internal error: cannot create stream with id 0")
1891 ctx, cancelCtx := context.WithCancel(sc.baseCtx)
1897 cancelCtx: cancelCtx,
1900 st.flow.conn = &sc.flow // link to conn-level counter
1901 st.flow.add(sc.initialStreamSendWindowSize)
1902 st.inflow.conn = &sc.inflow // link to conn-level counter
1903 st.inflow.add(sc.srv.initialStreamRecvWindowSize())
1904 if sc.hs.WriteTimeout != 0 {
1905 st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
1909 sc.writeSched.OpenStream(st.id, OpenStreamOptions{PusherID: pusherID})
1911 sc.curPushedStreams++
1913 sc.curClientStreams++
1915 if sc.curOpenStreams() == 1 {
1916 sc.setConnState(http.StateActive)
1922 func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*responseWriter, *http.Request, error) {
1926 method: f.PseudoValue("method"),
1927 scheme: f.PseudoValue("scheme"),
1928 authority: f.PseudoValue("authority"),
1929 path: f.PseudoValue("path"),
1932 isConnect := rp.method == "CONNECT"
1934 if rp.path != "" || rp.scheme != "" || rp.authority == "" {
1935 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1937 } else if rp.method == "" || rp.path == "" || (rp.scheme != "https" && rp.scheme != "http") {
1938 // See 8.1.2.6 Malformed Requests and Responses:
1940 // Malformed requests or responses that are detected
1941 // MUST be treated as a stream error (Section 5.4.2)
1942 // of type PROTOCOL_ERROR."
1944 // 8.1.2.3 Request Pseudo-Header Fields
1945 // "All HTTP/2 requests MUST include exactly one valid
1946 // value for the :method, :scheme, and :path
1947 // pseudo-header fields"
1948 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1951 bodyOpen := !f.StreamEnded()
1952 if rp.method == "HEAD" && bodyOpen {
1953 // HEAD requests can't have bodies
1954 return nil, nil, streamError(f.StreamID, ErrCodeProtocol)
1957 rp.header = make(http.Header)
1958 for _, hf := range f.RegularFields() {
1959 rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value)
1961 if rp.authority == "" {
1962 rp.authority = rp.header.Get("Host")
1965 rw, req, err := sc.newWriterAndRequestNoBody(st, rp)
1967 return nil, nil, err
1970 if vv, ok := rp.header["Content-Length"]; ok {
1971 req.ContentLength, _ = strconv.ParseInt(vv[0], 10, 64)
1973 req.ContentLength = -1
1975 req.Body.(*requestBody).pipe = &pipe{
1976 b: &dataBuffer{expected: req.ContentLength},
1982 type requestParam struct {
1984 scheme, authority, path string
1988 func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*responseWriter, *http.Request, error) {
1991 var tlsState *tls.ConnectionState // nil if not scheme https
1992 if rp.scheme == "https" {
1993 tlsState = sc.tlsState
1996 needsContinue := rp.header.Get("Expect") == "100-continue"
1998 rp.header.Del("Expect")
2000 // Merge Cookie headers into one "; "-delimited value.
2001 if cookies := rp.header["Cookie"]; len(cookies) > 1 {
2002 rp.header.Set("Cookie", strings.Join(cookies, "; "))
2006 var trailer http.Header
2007 for _, v := range rp.header["Trailer"] {
2008 for _, key := range strings.Split(v, ",") {
2009 key = http.CanonicalHeaderKey(strings.TrimSpace(key))
2011 case "Transfer-Encoding", "Trailer", "Content-Length":
2012 // Bogus. (copy of http1 rules)
2016 trailer = make(http.Header)
2022 delete(rp.header, "Trailer")
2025 var requestURI string
2026 if rp.method == "CONNECT" {
2027 url_ = &url.URL{Host: rp.authority}
2028 requestURI = rp.authority // mimic HTTP/1 server behavior
2031 url_, err = url.ParseRequestURI(rp.path)
2033 return nil, nil, streamError(st.id, ErrCodeProtocol)
2035 requestURI = rp.path
2038 body := &requestBody{
2041 needsContinue: needsContinue,
2043 req := &http.Request{
2046 RemoteAddr: sc.remoteAddrStr,
2048 RequestURI: requestURI,
2057 req = req.WithContext(st.ctx)
2059 rws := responseWriterStatePool.Get().(*responseWriterState)
2061 *rws = responseWriterState{} // zero all the fields
2064 rws.bw.Reset(chunkWriter{rws})
2069 rw := &responseWriter{rws: rws}
2073 // Run on its own goroutine.
2074 func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
2077 rw.rws.stream.cancelCtx()
2080 sc.writeFrameFromHandler(FrameWriteRequest{
2081 write: handlerPanicRST{rw.rws.stream.id},
2082 stream: rw.rws.stream,
2084 // Same as net/http:
2085 if e != nil && e != http.ErrAbortHandler {
2086 const size = 64 << 10
2087 buf := make([]byte, size)
2088 buf = buf[:runtime.Stack(buf, false)]
2089 sc.logf("http2: panic serving %v: %v\n%s", sc.conn.RemoteAddr(), e, buf)
2099 func handleHeaderListTooLong(w http.ResponseWriter, r *http.Request) {
2100 // 10.5.1 Limits on Header Block Size:
2101 // .. "A server that receives a larger header block than it is
2102 // willing to handle can send an HTTP 431 (Request Header Fields Too
2103 // Large) status code"
2104 const statusRequestHeaderFieldsTooLarge = 431 // only in Go 1.6+
2105 w.WriteHeader(statusRequestHeaderFieldsTooLarge)
2106 io.WriteString(w, "<h1>HTTP Error 431</h1><p>Request Header Field(s) Too Large</p>")
2109 // called from handler goroutines.
2111 func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) error {
2112 sc.serveG.checkNotOn() // NOT on
2114 if headerData.h != nil {
2115 // If there's a header map (which we don't own), so we have to block on
2116 // waiting for this frame to be written, so an http.Flush mid-handler
2117 // writes out the correct value of keys, before a handler later potentially
2119 errc = errChanPool.Get().(chan error)
2121 if err := sc.writeFrameFromHandler(FrameWriteRequest{
2131 errChanPool.Put(errc)
2133 case <-sc.doneServing:
2134 return errClientDisconnected
2136 return errStreamClosed
2142 // called from handler goroutines.
2143 func (sc *serverConn) write100ContinueHeaders(st *stream) {
2144 sc.writeFrameFromHandler(FrameWriteRequest{
2145 write: write100ContinueHeadersFrame{st.id},
2150 // A bodyReadMsg tells the server loop that the http.Handler read n
2151 // bytes of the DATA from the client on the given stream.
2152 type bodyReadMsg struct {
2157 // called from handler goroutines.
2158 // Notes that the handler for the given stream ID read n bytes of its body
2159 // and schedules flow control tokens to be sent.
2160 func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) {
2161 sc.serveG.checkNotOn() // NOT on
2164 case sc.bodyReadCh <- bodyReadMsg{st, n}:
2165 case <-sc.doneServing:
2170 func (sc *serverConn) noteBodyRead(st *stream, n int) {
2172 sc.sendWindowUpdate(nil, n) // conn-level
2173 if st.state != stateHalfClosedRemote && st.state != stateClosed {
2174 // Don't send this WINDOW_UPDATE if the stream is closed
2176 sc.sendWindowUpdate(st, n)
2180 // st may be nil for conn-level
2181 func (sc *serverConn) sendWindowUpdate(st *stream, n int) {
2183 // "The legal range for the increment to the flow control
2184 // window is 1 to 2^31-1 (2,147,483,647) octets."
2185 // A Go Read call on 64-bit machines could in theory read
2186 // a larger Read than this. Very unlikely, but we handle it here
2187 // rather than elsewhere for now.
2188 const maxUint31 = 1<<31 - 1
2189 for n >= maxUint31 {
2190 sc.sendWindowUpdate32(st, maxUint31)
2193 sc.sendWindowUpdate32(st, int32(n))
2196 // st may be nil for conn-level
2197 func (sc *serverConn) sendWindowUpdate32(st *stream, n int32) {
2203 panic("negative update")
2209 sc.writeFrame(FrameWriteRequest{
2210 write: writeWindowUpdate{streamID: streamID, n: uint32(n)},
2215 ok = sc.inflow.add(n)
2217 ok = st.inflow.add(n)
2220 panic("internal error; sent too many window updates without decrements?")
2224 // requestBody is the Handler's Request.Body type.
2225 // Read and Close may be called concurrently.
2226 type requestBody struct {
2229 closed bool // for use by Close only
2230 sawEOF bool // for use by Read only
2231 pipe *pipe // non-nil if we have a HTTP entity message body
2232 needsContinue bool // need to send a 100-continue
2235 func (b *requestBody) Close() error {
2236 if b.pipe != nil && !b.closed {
2237 b.pipe.BreakWithError(errClosedBody)
2243 func (b *requestBody) Read(p []byte) (n int, err error) {
2244 if b.needsContinue {
2245 b.needsContinue = false
2246 b.conn.write100ContinueHeaders(b.stream)
2248 if b.pipe == nil || b.sawEOF {
2251 n, err = b.pipe.Read(p)
2255 if b.conn == nil && inTests {
2258 b.conn.noteBodyReadFromHandler(b.stream, n, err)
2262 // responseWriter is the http.ResponseWriter implementation. It's
2263 // intentionally small (1 pointer wide) to minimize garbage. The
2264 // responseWriterState pointer inside is zeroed at the end of a
2265 // request (in handlerDone) and calls on the responseWriter thereafter
2266 // simply crash (caller's mistake), but the much larger responseWriterState
2267 // and buffers are reused between multiple requests.
2268 type responseWriter struct {
2269 rws *responseWriterState
2272 // Optional http.ResponseWriter interfaces implemented.
2274 _ http.CloseNotifier = (*responseWriter)(nil)
2275 _ http.Flusher = (*responseWriter)(nil)
2276 _ stringWriter = (*responseWriter)(nil)
2279 type responseWriterState struct {
2280 // immutable within a request:
2283 body *requestBody // to close at end of request, if DATA frames didn't
2286 // TODO: adjust buffer writing sizes based on server config, frame size updates from peer, etc
2287 bw *bufio.Writer // writing to a chunkWriter{this *responseWriterState}
2289 // mutated by http.Handler goroutine:
2290 handlerHeader http.Header // nil until called
2291 snapHeader http.Header // snapshot of handlerHeader at WriteHeader time
2292 trailers []string // set in writeChunk
2293 status int // status code passed to WriteHeader
2294 wroteHeader bool // WriteHeader called (explicitly or implicitly). Not necessarily sent to user yet.
2295 sentHeader bool // have we sent the header frame?
2296 handlerDone bool // handler has finished
2297 dirty bool // a Write failed; don't reuse this responseWriterState
2299 sentContentLen int64 // non-zero if handler set a Content-Length header
2302 closeNotifierMu sync.Mutex // guards closeNotifierCh
2303 closeNotifierCh chan bool // nil until first used
2306 type chunkWriter struct{ rws *responseWriterState }
2308 func (cw chunkWriter) Write(p []byte) (n int, err error) { return cw.rws.writeChunk(p) }
2310 func (rws *responseWriterState) hasTrailers() bool { return len(rws.trailers) != 0 }
2312 // declareTrailer is called for each Trailer header when the
2313 // response header is written. It notes that a header will need to be
2314 // written in the trailers at the end of the response.
2315 func (rws *responseWriterState) declareTrailer(k string) {
2316 k = http.CanonicalHeaderKey(k)
2317 if !httpguts.ValidTrailerHeader(k) {
2318 // Forbidden by RFC 7230, section 4.1.2.
2319 rws.conn.logf("ignoring invalid trailer %q", k)
2322 if !strSliceContains(rws.trailers, k) {
2323 rws.trailers = append(rws.trailers, k)
2327 // writeChunk writes chunks from the bufio.Writer. But because
2328 // bufio.Writer may bypass its chunking, sometimes p may be
2329 // arbitrarily large.
2331 // writeChunk is also responsible (on the first chunk) for sending the
2333 func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
2334 if !rws.wroteHeader {
2335 rws.writeHeader(200)
2338 isHeadResp := rws.req.Method == "HEAD"
2339 if !rws.sentHeader {
2340 rws.sentHeader = true
2341 var ctype, clen string
2342 if clen = rws.snapHeader.Get("Content-Length"); clen != "" {
2343 rws.snapHeader.Del("Content-Length")
2344 clen64, err := strconv.ParseInt(clen, 10, 64)
2345 if err == nil && clen64 >= 0 {
2346 rws.sentContentLen = clen64
2351 if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) {
2352 clen = strconv.Itoa(len(p))
2354 _, hasContentType := rws.snapHeader["Content-Type"]
2355 if !hasContentType && bodyAllowedForStatus(rws.status) && len(p) > 0 {
2356 ctype = http.DetectContentType(p)
2359 if _, ok := rws.snapHeader["Date"]; !ok {
2360 // TODO(bradfitz): be faster here, like net/http? measure.
2361 date = time.Now().UTC().Format(http.TimeFormat)
2364 for _, v := range rws.snapHeader["Trailer"] {
2365 foreachHeaderElement(v, rws.declareTrailer)
2368 // "Connection" headers aren't allowed in HTTP/2 (RFC 7540, 8.1.2.2),
2369 // but respect "Connection" == "close" to mean sending a GOAWAY and tearing
2370 // down the TCP connection when idle, like we do for HTTP/1.
2371 // TODO: remove more Connection-specific header fields here, in addition
2373 if _, ok := rws.snapHeader["Connection"]; ok {
2374 v := rws.snapHeader.Get("Connection")
2375 delete(rws.snapHeader, "Connection")
2377 rws.conn.startGracefulShutdown()
2381 endStream := (rws.handlerDone && !rws.hasTrailers() && len(p) == 0) || isHeadResp
2382 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
2383 streamID: rws.stream.id,
2384 httpResCode: rws.status,
2386 endStream: endStream,
2388 contentLength: clen,
2402 if len(p) == 0 && !rws.handlerDone {
2406 if rws.handlerDone {
2407 rws.promoteUndeclaredTrailers()
2410 endStream := rws.handlerDone && !rws.hasTrailers()
2411 if len(p) > 0 || endStream {
2412 // only send a 0 byte DATA frame if we're ending the stream.
2413 if err := rws.conn.writeDataFromHandler(rws.stream, p, endStream); err != nil {
2419 if rws.handlerDone && rws.hasTrailers() {
2420 err = rws.conn.writeHeaders(rws.stream, &writeResHeaders{
2421 streamID: rws.stream.id,
2422 h: rws.handlerHeader,
2423 trailers: rws.trailers,
2434 // TrailerPrefix is a magic prefix for ResponseWriter.Header map keys
2435 // that, if present, signals that the map entry is actually for
2436 // the response trailers, and not the response headers. The prefix
2437 // is stripped after the ServeHTTP call finishes and the values are
2438 // sent in the trailers.
2440 // This mechanism is intended only for trailers that are not known
2441 // prior to the headers being written. If the set of trailers is fixed
2442 // or known before the header is written, the normal Go trailers mechanism
2444 // https://golang.org/pkg/net/http/#ResponseWriter
2445 // https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
2446 const TrailerPrefix = "Trailer:"
2448 // promoteUndeclaredTrailers permits http.Handlers to set trailers
2449 // after the header has already been flushed. Because the Go
2450 // ResponseWriter interface has no way to set Trailers (only the
2451 // Header), and because we didn't want to expand the ResponseWriter
2452 // interface, and because nobody used trailers, and because RFC 7230
2453 // says you SHOULD (but not must) predeclare any trailers in the
2454 // header, the official ResponseWriter rules said trailers in Go must
2455 // be predeclared, and then we reuse the same ResponseWriter.Header()
2456 // map to mean both Headers and Trailers. When it's time to write the
2457 // Trailers, we pick out the fields of Headers that were declared as
2458 // trailers. That worked for a while, until we found the first major
2459 // user of Trailers in the wild: gRPC (using them only over http2),
2460 // and gRPC libraries permit setting trailers mid-stream without
2461 // predeclarnig them. So: change of plans. We still permit the old
2462 // way, but we also permit this hack: if a Header() key begins with
2463 // "Trailer:", the suffix of that key is a Trailer. Because ':' is an
2464 // invalid token byte anyway, there is no ambiguity. (And it's already
2465 // filtered out) It's mildly hacky, but not terrible.
2467 // This method runs after the Handler is done and promotes any Header
2468 // fields to be trailers.
2469 func (rws *responseWriterState) promoteUndeclaredTrailers() {
2470 for k, vv := range rws.handlerHeader {
2471 if !strings.HasPrefix(k, TrailerPrefix) {
2474 trailerKey := strings.TrimPrefix(k, TrailerPrefix)
2475 rws.declareTrailer(trailerKey)
2476 rws.handlerHeader[http.CanonicalHeaderKey(trailerKey)] = vv
2479 if len(rws.trailers) > 1 {
2480 sorter := sorterPool.Get().(*sorter)
2481 sorter.SortStrings(rws.trailers)
2482 sorterPool.Put(sorter)
2486 func (w *responseWriter) Flush() {
2489 panic("Header called after Handler finished")
2491 if rws.bw.Buffered() > 0 {
2492 if err := rws.bw.Flush(); err != nil {
2493 // Ignore the error. The frame writer already knows.
2497 // The bufio.Writer won't call chunkWriter.Write
2498 // (writeChunk with zero bytes, so we have to do it
2499 // ourselves to force the HTTP response header and/or
2500 // final DATA frame (with END_STREAM) to be sent.
2505 func (w *responseWriter) CloseNotify() <-chan bool {
2508 panic("CloseNotify called after Handler finished")
2510 rws.closeNotifierMu.Lock()
2511 ch := rws.closeNotifierCh
2513 ch = make(chan bool, 1)
2514 rws.closeNotifierCh = ch
2517 cw.Wait() // wait for close
2521 rws.closeNotifierMu.Unlock()
2525 func (w *responseWriter) Header() http.Header {
2528 panic("Header called after Handler finished")
2530 if rws.handlerHeader == nil {
2531 rws.handlerHeader = make(http.Header)
2533 return rws.handlerHeader
2536 // checkWriteHeaderCode is a copy of net/http's checkWriteHeaderCode.
2537 func checkWriteHeaderCode(code int) {
2538 // Issue 22880: require valid WriteHeader status codes.
2539 // For now we only enforce that it's three digits.
2540 // In the future we might block things over 599 (600 and above aren't defined
2541 // at http://httpwg.org/specs/rfc7231.html#status.codes)
2542 // and we might block under 200 (once we have more mature 1xx support).
2543 // But for now any three digits.
2545 // We used to send "HTTP/1.1 000 0" on the wire in responses but there's
2546 // no equivalent bogus thing we can realistically send in HTTP/2,
2547 // so we'll consistently panic instead and help people find their bugs
2548 // early. (We can't return an error from WriteHeader even if we wanted to.)
2549 if code < 100 || code > 999 {
2550 panic(fmt.Sprintf("invalid WriteHeader code %v", code))
2554 func (w *responseWriter) WriteHeader(code int) {
2557 panic("WriteHeader called after Handler finished")
2559 rws.writeHeader(code)
2562 func (rws *responseWriterState) writeHeader(code int) {
2563 if !rws.wroteHeader {
2564 checkWriteHeaderCode(code)
2565 rws.wroteHeader = true
2567 if len(rws.handlerHeader) > 0 {
2568 rws.snapHeader = cloneHeader(rws.handlerHeader)
2573 func cloneHeader(h http.Header) http.Header {
2574 h2 := make(http.Header, len(h))
2575 for k, vv := range h {
2576 vv2 := make([]string, len(vv))
2583 // The Life Of A Write is like this:
2585 // * Handler calls w.Write or w.WriteString ->
2586 // * -> rws.bw (*bufio.Writer) ->
2587 // * (Handler might call Flush)
2588 // * -> chunkWriter{rws}
2589 // * -> responseWriterState.writeChunk(p []byte)
2590 // * -> responseWriterState.writeChunk (most of the magic; see comment there)
2591 func (w *responseWriter) Write(p []byte) (n int, err error) {
2592 return w.write(len(p), p, "")
2595 func (w *responseWriter) WriteString(s string) (n int, err error) {
2596 return w.write(len(s), nil, s)
2599 // either dataB or dataS is non-zero.
2600 func (w *responseWriter) write(lenData int, dataB []byte, dataS string) (n int, err error) {
2603 panic("Write called after Handler finished")
2605 if !rws.wroteHeader {
2608 if !bodyAllowedForStatus(rws.status) {
2609 return 0, http.ErrBodyNotAllowed
2611 rws.wroteBytes += int64(len(dataB)) + int64(len(dataS)) // only one can be set
2612 if rws.sentContentLen != 0 && rws.wroteBytes > rws.sentContentLen {
2613 // TODO: send a RST_STREAM
2614 return 0, errors.New("http2: handler wrote more than declared Content-Length")
2618 return rws.bw.Write(dataB)
2620 return rws.bw.WriteString(dataS)
2624 func (w *responseWriter) handlerDone() {
2627 rws.handlerDone = true
2631 // Only recycle the pool if all prior Write calls to
2632 // the serverConn goroutine completed successfully. If
2633 // they returned earlier due to resets from the peer
2634 // there might still be write goroutines outstanding
2635 // from the serverConn referencing the rws memory. See
2637 responseWriterStatePool.Put(rws)
2643 ErrRecursivePush = errors.New("http2: recursive push not allowed")
2644 ErrPushLimitReached = errors.New("http2: push would exceed peer's SETTINGS_MAX_CONCURRENT_STREAMS")
2647 var _ http.Pusher = (*responseWriter)(nil)
2649 func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
2652 sc.serveG.checkNotOn()
2654 // No recursive pushes: "PUSH_PROMISE frames MUST only be sent on a peer-initiated stream."
2655 // http://tools.ietf.org/html/rfc7540#section-6.6
2657 return ErrRecursivePush
2661 opts = new(http.PushOptions)
2665 if opts.Method == "" {
2668 if opts.Header == nil {
2669 opts.Header = http.Header{}
2671 wantScheme := "http"
2672 if w.rws.req.TLS != nil {
2673 wantScheme = "https"
2676 // Validate the request.
2677 u, err := url.Parse(target)
2682 if !strings.HasPrefix(target, "/") {
2683 return fmt.Errorf("target must be an absolute URL or an absolute path: %q", target)
2685 u.Scheme = wantScheme
2686 u.Host = w.rws.req.Host
2688 if u.Scheme != wantScheme {
2689 return fmt.Errorf("cannot push URL with scheme %q from request with scheme %q", u.Scheme, wantScheme)
2692 return errors.New("URL must have a host")
2695 for k := range opts.Header {
2696 if strings.HasPrefix(k, ":") {
2697 return fmt.Errorf("promised request headers cannot include pseudo header %q", k)
2699 // These headers are meaningful only if the request has a body,
2700 // but PUSH_PROMISE requests cannot have a body.
2701 // http://tools.ietf.org/html/rfc7540#section-8.2
2702 // Also disallow Host, since the promised URL must be absolute.
2703 switch strings.ToLower(k) {
2704 case "content-length", "content-encoding", "trailer", "te", "expect", "host":
2705 return fmt.Errorf("promised request headers cannot include %q", k)
2708 if err := checkValidHTTP2RequestHeaders(opts.Header); err != nil {
2712 // The RFC effectively limits promised requests to GET and HEAD:
2713 // "Promised requests MUST be cacheable [GET, HEAD, or POST], and MUST be safe [GET or HEAD]"
2714 // http://tools.ietf.org/html/rfc7540#section-8.2
2715 if opts.Method != "GET" && opts.Method != "HEAD" {
2716 return fmt.Errorf("method %q must be GET or HEAD", opts.Method)
2719 msg := &startPushRequest{
2721 method: opts.Method,
2723 header: cloneHeader(opts.Header),
2724 done: errChanPool.Get().(chan error),
2728 case <-sc.doneServing:
2729 return errClientDisconnected
2731 return errStreamClosed
2732 case sc.serveMsgCh <- msg:
2736 case <-sc.doneServing:
2737 return errClientDisconnected
2739 return errStreamClosed
2740 case err := <-msg.done:
2741 errChanPool.Put(msg.done)
2746 type startPushRequest struct {
2754 func (sc *serverConn) startPush(msg *startPushRequest) {
2757 // http://tools.ietf.org/html/rfc7540#section-6.6.
2758 // PUSH_PROMISE frames MUST only be sent on a peer-initiated stream that
2759 // is in either the "open" or "half-closed (remote)" state.
2760 if msg.parent.state != stateOpen && msg.parent.state != stateHalfClosedRemote {
2761 // responseWriter.Push checks that the stream is peer-initiaed.
2762 msg.done <- errStreamClosed
2766 // http://tools.ietf.org/html/rfc7540#section-6.6.
2767 if !sc.pushEnabled {
2768 msg.done <- http.ErrNotSupported
2772 // PUSH_PROMISE frames must be sent in increasing order by stream ID, so
2773 // we allocate an ID for the promised stream lazily, when the PUSH_PROMISE
2774 // is written. Once the ID is allocated, we start the request handler.
2775 allocatePromisedID := func() (uint32, error) {
2778 // Check this again, just in case. Technically, we might have received
2779 // an updated SETTINGS by the time we got around to writing this frame.
2780 if !sc.pushEnabled {
2781 return 0, http.ErrNotSupported
2783 // http://tools.ietf.org/html/rfc7540#section-6.5.2.
2784 if sc.curPushedStreams+1 > sc.clientMaxStreams {
2785 return 0, ErrPushLimitReached
2788 // http://tools.ietf.org/html/rfc7540#section-5.1.1.
2789 // Streams initiated by the server MUST use even-numbered identifiers.
2790 // A server that is unable to establish a new stream identifier can send a GOAWAY
2791 // frame so that the client is forced to open a new connection for new streams.
2792 if sc.maxPushPromiseID+2 >= 1<<31 {
2793 sc.startGracefulShutdownInternal()
2794 return 0, ErrPushLimitReached
2796 sc.maxPushPromiseID += 2
2797 promisedID := sc.maxPushPromiseID
2799 // http://tools.ietf.org/html/rfc7540#section-8.2.
2800 // Strictly speaking, the new stream should start in "reserved (local)", then
2801 // transition to "half closed (remote)" after sending the initial HEADERS, but
2802 // we start in "half closed (remote)" for simplicity.
2803 // See further comments at the definition of stateHalfClosedRemote.
2804 promised := sc.newStream(promisedID, msg.parent.id, stateHalfClosedRemote)
2805 rw, req, err := sc.newWriterAndRequestNoBody(promised, requestParam{
2807 scheme: msg.url.Scheme,
2808 authority: msg.url.Host,
2809 path: msg.url.RequestURI(),
2810 header: cloneHeader(msg.header), // clone since handler runs concurrently with writing the PUSH_PROMISE
2813 // Should not happen, since we've already validated msg.url.
2814 panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err))
2817 go sc.runHandler(rw, req, sc.handler.ServeHTTP)
2818 return promisedID, nil
2821 sc.writeFrame(FrameWriteRequest{
2822 write: &writePushPromise{
2823 streamID: msg.parent.id,
2827 allocatePromisedID: allocatePromisedID,
2834 // foreachHeaderElement splits v according to the "#rule" construction
2835 // in RFC 7230 section 7 and calls fn for each non-empty element.
2836 func foreachHeaderElement(v string, fn func(string)) {
2837 v = textproto.TrimString(v)
2841 if !strings.Contains(v, ",") {
2845 for _, f := range strings.Split(v, ",") {
2846 if f = textproto.TrimString(f); f != "" {
2852 // From http://httpwg.org/specs/rfc7540.html#rfc.section.8.1.2.2
2853 var connHeaders = []string{
2857 "Transfer-Encoding",
2861 // checkValidHTTP2RequestHeaders checks whether h is a valid HTTP/2 request,
2862 // per RFC 7540 Section 8.1.2.2.
2863 // The returned error is reported to users.
2864 func checkValidHTTP2RequestHeaders(h http.Header) error {
2865 for _, k := range connHeaders {
2866 if _, ok := h[k]; ok {
2867 return fmt.Errorf("request header %q is not valid in HTTP/2", k)
2871 if len(te) > 0 && (len(te) > 1 || (te[0] != "trailers" && te[0] != "")) {
2872 return errors.New(`request header "TE" may only be "trailers" in HTTP/2`)
2877 func new400Handler(err error) http.HandlerFunc {
2878 return func(w http.ResponseWriter, r *http.Request) {
2879 http.Error(w, err.Error(), http.StatusBadRequest)
2883 // h1ServerKeepAlivesDisabled reports whether hs has its keep-alives
2884 // disabled. See comments on h1ServerShutdownChan above for why
2885 // the code is written this way.
2886 func h1ServerKeepAlivesDisabled(hs *http.Server) bool {
2887 var x interface{} = hs
2891 if hs, ok := x.(I); ok {
2892 return !hs.doKeepAlives()