What works:
- HTTP/2 over TLS1.2 with ALPN
- Request and response flow
- Headers are compressed and decompressed with HPACK
- Request body can be read by streams (if present)
- MVC template app with individual auth works fine
- PRIORITY frames are validated
- RST_STREAM frames are validated and abort streams
- SETTINGS frames are validated and ACKed
- PING frames are validated and ACKed
- GOAWAY frames stop connections
- WINDOW_UPDATE frames are validated
- CONTINUATION frames are sent for large header blocks
What doesn't work yet:
- Flow control in either direction
- It's not possible to encode a single header across more than one frame
- Affects only a very large header (name and value combined ~16KB long)
- Request trailers
- Response trailers
- Limits and timeouts in `KestrelServerLimits` are not enforced on HTTP/2
- HPACK use is very limited on the send side
- Literals are not Huffman-encoded
- Common headers (e.g. "server: Kestrel") are never indexed
- Honoring client settings
- Some error checking is still missing (e.g. validating incoming frame size)
- Added new options to allow configuring the maximum number of concurrent connections and upgraded connections.
- `KestrelServerLimits.MaxConcurrentConnections` defaults unlimited.
- `KestrelServerLimits.MaxConcurrentUpgradedConnections` defaults to unlimited.
- Calls to IHttpUpgradeFeature.UpgradeAsync() will throw when the MaxConcurrentUpgradedConnections limit has been reached.
- Kestrel will close new connections without response when MaxConcurrentConnections is reached.
Improves Kestrel to reject requests that don't conform to HTTP spec.
RFC 7230 section 5.4: "A server MUST respond with a 400 (Bad Request)
status code to any HTTP/1.1 request message that lacks a Host header
field and to any request message that contains more than one Host
header field or a Host header field with an invalid field-value."
See https://tools.ietf.org/html/rfc7230#section-5.4.
Other changes:
- update VS code settings to work better with CLI 2.0
- update tests that were subject to infinite hangs
This feature generates a unique ID per request. This unique ID can be
used in event source and logging.
Also, this change improves KestrelEventSource by moving it back into the
Kestrel.Core assembly and de-coupling from the Libuv transport. This
adds two new events, RequestStart and RequestStop, which can be used to
identify the correlation between connection ID and request trace
identifier.
Stephen Halter
Cesar Blum Silveira
Nate McMaster
Nate McMaster