nghttp2/doc/programmers-guide.rst

Programmers' Guide
==================

Includes
--------

To use the public APIs, include ``nghttp2/nghttp2.h``::

    #include <nghttp2/nghttp2.h>

The header files are also available online: :doc:`nghttp2.h` and
:doc:`nghttp2ver.h`.

Remarks
-------

Do not call `nghttp2_session_send()`, `nghttp2_session_mem_send()`,
`nghttp2_session_recv()` or `nghttp2_session_mem_recv()` from the
nghttp2 callback functions directly or indirectly. It will lead to the
crash.  You can submit requests or frames in the callbacks then call
these functions outside the callbacks.

`nghttp2_session_send()` and `nghttp2_session_mem_send()` send first
24 bytes of client magic string (MAGIC)
(:macro:`NGHTTP2_CLIENT_MAGIC`) on client configuration.  The
applications are responsible to send SETTINGS frame as part of
connection preface using `nghttp2_submit_settings()`.  Similarly,
`nghttp2_session_recv()` and `nghttp2_session_mem_recv()` consume
MAGIC on server configuration unless
`nghttp2_option_set_no_recv_client_magic()` is used with nonzero
option value.

.. _http-messaging:

HTTP Messaging
--------------

By default, nghttp2 library checks HTTP messaging rules described in
`HTTP/2 specification, section 8
<https://tools.ietf.org/html/draft-ietf-httpbis-http2-17#section-8>`_.
Everything described in that section is not validated however.  We
briefly describe what the library does in this area.  In the following
description, without loss of generality we omit CONTINUATION frame
since they must follow HEADERS frame and are processed atomically.  In
other words, they are just one big HEADERS frame.  To disable these
validations, use `nghttp2_option_set_no_http_messaging()`.

For HTTP request, including those carried by PUSH_PROMISE, HTTP
message starts with one HEADERS frame containing request headers.  It
is followed by zero or more DATA frames containing request body, which
is followed by zero or one HEADERS containing trailer headers.  The
request headers must include ":scheme", ":method" and ":path" pseudo
header fields unless ":method" is not "CONNECT".  ":authority" is
optional, but nghttp2 requires either ":authority" or "Host" header
field must be present.  If ":method" is "CONNECT", the request headers
must include ":method" and ":authority" and must omit ":scheme" and
":path".

For HTTP response, HTTP message starts with zero or more HEADERS
frames containing non-final response (status code 1xx).  They are
followed by one HEADERS frame containing final response headers
(non-1xx).  It is followed by zero or more DATA frames containing
response body, which is followed by zero or one HEADERS containing
trailer headers.  The non-final and final response headers must
contain ":status" pseudo header field containing 3 digits only.

All request and response headers must include exactly one valid value
for each pseudo header field.  Additionally nghttp2 requires all
request headers must not include more than one "Host" header field.

HTTP/2 prohibits connection-specific header fields.  The following
header fields must not appear: "Connection", "Keep-Alive",
"Proxy-Connection", "Transfer-Encoding" and "Upgrade".  Additionally,
"TE" header field must not include any value other than "trailers".

Each header field name and value must obey the field-name and
field-value production rules described in `RFC 7230, section
3.2. <https://tools.ietf.org/html/rfc7230#section-3.2>`_.
Additionally, all field name must be lower cased.  While the pseudo
header fields must satisfy these rules, we just ignore illegal regular
headers (this means that these header fields are not passed to
application callback).  This is because these illegal header fields
are floating around in existing internet and resetting stream just
because of this may break many web sites.  This is especially true if
we forward to or translate from HTTP/1 traffic.

For "http" or "https" URIs, ":path" pseudo header fields must start
with "/".  The only exception is OPTIONS request, in that case, "*" is
allowed in ":path" pseudo header field to represent system-wide
OPTIONS request.

With the above validations, nghttp2 library guarantees that header
field name passed to `nghttp2_on_header_callback()` is not empty.
Also required pseudo headers are all present and not empty.

nghttp2 enforces "Content-Length" validation as well.  All request or
response headers must not contain more than one "Content-Length"
header field.  If "Content-Length" header field is present, it must be
parsed as 64 bit signed integer.  The sum of data length in the
following DATA frames must match with the number in "Content-Length"
header field if it is present (this does not include padding bytes).

Any deviation results in stream error of type PROTOCOL_ERROR.  If
error is found in PUSH_PROMISE frame, stream error is raised against
promised stream.
doc: Split API reference into smaller fine grained files Previously API reference is gigantic one rst file and it is a bit hard to use, especially when browsing similar functions. This commit splits API reference into smaller fine grained files. The macros, enums, types are now in its own file. Each API function has its own file now. API reference doc is now index to above documentation files. The apiref-header.rst is renamed as programmers-guide.rst and becomes standalone document. 2015-03-31 18:13:10 +02:00			`Programmers' Guide`
			`==================`
Added API reference generator script. Formatted the public APIs with Sphinx syntax. 2012-03-13 16:32:52 +01:00
			`Includes`
			`--------`

Rebranding nghttp2 2013-07-12 17:19:03 +02:00			To use the public APIs, include ``nghttp2/nghttp2.h``::
Added API reference generator script. Formatted the public APIs with Sphinx syntax. 2012-03-13 16:32:52 +01:00
Rebranding nghttp2 2013-07-12 17:19:03 +02:00			`#include <nghttp2/nghttp2.h>`
Add remarks about callbacks and spdylay_session_{recv,send} 2012-12-22 17:24:56 +01:00
doc: Include header files in documentation 2013-09-04 15:57:02 +02:00			The header files are also available online: :doc:`nghttp2.h` and
			:doc:`nghttp2ver.h`.

Add remarks about callbacks and spdylay_session_{recv,send} 2012-12-22 17:24:56 +01:00			`Remarks`
			`-------`

Update doc 2014-05-10 16:22:06 +02:00			Do not call `nghttp2_session_send()`, `nghttp2_session_mem_send()`,
			`nghttp2_session_recv()` or `nghttp2_session_mem_recv()` from the
			`nghttp2 callback functions directly or indirectly. It will lead to the`
			`crash. You can submit requests or frames in the callbacks then call`
Add nghttp2_session_mem_send() API function This function behaves like nghttp2_session_send(), but it does not use nghttp2_send_callback to send data. Instead, it returns the serialized data to trasmit and its length to the caller. 2014-02-18 15:23:11 +01:00			`these functions outside the callbacks.`
Update doc 2014-05-10 16:22:06 +02:00
Send 24 bytes client magic byte string by library Previously nghttp2_session_send() and nghttp2_session_mem_send() did not send 24 bytes client magic byte string (MAGIC). We made nghttp2_session_recv() and nghttp2_session_mem_recv() process MAGIC by default, so it is natural to make library send MAGIC as well. This commit makes nghttp2_session_send() and nghttp2_session_mem_send() send MAGIC. This commit also replace "connection preface" with "client magic", since we call MAGIC as "connection preface" but it is just a part of connection preface. NGHTTP2_CLIENT_CONNECTION_PREFACE macro was replaced with NGHTTP2_CLIENT_MAGIC. The already deprecated NGHTTP2_CLIENT_CONNECTION_HEADER macro was removed permanently. nghttp2_option_set_no_recv_client_preface() was renamed as nghttp2_option_set_no_recv_client_magic(). NGHTTP2_ERR_BAD_PREFACE was renamed as NGHTTP2_ERR_BAD_CLIENT_MAGIC. 2015-04-05 15:35:40 +02:00			`nghttp2_session_send()` and `nghttp2_session_mem_send()` send first
			`24 bytes of client magic string (MAGIC)`
			(:macro:`NGHTTP2_CLIENT_MAGIC`) on client configuration. The
			`applications are responsible to send SETTINGS frame as part of`
			connection preface using `nghttp2_submit_settings()`. Similarly,
			`nghttp2_session_recv()` and `nghttp2_session_mem_recv()` consume
			`MAGIC on server configuration unless`
			`nghttp2_option_set_no_recv_client_magic()` is used with nonzero
			`option value.`
Document HTTP Messaging enforcement performed by nghttp2 library 2015-02-20 15:06:14 +01:00
doc: Split API reference into smaller fine grained files Previously API reference is gigantic one rst file and it is a bit hard to use, especially when browsing similar functions. This commit splits API reference into smaller fine grained files. The macros, enums, types are now in its own file. Each API function has its own file now. API reference doc is now index to above documentation files. The apiref-header.rst is renamed as programmers-guide.rst and becomes standalone document. 2015-03-31 18:13:10 +02:00			`.. _http-messaging:`

Document HTTP Messaging enforcement performed by nghttp2 library 2015-02-20 15:06:14 +01:00			`HTTP Messaging`
			`--------------`

			`By default, nghttp2 library checks HTTP messaging rules described in`
			`HTTP/2 specification, section 8
			<https://tools.ietf.org/html/draft-ietf-httpbis-http2-17#section-8>`_.
			`Everything described in that section is not validated however. We`
			`briefly describe what the library does in this area. In the following`
			`description, without loss of generality we omit CONTINUATION frame`
			`since they must follow HEADERS frame and are processed atomically. In`
Add nghttp2_option_set_no_http_messaging() API function This API function with nonzero \|val\| parameter disables HTTP Messaging validation in nghttp2 library, so that application can use nghttp2 library for non-HTTP use. 2015-02-20 15:26:56 +01:00			`other words, they are just one big HEADERS frame. To disable these`
			validations, use `nghttp2_option_set_no_http_messaging()`.
Document HTTP Messaging enforcement performed by nghttp2 library 2015-02-20 15:06:14 +01:00
			`For HTTP request, including those carried by PUSH_PROMISE, HTTP`
			`message starts with one HEADERS frame containing request headers. It`
			`is followed by zero or more DATA frames containing request body, which`
			`is followed by zero or one HEADERS containing trailer headers. The`
			`request headers must include ":scheme", ":method" and ":path" pseudo`
			`header fields unless ":method" is not "CONNECT". ":authority" is`
			`optional, but nghttp2 requires either ":authority" or "Host" header`
			`field must be present. If ":method" is "CONNECT", the request headers`
			`must include ":method" and ":authority" and must omit ":scheme" and`
			`":path".`

			`For HTTP response, HTTP message starts with zero or more HEADERS`
			`frames containing non-final response (status code 1xx). They are`
			`followed by one HEADERS frame containing final response headers`
			`(non-1xx). It is followed by zero or more DATA frames containing`
			`response body, which is followed by zero or one HEADERS containing`
			`trailer headers. The non-final and final response headers must`
			`contain ":status" pseudo header field containing 3 digits only.`

			`All request and response headers must include exactly one valid value`
			`for each pseudo header field. Additionally nghttp2 requires all`
			`request headers must not include more than one "Host" header field.`

Update doc 2015-02-24 15:53:12 +01:00			`HTTP/2 prohibits connection-specific header fields. The following`
			`header fields must not appear: "Connection", "Keep-Alive",`
			`"Proxy-Connection", "Transfer-Encoding" and "Upgrade". Additionally,`
			`"TE" header field must not include any value other than "trailers".`

Document HTTP Messaging enforcement performed by nghttp2 library 2015-02-20 15:06:14 +01:00			`Each header field name and value must obey the field-name and`
			field-value production rules described in `RFC 7230, section
			3.2. <https://tools.ietf.org/html/rfc7230#section-3.2>`_.
Update doc 2015-02-24 06:48:58 +01:00			`Additionally, all field name must be lower cased. While the pseudo`
			`header fields must satisfy these rules, we just ignore illegal regular`
			`headers (this means that these header fields are not passed to`
			`application callback). This is because these illegal header fields`
			`are floating around in existing internet and resetting stream just`
			`because of this may break many web sites. This is especially true if`
			`we forward to or translate from HTTP/1 traffic.`
Document HTTP Messaging enforcement performed by nghttp2 library 2015-02-20 15:06:14 +01:00
Update doc 2015-03-21 15:09:17 +01:00			`For "http" or "https" URIs, ":path" pseudo header fields must start`
			`with "/". The only exception is OPTIONS request, in that case, "*" is`
			`allowed in ":path" pseudo header field to represent system-wide`
			`OPTIONS request.`

Add nghttp2_option_set_no_http_messaging() API function This API function with nonzero \|val\| parameter disables HTTP Messaging validation in nghttp2 library, so that application can use nghttp2 library for non-HTTP use. 2015-02-20 15:26:56 +01:00			`With the above validations, nghttp2 library guarantees that header`
			field name passed to `nghttp2_on_header_callback()` is not empty.
			`Also required pseudo headers are all present and not empty.`

Document HTTP Messaging enforcement performed by nghttp2 library 2015-02-20 15:06:14 +01:00			`nghttp2 enforces "Content-Length" validation as well. All request or`
			`response headers must not contain more than one "Content-Length"`
			`header field. If "Content-Length" header field is present, it must be`
			`parsed as 64 bit signed integer. The sum of data length in the`
			`following DATA frames must match with the number in "Content-Length"`
			`header field if it is present (this does not include padding bytes).`

			`Any deviation results in stream error of type PROTOCOL_ERROR. If`
			`error is found in PUSH_PROMISE frame, stream error is raised against`
			`promised stream.`