Nginx support for TLS ALPS extension for ACCEPT_CH?

Maxim Dounin mdounin at mdounin.ru
Tue Feb 27 19:44:34 UTC 2024 

Hello!

On Mon, Feb 26, 2024 at 06:13:42PM +0100, Matthias Saou wrote:

> On Mon, 26 Feb 2024 01:34:31 +0300
> Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> > [...]
> > As far as I understand, the Critical-CH header should be good 
> > enough for most use cases, except might be for statistical 
> > counters which often use just one HTTP request, and therefore 
> > another one will be a huge change.
> > 
> > If you are able to share, it would be great if you'll provide more 
> > details about your use case.
> 
> A very simple use case is basic contextual ads. Presenting a somewhat
> targeted ad with no user information, no session cookie, nothing more
> than what a single http request provides. This means using in real time
> things like the referer header, the accepted languages and the
> user-agent string.
> 
> The Mobile and Platform UA-CH headers do still provide the most
> critical information for this, so it's more about the corner cases: If
> an Android app is only compatible with Android 10 and up, you don't
> want to be advertising to users of Android 9 and below.

Thanks for the use case description.

> Delivering such a targeted ad currently requires only one http request.

You mean - only one http request, assuming the javascript code to 
show ads is previously loaded from another domain?  Note that 
loading the code from the same origin with appropriate Accept-CH 
header might be the way to go.

> But with a reduced User-Agent and the Platform-Version CH header
> missing, it's no longer possible. What can be tried is:
> 
> * Replying with the Critical-CH header. The client might then re-request
>   an ad... or not, which will skew things quite a bit.
> * Redirect the client in order to request the header. You expose
>   yourself to potential infinite redirection bugs and use more
>   resources because of the extra http request.

Yep, Critical-CH is, basically, a simpler alternative to 
error-prone redirects with Accept-CH.  It doesn't save a backend 
request though, in case the first response is not really used due 
to re-request with critical hints provided.

Another alternative might be to use Accept-CH, and do not show 
versions-specific ads to clients without platform version 
provided.  That is, such ads will be shown only to clients which 
did more than one request.  Might be good enough for a corner 
case.

> > > So it seems like as of right now, with recent Chrome & Edge clients,
> > > there is no way to have nginx receive more than the 3 default client
> > > hints during the first client http connection?
> > 
> > Yes, there is no support now (except the patch you've mentioned).
> 
> I *really* wanted to avoid having to dig that patch up and potentially
> have to switch TLS library just to make this work! :-)
> 
> I also wanted to avoid having to implement a redirection in nginx, but
> I think I will have to also try something like this out in case it does
> end up working reliably:
> 
> * If our parameter indicating we already redirected is missing,
> * And the UA-CH Mobile header is present,
> * And the UA-CH Platform-Version header is absent,
> * Then redirect to the same URL but appending our parameter indicating
>   we already redirected.
> 
> This way it could potentially still achieve triggering a single request
> to the backend nginx is using, that would include the Platform-Version
> if the client agreed to provide it.

Yep, looks correct and safe enough, in case the goal is to save 
backend requests.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list