HTTP protocol vs. HTTPS protocol

1. HTTP protocol

1.1 Overview

  • HTTP (HyperText Transfer Protocol) is a request/response based, stateless, application-layer protocol;
  • HTTP is usually implemented on top of the transport-layer TCP protocol (HTTP/1.0, HTTP/1.1 and HTTP/2.0 all run over TCP; HTTP/3 is implemented over UDP);
  • It can transmit not only text content (such as txt, html, css) but also binary data such as pictures and audio;
  • HTTP/2.0 uses multiplexing so that multiple HTTP requests share one TCP connection, improving network transmission efficiency!

1.2 HTTP protocol format

  • HTTP messages are divided into request messages and response messages, each with its own protocol format;
  • The content after the blank line is the body, and the body may be an empty string. If there is a body, the header carries a Content-Length field giving the body's length;
  • Basic URL format: scheme://host-address:port/file-location?query-string;

1.3 Methods supported by the HTTP protocol

1.3.1 GET method

  • The most commonly used HTTP method; used to obtain a resource from the server;
  • A GET request can be sent in the following ways:
    1) Enter the URL directly in the browser address bar;
    2) link, img, script and other tags in HTML also trigger GET requests;
    3) Ajax in JavaScript can also construct GET requests;
  • Features of a GET request:
    1) The first part of the first line is GET;
    2) The query string of the URL may be empty or non-empty;
    3) The header part consists of several key-value pairs;
    4) The body part is empty;

1.3.2 POST method

  • Another commonly used HTTP method; used to submit data entered by the user to the server;
  • A POST request can be sent in the following ways:
    1) Form tags in HTML can construct POST requests;
    2) Ajax in JavaScript can also construct POST requests;
  • Features of a POST request:
    1) The first part of the first line is POST;
    2) The query string of the URL is generally empty (but may be non-empty);
    3) The header part consists of several key-value pairs;
    4) The body part is generally not empty. The data format of the body is specified by the Content-Type header, and its length by the Content-Length header;

1.3.3 Other HTTP methods

  • PUT: similar to POST, but idempotent; generally used for updating a resource
  • DELETE: deletes the specified resource on the server
  • OPTIONS: returns the request methods supported by the server
  • HEAD: similar to GET, except that only the response header is returned, not the response body
  • TRACE: echoes the request received by the server; used in testing
  • CONNECT: reserved, not used yet

1.3.4 GET vs. POST

  • Different semantics: GET is generally used to obtain data, POST to submit data;
  • The body of a GET is generally empty and the data is passed through the query string; the query string of a POST is generally empty and the data is passed through the body;
  • GET requests are generally idempotent, POST requests generally are not (a request is considered idempotent if repeating it yields the same result);
  • GET responses can be cached, POST responses cannot (this also follows from idempotence);
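An empirical way to see the idempotence distinction of 1.3.3 and 1.3.4, added here as an example that is not part of the original post: a tiny in-memory resource store (this example's own, not any real server) is driven by each method, and the same request is applied twice to see whether the second application changes the state compared with applying it once.

```python
# Added example (not from the original post): an empirical idempotence check.
# The store and the handler are this example's own constructions.
import copy

def handle(store: dict, method: str, path: str, body=None):
    """Apply one request to the store; returns (status code, response body)."""
    if method == "GET":                       # reads only: state never changes
        return (200, store[path]) if path in store else (404, None)
    if method == "PUT":                       # replaces the resource: repeatable
        store[path] = body
        return (200, body)
    if method == "DELETE":                    # second call finds nothing, state unchanged
        return (200, store.pop(path)) if path in store else (404, None)
    if method == "POST":                      # appends a new item every time: not repeatable
        items = store.setdefault(path, [])
        items.append(body)
        return (201, len(items))
    return (405, None)                        # Method Not Allowed

def is_idempotent(store: dict, method: str, path: str, body=None) -> bool:
    """True if applying the request twice leaves the same state as applying it once."""
    once = copy.deepcopy(store)               # work on copies so the caller's store is untouched
    handle(once, method, path, body)
    twice = copy.deepcopy(store)
    handle(twice, method, path, body)
    handle(twice, method, path, body)
    return once == twice

if __name__ == "__main__":
    sample = {"/doc": "v1"}                   # constructed starting state
    for method, path, body in [("GET", "/doc", None), ("PUT", "/doc", "v2"),
                               ("DELETE", "/doc", None), ("POST", "/comments", "hi")]:
        print(method, path, "idempotent:", is_idempotent(sample, method, path, body))
```

The check compares server state rather than response bodies: DELETE answers 200 the first time and 404 the second, yet it is still idempotent because the state after one call equals the state after two, which is exactly why a retried DELETE is safe and a retried POST is not.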

1.4 Request message

  • The header is a "key-value pair" structure;
  • Each key-value pair in the header occupies one line, and the key and value are separated by a semicolon;
  • A complete blank line follows the end of the header, separating the header from the body;
  • Common headers:

    Header          Meaning
    Host            Address and port of the target host
    Content-Length  Length of the request body
    Content-Type    Data format of the request body
    User-Agent      Abbreviated UA; describes the browser/operating system
    Referer         The page from which the current page was reached
    Cookie          Browser cache

1.4.1 Content-Type: the data format in the request body

  • Tells the server in which format to process the content of the request body;
  • application/x-www-form-urlencoded: the data format submitted by an HTML form;
  • multipart/form-data: the data format submitted by a form whose form tag has enctype="multipart/form-data"; usually used to submit pictures/files;
  • application/json: the data is in JSON format;
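The three Content-Type values above decide how a server must decode the body. The following example is added here and is not code from the original post: it decodes a body according to the Content-Type header value, with a small multipart/form-data parser written for this example; the sample bodies, the size limit and all names are constructed.

```python
# Added example (not from the original post): decoding a request body by Content-Type.
import json
import re
from urllib.parse import parse_qs

MAX_BODY_BYTES = 1 << 20   # constructed limit: refuse to decode bodies over 1 MiB

# Constructed multipart body, as a browser sends it for enctype="multipart/form-data"
MULTIPART_TYPE = "multipart/form-data; boundary=boundary123"
MULTIPART_BODY = (
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--boundary123\r\n"
    b'Content-Disposition: form-data; name="avatar"; filename="me.png"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n"
    b"--boundary123--\r\n"
)

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: {"filename", "content"}}."""
    parts = {}
    delimiter = b"--" + boundary.encode("ascii")
    for chunk in body.split(delimiter)[1:]:       # text before the first delimiter is ignored
        if chunk.startswith(b"--"):               # "--boundary--" closes the body
            break
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):             # the CRLF before the next delimiter is not data
            content = content[:-2]
        disposition = head.decode("iso-8859-1")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disposition)
        if not name:
            continue                              # part without a field name: ignore it
        filename = re.search(r'filename="([^"]*)"', disposition)
        # The filename is client-controlled: never use it directly as a path on disk
        parts[name.group(1)] = {"filename": filename.group(1) if filename else None,
                                "content": content}
    return parts

def decode_body(content_type: str, body: bytes):
    """Decode a request body according to its Content-Type header value."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    media_type, _, params = content_type.partition(";")   # drop parameters like charset
    media_type = media_type.strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        # max_num_fields caps the number of pairs so a huge form cannot exhaust memory
        return parse_qs(body.decode("utf-8"), keep_blank_values=True, max_num_fields=1000)
    if media_type == "multipart/form-data":
        boundary = re.search(r'boundary="?([^";]+)"?', params)
        if not boundary:
            raise ValueError("multipart/form-data without a boundary parameter")
        return parse_multipart(body, boundary.group(1))
    if media_type == "application/json":
        return json.loads(body.decode("utf-8"))
    raise ValueError(f"unsupported Content-Type: {media_type!r}")

if __name__ == "__main__":
    print(decode_body("application/x-www-form-urlencoded", b"username=alice&password=xyz"))
    print(decode_body("application/json; charset=utf-8", b'{"username": "alice"}'))
    print(decode_body(MULTIPART_TYPE, MULTIPART_BODY))
```

The decoder dispatches on the media type only and rejects anything it does not recognise instead of guessing; a body whose declared type it cannot handle is an error, not something to sniff.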

1.4.2 Cookie: browser cache

  • A cookie stores a string;
  • The string may be written by the client (web page) through JS, or it may come from the server (the server returns it to the browser through the Set-Cookie field in the HTTP response header);
  • This field can be used to realize "identity identification" (the Cookie + Session mechanism);
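The Cookie + Session mechanism in miniature, added here as an example that is not part of the original post: the server keeps the session state itself and gives the browser only an unguessable session id through Set-Cookie; on later requests it looks the id up again from the Cookie header. All names (SESSION_STORE, login, current_user, logout) are this example's own.

```python
# Added example (not from the original post): server-side sessions keyed by a cookie.
import secrets
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_STORE: Dict[str, dict] = {}   # session id -> server-side state (never sent to the browser)
COOKIE_NAME = "sid"

def login(username: str) -> Tuple[str, str]:
    """Create a session; returns (session id, value for the Set-Cookie response header)."""
    sid = secrets.token_urlsafe(32)       # 256 random bits: not guessable, not sequential
    SESSION_STORE[sid] = {"user": username}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True             # page JavaScript (document.cookie) cannot read it
    morsel["secure"] = True               # the browser sends it over HTTPS only
    morsel["samesite"] = "Lax"            # not attached to most cross-site requests
    morsel["path"] = "/"
    return sid, morsel.OutputString()

def current_user(cookie_header: Optional[str]) -> Optional[str]:
    """Resolve the Cookie request header to the logged-in user, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:                   # malformed header: treat as not logged in
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = SESSION_STORE.get(morsel.value)   # unknown or revoked id -> None
    return session["user"] if session else None

def logout(sid: str) -> None:
    """Invalidate on the server side: the id left in the browser's cookie becomes useless."""
    SESSION_STORE.pop(sid, None)

if __name__ == "__main__":
    sid, set_cookie = login("alice")
    print("Set-Cookie:", set_cookie)
    print("Cookie: sid=... ->", current_user(f"sid={sid}"))
```

Only the random id travels in the cookie; the username stays in SESSION_STORE, so a client cannot edit its own identity the way it could if the cookie carried "user=alice". The HttpOnly and Secure attributes follow from the page's own remark that cookies can be written by page JS: a session cookie should be neither readable by scripts nor sent over plain HTTP.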

1.5 Response message

1.5.1 Status codes

  • Status code: indicates the result of an HTTP request, whether it succeeded or ended in some other state.
  • Common status codes:

    Status code  Meaning
    200          OK: the access succeeded
    404          Not Found: the server resource pointed to by the URL was not found
    403          Forbidden: access is denied; some pages require the user to have certain permissions
    405          Method Not Allowed: the server does not support the HTTP method used by the request
    500          Internal Server Error: there is a problem in the server's internal processing logic
    502          Bad Gateway: the gateway cannot be found
    504          Gateway Timeout: under heavy server load, processing the request may time out
    301          Moved Permanently: permanent redirection; once the browser receives this response, subsequent requests go to the new address automatically
    302          Moved Temporarily: temporary redirection; the Location field in the response header says which page to jump to
    303          See Other: temporary redirection that does not preserve the method
    307          Temporary Redirect: temporary redirection that preserves the method
    304          Not Modified: cache related; if the server content has not changed, the content in the browser cache can be used directly

1.5.2 Response header

  • The header is a "key-value pair" structure;
  • Each key-value pair in the header occupies one line, and the key and value are separated by a semicolon;
  • A complete blank line follows the end of the header, separating the header from the body;
  • The format of the response header is basically the same as that of the request header;
  • The Content-Type in the response header can take one of several values;
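The message layout described in 1.2, 1.4 and 1.5.2 (start line, one header field per line, a blank line, then Content-Length bytes of body) can be parsed with a few dozen lines. The following parser is added here as an example and is not code from the original post; it handles both request and response messages, splits each header line at the first colon (the separator HTTP uses on the wire), and refuses a few malformed shapes a server should not accept. The sample messages and the header size limit are constructed.

```python
# Added example (not from the original post): a strict parser for one HTTP message.
MAX_HEADER_BYTES = 8 * 1024   # constructed limit: stop reading oversized header sections

SAMPLE_REQUEST = (                     # constructed request message
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=alice&password=xyz"
)
SAMPLE_RESPONSE = (                    # constructed response message
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_message(raw: bytes) -> dict:
    """Parse one request or response; raises ValueError on anything malformed."""
    head, sep, rest = raw.partition(b"\r\n\r\n")      # the blank line ends the header
    if not sep:
        raise ValueError("incomplete header: no blank line found")
    if len(head) > MAX_HEADER_BYTES:
        raise ValueError("header section too large")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")      # field name ':' field value
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")   # no "Host : x", no leading space
        key = name.lower()                            # field names are case-insensitive
        if key in headers:                            # repeated field: keep every value
            headers[key] += ", " + value.strip()
        else:
            headers[key] = value.strip()
    if "transfer-encoding" in headers and "content-length" in headers:
        # Two framing rules at once is how request-smuggling confusion starts: refuse it
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length")
    if start[0].startswith("HTTP/"):                  # response: version, status, reason
        msg = {"kind": "response", "version": start[0],
               "status": int(start[1]), "reason": start[2]}
    else:                                             # request: method, target, version
        msg = {"kind": "request", "method": start[0],
               "target": start[1], "version": start[2]}
    length = headers.get("content-length")
    if length is None:
        body = b""                                    # no body, as in a GET request
    elif not length.isdigit():                        # also rejects "27, 30" from duplicates
        raise ValueError(f"invalid Content-Length: {length!r}")
    elif len(rest) < int(length):
        raise ValueError("body shorter than Content-Length")
    else:
        body = rest[: int(length)]                    # exactly Content-Length bytes, no more
    msg.update(headers=headers, body=body)
    return msg

def is_well_formed(raw: bytes) -> bool:
    """Convenience wrapper: True if parse_message accepts the bytes."""
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(parse_message(SAMPLE_REQUEST))
    print(parse_message(SAMPLE_RESPONSE))
```

Everything the parser accepts it accepts exactly once: a second Content-Length value, whitespace before the colon, or a body shorter than the declared length each produce an error rather than a best-effort guess, because it is disagreement between two parsers about where a message ends that a proxy-to-server chain cannot afford.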

2. HTTPS protocol

  • HTTPS adds an encryption layer on top of the HTTP protocol;
  • The contents of HTTP are transmitted in plain text, so they can be tampered with during transmission;
  • Specific method: first use asymmetric encryption to transmit the secret key; subsequent operations can then use symmetric encryption directly!

2.1 Encryption-Decryption

  • Encryption (Encrypt): transform the plaintext (plain) to produce the ciphertext (cipher);
  • Decryption (Decrypt): transform the ciphertext to recover the original plaintext;
  • Both encryption and decryption require a secret key (key);

2.1.1 Symmetric encryption

  • Symmetric encryption: encryption and decryption use the same secret key;
  • cipher = Encrypt(plain, key);
  • Advantage of symmetric encryption: faster encryption!
  • If HTTPS introduced only symmetric encryption, the server would have to maintain a separate secret key for every client, which is cumbersome and wastes resources;
  • Disadvantage of HTTPS using only symmetric encryption: the security of the key transmission cannot be guaranteed!

2.1.2 Asymmetric encryption

  • Asymmetric encryption: different keys are used for encryption and decryption;
  • plain = Decrypt(cipher, key);
  • Disadvantage of asymmetric encryption: slower operation;
  • Encryption-decryption process:
    method 1: encrypt with the public key, decrypt with the private key;
    method 2: encrypt with the private key, decrypt with the public key;
  • The keys needed for asymmetric encryption are divided into a public key and a private key, which come as a pair. The public key can be shared with everyone (such as the client), while the private key is known only to the server itself!
  • If HTTPS wants the client to agree with the server on the specific secret key to use for each connection, and that key must be transmitted encrypted, asymmetric encryption is needed;
  • HTTPS with asymmetric + symmetric hybrid encryption still has problems: the reliability of the public key cannot be guaranteed, and how does the client obtain the public key;

2.2 Certificate

  • To make sure the public key used in asymmetric encryption is safe and reliable, an authoritative organization is needed to issue a certification for the public key. When a client obtains the public key, it only needs to verify that the public key was issued by the authoritative organization to know that the public key is secure;
  • The certificate authority (CA) is this authoritative organization, and the public keys of some trusted certificate authorities are built into the operating system;
  • When an HTTPS website is set up, it must apply to the CA for a certificate and obtain the corresponding private key of the CA;
  • When the client and server establish a connection, the server sends the client a certificate (encrypted with the private key of the CA) containing the website's identity information: the certificate issuing authority, the certificate validity period, the public key for asymmetric encryption, the certificate owner, the **digital signature (the hash value obtained by running an algorithm such as MD5 over the entire certificate)** and other information;
  • After receiving the certificate, the client performs a series of checks:
    1) Check whether the certificate has expired;
    2) Check whether the certificate issuing authority is trusted by the operating system;
    3) Check whether the certificate has been tampered with: ① decrypt the certificate with the public key of the corresponding CA to obtain the certificate information and the digital signature value hash1; ② run an algorithm such as MD5 over the entire certificate to obtain hash2; ③ compare hash1 and hash2; if they are equal, the certificate is safe and has not been tampered with;
  • If the checks prove the certificate is safe, the public key for the asymmetric encryption used in the subsequent data transmission is taken from it;

2.3 HTTPS workflow

  • 1) The two communicating parties establish a TCP connection;
  • 2) The two parties perform a four-way handshake to agree on the symmetric key needed for the formal data communication:
    (1) The client sends a connection establishment request;
    (2) The server responds to the connection request and returns the server certificate;
    (3) The client verifies the validity of the certificate, obtains the server's public key from it, and encrypts and sends the secret key to be used for subsequent symmetric encryption;
    (4) The server receives the secret key for symmetric encryption and sends a response message telling the client that the secret key has been received;
  • 3) Encrypted communication using symmetric encryption;
    Note: HTTP/HTTPS are currently implemented on top of TCP, so HTTP/HTTPS application messages must establish a TCP connection before formal communication can begin!
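Sections 2.1 to 2.3 describe three pieces that fit together: a symmetric cipher for the bulk data, an asymmetric key pair whose two directions give encryption (method 1) and signing (method 2), and a CA-signed certificate that the client checks for expiry, issuer trust and tampering before it trusts the server's public key. The block below is an added example, not code from the original post or any TLS library: it carries those steps through end to end with textbook RSA on tiny constructed primes and a SHA-256 keystream standing in for real primitives, so it runs with the standard library alone. Neither toy is safe for real use, and every name in it (rsa_keygen, issue_certificate, https_handshake, TRUSTED_CAS, the "Example Root CA" issuer) is this example's own.

```python
# Added example (not from the original post): the HTTPS key agreement in miniature.
import hashlib
import json
import secrets
import time

# 2.1.2 asymmetric keys: toy RSA (constructed primes, far too small for real use)
def rsa_keygen(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # private exponent (Python 3.8+)
    return (e, n), (d, n)                         # (public key, private key)

def rsa_apply(key, m: int) -> int:
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

# Method 2 (private key "encrypts", public key "decrypts") is how the CA signs
def sign(private_key, data: bytes) -> int:
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return rsa_apply(private_key, digest % private_key[1])

def verify(public_key, data: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return rsa_apply(public_key, signature) == digest % public_key[1]

# 2.1.1 symmetric encryption: cipher = Encrypt(plain, key), same key both ways
def keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def sym_encrypt(plain: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))

sym_decrypt = sym_encrypt                         # XOR with the keystream is its own inverse

# 2.2 certificate: the CA signs the server's identity and public key
CA_PUB, CA_PRIV = rsa_keygen(1000003, 1000033)    # constructed CA key pair
TRUSTED_CAS = {"Example Root CA": CA_PUB}         # stand-in for the OS trust store

def issue_certificate(subject: str, server_pub, not_after: int, issuer="Example Root CA"):
    fields = {"issuer": issuer, "subject": subject, "not_after": not_after,
              "public_key": list(server_pub)}
    body = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "signature": sign(CA_PRIV, body)}

def verify_certificate(cert, now=None) -> str:
    """The client's three checks; returns 'ok' or the reason for rejection."""
    now = time.time() if now is None else now
    fields = cert["fields"]
    if fields["not_after"] < now:                                    # 1) expired?
        return "expired"
    if fields["issuer"] not in TRUSTED_CAS:                          # 2) issuer trusted?
        return "untrusted issuer"
    body = json.dumps(fields, sort_keys=True).encode()               # 3) tampered?
    if not verify(TRUSTED_CAS[fields["issuer"]], body, cert["signature"]):
        return "tampered"
    return "ok"

# 2.3 workflow: the four steps that agree the symmetric key
def https_handshake(server_cert, server_priv, now=None) -> bytes:
    # (1) client asks to connect; (2) server answers with its certificate
    result = verify_certificate(server_cert, now)
    if result != "ok":
        raise ValueError(f"certificate rejected: {result}")
    server_pub = tuple(server_cert["fields"]["public_key"])
    # (3) client picks the symmetric key and encrypts it to the server's public key (method 1)
    session_key = secrets.token_bytes(4)          # toy size so it fits the tiny modulus
    wrapped = rsa_apply(server_pub, int.from_bytes(session_key, "big"))
    # (4) server recovers it with its private key and acknowledges
    server_copy = rsa_apply(server_priv, wrapped).to_bytes(4, "big")
    if server_copy != session_key:
        raise RuntimeError("key exchange failed")
    return session_key

def demo() -> bool:
    server_pub, server_priv = rsa_keygen(1000037, 1000039)   # constructed server key pair
    cert = issue_certificate("www.example.com", server_pub, not_after=4102444800)
    key = https_handshake(cert, server_priv)
    request = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    cipher = sym_encrypt(request, key)            # only this crosses the network
    return cipher != request and sym_decrypt(cipher, key) == request

if __name__ == "__main__":
    print("round trip ok:", demo())
```

The point to take from the tampering check is that the client never trusts the public key inside the certificate until the CA's signature over the whole field set has been verified with a CA public key it already holds; changing any field, even the subject name alone, makes verify_certificate return "tampered" and the handshake stops before a session key is ever sent.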

Origin blog.csdn.net/qq_43665602/article/details/131733583