HTTP and HTTPS protocol specification

Copyright: gitboy https://blog.csdn.net/weixin_40160543/article/details/89607989

HTTP is an object-oriented protocol belonging to the application layer; because of its simple and fast way of working it is suited to distributed hypermedia information systems. It was proposed in 1990 and, after several years of use and development, has been continuously improved and extended. The WWW currently uses the sixth version of HTTP/1.0; standardization work on HTTP/1.1 is underway, and HTTP-NG (Next Generation of HTTP) recommendations have been proposed.

The main characteristics of the HTTP protocol can be summarized as follows:

1. Supports the client/server model.

2. Simple and fast: when a client requests a service from the server, it only needs to send the request method and path. Commonly used request methods are GET, HEAD and POST; each method specifies a different kind of contact between client and server. Because the HTTP protocol is simple, the HTTP server program is small, so communication is very fast.

3. Flexible: HTTP allows the transmission of any type of data object. The type being transmitted is marked by Content-Type.

4. Connectionless: connectionless means that each connection handles only one request. After the server has processed the client's request and received the client's acknowledgement, it disconnects. This saves transmission time.

5. Stateless: HTTP is a stateless protocol. Stateless means the protocol keeps no memory of transaction processing. The lack of state means that if later processing needs earlier information, that information must be retransmitted, which may increase the amount of data sent on each connection. On the other hand, when earlier information is not needed, the server responds faster.

 

 

I. HTTP protocol in detail: the URL

HTTP (hypertext transfer protocol) is a request/response based, stateless application layer protocol, usually running over a TCP connection; the HTTP/1.1 release introduced a persistent connection mechanism. Most Web development and Web applications are built on top of the HTTP protocol.

 

An HTTP URL (a URL is a special type of URI that contains enough information to locate a resource) has the following format:

http://host[":"port][abs_path]

http means that the network resource is located via the HTTP protocol; host is a legal Internet host domain name or IP address; port specifies a port number, and if it is empty the default port 80 is used; abs_path specifies the URI of the requested resource. If the URL does not give an abs_path, then when it is used as a Request-URI it must be given in the form "/"; the browser usually completes this for us automatically.

eg:

1. Enter: www.guet.edu.cn

The browser automatically converts it to: http://www.guet.edu.cn/

2. http://192.168.0.116:8080/index.jsp

 

 

II. HTTP protocol in detail: the request

An HTTP request consists of three parts: the request line, the message headers and the request body

 

1. The request line begins with a method token, followed by the Request-URI and the protocol version, separated by spaces, in the following format: Method Request-URI HTTP-Version CRLF

Here Method is the request method; Request-URI is a uniform resource identifier; HTTP-Version is the version of the HTTP protocol being requested; CRLF is carriage return plus line feed (apart from the CRLF that ends the line, a lone CR or LF character is not allowed).

 

The request methods (all methods are in uppercase) and the meaning of each are as follows:

GET requests the resource identified by the Request-URI

POST appends new data to the resource identified by the Request-URI

HEAD requests the response message headers for the resource identified by the Request-URI

PUT requests that the server store a resource, using the Request-URI as its identifier

DELETE requests that the server delete the resource identified by the Request-URI

TRACE requests that the server send back the request message it received, mainly used for testing or diagnosis

CONNECT reserved for future use

OPTIONS requests information about the server's capabilities, or about the options and requirements related to a resource

Application examples:

GET method: when you enter a URL in the browser address bar, the browser uses the GET method to request the resource from the server, eg: GET /form.html HTTP/1.1 (CRLF)

 

The POST method requires the server to accept the data attached after the request; it is commonly used for submitting forms.

eg: POST /reg.jsp HTTP/ (CRLF)

Accept:image/gif,image/x-xbit,... (CRLF)

...

HOST:www.guet.edu.cn (CRLF)

Content-Length:22 (CRLF)

Connection:Keep-Alive (CRLF)

Cache-Control:no-cache (CRLF)

(CRLF) // this blank line (CRLF only) marks the end of the message headers

user=jeffrey&pwd=1234 // everything below the blank line is the submitted data

 

The HEAD method is almost identical to GET; in the response to a HEAD request, the information in the HTTP headers is the same as would be obtained with a GET request. With this method, information about the resource identified by the Request-URI can be obtained without transferring the resource content. It is commonly used to test the validity of a hyperlink, whether it can be accessed, and whether it has recently been updated.

2. The request headers are described in the message headers section below

3. The request body (omitted)

 

 

III. HTTP protocol in detail: the response

After receiving and interpreting a request message, the server returns an HTTP response message.

An HTTP response consists of three parts: the status line, the message headers and the response body

1. The status line has the form:

HTTP-Version Status-Code Reason-Phrase CRLF

Here HTTP-Version is the version of the HTTP protocol used by the server; Status-Code is the response status code sent back by the server; Reason-Phrase is a textual description of the status code.

The status code consists of three digits; the first digit defines the category of the response and has five possible values:

1xx: Informational - the request has been received, processing continues

2xx: Success - the request has been successfully received, understood and accepted

3xx: Redirection - further action must be taken to fulfil the request

4xx: Client Error - the request has a syntax error or cannot be fulfilled

5xx: Server Error - the server failed to fulfil a legitimate request

Common status codes, with status description and explanation:

200 OK // client request was successful

400 Bad Request // the client request has a syntax error and cannot be understood by the server

401 Unauthorized // the request is unauthorized; this status code must be used together with the WWW-Authenticate header field

403 Forbidden // the server received the request but refuses to provide the service

404 Not Found // the requested resource does not exist, eg: a wrong URL was entered

500 Internal Server Error // an unexpected error occurred on the server

503 Server Unavailable // the server is currently unable to process the client's request and may return to normal after a period of time

eg: HTTP/1.1 200 OK (CRLF)

 

2. The response headers are described in the message headers section below

3. The response body is the resource content returned by the server

 

 

IV. HTTP protocol in detail: message headers

HTTP messages consist of requests from the client to the server and responses from the server to the client. Both request and response messages are composed of a start line (for a request message the start line is the request line; for a response message it is the status line), message headers (optional), a blank line (containing only CRLF) and a message body (optional).

HTTP message headers include general headers, request headers, response headers and entity headers.

Each header field consists of name + ":" + space + value; header field names are case-insensitive.
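The message layout described above (start line, header fields, blank line, body) together with the CRLF rule of Part II and the status categories of Part III, as a small strict parser. This is an added example, not code from the original post; the sample request and response are constructed.

```python
"""HTTP/1.x message parser for the layout described above (added example, not from the
original post). Enforces a three-part start line with no bare CR or LF, header fields as
name ":" value with case-insensitive names, Host for HTTP/1.1 requests, Content-Length."""
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class HttpMessage:
    kind: str          # "request" or "response"
    start: tuple       # (Method, Request-URI, HTTP-Version) or (HTTP-Version, Status-Code, Reason-Phrase)
    headers: dict = field(default_factory=dict)   # lower-cased field name -> value
    body: bytes = b""

    def header(self, name, default=None):
        return self.headers.get(name.lower(), default)

    @property
    def status_class(self):
        """First digit of the status code (1 informational, 2 success, 3 redirection,
        4 client error, 5 server error); None for a request."""
        return int(self.start[1]) // 100 if self.kind == "response" else None


def parse_start_line(line):
    if b"\r" in line or b"\n" in line:
        raise ValueError("bare CR or LF inside the start line")
    parts = line.decode("ascii").split(" ", 2)
    if len(parts) != 3:
        raise ValueError("start line must have three space-separated parts")
    if parts[0].startswith("HTTP/"):                     # status line of a response
        version, code, reason = parts
        if not (code.isdigit() and len(code) == 3):
            raise ValueError("status code must be three digits")
        return "response", (version, code, reason)
    method, uri, version = parts                         # request line
    if not (method.isalpha() and method.isupper()) or not version.startswith("HTTP/"):
        raise ValueError("malformed request line")
    return "request", (method, uri, version)


def parse_message(raw):
    """Parse one complete message from bytes; raise ValueError on anything malformed."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.split(CRLF)
    kind, start = parse_start_line(lines[0])
    headers = {}
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR or LF inside a header field")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip() or b" " in name.strip():
            raise ValueError("malformed header field: %r" % line)
        key = name.strip().decode("ascii").lower()
        value = value.strip().decode("latin-1")
        if key == "content-length" and key in headers:
            raise ValueError("duplicate Content-Length is ambiguous")
        headers[key] = value if key not in headers else headers[key] + ", " + value
    if kind == "request" and start[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without the required Host header")
    msg = HttpMessage(kind, start, headers)
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError("Content-Length must be a decimal number")
        if len(rest) < int(length):
            raise ValueError("body shorter than Content-Length")
        msg.body = rest[: int(length)]
    return msg


# Constructed sample messages modelled on the examples in the text (not captured traffic).
SAMPLE_REQUEST = (b"POST /reg.jsp HTTP/1.1\r\nHost: www.guet.edu.cn\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 21\r\n\r\nuser=jeffrey&pwd=1234")
SAMPLE_RESPONSE = (b"HTTP/1.1 404 Not Found\r\nDate: Thu, 08 Mar 2007 07:50:50 GMT\r\n"
                   b"Content-Type: text/html\r\nContent-Length: 9\r\n\r\nnot found")
```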

 

1. General headers

General headers contain a few header fields that apply to both request and response messages; they apply only to the message being transmitted, not to the entity being transmitted.

eg:

Cache-Control is used to specify caching directives. The directives are unidirectional (a directive present in the response will not necessarily appear in the request) and independent (a directive in one message does not affect the caching mechanism of another message); the similar header field used in HTTP/1.0 is Pragma.

Request cache directives include: no-cache (indicates that the request or response message must not be cached), no-store, max-age, max-stale, min-fresh, only-if-cached;

Response cache directives include: public, private, no-cache, no-store, no-transform, must-revalidate, proxy-revalidate, max-age, s-maxage.

eg: To tell the IE browser (client) not to cache a page, the server-side JSP program can be written as: response.setHeader("Cache-Control", "no-cache");

// response.setHeader("Pragma", "no-cache"); has the same effect as the code above; the two are usually used together

This code sets the following general header field in the response message that is sent: Cache-Control: no-cache

 

 

The Date general header field indicates the date and time the message was generated

The Connection general header field allows options specific to the connection to be sent. For example, it can specify a persistent connection, or the "close" option, which tells the server to close the connection once the response is complete

 

2. Request headers

Request headers allow the client to pass additional information about the request, as well as information about the client itself, to the server.

Common request headers

Accept

The Accept request header field specifies which types of information the client accepts. eg: Accept: image/gif indicates that the client wishes to receive resources in GIF image format; Accept: text/html indicates that the client wishes to receive HTML text.

Accept-Charset

The Accept-Charset request header field specifies the character sets accepted by the client. eg: Accept-Charset: iso-8859-1, gb2312. If this field is not set in the request message, any character set is acceptable by default.

Accept-Encoding

The Accept-Encoding request header field is similar to Accept, but it specifies the acceptable content encodings. eg: Accept-Encoding: gzip, deflate. If this field is not set in the request message, the server assumes that the client accepts all content encodings.

Accept-Language

The Accept-Language request header field is similar to Accept, but it specifies natural languages. eg: Accept-Language: zh-cn. If this field is not set in the request message headers, the server assumes that the client accepts any language.

Authorization

The Authorization request header field is mainly used to prove that the client has permission to view a resource. When a browser accesses a page and receives a 401 (Unauthorized) response code from the server, it may send a request containing the Authorization header field, asking the server to verify it.

Host (this header field is required when sending a request)

The Host request header field mainly specifies the Internet host and port number of the requested resource; it is usually extracted from the HTTP URL, eg:

We enter in the browser: http://www.guet.edu.cn/index.html

The request message sent by the browser will contain the Host request header field, as follows:

Host: www.guet.edu.cn

Here the default port number 80 is used; if a port number is specified, it becomes: Host: www.guet.edu.cn:<specified port number>

User-Agent

When we log in to Internet forums, we often see a welcome message listing the name and version of our operating system and the name and version of the browser we use; many people find this magical, but in fact the server application obtains this information from the User-Agent request header field. The User-Agent request header field allows the client to tell the server its operating system, browser and other attributes. However, this header field is not required; if we write a browser ourselves and do not send the User-Agent request header field, the server will not be able to know these details about us.

Example request header:

GET /form.html HTTP/1.1 (CRLF)

Accept:image/gif,image/x-xbitmap,image/jpeg,application/x-shockwave-flash,application/vnd.ms-excel,application/vnd.ms-powerpoint,application/msword,*/* (CRLF)

Accept-Language:zh-cn (CRLF)

Accept-Encoding:gzip,deflate (CRLF)

If-Modified-Since:Wed,05 Jan 2007 11:21:25 GMT (CRLF)

If-None-Match:W/"80b1a4c018f3c41:8317" (CRLF)

User-Agent:Mozilla/4.0(compatible;MSIE6.0;Windows NT 5.0) (CRLF)

Host:www.guet.edu.cn (CRLF)

Connection:Keep-Alive (CRLF)

(CRLF)

 

3. Response headers

Response headers allow the server to pass additional information that cannot be placed in the status line, as well as information about the server and about further access to the resource identified by the Request-URI.

Common response headers

Location

The Location response header field is used to redirect the recipient to a new location. It is often used when a domain name has changed.

Server

The Server response header field contains information about the software the server used to process the request. It corresponds to the User-Agent request header field. Here is an example of a Server response header field:

Server:Apache-Coyote/1.1

WWW-Authenticate

The WWW-Authenticate response header field must be included in a 401 (Unauthorized) response message. When the client receives a 401 response message and then sends a request containing the Authorization header field, asking the server to verify it, the server's response headers contain this field.

eg: WWW-Authenticate: Basic realm="Basic Auth Test!" // it can be seen that the server uses the Basic authentication mechanism for the requested resource.

 

 

4. Entity headers

Request and response messages may both carry an entity. An entity consists of entity header fields and an entity body, but this does not mean that the entity header fields and the entity body must be sent together; the entity header fields alone may be sent. The entity headers define meta-information about the entity body (eg: whether there is an entity body) and about the resource identified by the request.

Common entity headers

Content-Encoding

The Content-Encoding entity header field is used as a modifier of the media type; its value indicates the additional content encodings that have been applied to the entity body, so the corresponding decoding mechanism must be applied to obtain the media type referenced by the Content-Type header field. Content-Encoding is thus used to record the compression method of a document, eg: Content-Encoding: gzip

Content-Language

The Content-Language entity header field describes the natural language used by the resource. If this field is not set, the entity content is considered available to readers of all languages. eg: Content-Language: da

Content-Length

The Content-Length entity header field indicates the length of the entity body, expressed as a decimal number of bytes.

Content-Type

The Content-Type entity header field indicates to the recipient the media type of the entity body. eg:

Content-Type:text/html;charset=ISO-8859-1

Content-Type:text/html;charset=GB2312

Last-Modified

The Last-Modified entity header field indicates the date and time at which the resource was last modified.

Expires

The Expires entity header field gives the date and time at which the response expires. To let a proxy server or browser refresh its cached copy of a page after a period of time (when a previously visited page is accessed again it is loaded directly from the cache, which shortens the response time and reduces server load), we can use the Expires entity header field to specify when the page expires. eg: Expires: Thu, 15 Sep 2006 16:23:12 GMT

HTTP/1.1 clients and caches must treat any other invalid date format (including 0) as already expired. eg: to prevent the browser from caching a page, we can also use the Expires entity header field set to 0; the JSP program is as follows: response.setDateHeader("Expires", 0);
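The Cache-Control directives from section 1 above and the Expires rule just stated (an invalid date such as 0 means already expired, max-age takes precedence over Expires) as a freshness decision a cache would make. Added example, not code from the original post; the header sets are constructed from the text's own examples.

```python
"""Cache freshness check for the Cache-Control and Expires rules quoted above (added
example, not from the original post). Headers are a dict of field name -> value;
`now` is a timezone-aware datetime."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def utc(*args):
    """Shorthand for an aware UTC datetime, e.g. utc(2006, 9, 15, 16, 10)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_cache_control(value):
    """'private, max-age=60' -> {'private': None, 'max-age': '60'} (names lower-cased)."""
    directives = {}
    for item in value.split(","):
        item = item.strip()
        if item:
            name, eq, arg = item.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if eq else None
    return directives


def parse_http_date(value):
    """UTC datetime for an RFC 1123 date, or None for any invalid date such as 'Expires: 0'
    (HTTP/1.1 requires clients and caches to treat those as already expired)."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_fresh(headers, now, shared=False):
    """True if the stored response may be reused at time `now` without revalidation.
    `shared=True` models a proxy cache, which must not reuse a `private` response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc or h.get("pragma", "").lower() == "no-cache":
        return False
    if shared and "private" in cc:
        return False
    date = parse_http_date(h.get("date", "")) or now   # age is counted from Date
    if "max-age" in cc:                                 # max-age overrides Expires
        try:
            max_age = int(cc["max-age"])
        except (TypeError, ValueError):
            return False
        return now < date + timedelta(seconds=max_age)
    expires = parse_http_date(h["expires"]) if "expires" in h else None
    return expires is not None and now < expires      # no freshness info -> revalidate


# Constructed header sets, modelled on the examples in the text.
NO_CACHE = {"Cache-Control": "no-cache", "Pragma": "no-cache"}   # the JSP setHeader example
EXPIRES_ZERO = {"Expires": "0"}                                 # setDateHeader("Expires", 0)
EXPIRES_2006 = {"Date": "Thu, 15 Sep 2006 16:00:00 GMT",
                "Expires": "Thu, 15 Sep 2006 16:23:12 GMT"}
PRIVATE_60 = {"Date": "Thu, 08 Mar 2007 07:17:51 GMT",
              "Cache-Control": "private, max-age=60"}
```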

 

 

V. Using telnet to observe the HTTP protocol communication process

Purpose and principle:

Using the MS telnet tool, an HTTP request message is entered by hand and sent to the server; after the server receives and interprets the request, it returns a response, which is displayed in the telnet window. This gives a concrete sense of the HTTP protocol communication process and deepens understanding of it.

 

Experimental procedure:

1. Open telnet

1.1 Open telnet

Run -> cmd -> telnet

1.2 Turn on telnet local echo

set localecho

 

2. Connect to the server and send a request

2.1 open www.guet.edu.cn 80 // note: the port number cannot be omitted

HEAD /index.asp HTTP/1.0

Host: www.guet.edu.cn

/* We can change the request method to request the content of the GUET home page; type the message as follows */

open www.guet.edu.cn 80

GET /index.asp HTTP/1.0 // request the resource content

Host: www.guet.edu.cn

2.2 open www.sina.com.cn 80 // or type telnet www.sina.com.cn 80 directly at the command prompt

HEAD /index.asp HTTP/1.0

Host: www.sina.com.cn

 

3. Results:

3.1 Response obtained for request 2.1:

HTTP/1.1 200 OK // request was successful

Server: Microsoft-IIS/5.0 // web server

Date: Thu, 08 Mar 2007 07:17:51 GMT

Connection: Keep-Alive

Content-Length: 23330

Content-Type: text/html

Expries: Thu,08 Mar 2007 07:16:51 GMT

Set-Cookie: ASPSESSIONIDQAQBQQQB=BEJCDGKADEDJKLKKAJEOIMMH; path=/

Cache-control: private

 

// resource content omitted

 

3.2 Response obtained for request 2.2:

HTTP/1.0 404 Not Found // request failed

Date: Thu, 08 Mar 2007 07:50:50 GMT

Server: Apache/2.0.54 <Unix>

Last-Modified: Thu, 30 Nov 2006 11:35:41 GMT

ETag: "6277a-415-e7c76980"

Accept-Ranges: bytes

X-Powered-By: mod_xlayout_jh/0.0.1vhs.markII.remix

Vary: Accept-Encoding

Content-Type: text/html

X-Cache: MISS from zjm152-78.sina.com.cn

Via: 1.0 zjm152-78.sina.com.cn:80<squid/2.6.STABLES-20061207>

X-Cache: MISS from th-143.sina.com.cn

Connection: close

 

 

Lost connection with host

 

Press any key to continue ...

 

4. Notes: 1. If the input contains an error, the request will not succeed.

2. Header fields are not case-sensitive.

3. For a deeper understanding of the HTTP protocol, see RFC 2616; the file can be found at http://www.ietf.org/rfc.

4. Back-end developers must master the HTTP protocol.
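The telnet exchange above replayed offline: a minimal HTTP/1.0 server on the loopback interface (constructed, standing in for www.guet.edu.cn) answers the same HEAD and GET request bytes that were typed into telnet, returning headers only for HEAD and closing the connection as telnet's "Lost connection with host" shows. Added example, not code from the original post.

```python
"""Offline replay of the telnet experiment above (added example, not from the original
post): a minimal HTTP/1.0 server on the loopback interface stands in for
www.guet.edu.cn and answers the same request bytes that were typed into telnet.
Its responses are constructed, not captured from the real site."""
import socket
import threading

CRLF = b"\r\n"
PAGE = b"<html><body>constructed home page</body></html>"   # stands in for /index.asp


def build_request(method, path, host, version="HTTP/1.0"):
    """Exactly what was typed into telnet: request line, Host header, blank line."""
    return f"{method} {path} {version}\r\nHost: {host}\r\n\r\n".encode("ascii")


def respond(request_line):
    """Status, body and headers-only flag for one request line (HEAD = headers only)."""
    try:
        method, path, _version = request_line.decode("ascii").split(" ", 2)
    except ValueError:
        return "400 Bad Request", b"", False
    if method not in ("GET", "HEAD"):
        return "501 Not Implemented", b"", False
    found = path == "/index.asp"
    body = PAGE if found else b"<html>not found</html>"
    return ("200 OK" if found else "404 Not Found"), body, method == "HEAD"


def serve_one(listener):
    """Accept a single connection, answer it and close (Connection: close, which telnet
    reports as 'Lost connection with host')."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while CRLF * 2 not in data:             # read until the blank line ends the headers
            chunk = conn.recv(4096)
            if not chunk:
                return
            data += chunk
        status, body, head_only = respond(data.split(CRLF)[0])
        head = (f"HTTP/1.0 {status}\r\nServer: constructed-demo/0.1\r\n"
                f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
                f"Connection: close\r\n\r\n").encode("ascii")
        conn.sendall(head if head_only else head + body)


def exchange(method, path, host="www.guet.edu.cn"):
    """Run one request/response round trip; return (status line, headers, body)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    server.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(build_request(method, path, host))
        raw = b""
        while chunk := client.recv(4096):       # the server closes when it is done
            raw += chunk
    server.join()
    listener.close()
    head, _, body = raw.partition(CRLF * 2)
    status_line, *header_lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # field names are case-insensitive
    return status_line, headers, body
```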

 

HTTPS

HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer, or Hypertext Transfer Protocol Secure) is an HTTP channel whose goal is security; put simply, it is the secure version of HTTP, that is, HTTP with an SSL layer added. The security basis of HTTPS is SSL, so the details of the encryption are a matter for SSL. It is a URI scheme (an abstract identifier system) whose syntax is similar to the http: scheme, used for secure transmission of HTTP data. An https: URL indicates that HTTP is used, but HTTPS has a default port different from HTTP and an encryption/authentication layer (between HTTP and TCP). This system was originally developed by Netscape and built into its Netscape Navigator browser, providing an authenticated and encrypted communication method. It is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions.

The difference between HTTP and HTTPS

The Hypertext Transfer Protocol (HTTP) is used to transmit information between a Web browser and a web server. HTTP sends its content in plain text and provides no way to encrypt the data; if an attacker intercepts the messages transmitted between the Web browser and the web server, they can read the information directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers and passwords.

To address this shortcoming of HTTP, another protocol is needed: HTTPS, the Hypertext Transfer Protocol over Secure Sockets Layer. To secure data transmission, HTTPS adds the SSL protocol on top of HTTP; SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

The main differences between HTTPS and HTTP are the following four points:

1. The https protocol requires applying for a certificate from a CA; free certificates are rare, so a fee is generally required.

2. http is the hypertext transfer protocol and transmits information in the clear; https is a secure transport protocol with SSL encryption.

3. http and https use completely different connection methods and different ports: the former uses 80, the latter 443.

4. The http connection is very simple and stateless; HTTPS is a protocol constructed from SSL + HTTP that provides encrypted transmission and identity authentication, and is more secure than http.

Note: WeChat mini programs are restricted to the https protocol only, and search engines give priority to indexing and ranking https pages

 

HTTPS trusted hosts

With HTTPS, the server must apply to a CA (Certificate Authority) for a certificate of a type that proves the server's purpose. Only when the certificate is used for the corresponding server does the client trust that host. This is why all banking websites and applications make HTTPS a key part of their systems. The customer trusts the certificate and therefore trusts the host. In fact this is inefficient, but banks put more weight on security. It makes no sense for a server that provides services inside a LAN: whether the certificates used by LAN servers are self-issued or issued by a public CA, the clients are our own people, so LAN clients will certainly trust the server.

HTTPS communication: preventing data leakage and tampering

1. HTTPS in the general sense, that is, the server has a certificate.

a) The main purpose is to ensure that the server is the server it claims to be, the same as the first point above.

b) All communication between the server and the client is encrypted.

i. Specifically, the client generates a symmetric key and exchanges it with the server by means of the server's certificate; this is the handshake process in the general sense.

ii. All subsequent information exchanged is encrypted. Even if a third party intercepts it, it is meaningless to them because they do not have the key; naturally, tampering with it is pointless too.

2. In the few cases where clients have requirements placed on them, the client must also have a certificate.

a) Here the client certificate in fact expresses personal information in a similar way: in addition to a username/password, there is a CA-certified identity. Because a personal certificate generally cannot be imitated by someone else, this confirms identity more deeply.

b) Most professional editions of personal online banking work this way; specifically, the certificate may be stored on a USB drive (the so-called U Shield) as a carrier for a backup.

HTTPS: SSL

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication. TLS and SSL encrypt the network connection at the transport layer.

SSL (Secure Socket Layer) was developed by Netscape to protect the security of data transmitted over the Internet; it uses data encryption technology to ensure that data cannot be intercepted and eavesdropped on while in transit over the network. The generally used specification is the common 40-bit security standard; the United States has already introduced the higher 128-bit security standard, but with export restrictions. IE and Netscape browsers of version 3.0 and above support SSL.

The current version is 3.0. It is widely used for authentication and encrypted data transmission between Web browsers and servers.

The SSL protocol sits between TCP/IP and the various application layer protocols, providing security support for data communication. It can be divided into two layers. The SSL Record Protocol is built on a reliable transport protocol (e.g., TCP) and provides higher-level protocols with basic functions such as data encapsulation, compression and encryption. The SSL Handshake Protocol is built on top of the SSL Record Protocol and is used, before the actual data transmission begins, for the two communicating parties to authenticate each other, negotiate encryption algorithms, exchange encryption keys, and so on.

HTTPS: the main services provided by the SSL protocol

1) Authenticating the user and the server, ensuring that data is sent to the correct client and server

2) Encrypting data to prevent it from being stolen in transit

3) Maintaining data integrity, ensuring that data is not altered during transmission.

Workflow of the SSL protocol

Server authentication phase:

1) The client sends a "Hello" message to the server to start a new session connection;

2) Based on the client's information, the server determines whether a new master key needs to be generated; if so, the server's response to the client's "Hello" message will contain the information required to generate the master key;

3) The client generates a master key from the response information received from the server, encrypts it with the server's public key and sends it to the server;

4) The server recovers the master key and returns to the client a message authenticated with the master key, allowing the client to authenticate the server.

HTTPS user authentication phase

Before this, the server has passed client authentication; this phase mainly completes authentication of the client. The authenticated server sends a challenge to the client, and the client returns the (digitally) signed challenge together with its public key, thereby providing authentication to the server.
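The trust model described above (the client trusts the host because it trusts the certificate; in some cases the client must present a certificate too), seen from the client side with Python's ssl module. It shows the insecure shortcut often taken for LAN servers with self-signed certificates beside a hardened configuration that trusts only a chosen CA, checks the host name, requires TLS 1.2 or later (current practice rather than the SSL 3.0 the text describes), and can present a client certificate. Added example, not code from the original post; all file paths are placeholders.

```python
"""Client-side TLS configuration for the trust model described above (added example, not
from the original post). insecure_context() is the shortcut often taken for LAN servers
with self-signed certificates; hardened_context() trusts only a chosen CA, verifies the
host name, requires TLS 1.2+ and can present a client certificate. Paths are placeholders."""
import socket
import ssl


def insecure_context():
    """Verification off: any server holding any key can claim to be the host. Do not use;
    for a self-signed LAN server, pass its CA certificate to hardened_context() instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_file=None, client_cert=None, client_key=None):
    """Server authentication (CA chain + host name), a modern protocol floor, and optional
    client authentication for the 'client must also have a certificate' case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:                           # e.g. "/etc/ssl/lan-ca.pem" (placeholder path)
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()          # the platform's public CA store
    if client_cert:                       # e.g. "client.pem" / "client.key" (placeholders)
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx):
    """Which of the text's guarantees (server identity, protocol floor) a context enforces."""
    return {
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def https_head(host, path="/", port=443, ctx=None):
    """The HEAD request of the telnet section, over TLS on the HTTPS default port 443.
    Needs network access; returns (negotiated protocol version, status line)."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # handshake + certificate check
            tls.sendall(f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            version = tls.version()
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
    return version, data.split(b"\r\n")[0].decode("ascii", "replace")
```

With the insecure context the handshake succeeds against any certificate, so the "trust the certificate, therefore trust the host" step from the text never happens; the audit function makes that difference visible before any connection is made.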

From the services provided by the SSL protocol and its workflow it can be seen that the basis on which SSL operates is the merchant's commitment to keep consumer information confidential, which favours the merchant over the consumer. In the initial stage of e-commerce, since most companies running e-commerce were large companies with high credibility, this problem was not fully exposed. But as e-commerce developed and small and medium companies also became involved, the problem of one-sided authentication in the electronic payment process became more and more prominent. Although SSL 3.0 can achieve mutual authentication between the browser and the Web server through digital signatures and digital certificates, the SSL protocol still has problems: for example, it can only provide authentication between the two parties to a transaction, the client and the server, and in electronic transactions involving multiple parties it cannot coordinate secure transmission and trust between all of them. In this situation, Visa and MasterCard, the two credit card organizations, developed the SET protocol to provide a global standard for online credit card payments.
