HTTP Quick Start

I have recently been working on migrating Squid to Envoy, which involves a lot of HTTP. I am taking the opportunity to study it in more depth; the proxy-related material has been summarized separately.

Introduction

A very good tutorial that explains every part in detail: MDN web docs: HTTP

A quick pass over the basics: HTTP Crash Course & Exploration. The typical HTTP/1.x message format is a start line (for a request: method, request target, protocol version), one line per header field, an empty line, and then an optional body whose length is framed by Content-Length or Transfer-Encoding:

METHOD PATH PROTOCOL
HEADERS

BODY
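As an added example (not code from the original post), here is a strict Python parser for that layout. It goes a little beyond the four-line sketch: it frames the body by Content-Length or chunked Transfer-Encoding, and it refuses the ambiguous inputs (both framing headers present, two differing Content-Length values, obsolete line folding) that let two parsers in a chain, such as a proxy like Squid or Envoy and the origin behind it, disagree about where one request ends and the next begins. The sample requests are constructed for illustration.

```python
import re

# Added example, not code from the original post: a strict parser for the
# "request line / headers / blank line / body" layout shown above.  Sample
# requests passed to it are constructed for illustration.

class HTTPParseError(ValueError):
    """Raised for any message this parser refuses."""

TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 "token"
VERSION = re.compile(rb"^HTTP/1\.[01]$")
HEX = re.compile(rb"^[0-9A-Fa-f]+$")

def decode_chunked(data):
    """Decode a Transfer-Encoding: chunked body; return (body, bytes consumed)."""
    body, pos = b"", 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise HTTPParseError("incomplete chunk-size line")
        size_field = data[pos:end].split(b";")[0].strip()   # ignore chunk extensions
        if not HEX.match(size_field):
            raise HTTPParseError("bad chunk size")
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":
                raise HTTPParseError("trailer fields are not accepted")
            return body, pos + 2
        if len(data) < pos + size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise HTTPParseError("incomplete or malformed chunk")
        body += data[pos:pos + size]
        pos += size + 2

def parse_request(raw):
    """Parse one HTTP/1.x request; return a dict with method, target, version,
    (lower-cased name, value) headers, body and any bytes left after the body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HTTPParseError("headers not terminated by an empty line")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if (len(parts) != 3 or not TOKEN.match(parts[0]) or not parts[1]
            or not parts[1].isascii() or not VERSION.match(parts[2])):
        raise HTTPParseError("malformed request line")
    method, target, version = (p.decode("ascii") for p in parts)
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):                   # obs-fold: ambiguous, refuse
            raise HTTPParseError("obsolete line folding is rejected")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):          # also rejects "Host : x"
            raise HTTPParseError("malformed header line")
        headers.append((name.decode("ascii").lower(), value.strip(b" \t").decode("latin-1")))
    # Body framing. Trusting both Content-Length and Transfer-Encoding, or picking
    # one of two differing Content-Length values, is how a front-end and a back-end
    # parser end up disagreeing (HTTP request smuggling), so refuse outright.
    lengths = [v for n, v in headers if n == "content-length"]
    codings = [v.lower() for n, v in headers if n == "transfer-encoding"]
    if lengths and codings:
        raise HTTPParseError("both Content-Length and Transfer-Encoding present")
    if codings:
        if codings != ["chunked"]:
            raise HTTPParseError("unsupported Transfer-Encoding")
        body, used = decode_chunked(rest)
    else:
        if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
            raise HTTPParseError("invalid or conflicting Content-Length")
        used = int(lengths[0]) if lengths else 0
        if len(rest) < used:
            raise HTTPParseError("body shorter than Content-Length")
        body = rest[:used]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "leftover": rest[used:]}

def accepts(raw):
    """True if parse_request accepts the message, False if it refuses it."""
    try:
        parse_request(raw)
        return True
    except HTTPParseError:
        return False
```

The `leftover` field matters on a keep-alive connection: whatever follows the framed body is the start of the next request, which is exactly the byte boundary that smuggling attacks try to shift.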

HTTP status code:

  • 1xx, informational
  • 2xx, success
  • 3xx, redirect
  • 4xx, client error
  • 5xx, server error

HTTP/2 is faster and more efficient: binary framing, header compression, and request/response multiplexing over a single connection. Browsers only speak HTTP/2 over TLS, which is why it is often described as more secure in practice.

Other Tools

  1. httpbin: A simple HTTP/HTTPS Request & Response Service.
  2. ip4.me: check your public IPv4 address.
  3. noip.com: free hostname + domain <-> public IP mapping. To make that hostname reach a service on your laptop behind the router's public IP, the router must be configured to forward that traffic to the laptop's port (port forwarding).

CONNECT Method

CONNECT is mainly used to establish a tunnel. Tunneling can allow communication using a protocol that normally wouldn't be supported on the restricted network. A tunnel is only a channel; it can carry whatever protocol the two endpoints agree on, and a tunnel does not have to be SSL/TLS. For example, when you reach a server through a forward proxy over HTTPS, and the proxy is an honest intermediary, it cannot read the encrypted traffic, so it cannot inspect and reassemble the messages the way it does for plain HTTP. The client therefore sends a CONNECT request, and the proxy sets up a tunnel through which the client and the server talk to each other. Note what the proxy still sees: the host:port in the CONNECT request line (and the server name in the TLS ClientHello, if it cares to look), which is what it uses for its access-control decision; only the bytes inside the tunnel are opaque to it.

–>> When should one use CONNECT: With SSL (HTTPS), only the two remote end-points understand the requests, and the proxy cannot decipher them. Hence, all it does is open that tunnel using CONNECT, and lets the two end-points (webserver and client) talk to each other directly.

–>> MDN web docs: CONNECT: Some proxy servers might need authority to create a tunnel. See also the Proxy-Authorization header.

For example, the CONNECT method can be used to access websites that use SSL (HTTPS). The client asks an HTTP Proxy server to tunnel the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the Proxy server continues to proxy the TCP stream to and from the client.

This article is very good: –>> MDN web docs: proxy servers and tunneling: There are two types of proxies: forward proxies (or tunnel, or gateway) and reverse proxies (used to control and protect access to a server for load-balancing, authentication, decryption or caching).

Forward proxies can hide the identities of clients whereas reverse proxies can hide the identities of servers.

The HTTP protocol specifies a request method called CONNECT. It starts two-way communications with the requested resource and can be used to open a tunnel. This is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS, port 443). Note, however, that not all proxy servers support the CONNECT method or limit it to port 443 only.
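The exchange described above, as an added example that is not part of the original post nor code from Squid or Envoy: a tiny CONNECT proxy in Python with a port allow-list (the "limit it to port 443 only" behaviour just mentioned), exercised end to end in one process against an echo server standing in for the origin. Host addresses and ports are loopback and chosen at runtime; the tunnel carries plain bytes here, where in real use it would carry the client's TLS handshake and everything after it.

```python
import contextlib
import socket
import threading

# Added example, not code from the original post nor from Squid or Envoy: a minimal
# CONNECT tunnel proxy with a port allow-list, exercised against an in-process echo
# "origin" on loopback. Addresses are loopback and ports are chosen at runtime.

def parse_connect(head):
    """Return (host, port) from a CONNECT request head, or None if malformed."""
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")        # authority form: host:port
    if not sep or not host or not host.isascii() or not port.isdigit():
        return None
    return host.strip(b"[]").decode("ascii"), int(port)   # tolerate [v6]:port

def pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def recv_until(sock, marker, limit=8192):
    """Read until marker; return (before, after), or (None, buf) on EOF / oversize head."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            return None, buf
        buf += chunk
    head, _, rest = buf.partition(marker)
    return head, rest

def handle_connect(conn, allowed_ports):
    """Serve one client: validate CONNECT, enforce the port allow-list, then tunnel."""
    with conn:
        head, early = recv_until(conn, b"\r\n\r\n")
        target = parse_connect(head) if head is not None else None
        if target is None:
            return conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        host, port = target
        if port not in allowed_ports:                  # cf. Squid's SSL_ports ACL
            return conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        try:
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            return conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        with upstream:
            upstream.settimeout(None)
            conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            if early:                                  # bytes sent before our 200
                upstream.sendall(early)
            t = threading.Thread(target=pump, args=(upstream, conn), daemon=True)
            t.start()
            pump(conn, upstream)        # from here on the proxy is a blind byte pipe
            t.join()

def listen_loopback():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def serve_echo_once(listener):
    """Stand-in origin: echo one connection's bytes back, then exit."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        pump(conn, conn)

def tunnel_once(payload, allow_target=True):
    """Client walk-through: CONNECT through the proxy, then exchange payload with the origin."""
    origin, proxy = listen_loopback(), listen_loopback()
    origin_port, proxy_port = origin.getsockname()[1], proxy.getsockname()[1]
    allowed = {origin_port} if allow_target else set()
    threading.Thread(target=serve_echo_once, args=(origin,), daemon=True).start()
    def proxy_once():
        conn, _ = proxy.accept()
        proxy.close()
        handle_connect(conn, allowed)
    threading.Thread(target=proxy_once, daemon=True).start()
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as client:
        client.sendall(b"CONNECT 127.0.0.1:%d HTTP/1.1\r\nHost: 127.0.0.1:%d\r\n\r\n"
                       % (origin_port, origin_port))
        status, rest = recv_until(client, b"\r\n\r\n")
        status_line = status.split(b"\r\n")[0].decode("ascii") if status else ""
        if not status_line.startswith("HTTP/1.1 200"):
            return status_line, b""                    # refused: nothing to tunnel
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)                # done sending; origin sees EOF
        echoed = rest
        while data := client.recv(4096):
            echoed += data
        return status_line, echoed
```

`tunnel_once(b"hello")` returns the proxy's status line and the bytes the origin echoed back through the tunnel; `tunnel_once(b"hello", allow_target=False)` shows the refusal path, where the proxy answers 403 without ever connecting upstream. The allow-list is the one real control a CONNECT proxy has: once it has written the 200 it forwards bytes blindly, so an open allow-list turns it into a generic TCP relay to anything it can reach.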

Basic Authentication

A note on the difference between authz and authn:

  • authz: authorization, what you are allowed to do.
  • authn: authentication, who you are.

HTTP Basic is an authn scheme, not authz: it establishes who the client claims to be, and what that identity may do is decided separately. https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication HTTP provides a general framework for access control and authentication. This page is an introduction to the HTTP framework for authentication, and shows how to restrict access to your server using the HTTP “Basic” schema.

Basic authentication is not secure by itself: the credentials are sent in clear text, merely base64-encoded, and base64 is an encoding, not encryption, so anyone who sees the header can recover them, for example:

echo <base64 string> | base64 --decode

Over HTTPS the whole request, Authorization header included, is encrypted on the wire, so a passive observer cannot read it; you can verify this locally with Wireshark. –>> Is BASIC-Auth secure if done over HTTPS? Two caveats remain even with TLS: the server, and any TLS-terminating proxy or load balancer in front of it, still receives the cleartext password on every request, so it must be stored only as a salted hash and kept out of logs; and the header must never be sent to a downgraded http:// URL, since that exposes it again.
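As an added example (not the original post's code), the client and server sides of Basic in Python: building the header, decoding it the way any on-path observer of plain HTTP could, and verifying it against a salted PBKDF2 record rather than a stored cleartext password. The `proxy=True` path produces the Proxy-Authenticate / 407 exchange a CONNECT proxy uses, which is the Proxy-Authorization header mentioned in the CONNECT section. User names, passwords, the realm and the iteration count are made up for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Added example, not code from the original post: client and server sides of
# HTTP Basic. User names, passwords and the realm below are made up.

def basic_header(user, password):
    """Client side: 'Basic ' + base64(user ':' password), per RFC 7617."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def decode_basic(header_value):
    """Recover (user, password) from an Authorization value, or None if it is not
    well-formed Basic. This is all an on-path observer of plain HTTP has to do."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(b":")        # password may contain ':'
    if not sep:
        return None
    try:
        return user.decode("utf-8"), password.decode("utf-8")
    except UnicodeDecodeError:
        return None

def make_record(password, iterations=100_000):
    """Server-side storage: a salted PBKDF2-SHA256 digest, never the cleartext.
    The iteration count is illustrative; tune it to your hardware."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def check_password(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])    # constant-time compare

_DUMMY = make_record("not-a-real-password")   # equalises timing for unknown users

def authenticate(headers, users, realm="notes", proxy=False):
    """Server side. Returns (status, extra response headers, user or None).
    proxy=True selects the Proxy-Authorization / 407 pair a CONNECT proxy uses."""
    field = "proxy-authorization" if proxy else "authorization"
    value = next((v for n, v in headers.items() if n.lower() == field), None)
    creds = decode_basic(value) if value else None
    if creds is not None:
        user, password = creds
        # unknown users are checked against the dummy record so response time
        # does not reveal whether the user name exists
        if check_password(users.get(user, _DUMMY), password) and user in users:
            return 200, {}, user
    challenge = 'Basic realm="%s", charset="UTF-8"' % realm
    if proxy:
        return 407, {"Proxy-Authenticate": challenge}, None
    return 401, {"WWW-Authenticate": challenge}, None
```

`decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==")` (the RFC 7617 example value) yields `("Aladdin", "open sesame")`, which is the whole point of the section: the encoding hides nothing. Note that `decode_basic` splits on the first colon only, because the user-id may not contain one but the password may.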
