
HTTP

jollyjagga
December 21, 2016


A high level overview of HTTP/1.1, HTTPS and HTTP/2 protocol.


Transcript

  1. A stateless, application layer protocol for communication between remote systems

     HTTP client: "Yo, GET lol-cats.jpeg"
     HTTP server: "Here you go"
  2. Methods: actions that the client wants to perform on a resource

     • OPTIONS: information about the communication options for a resource
     • GET
     • HEAD: only get the meta-information (headers) for a resource
     • POST
     • PUT
     • DELETE
     • TRACE: trace the message through proxy servers to the server
     • CONNECT: reserved method name
  3. Which method will you use?

     • Search API for products
     • Create a new product
     • Update product status
     • API to bulk update products
     • API which takes an order id workbook as input and returns an order details workbook
  4. Response

     HTTP/1.1 200 OK
     Date: Tue, 20 Dec 2016 06:19:11 GMT
     Content-Type: text/html; charset=utf-8
     Content-Length: 82210
     Connection: keep-alive
     Server: nginx/1.4.6 (Ubuntu)
     Set-Cookie: platform=WEB_SITE; Path=/
     x-request-id: effde9fe-dd1f-43ad-8bf3-6d2226075f72
     ETag: W/"14122-AilGmDfik0uMPEGEEmpsdw"
     Vary: Accept-Encoding
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Credentials: true
     Access-Control-Allow-Methods: GET, OPTIONS
     Access-Control-Max-Age: 1728000
     Access-Control-Allow-Headers:

     Parts labelled on the slide: version, status code, headers, body.
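A small parser for the response layout on this slide (status line, header block, body), added here as an example and not part of the deck. The sample response is constructed to mirror the slide with a shortened body; header names are lower-cased because they are case-insensitive, and the body is cut to Content-Length so that on a keep-alive connection the next response's bytes are not swallowed.

```python
import re

# Constructed sample modelled on the slide's response (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 20 Dec 2016 06:19:11 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 13\r\n"
    b"Connection: keep-alive\r\n"
    b"Set-Cookie: platform=WEB_SITE; Path=/\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"\r\n"
    b"<html></html>"
)

STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3}) ?(.*)$")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (version, status, reason, headers, body).

    Raises ValueError on a missing header terminator, a bad status line,
    a malformed header line, or a body shorter than Content-Length.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("bad status line: %r" % lines[0])
    version = "%s.%s" % (m.group(1).decode(), m.group(2).decode())
    status = int(m.group(3))
    reason = m.group(4).decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        # header names are case-insensitive, so normalise for lookup
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", len(rest)))
    if len(rest) < length:
        raise ValueError("body truncated: have %d of %d bytes" % (len(rest), length))
    # keep-alive: anything past Content-Length belongs to the next response
    return version, status, reason, headers, rest[:length]
```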
  5. Status Codes

     • 2XX Success: 200 OK, 201 Created, 202 Accepted, 204 No Content, 206 Partial Content
     • 3XX Redirection: 301 Moved Permanently, 302 Moved Temporarily, 304 Not Modified
     • 4XX Client Error: 400 Bad Request, 401 Unauthorised, 403 Forbidden, 404 Not Found, 405 Method Not Allowed
     • 5XX Server Error: 500 Internal Server Error, 503 Service Unavailable, 504 Gateway Timeout
  6. HTTP/1.0

     • Request may consist of multiple newline-separated header fields.
     • Response object is prefixed with a response status line.
     • Request and response are human-readable ASCII character strings.
     • Connection is terminated after the document transfer is complete.

     Simplicity
  7. TCP/IP Connection: 3-way handshake

     SYN, x = rand()
     SYN ACK, x+1, y = rand()
     ACK, x+1, y+1

     If it takes x ms to send a packet from client to server, it takes at least 2x ms to set up a connection.
  8. HTTP/1.1: version 1.1 added performance optimisations

     • Keep-alive connections
     • Chunked encoding: transfers dynamically generated content
     • Byte-range requests: partial files, streaming
     • Caching mechanisms: ETag, Cache-Control
  9. Security Problems with HTTP

     • Authentication: is the server actually what it claims to be?
     • Privacy: confidential data can be seen by packet sniffers
     • Integrity: is the data tampered with?
  10. Authentication: Chain of Trust

     “Hi, I am Bob”
     “Sorry, I don’t know you”
     “Oh, I am friends with Charles. Here, Charles gave me this”
     “Nice, any friend of Charles is my friend too”
  11. Certifying Authority and SSL Certificates

     • Operating systems and browsers are shipped with certificates of well-known Certifying Authorities (file:///System/Library/Security/Certificates.bundle/Contents/Resources/TrustStore.html)
     • Organisations buy SSL certificates which bind a domain name with the organisation’s identity
     • During the TLS handshake the server sends its certificate to the client, which the client validates using the well-known CA’s public key available locally
     • A valid certificate proves that the request is coming from the same domain name
  12. Encryption

     • As part of the TLS handshake, client and server agree on the secret key used for encryption

     Secret key exchange
  13. Message Authentication Code: MAC

     The TLS protocol also provides its own message framing mechanism and signs each message with a message authentication code (MAC). The MAC algorithm is a one-way cryptographic hash function (effectively a checksum), the keys to which are negotiated by both connection peers.
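To make the framing-plus-MAC idea concrete, here is a toy record layer added as an example (it is not TLS and not code from the deck): each record carries a sequence number and length that are covered by an HMAC, so a modified byte, a truncated record or a replayed record all fail verification. The key is a constructed constant; in TLS the MAC key is derived during the handshake.

```python
import hashlib
import hmac
import struct

MAC_KEY = bytes(range(32))   # constructed demo key; TLS derives this from the handshake
HEADER = struct.Struct("!QH")  # 8-byte sequence number, 2-byte payload length
TAG_LEN = hashlib.sha256().digest_size


def seal_record(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame one record as: sequence | length | payload | HMAC-SHA256 tag.

    The tag covers sequence number, length and payload, so none of them can
    be altered without being detected by the receiver.
    """
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for 16-bit length field")
    header = HEADER.pack(seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_record(key: bytes, expected_seq: int, record: bytes) -> bytes:
    """Verify a record produced by seal_record and return its payload.

    Raises ValueError on a short record, a length/size mismatch, a bad MAC or
    an unexpected sequence number (replay or reordering).
    """
    if len(record) < HEADER.size + TAG_LEN:
        raise ValueError("record too short")
    seq, length = HEADER.unpack(record[:HEADER.size])
    body_end = HEADER.size + length
    payload, tag = record[HEADER.size:body_end], record[body_end:]
    if len(tag) != TAG_LEN:
        raise ValueError("length field does not match record size")
    expected = hmac.new(key, record[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("MAC mismatch: record was modified")
    if seq != expected_seq:
        raise ValueError("unexpected sequence number: replay or reorder")
    return payload


def verifies(key: bytes, expected_seq: int, record: bytes) -> bool:
    """True if open_record accepts the record, False on any verification error."""
    try:
        open_record(key, expected_seq, record)
        return True
    except ValueError:
        return False
```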
  14. HTTP/2

     The primary goal of HTTP/2 is to reduce latency. It does this by:
     • Full request/response multiplexing
     • Efficient compression of HTTP headers
     • Request prioritisation
     • Server push

     HTTP/2 doesn’t need any changes at the application layer.
  15. Binary Framing Layer

     • Unlike the newline-delimited plaintext HTTP/1.x protocol, all HTTP/2 communication is split into smaller messages and frames, each of which is encoded in binary format.
     • Stream: a bidirectional flow of bytes within an established connection, which may carry one or more messages.
     • Message: a complete sequence of frames that map to a logical request or response message.
     • Frame: the smallest unit of communication in HTTP/2, each containing a frame header, which at a minimum identifies the stream to which the frame belongs.
  16. Single TCP connection

     (Figure: frames S1,D S1,H S2,H ... S3,H S3,H interleaved on one connection)
     • Client is concurrently sending data over stream 1 and stream 2
     • Server is sending data for stream 3
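An added example (not from the deck) of the 9-byte HTTP/2 frame header that slides 15 and 16 describe: 24-bit length, 8-bit type, 8-bit flags and a 31-bit stream id behind one reserved bit. Frames from several streams are written onto one byte string in the interleaved order of slide 16 and then pulled apart again by stream id. The frame payloads are constructed stand-ins, not HPACK-encoded headers.

```python
import struct
from collections import defaultdict

FRAME_HEADER_LEN = 9
DATA, HEADERS, PUSH_PROMISE = 0x0, 0x1, 0x5   # frame type codes
END_STREAM, END_HEADERS = 0x1, 0x4              # flag bits used below


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Build one frame: 3-byte length, 1-byte type, 1-byte flags, 4-byte stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 24-bit length field")
    if stream_id >> 31:
        raise ValueError("stream id must fit in 31 bits")
    length = struct.pack("!I", len(payload))[1:]      # low 3 bytes of a 32-bit int
    return length + bytes([ftype, flags]) + struct.pack("!I", stream_id) + payload


def decode_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        # top bit of the 32-bit field is reserved and must be ignored on receipt
        stream_id = struct.unpack("!I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        start, end = pos + FRAME_HEADER_LEN, pos + FRAME_HEADER_LEN + length
        if end > len(buf):
            raise ValueError("truncated frame on stream %d" % stream_id)
        yield ftype, flags, stream_id, buf[start:end]
        pos = end


def demultiplex(buf: bytes):
    """Regroup interleaved frames by stream id, as the receiving peer does."""
    streams = defaultdict(list)
    for ftype, _flags, sid, payload in decode_frames(buf):
        streams[sid].append((ftype, payload))
    return dict(streams)


# Constructed interleaving in the spirit of slide 16: client on streams 1 and 2,
# server replying on stream 3, all sharing one connection.
WIRE = b"".join([
    encode_frame(HEADERS, END_HEADERS, 1, b":method=GET :path=/page.html"),
    encode_frame(HEADERS, END_HEADERS, 2, b":method=GET :path=/script.js"),
    encode_frame(DATA, 0, 1, b"chunk-1"),
    encode_frame(HEADERS, END_HEADERS, 3, b":status=200"),
    encode_frame(DATA, END_STREAM, 3, b"<html></html>"),
])
```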
  17. Stream Prioritisation

     • Each stream may be assigned an integer weight between 1 and 256
     • Each stream may be given an explicit dependency on another stream
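The two rules on this slide decide how a server shares its capacity. The function below is an added illustration (not from the deck) of the resulting allocation: siblings split their parent's share in proportion to weight, and a stream with an explicit dependency gets nothing until the stream it depends on is closed. The priority tree and resource names are constructed for the example.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed priority tree: stream id -> (parent stream id, weight 1..256).
# Parent 0 is the connection root, i.e. "depends on nothing".
TREE = {
    1: (0, 16),   # /page.html
    3: (0, 8),    # /style.css, sibling of stream 1 at half its weight
    5: (1, 12),   # /script.js, explicitly dependent on stream 1
}


def resource_shares(tree, closed=frozenset()):
    """Return each open stream's fraction of the connection's resources.

    `closed` is the set of streams already finished; their share flows down
    to the streams that depend on them. Dependants of an open stream wait.
    """
    children = defaultdict(list)
    for sid, (parent, weight) in tree.items():
        if not 1 <= weight <= 256:
            raise ValueError("stream %d: weight %d outside 1..256" % (sid, weight))
        if parent != 0 and parent not in tree:
            raise ValueError("stream %d depends on unknown stream %d" % (sid, parent))
        children[parent].append(sid)

    shares = {}

    def allocate(sid, share):
        if sid != 0 and sid not in closed:
            shares[sid] = share          # an open stream keeps its whole share
            return
        kids = children[sid]             # root or closed stream: pass share down
        total = sum(tree[k][1] for k in kids)
        for k in kids:
            allocate(k, share * Fraction(tree[k][1], total))

    allocate(0, Fraction(1))
    return shares
```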
  18. Server Push

     (Figure: frames S2,P S1,F1 S1,F2 S4,P S1,FN)
     Stream 1: /page.html (client request)
     Stream 2: /script.js (push promise)
     Stream 4: /style.css (push promise)
  19. References

     • High Performance Browser Networking by Ilya Grigorik: https://hpbn.co/#toc
     • Wireshark: https://www.wireshark.org/
     • Updating curl for HTTP/2: https://simonecarletti.com/blog/2016/01/http2-curl-macosx/