HTTP

HTTP
!" #$%"r$"%&
'()%#'"*#+
,-(r#"r

1945 – THE MEMEX SYSTEM Microfilm management
1965 – HyperText Project Xanadu
1991 – HTTP 0.9 GET only
1996 – HTTP 1.0 Headers, MIME, …
1997 – HTTP 1.1 Flaw correction
1998 – HTTP-NG stopped
2015 – HTTP/2 RFC Publish date

What about HTTP-NG?
It was planned to replace HTTP-1.1…
Nah, HTTP-1.1 worked –
no one wanted to adapt
HTTP-NG and replace 1.1!
By now we don’t need it
anymore…

The Navigator
Berners-Lees’ “Biggest Mistake”
<scheme>://<user>:<password>@<host>:<port>
/<path>;<params>?<query>#<frag>

Small and safe alphabet
Readable by people
always complete
Encoding%20Bypasses%20limitations
Reserved Characters (most of them)
% / . .. # ? ; : $ , + @ & = { } | ^ [ ] ‘ < > “

Uniform resource name
stable name for an object
Persistend uRL
URN through URL
using a resource locator server
URN
PURL

Request
GET / HTTP/1.1
Host: www.namics.com
Accept: text/html
CLIENT Server
Response
HTTP/1.1 200 OK
Server: nginx/1.4.3
Content-Type: text/html;
Content-Length: 4323
GET / HTTP/1.1 Start line
Headers
Body
Host: www.namics.com [CRLF]
Accept: text/html [CRLF]
[CRLF]
HTTP/1.1 200 OK
Content-Type: text/html [CRLF]
Server: nginx/1.4.3 [CRLF]
[CRLF]
<html>…</html>
Plain ASCII
Plain ASCII

safe Methods
No action on server
GET
HEAD
PUT
POST
Patch
TRACE
Options
Delete
Message With
Body
Send data to server
HTTP/1.1 must implement this method
Inspect resource headers
Deposit data on server – inverse of get
Send input data for processing
Partially modify a resource
Echo back received message
Server capabilities
Delete a resource – not guaranteed

1xx 100-101 Informational
2xx 200-206 Successful
3xx 300-305 Redirection
4xx 400-415 Client error
5xx 500-505 Server error

You Should know the most important ones!
http://httpstatus.es
Statuses are primarily for agents (Browsers)
THE HTTP Protocol Version of the client
DetermineS HOW IT Processes STATUS CODES!

TRIVIA
Created Response also contains a Location Header
Multiple Choices Preferred URL in Location Header
Request Timeout Close the connection
Gone Resource one was on the server
Service currently unavailable
Motherfucking Snakes on the Motherfucking Plane
201
300
408
410
503
747

Everything is
Extendable
You may create your own headers, methods and status codes
You may not implement some methods or header logic

Headers are about Information
General Client and Server
Request Client Requests
Response Server Responses
Entity Describe Entity body
Extension Non-Standard

GENERAL Headers
Response Header from www.namics.com
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Mon, 13 Oct 2014 16:18:08 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Via: 1.1 varnish
Content-Type: text/html; charset=utf-8
X-Mod-Pagespeed: 1.6.29.7-3343
Vary: Accept-Encoding
X-Powered-By: Secret Namics rocket technology
X-Varnish: 1491545138 1491540973
Age: 1110

Request Headers
Request Header From Chrome
GET / HTTP/1.1
Host: namics.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5
Accept: text/html,application/xhtml+xml,application/xml;
q=0.9,image/webp,*/*;q=0.8
Accept Headers
Capabilities + Preferences
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie: my_namics_SSL=1; LtpaToken=AAECAzU0M0I3RTlBNTQzQkZEMkFDTj1
q: Quality factor - Relative degree of preference

Response Headers
Response Header from www.namics.com
HTTP/1.1 200 OK
Date: Mon, 13 Oct 2014 16:18:08 GMT
Transfer-Encoding: chunked
Server: nginx/1.4.3
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Age: 1110
X-Mod-Pagespeed: 1.6.29.7-3343
X-Powered-By: Secret Namics rocket technology
X-Varnish: 1491545138 1491540973
Via: 1.1 varnish
Extension Headers
Fully Custom

- Reliable -
No damaged or
scrambled data!
G!"r"#$%%&!

HTTP
TSL OR SSL
TCP
IP
Network interfaces
Application Layer
Security Layer
Transport Layer
Network Layer
Data Link Layer
That’s Why!

CLIENT Server
COMMUNICATION
Create Socket
Bind socket to port 80
Accept Connections
DNS Lookup
Create Socket
Bind Socket
Connection
Handshake
Delay
SYN
SYN+ACK
Read
Process
ACK
GET / HTTP/1.1
HTTP/1.1 200 Ok
Data transfer
Close connection
Connection properties
Source IP, Source Port, Destination IP, Destination Port UNIQUE

Performance considerations
Considerable delay for
small Transactions
Performance depends on connection age
For 1 successfully received packet,
the sender can send 2 more
Bundles up large amounts of tcp data
for efficiency
Non-full size packets can only be sent if
all others are acknoleged
SYN/SYN+ACK
Handshake
TCP Slow Start
congestion control
feature
Nagle’s Algorithm

The Connection Header
HTTP/1.1 200 OK
Connection: myheader, close
Myheader: local information
CLIENT Server
Proxy
Myheader is a hop-by-hop header and not proxied
Messages are forwarded - each “Hop” must delete
header fields listed in the connection header
This allows protecting “local headers”

Connection Types
“Feel” faster - but still tcp performance issues
2 to 6 per client (browser) is current practice
HTTP/1.0+ experimental, deprecated but still used
Handled by keep-alive connection header
HTTP/1.1 Re-use connections for multiple requests
Active by default, explicitly close by header
Only works with correct Content-Length
Enqueue multiple requests over persistent
connection before response arrives
only for safe methods (not for “post”)
Parallel
Keep-Alive
Persistent
Pipelined

The Keep-Alive Problem
CLIENT Server
GET / HTTP/1.0
Host: www.namics.com
HTTP/1.0 200 OK
Content-type: text/html
Connection: keep-alive Connection: keep-alive
CLIENT Dumb Proxy Server
SHOULD NOT BE PASSED
Proxy waits for connection close
Ignore request - still waiting for close

Connection Close
It can happen anytime
If it happens, client should reopen
and retry once for methods
without side effects
(Get is ok, Post is not!)

A quick
HTTP/2 Breakout
Spdy Protocol

GoogleS’ Contribution
Speedy Open Networking Protocol
Focus on Performance
Base for HTTP/2 draft
HTTP - SPDY - TCP
1 TCP Connection
Multiplexing
Stream priorities
SSL by default
Compressed headers
… and more

HANDLING
STATELESSNESS
Coping with the “goldfish memory”

Enter cookies
First developed by netscape
Define new extension headers
Cookie, Cookie2, Set-Cookie, Set-Cookie2
Flavors are
session cookies and persistent cookies

DOMAIN ATTRIBUTE CONTROLS THE “VISIBILIY”
PATH ATTRIBUTE ALLOWS FINER-GRAINED
CONTROL
COOKIES ARE STATE INFORMATION
MAINTAINED BY THE CLIENT
COOKIES ARE NOT PART OF HTTP/1.1
SPECIFICATION

VERSION 0 - NETSCAPE COOKIES
Cookie: name1=value1
[; name2=value2]
Set-Cookie: name=value
[; expires=date]
[; path=path]
[; domain=domain] [; secure]
Request Header
Response Header

VERSION 1 – RFC2956 COOKIES
Descriptive text for cookies
Forced destruction support on browser exit
Max-age in relative seconds, not date
Rfc6265 lists them as deprecated
Controlled by Set-Cookie2 and Cookie2

Cookies + Caching
Short answer
“NO”

Cookies and Security
Cookies are a security risk
DNS Poisoning
Cross site scripting
Attacks
Vulnerable To

Cookies Alternatives
HTML5 Browser storage
Browser / canvas fingerprint
HTTP Authentication
ETAG Headers

The evil
a Javascript api to create zombie cookies
https://github.com/samyk/evercookie
uses every possible way to store cookies
and avoid deletion
FBI uses it to track TOR users
Spotify uses it

HTTP
CACHING
Pr"&"$%"* b. C/r#& $0% w""1
J

Things I’Ve missed…
Authorization and Security
Proxies and Gateways
Robots
Entities and Encodings
Content Negotiation
7xx status codes extension proposal
…

418
I’m a teapot
(http://tools.ietf.org/html/rfc2324)

HTTP

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (8)

Similaire à HTTP

Similaire à HTTP (20)

Plus de Daniel Kummer

Plus de Daniel Kummer (11)

Dernier

Dernier (20)

HTTP