The HTTP protocol
1. The HTTP service
- http: Hyper Text Transfer Protocol, 80/tcp
- HTTP/1.1 is the commonly used version
1. Supports caching, MIME (so multimedia files can be transferred) and more request methods
2. POST and HEAD: the header is ASCII text, and the data that follows may be in any format. In its response the server tells the client what format the data is in; that is the purpose of the Content-Type field. These data types are collectively called MIME (Multipurpose Internet Mail Extensions); each value consists of a primary type and a subtype, and besides the predefined types you can define your own
3. Persistent connections: the TCP connection is not closed by default and can be reused by multiple requests, without having to declare Connection: keep-alive. For the same domain, most browsers allow up to 6 persistent connections at once
4. Pipelining: within one TCP connection the client can send multiple requests without waiting for each reply, further improving the efficiency of the protocol
5. Supports the GET, PUT, PATCH, OPTIONS and DELETE methods
- Problems
1. Within one TCP connection all data exchange happens in order. The server can only return responses sequentially, so if an early response is slow, many later requests queue up behind it; this is head-of-line blocking
To avoid this there are two approaches: reduce the number of requests, or open several persistent connections at once. Page optimisation tricks such as merging scripts and stylesheets, embedding images in CSS and domain sharding exist for this reason
2. HTTP is stateless, so every request must carry all of its information. Many request fields are repeated in every request, wasting bandwidth and slowing things down
- Basic steps of handling an HTTP request
1. Establish the connection
2. Receive the request
3. Process the request
4. Access the resource
5. Build the response message
6. Send the response message
7. Write the log entry
- Request methods
GET: retrieve a resource from the server
HEAD: retrieve only the response headers for a document
POST: send data to the server, usually for further processing by a gateway program, for example submitting a username and password or other information
PUT: store the body of the request on the server, e.g. uploading a file
DELETE: ask the server to delete the specified document
TRACE: trace the proxy servers a request passes through on its way to the server
OPTIONS: ask the server which request methods are supported for the specified resource
- Status codes
1xx: 100-101, informational
2xx: 200-206, success
3xx: 300-305, redirection
4xx: 400-415, error, client side
5xx: 500-505, error, server side
200: success, the requested data is sent in the entity-body of the response; OK
301: the resource the requested URL pointed to has been removed, but the Location header of the response gives the resource's new location; Moved Permanently
302: the Location header of the response gives a temporary new location for the resource; Moved Temporarily
304: the resource on the server has not changed; use the locally cached copy
401: the user must authenticate with an account and password to access the resource; Unauthorized
403: the request is forbidden; Forbidden
404: the server cannot find the resource the client requested; Not Found
500: internal server error; Internal Server Error
502: the proxy server received a bogus response from the backend server, e.g. it could not connect to the gateway; Bad Gateway (the scheduler could not connect to the backend server)
503: service unavailable, the server is temporarily under maintenance or overloaded and cannot handle the request
504: gateway timeout
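The persistent-connection and pipelining behaviour described above, as an added example that is not part of the original post: a small HTTP/1.1 client that writes several GET requests to one TCP connection before reading any reply and then parses the replies, which the server returns strictly in request order (the property behind head-of-line blocking). The stand-in server, the EchoPathHandler class and the function names are constructed for this example and it runs on loopback only.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoPathHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a real web server: answers every GET with its own path."""
    protocol_version = "HTTP/1.1"  # keep-alive by default, so the connection survives across requests

    def do_GET(self):
        body = self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))  # lets the client find the end of each message
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


def start_server():
    """Start the stand-in server on a free loopback port and return it."""
    server = HTTPServer(("127.0.0.1", 0), EchoPathHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def pipelined_get(host, port, paths):
    """Write every GET to one connection first, then read the replies, which arrive in request order."""
    with socket.create_connection((host, port)) as sock:
        wire = b"".join(f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths)
        sock.sendall(wire)  # all requests are on the wire before a single reply is read
        stream = sock.makefile("rb")
        responses = []
        for _ in paths:
            status = int(stream.readline().split(b" ")[1])  # status line: "HTTP/1.1 200 OK"
            headers = {}
            while (line := stream.readline().strip()) != b"":
                name, _, value = line.partition(b":")
                headers[name.strip().lower()] = value.strip()
            body = stream.read(int(headers[b"content-length"]))  # a slow reply here stalls all later ones
            responses.append((status, body.decode()))
        return responses


def run_demo(paths):
    """Start the server, pipeline the requests on one connection, then shut the server down."""
    server = start_server()
    try:
        return pipelined_get("127.0.0.1", server.server_address[1], paths)
    finally:
        server.shutdown()
```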
2. Restricting user access to a website with httpd
1. Install the httpd service
2. Prepare the home page
[root@host ~]#echo 'welcome to here!' > /var/www/html/index.html
3. Start the service
[root@host ~]#systemctl start httpd
4. Test the page
5. Generate the users and passwords with the htpasswd command; note that the file must be readable by the apache account
[root@host conf.d]#htpasswd -c /data/user dcrfan
New password:
Re-type new password:
Adding password for user dcrfan
[root@host conf.d]#htpasswd /data/user zhang
New password:
Re-type new password:
Adding password for user zhang
[root@host ~]#chown apache /data/user
6. Edit the httpd configuration file
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
# authentication type
AuthType Basic
# prompt string shown to the user
AuthName "please input your name"
# file holding the users and password hashes
AuthUserFile "/data/user"
# user allowed to access the directory
Require user dcrfan
</Directory>
[root@host conf.d]#systemctl restart httpd
7. Test the page
8. Other access control options
Require all granted: allow access from all hosts
Require all denied: deny access from all hosts
Require host HOSTNAME: allow access from a specific host
Require not host HOSTNAME: deny access from a specific host
Require ip IPADDR: allow access from the given source IP
Require not ip IPADDR: deny access from a specific IP
RequireAll: no directive may fail and at least one must succeed for access to be granted, i.e. failure takes precedence
<RequireAll>
Require all granted
# deny a specific IP
Require not ip 172.16.1.1
</RequireAll>
RequireAny: if any one of the directives succeeds, access is granted, i.e. success takes precedence
<RequireAny>
Require all denied
# allow a specific IP
Require ip 172.16.1.1
</RequireAny>
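To check a policy like the two blocks above before it goes into httpd.conf, here is an added example (not from the original post) that models how Apache 2.4 combines Require lines inside RequireAll and RequireAny, with each line returning granted, denied or neutral. It covers only the forms used on this page (all, ip, host, user and their "not" variants); the function names are my own, and partial-prefix IP matches such as Require ip 10.1 are assumed out of scope.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def eval_require(directive, client_ip, client_host=None, user=None):
    """Evaluate one 'Require ...' line against a request; returns GRANTED, DENIED or NEUTRAL."""
    words = directive.split()
    if not words or words[0].lower() != "require":
        raise ValueError(f"not a Require directive: {directive!r}")
    negated = len(words) > 2 and words[1].lower() == "not"
    provider, args = (words[2], words[3:]) if negated else (words[1], words[2:])
    provider = provider.lower()
    if provider == "all":
        if args[0].lower() == "denied":
            return DENIED          # "Require all denied" always denies
        matched = True             # "Require all granted"
    elif provider == "ip":
        addr = ipaddress.ip_address(client_ip)
        matched = any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    elif provider == "host":
        # Apache matches the full name or any host inside the given domain
        matched = client_host is not None and any(
            client_host == a or client_host.endswith("." + a) for a in args)
    elif provider == "user":
        matched = user in args
    else:
        raise ValueError(f"unsupported provider in {directive!r}")
    if negated:
        return DENIED if matched else NEUTRAL   # a negated Require can never grant
    return GRANTED if matched else NEUTRAL


def eval_container(kind, directives, **request):
    """Combine results the way <RequireAll> / <RequireAny> do in Apache 2.4."""
    results = [eval_require(d, **request) for d in directives]
    if kind == "RequireAll":
        if DENIED in results:
            return DENIED          # one failure is enough: failure takes precedence
        return GRANTED if GRANTED in results else NEUTRAL
    if kind == "RequireAny":       # also how bare Require lines inside <Directory> are combined
        if GRANTED in results:
            return GRANTED         # one success is enough: success takes precedence
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError(f"unknown container {kind!r}")


def allowed(kind, directives, **request):
    """True only when the final result is GRANTED; NEUTRAL is treated as denied."""
    return eval_container(kind, directives, **request) == GRANTED
```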
3. Virtual hosts with httpd
Create the test home pages
[root@host conf.d]#mkdir /var/www/html/{a,b,c}
[root@host conf.d]#echo "a">/var/www/html/a/index.html
[root@host conf.d]#echo "b">/var/www/html/b/index.html
[root@host conf.d]#echo "c">/var/www/html/c/index.html
1. Port-based virtual hosts
Edit the configuration file
[root@host conf.d]#vim port.conf
Listen 808
Listen 8080
<VirtualHost 192.168.0.109:80>
ServerName www.a.com
DocumentRoot "/var/www/html/a"
</VirtualHost>
<VirtualHost 192.168.0.109:808>
ServerName www.b.com
DocumentRoot "/var/www/html/b"
</VirtualHost>
<VirtualHost 192.168.0.109:8080>
ServerName www.c.com
DocumentRoot "/var/www/html/c"
</VirtualHost>
Restart the service and check the listening ports
[root@host conf.d]#systemctl restart httpd
[root@host ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:41968 *:*
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::8080 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 :::53952 :::*
LISTEN 0 128 :::808 :::*
Test each port
[root@host ~]#curl 192.168.0.109
a
[root@host ~]#curl 192.168.0.109:808
b
[root@host ~]#curl 192.168.0.109:8080
c
2. IP-based virtual hosts
Edit the configuration file
<VirtualHost 192.168.0.109:80>
ServerName www.a.com
DocumentRoot "/var/www/html/a"
</VirtualHost>
<VirtualHost 192.168.0.110:80>
ServerName www.b.com
DocumentRoot "/var/www/html/b"
</VirtualHost>
<VirtualHost 192.168.0.111:80>
ServerName www.c.com
DocumentRoot "/var/www/html/c"
</VirtualHost>
Restart the httpd service
[root@host conf.d]#systemctl restart httpd
Temporarily add the extra IP addresses to this host
[root@host ~]#ip address add 192.168.0.110/24 dev eth0
[root@host ~]#ip address add 192.168.0.111/24 dev eth0
Check the addresses
[root@host ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:53:4d:b3 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.109/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.0.110/24 scope global secondary eth0
valid_lft forever preferred_lft forever
inet 192.168.0.111/24 scope global secondary eth0
valid_lft forever preferred_lft forever
inet6 fe80::47f0:15a7:5a66:13c7/64 scope link
valid_lft forever preferred_lft forever
Test
[root@host ~]#curl 192.168.0.109
a
[root@host ~]#curl 192.168.0.110
b
[root@host ~]#curl 192.168.0.111
c
3. Name-based (FQDN) virtual hosts
Edit the configuration file and restart the service
<VirtualHost *:80>
ServerName www.a.com
DocumentRoot "/var/www/html/a"
</VirtualHost>
<VirtualHost *:80>
ServerName www.b.com
DocumentRoot "/var/www/html/b"
</VirtualHost>
<VirtualHost *:80>
ServerName www.c.com
DocumentRoot "/var/www/html/c"
</VirtualHost>
Edit the hosts file on the test client so that it can resolve the three names
[root@host ~]#cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.109 www.a.com www.b.com www.c.com
Test
[root@host ~]#curl www.a.com
a
[root@host ~]#curl www.b.com
b
[root@host ~]#curl www.c.com
c
Note: virtual hosts are generally not mixed with the main (default) host, so to use virtual hosts the main host is usually disabled first
To disable it, comment out the DocumentRoot directive of the main server
Each virtual host can also be given its own log files:
ErrorLog "logs/host.example.com-error_log"
TransferLog "logs/host.example.com-access_log"
4. Enabling HTTPS for a website with httpd
To enable HTTPS you need a CA to issue the certificates for the encrypted connection, the mod_ssl module installed, and the service listening on port 443
1. Set up the CA on 192.168.0.112
[root@host ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.......+++
e is 65537 (0x10001)
[root@host ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7200 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:dcrfan
Organizational Unit Name (eg, section) []:dcrfan.cn
Common Name (eg, your name or your server's hostname) []:dcrfan
Email Address []:
[root@host ~]# echo 01 > /etc/pki/CA/serial
[root@host ~]# touch /etc/pki/CA/index.txt
2. Generate the key pair on 192.168.0.109
[root@host ~]# (umask 066; openssl genrsa -out /etc/httpd/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
.............................+++
e is 65537 (0x10001)
[root@host ~]# openssl req -new -key /etc/httpd/httpd.key -out /etc/httpd/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:dcrfan
Organizational Unit Name (eg, section) []:dcrfan.cn
Common Name (eg, your name or your server's hostname) []:www.a.com    # must match the website's domain name
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host ~]#scp /etc/httpd/httpd.csr 192.168.0.112:/data/
3. Sign the certificate on 192.168.0.112
[root@host ~]# openssl ca -in /data/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 160
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 7 02:40:31 2019 GMT
Not After : Jul 17 02:40:31 2019 GMT
Subject:
countryName = cn
stateOrProvinceName = gd
organizationName = dcrfan
organizationalUnitName = dcrfan.cn
commonName = www.a.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
48:30:32:22:C2:7F:68:A5:45:C6:99:3B:46:B5:6B:08:7F:94:86:DB
X509v3 Authority Key Identifier:
keyid:29:BE:1C:83:B6:3E:49:D0:12:3F:80:A5:64:CB:17:02:8C:43:3B:1A
Certificate is to be certified until Jul 17 02:40:31 2019 GMT (160 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@host ~]# scp /etc/pki/CA/certs/httpd.crt /etc/pki/CA/cacert.pem 192.168.0.109:/etc/httpd/
4. Install the module
[root@host ~]#yum install mod_ssl
5. Edit the httpd configuration file
[root@host ~]#ls /etc/httpd
cacert.pem conf conf.d conf.modules.d httpd.crt httpd.csr httpd.key logs modules run
[root@host ~]#vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html/"
ServerName www.a.com
# the server certificate signed by the CA (must match the private key below)
SSLCertificateFile /etc/httpd/httpd.crt
# the server's own private key
SSLCertificateKeyFile /etc/httpd/httpd.key
# the CA certificate
SSLCACertificateFile /etc/httpd/cacert.pem
6. Enable HSTS so that browsers automatically use https for the site
vim /etc/httpd/conf/httpd.conf
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
7. Edit /etc/hosts on the test client
192.168.0.109 www.a.com
8. Test (import the CA certificate into the browser)
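An added example, not part of the original post, for the HSTS step above: a strict parser for the Strict-Transport-Security header value as defined in RFC 6797, which flags a misspelt directive such as "maxage=31536000" (browsers silently ignore it, leaving the site without HSTS) so the value can be checked before it goes into the httpd configuration. The function name parse_hsts is my own.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value; returns (ok, max_age, include_subdomains, problems).

    ok is False when anything would make a browser ignore the policy, or when a
    directive is unknown (RFC 6797 makes browsers skip unknown directives, and in
    practice an unknown name is almost always a typo for a real one).
    Browsers only honour this header when it arrives over HTTPS, so it belongs
    in the SSL virtual host, not just in the plain-HTTP server config.
    """
    problems, seen = [], {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, arg = raw.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')  # names are case-insensitive, values may be quoted
        if name in seen:
            problems.append(f"duplicate directive: {name}")  # each directive may appear only once
            continue
        seen[name] = arg
        if name == "max-age":
            if not arg.isdigit():
                problems.append(f"max-age needs a non-negative integer, got {arg!r}")
        elif name in ("includesubdomains", "preload"):
            if arg:
                problems.append(f"{name} takes no value")
        else:
            problems.append(f"unknown directive, ignored by browsers: {name}")
    if "max-age" not in seen:
        problems.append("required max-age directive missing: the header has no effect")
    max_age = int(seen["max-age"]) if seen.get("max-age", "").isdigit() else None
    return (not problems, max_age, "includesubdomains" in seen, problems)
```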