Lie down at night and listen to the wind and rain
Tiema Glacier Dreams
University teachers used to say that there are three "heavenly books" in the computer field: data structures, computer organization principles and computer networks. Networking is therefore a technology we must understand and master when we work in software development. In this article I describe the network in plain language, based on the networking knowledge I have picked up.
Network Seven-Layer Model
- Application layer: the port through which network services are accessed, e.g. HTTP transports 'hello, world'
- Presentation layer: provides data format conversion
- Session layer: establishes end-to-end sessions and provides access verification such as SSL/TLS authentication
- Transport layer: UDP/TCP header + 'hello, world'
- Network layer: IP header + UDP/TCP header + 'hello, world'
- Data link layer: MAC address + IP + UDP/TCP + 'hello, world' + frame trailer
- Physical layer: transmits the raw bits, 010101001
Request message includes: request method, URL, protocol version (e.g. HTTP/1.0), header fields, request body (for POST requests)
Response message includes: protocol version, status code, reason phrase, header fields, response entity
GET: represents accessing a resource. Characteristics: safe (should not cause any state change on the server side), idempotent (the same result however many times it is requested), cacheable (proxy servers may cache it)
POST: represents processing a resource. Characteristics: unsafe, non-idempotent, not cacheable
Client-side request failure: the requested address or the request parameters are wrong
Connection Establishment Process
Three-way handshake (establish) and four-way wave (release)
Connectionless: every request requires its own TCP connection.
Stateless: does not save the user's information and state.
Solving the problem that HTTP is connectionless
Generate multiple HTTP requests on the same TCP connection
Connection: keep-alive. Time: 20 means the TCP connection does not need to be re-established within that period; Max: the maximum number of requests during the connection's lifetime
How is the end of a request judged?
By Content-Length, by an empty body, or by chunked transfer encoding
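As an added example (not code from the original article), a small Python parser that applies the framing rules just listed to decide where an HTTP/1.1 message body ends. The messages it parses are constructed samples; it refuses a message that carries both Content-Length and chunked encoding, because the two rules would disagree about where the body stops.

```python
# Added example: HTTP/1.1 body framing by Content-Length or chunked encoding.
# The sample messages at the bottom are constructed, not captured traffic.

def parse_headers(raw: bytes):
    """Split a raw message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")  # the empty line ends the headers
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body; the zero-length chunk marks the end."""
    out, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            return out  # trailers, if any, follow here and are ignored
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF

def message_body(raw: bytes) -> bytes:
    """Return the body, refusing messages that declare both framing methods."""
    _, headers, body = parse_headers(raw)
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    if chunked and b"content-length" in headers:
        raise ValueError("ambiguous framing: Content-Length together with chunked")
    if chunked:
        return decode_chunked(body)
    if b"content-length" in headers:
        n = int(headers[b"content-length"])
        if len(body) < n:
            raise ValueError(f"incomplete body: need {n} bytes, have {len(body)}")
        return body[:n]
    # No framing header: a request then has no body (a response body would
    # instead run until the connection closes, which is not handled here).
    return b""

# Constructed sample messages, both carrying the body "hello,world"
LENGTH_MSG = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello,world"
CHUNKED_MSG = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"6\r\nhello,\r\n5\r\nworld\r\n0\r\n\r\n")
```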
- Solving the problem that HTTP is stateless
Solution: Cookie / Session
Differences between HTTPS and HTTP
HTTPS adds SSL/TLS authentication between the application layer and the transport layer. According to other sources: SSL/TLS authentication sits at the session layer
HTTPS Link Establishment Process
- Client -> Server: sends the supported TLS version, the supported encryption algorithms, and random number C
- Server -> Client: the agreed encryption algorithm, random number S, and the server certificate (containing the public key)
- Client verifies the certificate
- Client assembles the session keys
- Client encrypts the pre-master key with the server's public key
- Server decrypts the pre-master key with its private key
- Server assembles the session keys
- Client sends an encrypted handshake message (verification)
- Server sends an encrypted handshake message (verification)
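To show what "assembles the session keys" means concretely, here is an added Python example (not code from the original article) that derives the master secret and the per-direction keys the way the TLS 1.2 pseudo-random function does, from random number C, random number S and the pre-master key. The randoms and the pre-master key are constructed values; the RSA encryption of the pre-master key in the previous step is assumed to have already happened and is not shown.

```python
# Added example: the "assemble session keys" step, using the TLS 1.2
# pseudo-random function from RFC 5246 section 5 (P_SHA256). The randoms
# and pre-master secret below are constructed; the RSA encryption of the
# pre-master secret (the step before this one) is not shown.
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash: concatenate HMAC(secret, A(i) + seed), A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; seed order is client random then server random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def session_keys(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Key block for TLS_RSA_WITH_AES_128_CBC_SHA: two 20-byte MAC keys, two
    16-byte AES keys, two 16-byte IVs; note key expansion swaps the random order."""
    master = master_secret(pre_master, client_random, server_random)
    block = prf(master, b"key expansion", server_random + client_random, 2 * (20 + 16 + 16))
    return {
        "client_mac": block[0:20], "server_mac": block[20:40],
        "client_key": block[40:56], "server_key": block[56:72],
        "client_iv": block[72:88], "server_iv": block[88:104],
    }

def handshake_demo() -> bool:
    """Both ends derive keys from the same three inputs and must agree."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = b"\x03\x03" + os.urandom(46)  # version bytes + 46 random bytes
    client_side = session_keys(pre_master, client_random, server_random)
    server_side = session_keys(pre_master, client_random, server_random)
    return client_side == server_side
```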
Encryption of HTTPS
- Asymmetric encryption (time-consuming) is used to establish the connection
- Symmetric encryption is used for the subsequent communication
- Asymmetric: private-key encryption with public-key decryption
- Asymmetric: public-key encryption with private-key decryption
- Public key: only the public key travels over the network while the private key stays on the server, so asymmetric encryption is relatively safe.
- Symmetric key: the secret key itself has to be transmitted over the network, which is unsafe.
TCP (Transmission Control Protocol)
Connection-oriented: a connection is established (three-way handshake) before data is transmitted, and released after the transfer (four-way wave)
Reliable: no errors, no loss, no duplication, in-order arrival, retransmission on timeout
Byte Stream Oriented
TCP itself decides how many bytes go into each segment; the sender does not control it. Maximum transmission unit = 1500 bytes = 20-byte IP header + 20-byte TCP header + data
Sliding Window Protocol
Slow start and congestion avoidance: the window grows exponentially (number of segments: 1, 2, 4, 8, 16) until it reaches the initial threshold, then grows additively. On network congestion the threshold is cut by multiplicative decrease to a new value. Fast retransmit and fast recovery
Sliding Window Protocol
When the sender's window emits segments at a high rate but the server's receive window is relatively small, the receiver corrects or adjusts the sender's rate by advertising a new window value in the window field of the TCP header.
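The two window rules above (congestion control in the previous item, flow control in this one) as an added Python simulation that is not part of the original article: the congestion window follows slow start, congestion avoidance and multiplicative decrease, and the effective send window is capped by the receiver's advertised window. The loss rounds and receiver window are constructed inputs, not measured network behaviour.

```python
# Added example: a round-trip-by-round-trip simulation of the window rules
# described above. Loss rounds and the receiver window are constructed
# inputs, not measured behaviour; growth is counted in segments.

def simulate_window(rounds, ssthresh, loss_rounds, rwnd, fast_recovery=True):
    """Return [(cwnd, effective_window)] per round trip.

    cwnd follows slow start / congestion avoidance / multiplicative decrease;
    the effective send window is min(cwnd, rwnd), where rwnd is the receiver's
    advertised window from the TCP header (flow control)."""
    cwnd, history = 1, []
    for rtt in range(rounds):
        history.append((cwnd, min(cwnd, rwnd)))
        if rtt in loss_rounds:
            ssthresh = max(cwnd // 2, 2)             # multiplicative decrease
            cwnd = ssthresh if fast_recovery else 1  # Reno resumes at ssthresh; Tahoe restarts at 1
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)           # slow start: 1, 2, 4, 8, 16 ...
        else:
            cwnd += 1                                # congestion avoidance: +1 per RTT
    return history

def cwnd_trace(rounds, ssthresh, loss_rounds=(), rwnd=10**9, fast_recovery=True):
    """Just the cwnd column, handy for eyeballing the curve."""
    return [c for c, _ in simulate_window(rounds, ssthresh, set(loss_rounds), rwnd, fast_recovery)]
```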
UDP (User Datagram Protocol)
Connectionless: no connection setup required. Best-effort delivery: no guarantee of in-order arrival. Packet oriented: datagrams are not split up
Multiplexing and demultiplexing
DNS maps domain names to IP addresses. The resolution request is sent as a UDP datagram in plaintext, using the DNS protocol to port 53 of the DNS server
DNS parsing process
- The client asks the DNS server to resolve the domain name using the DNS protocol
- The DNS server returns the corresponding IP to the client
- The client takes the IP and sends its network request to the server
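The request and reply from the process above, as an added Python example that is not part of the original article: it builds the plaintext UDP payload that goes to port 53 and parses the answer section of a reply. The reply is constructed in the block to stand in for a server's response; the domain name and the address in it are sample values.

```python
# Added example: build the plaintext UDP payload of a DNS A query (sent to port
# 53) and parse a reply; the reply is constructed here, with sample values.
import struct

def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Header (id, flags RD=1, one question) + question (name, type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(msg: bytes, pos: int):
    # Read a possibly compressed name; return (name, offset just after it).
    labels, end, jumped = [], pos, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            end = end if jumped else pos + 2
            pos, jumped = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF, True
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (end if jumped else pos)
        labels.append(msg[pos:pos + length].decode())
        pos += length

def parse_a_answers(reply: bytes, expected_txid: int):
    # Return [(name, ipv4)] from the answer section; a wrong id is rejected.
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        pos = decode_name(reply, pos)[1] + 4
    answers = []
    for _ in range(an):
        name, pos = decode_name(reply, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        rdata, pos = reply[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers

def sample_reply(txid: int) -> bytes:
    # Constructed answer: www.example.com A 192.0.2.1 (a documentation address).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + build_query("www.example.com", txid)[12:] + rr
```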
DNS query modes
Recursive query: each server asks the next and the answer is returned back along the chain: Client -> Local DNS -> Root DNS -> Top-level DNS -> Authoritative DNS
Iterative query: the client's local DNS asks the Root DNS, the Top-level DNS and the Authoritative DNS one after another
DNS hijacking: a third-party phishing DNS server on the public network intercepts our DNS resolution request and returns the wrong IP
How to Solve DNS Hijacking
Ordinary DNS resolution: uses the DNS protocol to query port 53 of the DNS server. HTTPDNS resolution: uses the HTTP protocol to query port 80 of the DNS server, so no ordinary DNS resolution takes place and there is no DNS hijacking, e.g. http://126.96.36.199/d?dn=www.xiaozhu.com&ip=172.18.134.109
Long connection: Client <-(long-lived connection channel)-> long-connection server (proxy server) <-> API server. The client's HTTP request is resolved by the proxy server over an intranet private line, which avoids public-network DNS hijacking.
What is the relationship between DNS hijacking and HTTP?
There is none.
Because DNS resolution happens before HTTP establishes its connection, and because DNS resolution uses UDP datagrams on port number 53
DNS resolution forwarding
Client -> China Mobile DNS -> China Telecom DNS -> China Unicom DNS: because of protocol constraints, each DNS resolver passes the request on to the next, so DNS resolution is slow and network requests become slow as a result.
Cookie: makes up for HTTP statelessness, e.g. when the client sends a request the server would otherwise not remember the user
Used to record user state and distinguish users; the state is saved on the client
How to ensure cookie security?
Encrypt the cookie contents. Carry cookies only over HTTPS (recommended). Set the cookie as HttpOnly so that scripts cannot read it, preventing theft via cross-site scripting
How to modify cookies
A new cookie overrides the old one. Override rule: name, path and domain must match the original cookie
How to delete cookies
A new cookie overrides the old one. Override rule: name, path and domain must match the original cookie. Set the cookie's Expires to a point in the past, or Max-Age = 0
Session: records user state and distinguishes users; the state is saved on the server side.
Workflow: the client sends a request to the server; the server records the user's state and generates a session ID, which it passes to the client through a cookie
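The cookie rules (security attributes, override and deletion) and the session workflow above, combined into one added Python example that is not code from the original article. The server keeps the user state and hands the client only an opaque random session ID in a Secure, HttpOnly cookie; the client-side jar stores cookies keyed by name, domain and path, replaces on a matching key, and removes on Max-Age=0 or a past Expires. The domain and user names are constructed sample values.

```python
# Added example: server-side session store issuing the session id in a Secure,
# HttpOnly cookie, plus a client cookie jar applying the override and deletion
# rules above. Domain and user names are constructed sample values.
import secrets
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

class CookieJar:
    def __init__(self):
        self.store = {}  # (name, domain, path) -> value

    def receive(self, set_cookie: str, domain: str):
        jar = SimpleCookie()
        jar.load(set_cookie)  # parse one Set-Cookie header as a browser would
        for name, morsel in jar.items():
            key = (name, morsel["domain"] or domain, morsel["path"] or "/")
            exp = morsel["expires"]
            gone = morsel["max-age"] == "0" or (
                exp != "" and parsedate_to_datetime(exp) < datetime.now(timezone.utc))
            if gone:
                self.store.pop(key, None)   # deletion: same key, expired in the past
            else:
                self.store[key] = morsel.value  # new cookie replaces the old value

    def header(self, domain: str) -> str:
        return "; ".join(f"{n}={v}" for (n, d, _), v in self.store.items() if d == domain)

class SessionServer:
    DOMAIN = "app.example"  # sample domain
    def __init__(self):
        self.sessions = {}  # session id -> user state kept on the server

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # opaque random id; the state itself stays here
        self.sessions[sid] = {"user": user}
        return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def whoami(self, cookie_header: str):
        c = SimpleCookie()
        c.load(cookie_header)  # the Cookie request header sent back by the client
        return self.sessions.get(c["sid"].value if "sid" in c else None, {}).get("user")

    def logout(self, cookie_header: str) -> str:
        c = SimpleCookie()
        c.load(cookie_header)
        if "sid" in c:
            self.sessions.pop(c["sid"].value, None)
        return "sid=deleted; Path=/; Max-Age=0; Secure; HttpOnly"
```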