
Detailed introduction of HTTP protocol

2025-02-24 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/03 Report--

What is HTTP?

Hypertext Transfer Protocol (HTTP) (RFC7230)

A stateless, application-layer request/response protocol that uses extensible semantics and self-describing message formats to interact flexibly with network-based hypertext information systems.

Second, HTTP request line and response line

Request line format (ABNF description)

Request-line = method SP request-target SP HTTP-version CRLF

Common HTTP methods (RFC7231)

GET: the main method for retrieving information; a large number of performance optimizations target this method. Idempotent.

HEAD: similar to GET, but the server does not send a body; used to obtain metadata about the resource. Idempotent.

POST: commonly used to submit HTML forms, add resources, and so on.

PUT: update a resource. Idempotent.

DELETE: delete a resource. Idempotent.

CONNECT: establish a tunnel.

OPTIONS: show the methods the server supports for accessing the resource. Idempotent.

TRACE: echo the request as received by the server, used to locate problems. A security risk.

Request-target forms

origin-form: the path of the resource requested from the back end; "/" is sent when the path is empty

absolute-form: used with forward proxies

authority-form: used with the CONNECT method

asterisk-form: used with the OPTIONS method

HTTP-version and version history

HTTP/0.9: only GET is supported; obsolete

HTTP/1.0: RFC1945, 1996; commonly used by proxy servers (for example, the NGINX default configuration)

HTTP/1.1: RFC2616, 1999

HTTP/2.0: officially released in May 2015

Response line format (ABNF description)

Status-line = HTTP-version SP status-code SP reason-phrase CRLF

status-code = 3DIGIT

reason-phrase = *(HTAB / SP / VCHAR / obs-text)

Status-code (response code) classification

Response code specifications: RFC6585 (2012.4), RFC7231 (2014.6)

1xx: the request has been received and needs further processing. HTTP/1.0 does not support these codes.

100 Continue: triggered by the Expect: 100-continue header in the client request, before uploading a large file

101 Switching Protocols: protocol upgrade, triggered by the Upgrade: header in a request initiated by the client, for example to upgrade to websocket or http/2.0

102 Processing: a WebDAV request may contain many sub-requests involving file operations and take a long time to complete. This code indicates that the server has received and is processing the request, but no response is available yet. This prevents the client from timing out and assuming the request was lost.

2xx: the request was processed successfully

200 OK: the response was returned successfully

201 Created: a new resource was successfully created on the server

202 Accepted: the server received the request and started processing it, but the request has not been completed. This deliberately vague definition is designed to cover more scenarios, for example asynchronous processing that takes a long time.

203 Non-Authoritative Information: when a proxy server modifies the original response from the origin server (for example, changing an element value in the HTML), the proxy can inform the client of this fact by changing 200 to 203, so that the client can handle this behavior accordingly. 203 responses can be cached.

204 No Content: the request executed successfully with no response body, implying that the client does not need to update the current page view

205 Reset Content: the request executed successfully with no response body, and indicates that the client needs to update the current page view

206 Partial Content: the response code returned when partial content is returned using the range protocol

207 Multi-Status: RFC4918, the status of multiple resources as XML in the WebDAV protocol

208 Already Reported: RFC5842, to avoid repeatedly reporting resources under the same set in a 207 response, 208 can be used for the parent set

3xx: redirect to the resource that Location points to, or to a resource in the cache. RFC2068 stipulates that the client should not follow more than 5 redirects, to prevent endless loops.

300 Multiple Choices: the resource can be represented in multiple ways, and it is up to the client to choose which one to access after the choices are returned to it. Rarely used because of the lack of clear details.

301 Moved Permanently: the resource is permanently redirected to another URI

302 Found: the resource is temporarily redirected to another URI

303 See Other: redirected to another resource, commonly used in responses to POST/PUT

304 Not Modified: when the client has a cache that may have expired, it carries the cache identity (etag, time and other information) to ask the server whether the cache is still reusable; 304 tells the client that the cache can be reused

307 Temporary Redirect: the resource is temporarily redirected, but the request method after the redirect must be the same as the original request method and must not be changed

308 Permanent Redirect: the resource is permanently redirected, but the request method after the redirect must be the same as the original request method and must not be changed

4xx: client side error

400 Bad Request: the server believes the client made an error but cannot determine which of the more specific errors below applies, for example an HTTP request format error

401 Unauthorized: user authentication information is missing or incorrect, so the server cannot process the request

407 Proxy Authentication Required: for requests that must pass through a proxy, the authentication information could not be verified by the proxy server

403 Forbidden: the server understands the request, but the request is not permitted to be executed

404 Not Found: the server could not find the corresponding resource

410 Gone: the server could not find the corresponding resource and knows clearly that the resource is permanently gone from this location

405 Method Not Allowed: the server does not support the method in the request line

406 Not Acceptable: the resource representation specified by the client does not exist (for example, a language or encoding requirement); the server returns a list of representations for the client to choose from

408 Request Timeout: the server timed out while receiving the request

409 Conflict: resource conflict, for example when uploading a file, a resource whose version has been updated already exists at the target location

411 Length Required: if the request carries a body without a Content-Length header and is not a chunked request, 411 is returned

412 Precondition Failed: the If-Unmodified-Since or If-None-Match header sent when reusing a cache was not satisfied

413 Payload Too Large / Request Entity Too Large: the request body exceeds the maximum length the server can handle

414 URI Too Long: the request URI exceeds the maximum length the server accepts

415 Unsupported Media Type: the uploaded file type is not supported by the server

416 Range Not Satisfiable: the body range specified in the Range request cannot be provided

417 Expectation Failed: the expectation in the Expect request header cannot be satisfied

421 Misdirected Request: the server does not think this request should have been sent to it, because it is not able to handle it

426 Upgrade Required: the server refuses to provide service over the current HTTP protocol version and informs the client through the Upgrade header that it must upgrade the protocol to continue

428 Precondition Required: a conditional header such as If-Match is missing from the client request

429 Too Many Requests: the client is sending requests too fast

431 Request Header Fields Too Large: the size of the request headers exceeds the limit

451 Unavailable For Legal Reasons: RFC7725, the resource is not accessible for legal reasons

5xx: error occurred on the server side

500 Internal Server Error: server internal error that does not belong to any of the error types below

501 Not Implemented: the server does not support the functionality required to fulfil the request

502 Bad Gateway: the proxy server could not obtain a valid response from upstream

503 Service Unavailable: the server's resources are not ready to process the current request

504 Gateway Timeout: the proxy server could not obtain a response from upstream in time

505 HTTP Version Not Supported: the HTTP protocol version used in the request is not supported

507 Insufficient Storage: the server does not have enough space to process the request

508 Loop Detected: a loop was detected while accessing the resource

511 Network Authentication Required: the proxy server finds that the client needs to authenticate in order to obtain network access

Third, HTTP/1.1 headers

1. Connection header

Connection: keep-alive: persistent connection (HTTP/1.1 uses persistent connections by default, so keep-alive is meaningless there)

Connection: close: short connection, closed after the response

2. Host header

The HTTP/1.1 specification requires a 400 error response code to be returned if the Host header is not sent.

The Host header is used to route HTTP messages on the server side.

Host header and message routing

1. Establish a TCP connection, which determines the server's IP address

2. Receive the request

3. Find the virtual host by matching the Host header against the domain names

4. Find the processing code by matching the URI

5. Execute the code to access the requested resource

6. Generate the HTTP response; based on the PF architecture, each middleware modifies the response in series

7. Send the HTTP response

8. Record the access log

3. Headers when the proxy server forwards messages

X-Forwarded-For: used by proxy servers to pass on the client IP

X-Real-IP: used to pass the user's IP

Max-Forwards: limits the maximum number of times proxy servers may forward the request; only valid for the TRACE/OPTIONS methods

Via: indicates the names and versions of the proxy servers the message passed through

Cache-Control (no-transform): prevents proxy servers from modifying the response body
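As an added example, not code from the original article, the following shows the two server-side steps these sections describe: routing by the Host header (section 2), including the 400 response for a missing or duplicated Host, and deriving the client address from X-Forwarded-For (section 3). Because every proxy appends to X-Forwarded-For but the leftmost entries come from whoever sent the request, the safe reading walks the list from the right and skips the proxies we operate ourselves. The virtual host table, the trusted proxy ranges and the sample requests are constructed for the example.

```python
"""Host-based routing and client address behind proxies (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

VHOSTS = {"www.example.com": "site-main", "api.example.com": "site-api"}  # constructed
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]  # constructed


class BadRequest(Exception):
    pass


def parse_request_head(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]]]:
    """Split the request line and the header lines. Headers stay a list so
    that duplicates (which matter for Host) remain visible."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete head")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # no whitespace is allowed between the field name and the colon
        if not colon or not name or name != name.strip():
            raise BadRequest("malformed header line")
        headers.append((name, value.strip()))
    return parts[0], parts[1], parts[2], headers


def host_name(authority: str) -> str:
    """Drop the port; keep IPv6 literals such as [::1]:8080 intact."""
    if authority.startswith("["):
        return authority.split("]", 1)[0].lower() + "]"
    return authority.rsplit(":", 1)[0].lower()


def route(raw: bytes, vhosts: Dict[str, str] = VHOSTS) -> Tuple[int, Optional[str]]:
    """Return (status, virtual host id): 400 for a bad head or a missing or
    duplicate Host on HTTP/1.1, 404 when no virtual host matches."""
    try:
        _, _, version, headers = parse_request_head(raw)
    except BadRequest:
        return 400, None
    hosts = [v for n, v in headers if n.lower() == "host"]
    if version == "HTTP/1.1" and len(hosts) != 1:
        return 400, None
    vhost = vhosts.get(host_name(hosts[0])) if hosts else None
    return (200, vhost) if vhost else (404, None)


def _parse_ip(addr: str):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr: str, trusted) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted)


def client_ip(headers: Dict[str, str], peer_addr: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Address to log or rate-limit. peer_addr is the TCP peer; if it is not
    one of our proxies, X-Forwarded-For was never vetted and is ignored.
    Returns None when the chosen entry is not a valid IP address."""
    if not _is_trusted(peer_addr, trusted):
        return peer_addr
    values = [v for k, v in headers.items() if k.lower() == "x-forwarded-for"]
    hops = [h.strip() for v in values for h in v.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # one of our own proxies: keep walking left
        return hop if _parse_ip(hop) is not None else None
    return hops[0] if hops else peer_addr  # only our own proxies in the chain
```

The point of `client_ip` is that X-Forwarded-For is only meaningful when the direct peer is a proxy you control; a value that arrives straight from the Internet is ignored, and a spoofed leftmost entry never wins because the walk stops at the first address that is not yours.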

4. Request and response context headers

User-Agent: indicates the type of the client; the server can choose the representation of the resource based on it

Referer: the header that the browser automatically adds to requests originating from a page

From: mainly used by web crawlers, telling the server how to contact the person responsible for the crawler by email

Server: indicates the software used on the server, to help clients locate problems or gather statistics

Allow: tells the client which methods may be executed on the resource corresponding to the URI on the server

Accept-Ranges: tells the client whether the server allows range requests for the resource (the server sends only part of the response body according to the client's request, and the client assembles the multiple fragments into the complete, larger body)

5. Content negotiation and resource representation

Accept-Encoding: content encoding negotiation, mainly of the compression algorithm

Accept-Language: language negotiation

Content-Type: resource representation, media type and encoding

Content-Encoding: resource representation, content encoding

Content-Language: resource representation, language

6. HTTP message body transfer headers

Content-Length: explicitly indicates the length of the message body

Transfer-Encoding: indicates that chunked transfer is used. When a Transfer-Encoding header is present, the Content-Length header should be ignored.

TE header: the client indicates whether it accepts the Trailer header

Trailer header: the server tells the client which trailer headers will be sent after the chunked body
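As an added example, not code from the original article, the following decodes a chunked message body, collects the trailer section, and rejects the field names this section lists as not allowed in a trailer (framing, routing, request-modifier, authentication and content headers, and Trailer itself). It also applies the precedence rule stated above: when Transfer-Encoding is present, Content-Length is ignored. The sample messages in the checks are constructed; the size limit is an assumed value.

```python
"""Chunked body decoding with trailer checks (added example)."""
import re
from typing import Dict, Tuple

# field names that must not appear in a trailer section
FORBIDDEN_TRAILERS = {
    "transfer-encoding", "content-length",      # framing
    "host",                                     # routing
    "cache-control", "max-forwards", "te",      # request modifiers
    "authorization", "set-cookie",              # authentication
    "content-encoding", "content-type", "content-range",
    "trailer",
}
CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]{1,16}")  # strict hex, no sign or 0x prefix


class FramingError(Exception):
    pass


def body_framing(headers: Dict[str, str]) -> str:
    """Return 'chunked', 'length' or 'none'. Transfer-Encoding wins over
    Content-Length; a Transfer-Encoding that does not end in chunked is
    rejected because the body length would then be undefined."""
    h = {k.lower(): v for k, v in headers.items()}
    te = h.get("transfer-encoding")
    if te is not None:
        if te.split(",")[-1].strip().lower() != "chunked":
            raise FramingError("final transfer coding must be chunked")
        return "chunked"
    return "length" if "content-length" in h else "none"


def decode_chunked(data: bytes, max_size: int = 1 << 20) -> Tuple[bytes, Dict[str, str], bytes]:
    """Return (body, trailer fields, leftover bytes). On a persistent
    connection the leftover is the start of the next message."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE.fullmatch(size_field):
            raise FramingError("bad chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk: the trailer section follows
        if len(body) + size > max_size:
            raise FramingError("body too large")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk data")
        body += chunk
        pos += size + 2
    trailers: Dict[str, str] = {}
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated trailer section")
        line, pos = data[pos:eol], eol + 2
        if not line:
            break  # empty line ends the trailer section
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise FramingError("malformed trailer line")
        key = name.strip().decode("latin-1").lower()
        if key in FORBIDDEN_TRAILERS:
            raise FramingError("trailer field not allowed: " + key)
        trailers[key] = value.strip().decode("latin-1")
    return bytes(body), trailers, data[pos:]


def is_valid_chunked(data: bytes) -> bool:
    """Convenience check: True when the message decodes cleanly."""
    try:
        decode_chunked(data)
        return True
    except FramingError:
        return False
```

Rejecting a forbidden trailer (for instance a Content-Length arriving after the body) rather than silently dropping it keeps the parser's view of the message identical to the one the specification defines, which is what matters when several parsers in a chain must agree on where a message ends.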

The following headers are not allowed in trailer values:

headers used for framing (for example Transfer-Encoding and Content-Length)

headers used for routing (for example Host)

request modifier headers (control and conditional classes, such as Cache-Control, Max-Forwards or TE)

authentication headers (such as Authorization or Set-Cookie)

Content-Encoding, Content-Type, Content-Range

Trailer itself

7. Content-Disposition header (RFC6266)

disposition-type = "inline" | "attachment" | disp-ext-type

inline: specifies that the message body is displayed inline as part of the page.

attachment: specifies that the browser should download the message body as an attachment.

In multipart/form-data messages, it can be used in the body of each sub-part.
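As an added example, not code from the original article, the following builds a Content-Disposition header of the two types described above. The filename usually comes from user data, so the function strips path components and control characters (a CR/LF in the name would otherwise start a new header line), quotes the ASCII form, and adds the filename* form for non-ASCII names, which browsers prefer when both are present. The sample names in the checks are constructed.

```python
"""Building a Content-Disposition header (added example)."""
import unicodedata
from urllib.parse import quote


def content_disposition(disposition: str, filename: str) -> str:
    """Return a header value such as: attachment; filename="report.pdf"."""
    if disposition not in ("inline", "attachment"):
        raise ValueError("unsupported disposition-type")
    # keep only the final path component and drop control characters
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if ch >= " " and ch != "\x7f")
    if not name:
        name = "download"
    # ASCII fallback for the plain filename parameter (quoted-string)
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode() or "download"
    ascii_name = ascii_name.replace('"', "'")
    header = f'{disposition}; filename="{ascii_name}"'
    if ascii_name != name:
        # RFC 5987 form carries the exact name, percent-encoded as UTF-8
        header += "; filename*=UTF-8''" + quote(name, safe="")
    return header
```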

8. Cookie and Set-Cookie headers

Cookie: the Cookie header can carry multiple name/value pairs

Set-Cookie: a Set-Cookie header can carry only one name/value pair at a time; a response may include multiple Set-Cookie headers

9. Cross-origin resource request headers

Access-Control-Request-Method: in the preflight request (OPTIONS), tells the server which method the actual request will use

Access-Control-Request-Headers: in the preflight request (OPTIONS), tells the server which headers the actual request will carry

10. Cross-origin resource response headers

Access-Control-Allow-Methods: in the response to a preflight request, tells the client which methods are allowed for the subsequent request

Access-Control-Allow-Headers: in the response to a preflight request, tells the client which headers are allowed for the subsequent request

Access-Control-Max-Age: in the response to a preflight request, tells the client how long the preflight result may be cached

Access-Control-Expose-Headers: tells the browser which response headers may be exposed to the client. By default only Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma are available.

Access-Control-Allow-Origin: tells the browser which origins are allowed to access the current resource; * means all origins are allowed. To avoid cache confusion, the response must also carry Vary: Origin.

Access-Control-Allow-Credentials: tells the browser whether credentials may be exposed to the client. Credentials include cookies, authorization-class headers, TLS client certificates, and so on.
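As an added example, not code from the original article, the following answers the preflight exchange described in sections 9 and 10 from an explicit origin allowlist. Two points made above are enforced: every response carries Vary: Origin so that caches do not serve one origin's answer to another, and the specific origin is echoed rather than *, which is also what keeps Access-Control-Allow-Credentials usable. The allowlist, the permitted methods and headers, and the sample requests are constructed for the example.

```python
"""Answering a CORS preflight from an allowlist (added example)."""
from typing import Dict, Optional, Tuple

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # constructed
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "x-request-id"}
MAX_AGE_SECONDS = 600


def preflight(req: Dict[str, str], allow_credentials: bool = True) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for an OPTIONS preflight.
    The browser enforces the outcome; the server only answers for origins
    it recognizes and states exactly what is permitted."""
    h = {k.lower(): v for k, v in req.items()}
    origin = h.get("origin")
    resp = {"Vary": "Origin"}  # always, so a cached answer is keyed by origin
    if origin is None or origin not in ALLOWED_ORIGINS:
        return 403, resp       # unknown origin: no Access-Control-* headers at all
    method = h.get("access-control-request-method", "").upper()
    if method not in ALLOWED_METHODS:
        return 403, resp
    requested = [x.strip().lower()
                 for x in h.get("access-control-request-headers", "").split(",") if x.strip()]
    if any(x not in ALLOWED_HEADERS for x in requested):
        return 403, resp
    resp.update({
        "Access-Control-Allow-Origin": origin,  # the specific origin, never "*" with credentials
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    })
    if allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return 204, resp


def actual_response_headers(origin: Optional[str], expose=("X-Request-Id",),
                            allow_credentials: bool = True) -> Dict[str, str]:
    """CORS headers for the actual (non-preflight) response: the browser
    only lets scripts read the listed headers beyond the default set."""
    resp = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Expose-Headers"] = ", ".join(expose)
        if allow_credentials:
            resp["Access-Control-Allow-Credentials"] = "true"
    return resp
```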

11. Validator response header

ETag: gives the tag of the current resource representation

Last-Modified: indicates the last modification time of the corresponding resource representation

12. Conditional (validation) request headers

Validation requests

If the cached response contains a Last-Modified header:

If-Unmodified-Since

If-Modified-Since

If-Range

If the cached response contains an ETag header:

If-None-Match

If-Match

If-Range

13. Cache-related headers

Age: the number of seconds that have elapsed since the response was sent from the origin server (or since the stale cache was revalidated) until the cached response is served

Cache-Control: cache control header

Cache-Control values in requests

max-age: tells the server that the client will not accept a cached response whose Age exceeds max-age seconds

max-stale: tells the server that when the cache is no longer fresh but has been stale for no more than max-stale seconds, the client is still willing to use it. If max-stale has no value, the client will use the cache no matter how long it has been expired

min-fresh: tells the server that the client will only use a cached response that will still be fresh for at least min-fresh seconds

no-cache: tells the server that the existing cache cannot be used directly as the response; it may be used only if the upstream server validates it with a conditional request and returns the matching response code

no-store: tells each proxy server not to cache the response to this request (in practice many proxy servers do not comply with this rule)

no-transform: tells proxy servers not to modify the content of the message body

only-if-cached: tells the server to return only a cached response; if there is no cached copy, a 504 error code is returned

Cache-Control values in responses

must-revalidate: tells the client that once the cache expires, it must validate with the server before using it

proxy-revalidate: similar to must-revalidate, but only applies to the shared caches of proxy servers

no-cache: tells the client that the cached response cannot be used directly; it must be validated with the origin server (304 response code) before use. If header names are specified after no-cache, the cache may be used directly as long as subsequent requests and responses do not contain those headers

max-age: tells the client that the cache expires once its Age exceeds max-age seconds

s-maxage: similar to max-age, but only for shared caches, and with higher priority than max-age and Expires

public: the response may be cached by both private caches and shared caches

private: the response must not be used as a shared cache by proxy servers. If header names are specified after private, the proxy server is told that those headers must not be cached, but the other parts may be

no-store: tells all downstream nodes not to cache the response

no-transform: tells proxy servers not to modify the content of the message body

14. Redirect header

Location: when the browser receives a redirect response code, it reads the value of the Location header, obtains the new URI and then navigates to it
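As an added example, not code from the original article, the following ties together the validators of section 11, the conditional headers of section 12 and the cache directives of section 13. `handle_conditional` is the origin side: it checks If-Match, If-None-Match and If-Modified-Since against the resource's ETag and Last-Modified and answers 412, 304 or 200. `cache_decision` is the cache side: it reads Cache-Control and Age from a stored response and decides whether it is still fresh or must be revalidated, returning the conditional headers to send upstream. The `Resource` and `CachedResponse` classes and the values in `demo()` are constructed for the example.

```python
"""Validators, conditional requests and cache freshness (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional, Tuple


@dataclass
class Resource:
    body: bytes
    etag: str                # strong entity-tag, e.g. '"v2"'
    last_modified: datetime  # timezone-aware, second resolution


@dataclass
class CachedResponse:
    headers: Dict[str, str]
    body: bytes
    received_at: datetime    # when this cache stored the response


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'max-age=60, no-cache, private="Set-Cookie"' -> directive dict."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"') or None
    return out


def handle_conditional(req: Dict[str, str], res: Resource) -> Tuple[int, Dict[str, str], bytes]:
    """Origin side. If-Match uses strong comparison; If-None-Match also
    accepts the weak form W/"tag" and, when present, takes precedence over
    If-Modified-Since (the RFC 7232 evaluation order)."""
    validators = {"ETag": res.etag,
                  "Last-Modified": format_datetime(res.last_modified, usegmt=True)}
    im = _get(req, "If-Match")
    if im is not None and im.strip() != "*" and res.etag not in [t.strip() for t in im.split(",")]:
        return 412, validators, b""
    inm = _get(req, "If-None-Match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        if inm.strip() == "*" or any(t in (res.etag, "W/" + res.etag) for t in tags):
            return 304, validators, b""
    else:
        ims = _get(req, "If-Modified-Since")
        if ims is not None:
            try:
                since = parsedate_to_datetime(ims)
            except (TypeError, ValueError):
                since = None  # malformed date: the condition is ignored
            if since is not None and since.tzinfo is not None and res.last_modified <= since:
                return 304, validators, b""
    return 200, validators, res.body


def cache_decision(cached: CachedResponse, now: datetime) -> Tuple[str, Dict[str, str]]:
    """Cache side: 'no-store', 'fresh' or 'revalidate', plus the
    conditional headers a revalidation request would carry."""
    cc = parse_cache_control(_get(cached.headers, "Cache-Control") or "")
    if "no-store" in cc:
        return "no-store", {}
    cond: Dict[str, str] = {}
    if _get(cached.headers, "ETag"):
        cond["If-None-Match"] = _get(cached.headers, "ETag")
    if _get(cached.headers, "Last-Modified"):
        cond["If-Modified-Since"] = _get(cached.headers, "Last-Modified")
    if "no-cache" in cc and cc["no-cache"] is None:
        return "revalidate", cond  # unqualified no-cache: always ask the origin first
    # current age = Age received from upstream + seconds spent in this cache
    age = int(_get(cached.headers, "Age") or 0) + int((now - cached.received_at).total_seconds())
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and age < int(max_age):
        return "fresh", cond
    return "revalidate", cond  # stale; with must-revalidate it is never served as-is


def demo() -> Dict[str, object]:
    """Constructed walk-through: a cached copy goes stale, the cache
    revalidates with If-None-Match, and the origin answers 304."""
    res = Resource(b"hello", '"v2"', datetime(2024, 1, 1, tzinfo=timezone.utc))
    stored = CachedResponse(
        headers={"Cache-Control": "max-age=60, must-revalidate", "Age": "10",
                 "ETag": res.etag,
                 "Last-Modified": format_datetime(res.last_modified, usegmt=True)},
        body=res.body, received_at=datetime(2024, 1, 2, 12, 0, 0, tzinfo=timezone.utc))
    fresh, _ = cache_decision(stored, datetime(2024, 1, 2, 12, 0, 30, tzinfo=timezone.utc))
    stale, cond = cache_decision(stored, datetime(2024, 1, 2, 12, 1, 0, tzinfo=timezone.utc))
    return {"after_30s": fresh, "after_60s": stale,
            "revalidation": handle_conditional(cond, res)[0],
            "changed": handle_conditional({"If-None-Match": '"v1"'}, res)[0],
            "if_match_fail": handle_conditional({"If-Match": '"v1"'}, res)[0]}
```

In `demo()` the stored copy arrived with Age 10 and max-age 60, so it is fresh 30 seconds later (current age 40) and stale 60 seconds later (current age 70); the cache then sends If-None-Match with the stored ETag and the origin, whose representation is unchanged, answers 304 so the cached body can be reused.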
