
How to implement HTTP/2 tools and applications based on Mac OS and Linux

2025-02-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)05/31 Report--

Today I will talk about how to set up and use HTTP/2 tools and applications on Mac OS and Linux, a topic many people are not very familiar with. To make it easier to follow, the editor has summarized the contents below; I hope you get something out of this article.

Because the range of environments is too wide, the tools and applications below are explained only for Mac OS and Linux.

I. Overview of the software needed to build an HTTP/2 environment

The software to install is listed below (Mac users should install with Homebrew; the Mac installation command is shown in parentheses).

curl (brew install curl --with-nghttp2)

Linux installation

wget https://curl.haxx.se/download/curl-7.48.0.tar.gz

tar xvf curl-7.48.0.tar.gz && cd curl-7.48.0

Then run the following commands, log out and back in once, and the build succeeded if curl -V reports version 7.48:

$ ./configure --with-nghttp2=/usr/local --with-ssl
$ make
$ sudo make install
$ ldconfig
$ /usr/local/bin/curl -V

Nghttp2 (brew install nghttp2)

Installation URL

sudo apt-get install g++ make binutils autoconf automake autotools-dev libtool pkg-config \
    zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev libevent-dev libjansson-dev \
    libjemalloc-dev cython python3-dev python-setuptools

Those are the build dependencies; once they are installed you can compile:

$ autoreconf -i
$ automake
$ autoconf
$ ./configure
$ make
$ sudo make install

Nginx (brew install nginx-devel)

Linux installation

Edit /etc/apt/sources.list with vim

Add the following two lines, where $codename is looked up on the nginx site; for example, Ubuntu 14.04 is trusty:

deb http://nginx.org/packages/mainline/ubuntu/ $codename nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ $codename nginx

Then sudo apt-get update && sudo apt-get install nginx installs the latest nginx with HTTP/2 support.

Apache (brew install httpd24 --with-http2) [this article focuses on nginx]

Linux installation

II. Certificates

1. Self-signed

Open the provided Demo folder, open the /keys path in a terminal, and run ./ca.sh http2test.com. You can also generate certificates for other domain names or for wildcard domains (*.xx.com). Note: you can also skip generating a certificate and directly use the http2test.com certificate provided in the keys folder.

Let's Encrypt

The official Let's Encrypt website explains how to issue a certificate once nginx is running.

Steps:

First clone the code: git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt

Then ./letsencrypt-auto --help performs some initialization and lists the supported commands.

For example, suppose my web directory is ~/www. This step requires that the server is already up and that the content in ~/www is reachable through example.com. If it is a dynamic website, add a mapping in nginx so that /.well-known/acme-challenge points at the directory you just chose, that is, ~/www:

location /.well-known/acme-challenge {
    root /home/$username/www;
}

(If nginx is not yet set up, complete the nginx section below first and then come back to this step.) Run ./letsencrypt-auto certonly --webroot -w ~/www -d example.com, where example.com is the domain name you want the certificate for; the certificate is then issued.

Then set the certificate paths in nginx:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Then sudo nginx -t && sudo nginx -s reload and the site is served with the new certificate.

III. Basic tools

Curl

The basic usage of curl is:

curl -v -o /dev/null --http2 http://nghttp2.org

The reason for using http:// rather than https:// is that HTTP/2 cleartext (h2c) mode is used here: the client sends an Upgrade header and the server answers 101 Switching Protocols to negotiate the upgrade to HTTP/2.

* Connected to nghttp2.org (106.186.112.116) port 80 (#0)
> GET / HTTP/1.1
> Host: nghttp2.org
> User-Agent: curl/7.48.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQAAP__
>
< HTTP/1.1 101 Switching Protocols
< Connection: Upgrade
< Upgrade: h2c
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=21
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 200
< date:Sun, 10 Apr 2016 16:52:43 GMT
< content-type:text/html
< content-length:6646
< last-modified:Sun, 03 Apr 2016 06:53:14 GMT
< etag:"5700bdda-19f6"
< link:; rel=preload; as=stylesheet
< accept-ranges:bytes
< x-backend-header-rtt:0.000625
< server:nghttpx nghttp2/1.10.0-DEV
< via:2 nghttpx
< x-frame-options:SAMEORIGIN
< x-xss-protection:1; mode=block
< x-content-type-options:nosniff

By contrast, a server that does not support h2c ignores the Upgrade header and simply answers over HTTP/1.1:

> GET / HTTP/1.1
> Host: mail.qq.com
> User-Agent: curl/7.48.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQAAP__
>
< HTTP/1.1 302 Found
< Server: TWS
< Connection: close
< Date: Sun, 10 Apr 2016 16:58:48 GMT
< Content-Type: text/html; charset=GB18030
< Location: https://mail.qq.com/cgi-bin/loginpage
< Content-Length: 0

Under Protocol -> SSL, set the key log file to a readable file path, then export the same path in your shell environment (on Mac, ~/.bash_profile):

export SSLKEYLOGFILE=<the path configured above>
source ~/.bash_profile
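The capture above shows the two headers that do the h2c negotiation: Upgrade: h2c and HTTP2-Settings, whose value is the base64url-encoded body of the client's first SETTINGS frame. The following Python is an added example, not code from the article or from curl; it decodes the exact HTTP2-Settings value seen in the capture, builds the same upgrade request, and checks whether a response head actually accepted the upgrade (a 101 with Upgrade: h2c) or, as with the 302 above, left the connection on HTTP/1.1. The sample response heads are constructed for the example.

```python
import base64
import struct

# HTTP/2 SETTINGS parameter identifiers (RFC 7540, section 6.5.2).
SETTINGS_NAMES = {
    0x1: "SETTINGS_HEADER_TABLE_SIZE",
    0x2: "SETTINGS_ENABLE_PUSH",
    0x3: "SETTINGS_MAX_CONCURRENT_STREAMS",
    0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
    0x5: "SETTINGS_MAX_FRAME_SIZE",
    0x6: "SETTINGS_MAX_HEADER_LIST_SIZE",
}
SETTINGS_IDS = {name: ident for ident, name in SETTINGS_NAMES.items()}

# Constructed sample response heads: one server accepts the upgrade, one does not.
RESPONSE_H2C = (b"HTTP/1.1 101 Switching Protocols\r\n"
                b"Connection: Upgrade\r\nUpgrade: h2c\r\n\r\n")
RESPONSE_NO_H2C = (b"HTTP/1.1 302 Found\r\nServer: TWS\r\nConnection: close\r\n"
                   b"Location: https://example.invalid/\r\nContent-Length: 0\r\n\r\n")


def decode_http2_settings(value):
    """Decode an HTTP2-Settings header value (base64url, padding stripped) into a
    {setting_name: int} dict. The payload is a SETTINGS frame body: a sequence of
    16-bit identifier / 32-bit value pairs in network byte order."""
    padded = value + "=" * (-len(value) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    settings = {}
    for offset in range(0, len(raw), 6):
        ident, val = struct.unpack("!HI", raw[offset:offset + 6])
        settings[SETTINGS_NAMES.get(ident, "UNKNOWN_%d" % ident)] = val
    return settings


def encode_http2_settings(settings):
    """Inverse of decode_http2_settings: base64url without '=' padding, as the
    HTTP2-Settings header requires."""
    raw = b"".join(struct.pack("!HI", SETTINGS_IDS[name], val)
                   for name, val in settings.items())
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def build_h2c_upgrade_request(host, path="/", settings=None):
    """Build the HTTP/1.1 request that asks for an upgrade to cleartext HTTP/2,
    with the same default settings curl advertised in the capture."""
    if settings is None:
        settings = {"SETTINGS_MAX_CONCURRENT_STREAMS": 100,
                    "SETTINGS_INITIAL_WINDOW_SIZE": 65535}
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Connection: Upgrade, HTTP2-Settings",
        "Upgrade: h2c",
        "HTTP2-Settings: %s" % encode_http2_settings(settings),
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def upgrade_accepted(response_head):
    """True only for a 101 whose Upgrade header names h2c; anything else (for
    example the 302 from a server without h2c support) keeps HTTP/1.1."""
    lines = response_head.decode("iso-8859-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if len(status_parts) < 2 or status_parts[1] != "101":
        return False
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip().lower()
    return headers.get("upgrade") == "h2c" and "upgrade" in headers.get("connection", "")


if __name__ == "__main__":
    print(decode_http2_settings("AAMAAABkAAQAAP__"))
    print(build_h2c_upgrade_request("nghttp2.org").decode())
    print("accepted:", upgrade_accepted(RESPONSE_H2C), upgrade_accepted(RESPONSE_NO_H2C))
```

The value AAMAAABkAAQAAP__ from the capture decodes to SETTINGS_MAX_CONCURRENT_STREAMS=100 and SETTINGS_INITIAL_WINDOW_SIZE=65535. Note that an h2c upgrade carries no TLS at all, so it is only appropriate for testing or for trusted internal networks; the HTTPS-based setup in the rest of the article is what a production deployment should use.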

Launch Firefox or Chrome from the terminal so that the process picks up the SSLKEYLOGFILE environment variable:

open -a Google\ Chrome

The limitation of this method is that it only works on the computer running the browser, and only with Chrome and Firefox.

Another method is to configure the server's RSA private key. Its limitations are that many key-exchange methods are not supported (it only works for RSA key exchange), and the complete TLS handshake must be recorded, so start capturing before opening the browser.

Once decryption is configured, open the newly started HTTP/2 demo in a browser, https://http2test.com/examples/dashboard/, then type http2 in the filter box and press Enter to see the filtered HTTP/2 packets.

Fiddler

Fiddler decrypts HTTPS using a man-in-the-middle approach: the client connects to the Fiddler proxy, and the proxy in turn connects to the website on the client's behalf. For this to work you need to install Fiddler's root certificate and enable HTTPS decryption.

Fiddler generates a different root certificate on each machine, so be sure to install the certificate through Fiddler's own configuration page (after configuring the proxy, open http://ipv4.fiddler:8888 and click FiddlerRoot Certificate in the figure to download and install it).

For iOS and some newer Android versions, certain fields in the certificate are required; there are two ways to satisfy this:

(1) use the settings shown in the figure (tested and working on iOS 9)

(2) install and use the Fiddler CertMaker plug-in

Next, one point worth introducing is FiddlerScript, a very powerful feature. If you want to apply the earlier HTTP debugging method to HTTPS, you need these settings. I will keep updating the Fiddler debugging section, so please bookmark it. Setting HTTPS -> HTTP and HTTPS -> File in a Willow rule takes effect.

If you need HTTPS -> HTTPS or HTTPS -> HTTP, you can use the method linked above, or set oSession["x-replywithtunnel"] = "FakeTunnel":

if (oSession.HostnameIs("app.yourdomain.com")) {
    // Handle CONNECT tunnels
    if (oSession.HTTPMethodIs("CONNECT")) {
        oSession["x-replywithtunnel"] = "FakeTunnel";
        return;
    }
    oSession.fullUrl = "http://somedomain:someport" + oSession.PathAndQuery;
}

IV. SSL/TLS tips

1. Using certificates to improve performance

First, let's take a look at the locally built HTTPS services:

The first case is the same IP but different domain names using different certificates: the domain in the first picture is http2test.com and the domain in the second picture is http2.icese7en.com, and they use different certificates. You can see that the TCP Stream column shows different stream numbers (the same stream number means the requests share one TCP connection).

The second case is the same IP with different domain names but the same certificate: the domain in the first picture is cdn1.http2test.com, the domain in the second picture is cdn2.http2test.com, and the certificate they use (third picture) is the wildcard *.http2test.com. Their TCP Stream number is 30 for both, so the same TCP connection is reused.

So, can this optimization also be applied when the domain names differ entirely, not just as subdomains? Yes: through the subjectAltName extension, one certificate can cover multiple different domain names, as in Google's certificate:

But the certificate is very expensive--
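The rule behind the two captures above is that a client may reuse one TLS/HTTP/2 connection for a second hostname only when that hostname resolves to the same IP address and the certificate already presented is valid for it. The Python below is an added example, not the article's code; it implements subjectAltName matching (including the single-label wildcard rule that makes *.http2test.com cover cdn1.http2test.com but not http2test.com itself) and groups a list of hostnames into the connections a client could share. The DNS table and SAN list are constructed for the example.

```python
def san_matches(san, hostname):
    """RFC 6125-style match: exact match, or a wildcard in the left-most label
    only, matching exactly one label. So *.http2test.com covers
    cdn1.http2test.com but not http2test.com or a.b.http2test.com."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def cert_covers(san_list, hostname):
    """True if any subjectAltName entry in the certificate is valid for hostname."""
    return any(san_matches(san, hostname) for san in san_list)


def plan_connections(hostnames, resolve, san_list):
    """Group hostnames into the TLS connections a client could share.
    Two names share a connection only when they resolve to the same IP and the
    one certificate (given by san_list) is valid for both; any name the
    certificate does not cover gets a connection of its own."""
    groups = {}
    for host in hostnames:
        ip = resolve(host)
        key = (ip, "shared") if cert_covers(san_list, host) else (ip, host)
        groups.setdefault(key, []).append(host)
    return list(groups.values())


# Constructed sample mirroring the local demo: all three names point at one
# server, but the wildcard certificate only covers the http2test.com subdomains.
DEMO_DNS = {
    "cdn1.http2test.com": "192.0.2.10",
    "cdn2.http2test.com": "192.0.2.10",
    "http2.icese7en.com": "192.0.2.10",
}
DEMO_SANS = ["*.http2test.com"]


if __name__ == "__main__":
    for group in plan_connections(list(DEMO_DNS), DEMO_DNS.get, DEMO_SANS):
        print("one connection for:", ", ".join(group))
```

With the demo data this yields one shared connection for cdn1 and cdn2 and a separate one for http2.icese7en.com, which is exactly the difference between the two captures. Adding http2.icese7en.com to the certificate's subjectAltName list would let all three share a connection.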

2. Using SSL/TLS to improve security

HSTS (HTTP Strict Transport Security)

HSTS mainly addresses the following problems:

There is no way to know whether a website supports TLS: for example, on a first connection without an explicit scheme, the browser tries http first, which is a security risk. With HSTS enabled, after the first visit to the domain the browser automatically forces HTTPS.

Tolerance of certificate problems: without HSTS, a certificate error only produces a warning the user can click through. With HSTS enabled, access is refused.

Mixed-content problems: with HSTS enabled, non-HTTPS resources under the same domain on an HTTPS page are automatically upgraded to HTTPS.

To enable HSTS, the server only needs to return the following header in a response (HSTS does not apply to hosts addressed by IP):

Strict-Transport-Security: max-age=31536000 [; includeSubDomains] [; preload]
# includeSubDomains extends HSTS to subdomains, but assess whether that has side effects first.

Within the time given by max-age the browser accesses the site over HTTPS automatically. To turn HSTS off, simply return max-age=0.

Be careful

The first visit to an HSTS site can still be hijacked; the impact can be mitigated with HSTS preload (you need to apply for inclusion in each browser's preload list).

HSTS time is computed from the local clock, so if the client's clock is tampered with the HSTS policy may expire and be bypassed.

Quote from some experience sharing about enabling HTTPS (1)

Do not enable HTTPS unless you are sure you can provide it forever. Once HSTS takes effect, if you want to move the site back to HTTP, old users will be redirected indefinitely, and the only way out is to change the domain name.

CSP (Content Security Policy)

CSP is a declarative security mechanism originally designed to prevent XSS (cross-site scripting). For example, CSP can completely prohibit execution of inline JavaScript and control which external JavaScript files may be executed.

Content-Security-Policy: default-src 'self'; img-src *; script-src scripts.example.com

The CSP policy above allows resources from the site's own origin by default, allows images from any URL, and allows external scripts only from scripts.example.com.

Content-Security-Policy: default-src https: 'unsafe-inline' 'unsafe-eval'; connect-src https:

The CSP policy above allows resources from any URL by default as long as it is HTTPS, and enables inline JS and eval (which CSP prohibits by default). connect-src restricts Ajax requests to HTTPS only. (For enabling inline JS selectively, see Content Security Policy Level 2.)

CSP reporting

With the report-uri directive, violations of the CSP policy are reported to the given CGI endpoint.
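To make the HSTS and CSP sections above concrete, the following Python is an added example (not the article's code) that parses the two headers and flags the weaknesses the text discusses: a max-age of 0 or under a year, missing includeSubDomains or preload, a script policy that permits 'unsafe-inline' or 'unsafe-eval', and a policy with no report-uri so violations would never be seen. It is applied to the two policies quoted above plus a constructed set of response headers; this is a header review helper, not a scanner.

```python
ONE_YEAR = 31536000


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict whose
    keys are lower-cased directive names; valueless directives map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def assess_hsts(value):
    d = parse_hsts(value)
    findings = []
    if "max-age" not in d or not str(d["max-age"]).isdigit():
        findings.append("missing or invalid max-age")
    else:
        max_age = int(d["max-age"])
        if max_age == 0:
            findings.append("max-age=0 switches HSTS off")
        elif max_age < ONE_YEAR:
            findings.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    if "preload" not in d:
        findings.append("preload not set (first visit still hijackable)")
    return findings


def parse_csp(value):
    """Split a CSP into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_csp(value):
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when it is absent.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append("inline scripts allowed")
    if "'unsafe-eval'" in script_sources:
        findings.append("eval allowed")
    if "*" in script_sources:
        findings.append("scripts allowed from any origin")
    if "report-uri" not in policy:
        findings.append("no report-uri, violations will not be reported")
    return findings


def assess_headers(headers):
    """headers: dict of response header name -> value. Returns {header: findings}."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, assess in (("strict-transport-security", assess_hsts),
                         ("content-security-policy", assess_csp)):
        report[name] = assess(lower[name]) if name in lower else ["header missing"]
    return report


# Constructed sample response headers for the demo.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src *; script-src scripts.example.com",
}

if __name__ == "__main__":
    for header, findings in assess_headers(SAMPLE_HEADERS).items():
        print(header, "->", findings or "ok")
    print(assess_csp("default-src https: 'unsafe-inline' 'unsafe-eval'; connect-src https:"))
```

Run against the article's second policy, the helper reports inline scripts and eval as allowed because script-src is absent and inherits those keywords from default-src, which is the point the text makes about CSP prohibiting them by default.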

After reading the above, do you have a better understanding of how to use HTTP/2 tools and applications on Mac OS and Linux? If you want to learn more, please follow the industry information channel. Thank you for your support.
