Differences between HTTP Request Response Process and HTTPS
HTTP Protocol notes
The main application of HTTP protocol is between the server and the client, and the client accepts hypertext.
The communication protocol that the server sends to the client (usually a browser) according to certain rules. Similarly, there are also file transfer protocols (FTP) and simple mail ttransfer protocols (SMTP.
HTTP is an application layer protocol in the layer-7 network model. It consists of sending requests and receiving responses. It is a standard client server model. At the same time, HTTP is a stateless protocol. That is to say, the connection status cannot be determined through a single state. Therefore, sometimes communications between computers need to work together through other protocols to provide support.
Features of HTTP
Compared with other network transmission protocols, HTTP has its own characteristics, which also supports the basic functions of HTTP.
(1) Based on the B/S mode, that is, the customer/Server mode. At the same time, it can provide login authentication and secure transmission between networks. For example, adding an SSL layer under HTTP can provide secure HTTPS services.
(2) low communication overhead, simple and fast, and low transmission cost. When the server requests certain services, the viewer usually only needs to add the Request Path and method in the request message. This is the most common scenario, such as GET, HEAD, and POST.
Each request method has its own applicability. In the request message, rules are used to illustrate the types of communication between users and Web servers. At the same time, HTTP protocol rules are relatively simple, so the system using HTTP servers, code and program scale are relatively lightweight, but the communication speed is relatively high.
(3) Flexible Use: hypertext protocol allows servers and clients to transmit data objects of any type or any data structure. In addition, a simple header information, such as marking the Type being transferred by Content-Type, can be separated.
(4) Saving transmission time: the original version of HTTP uses non-persistent connections and only allows sending and processing a connection. When the request response is complete, that is, the server completes the client request, after receiving a response from the client browser, the connection is immediately disconnected. With this feature, the communication mode saves a lot of time for data transmission and waiting for response, and the time cost becomes very small.
At the same time, HTTP 1.1 supports persistent connections for higher versions of HTTP: Multiple objects can be transmitted through a single connection, without the need to create a new connection each time a web object is transmitted.
(5) transmission efficiency may be affected. Stateless: HTTP is a stateless protocol. Stateless. If the Protocol does not have a memory mechanism for transaction processing and the processing progress cannot be stored, in this case, if subsequent operations require the previous processing information, you need to re-Send the object that must be re-transmitted, the consequence is that the operation can be completed only after multiple connections, and the data volume increases accordingly. "On the server side, each HTTP request must be processed by an independent thread. Reducing the number of Http requests can effectively improve access performance (large-scale website Technical Architecture · Li smart )".
How HTTP works
Generally, the HTTP protocol works well. A user initiates a request to the server through a client, creates a TCP connection, and specifies the port number. The default value is 80, and then connects to the server. Listen to browser requests on that port. Once a client request is listened to and the type of request is analyzed, the server returns a response to the client, for example, "HTTP/1.0 404 OK", with specific data content returned, such as requested resources, error codes, and other status information.
HTTP Request Message
When a browser sends a request to the server to the Web server, it sends a data block or request information,
HTTP request information includes three parts:
Request Method URI protocol/version;
Request Header );
Request body;
The following is an example of an HTTP request:
GET/test. jsp HTTP/1.1
Accept: image/test. image/jpeg ,*/*
Accept-Language: zh-cn
Connection: Keep-Alive
Host: 222.35.232.103
User-Agent: Ila ila/5.0 (compatible; MSIE5.01; Window NT5.0)
Accept-Encoding: gzip, deflate
Username = bkjia & password = bkjia
(1) Request Method URI protocol/version
The first line of the request is "method/content URL protocol/Protocol version name ":
GET/test. jsp HTTP/1.1
In the above Code, "GET" indicates the request method. "/test. jsp" indicates network resources, spaces in the middle, and the version of the protocol and protocol.
According to HTTP standards, HTTP requests can use a variety of different request methods. For example, HTTP1.1 supports seven request methods (also called "actions"): GET, POST, HEAD, OPTIONS, PUT, DELETE, and TARCE. In daily development, GET and POST are the most common methods, mainly in related Web development.
The URL path specifies the network resource to be accessed. In general, what we need is a relative path. Because we can determine the resource location and know the path of the network resource to the root directory of the server, we can start. At the end of the header information, the version used for the HTTP protocol version during communication is declared.
Note that the method name is case sensitive. In some cases, the resource for a request may not support the corresponding request method, and the response will be given through different status codes. For example, the server returns a status code 405 (the method is not allowed). When the request server or method does not understand and does not support the corresponding time, it returns a status code 501 (not implemented ).
(2) Request Header)
The request header contains information about the customer's environment and request content. For example, the request header can declare the browser kernel, language usage, and request length.
Accept: image/test. image/jpeg .*/*
Accept-Language: zh-cn
Connection: Keep-Alive
Host: 222.35.232.103
User-Agent: Ila ila/5.0 (compatible: MSIE5.01: Windows NT5.0)
Accept-Encoding: gzip, deflate.
(3) Request body
The request body and request header must have blank lines. This blank line must exist, indicating that the request header transmission is completed and the Body request is transmitted. The request body usually contains a lot of information, such as the user name and password submitted by the user. The login information is userlogin = bkjia & currentpwd = bkjia.
In real applications, the request body of the Protocol can contain a large amount of information, rather
The request body contains only one simple row of data.
HTTP response packets
Similar to request packets, HTTP response consists of three parts:
(1) Protocol Status version Code Description
(2) Response Header)
(3) response body
The following is an example of an HTTP response:
HTTP/1.1 200 OK
Server: Apache Tomcat/7.0.1
Date: Mon, 6Oct2014 13:23:42 GMT
Content-Length: 102
<Html>
<Head>
<Title> HTTP Response file <title>
</Head>
<Body>
This is an HTTP Response file!
</Body>
</Html>
The client sends a request to the server. Similar to the request message, the server returns the response in the status line.
Response packets include the version, result code, and other necessary information of the HTTP protocol, such as entity information. Different Response types allow or exclude entity content in response packets.
The HTTP response packet starts with a status line. For more information, see the sample code.
The response header is the packet header, which contains important information like the request header. In this example, we can see the date and time, server type, content length, and quantity.
Differences from HTTPS protocol
Https is an SSL/TLS-based Http protocol. All http data is transmitted over the SSL/TLS protocol encapsulation.
Based on the Http protocol, SSL/TLS handshakes and encrypted data transmission are added to the Https protocol, which is also an application layer protocol.
--> The HTTP protocol runs on TCP. All transmitted content is in plain text, and the client and server cannot verify the identity of the other party.
--> HTTPS is the HTTP protocol running on SSL/TLS, and SSL/TLS runs on TCP. All transmitted content is encrypted and symmetric encryption is used. However, the symmetric encryption key is asymmetric encryption with the server certificate.
Asymmetric encryption, symmetric encryption, and HASH algorithms are used in TLS/SSL.
The handshake process is described as follows:
1. the browser sends a set of encryption rules that it supports to the website.
2. The website selects a set of encryption algorithms and HASH algorithms, and sends the identity information to the browser in the form of a certificate. The certificate contains the website address, the encrypted public key, and the certificate authority.
3. After obtaining the website certificate, the browser should do the following:
A) verify the validity of the certificate (whether the certificate issuing authority is legal, whether the website address contained in the certificate is consistent with the address being accessed). If the certificate is trusted, A small lock header is displayed in the browser bar. Otherwise, a message indicating that the certificate is untrusted is displayed.
B) if the certificate is trusted or the user accepts the untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.
C) use the agreed HASH to calculate the handshake message, encrypt the message using the generated random number, and finally send all the previously generated information to the website.
4. After the website receives data from the browser, perform the following operations:
A) use your own private key to decrypt the information and retrieve the password, use the password to decrypt the handshake message sent by the browser, and verify that the HASH is consistent with the one sent by the browser.
B) Use the password to encrypt a handshake message and send it to the browser.
5. the browser decrypts and computes the HASH of the handshake message. If it is consistent with the HASH sent by the server,
At this point, the handshake process ends, and all the communication data will be encrypted by the random password generated by the browser and using the symmetric encryption algorithm.
Here, the browser and the website send and verify encrypted handshake messages to ensure that both parties have obtained the same password and can encrypt and decrypt data normally, perform a test for subsequent real data transmission.
HTTPS generally uses the following encryption and HASH algorithms:
Asymmetric encryption algorithms: RSA, DSA/DSS
Symmetric encryption algorithms: AES, RC4, 3DES
HASH Algorithm: MD5, SHA1, SHA256
The asymmetric encryption algorithm is used to encrypt the generated password during the handshake process. The symmetric encryption algorithm is used to encrypt the actually transmitted data, while the HASH algorithm is used to verify the data integrity.
Because the password generated by the browser is the key to data encryption, asymmetric encryption is used during transmission.
Asymmetric encryption algorithms generate public keys and private keys. The public keys can only be used to encrypt data. Therefore, they can be transmitted at will. The private keys of websites are used to decrypt data, therefore, the website will be very careful to keep its own private key to prevent leakage.
If any error occurs during the TLS handshake, the encrypted connection is disconnected, thus blocking the transmission of private information.
This article permanently updates the link address: