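Summary: the ab load-testing tool, the curl client, HTTP status codes, and how HTTPS is implemented
The ab load-testing tool
Load-testing tools for httpd; this section mainly covers ab.
ab [OPTIONS] URL (from the httpd-tools package)
Options:
-n: total number of requests
-c: number of concurrent requests to simulate
-k: test in persistent-connection (keep-alive) mode
ulimit -n # adjust the number of files that can be opened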
$ ab -c 100 -n 2000 http://192.168.1.8/huge.txt
Server Software: Apache
Server Hostname: 172.20.114.173
Server Port: 80
Document Path: /index.html
Document Length: 27 bytes
Concurrency Level: 100
Time taken for tests: 0.582 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 272000 bytes
HTML transferred: 27000 bytes
Requests per second: 1718.83 [#/sec] (mean)
Time per request: 58.179 [ms] (mean)
Time per request: 0.582 [ms] (mean, across all concurrent requests)
Transfer rate: 456.57 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 6 27.6 3 361
Processing: 5 50 105.8 17 387
Waiting: 1 49 105.4 17 387
Total: 12 56 108.6 22 393
Percentage of the requests served within a certain time (ms)
50% 22
66% 23
75% 24
80% 24
90% 29
95% 384
98% 389
99% 390
100% 393 (longest request)
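When testing with ab on a typical system, the concurrency generally cannot exceed 1024. This is because the system limits each process to a maximum of 1024 open files; use ulimit -a to check the limit.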
curl
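curl is a file-transfer tool that works on the command line using URL syntax. It supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, LDAP and other protocols. curl supports HTTPS authentication, HTTP methods such as POST and PUT, FTP upload, Kerberos authentication, HTTP upload, proxy servers, cookies, user name/password authentication, resuming interrupted downloads and uploads, HTTP proxy tunneling, IPv6, SOCKS5 proxy servers, uploading files to an FTP server through an HTTP proxy, and more.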
$ curl -I 192.168.1.8
$ curl -v 192.168.1.8
$ curl -A "ie20" 192.168.1.8
$ curl -e "www.baidu.com" 192.168.1.8
$ curl http://192.168.1.8/f1.sh -O
$ curl http://192.168.1.8/f1.sh -o f11.sh
$ curl http://192.168.1.8/f1.sh |bash
$ curl -c cookie.txt 192.168.1.8/setcookie.php
$ cat cookie.txt
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
192.168.1.8 FALSE / FALSE 0 title ceo
192.168.1.8 FALSE / FALSE 1529553543 name wang
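The columns of the cookie.txt file above are, in order: domain, include-subdomains flag, path, Secure flag, expiry time (0 means a session cookie), name and value. The following is an added example, not part of the original article, that reads a curl cookie jar and reports each cookie's lifetime and whether it lacks the Secure or HttpOnly marking; the function names and the third sample line (`sid`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a curl cookie jar (Netscape format, tab-separated).
# Fields: domain, include-subdomains, path, secure, expiry, name, value.

audit_cookie_jar() {
    # $1 = cookie jar path. Prints: name <TAB> session|persistent <TAB> findings
    awk -F '\t' '
        # curl marks HttpOnly cookies with a "#HttpOnly_" prefix on the line
        /^#HttpOnly_/ { httponly = 1; sub(/^#HttpOnly_/, "") }
        # remaining "#" lines are comments; short lines are blank or malformed
        /^#/ || NF < 7 { httponly = 0; next }
        {
            life = ($5 == 0) ? "session" : "persistent"
            f = ""
            if ($4 != "TRUE") f = f "no-Secure,"
            if (!httponly)    f = f "no-HttpOnly,"
            sub(/,$/, "", f)
            print $6 "\t" life "\t" (f == "" ? "ok" : f)
            httponly = 0
        }' "$1"
}

make_sample_jar() {
    # First two cookies mirror the cookie.txt shown above; the third is constructed.
    printf '# Netscape HTTP Cookie File\n'
    printf '192.168.1.8\tFALSE\t/\tFALSE\t0\ttitle\tceo\n'
    printf '192.168.1.8\tFALSE\t/\tFALSE\t1529553543\tname\twang\n'
    printf '#HttpOnly_192.168.1.8\tFALSE\t/\tTRUE\t0\tsid\tconstructed\n'
}

jar=$(mktemp)
make_sample_jar > "$jar"
audit_cookie_jar "$jar"
rm -f "$jar"
```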
HTTP protocol
Simulating an HTTP request message
$ telnet 192.168.1.8 80
Trying 192.168.1.8...
Connected to 192.168.1.8.
Escape character is '^]'.
GET /index.html HTTP/1.1
host: 2.2.2.2 // press Enter twice to submit the request
HTTP/1.1 200 OK
Date: Thu, 21 Jun 2018 06:37:23 GMT
Server: Apache
Last-Modified: Thu, 21 Jun 2018 06:28:49 GMT
ETag: "11-56f210742b912"
Accept-Ranges: bytes
Content-Length: 17
Content-Type: text/html; charset=UTF-8
welcome to hong~
Viewing the status of an HTTP response message with curl -I URL
$ curl -I 192.168.1.8
HTTP/1.1 200 OK
Date: Thu, 21 Jun 2018 06:19:20 GMT
Server: Apache
Last-Modified: Wed, 20 Jun 2018 15:29:42 GMT
ETag: "e-56f1477b8b86d"
Accept-Ranges: bytes
Content-Length: 14
Content-Type: text/html; charset=UTF-8
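Tools for inspecting or analysing the protocol: tcpdump, wireshark, tshark
HTTP status codes
The common code ranges are:
1xx: 100-101 informational
2xx: 200-206 success
3xx: 300-305 redirection
4xx: 400-415 errors, client side
5xx: 500-505 errors, server side
Status codes in detail:
200: Success; the requested data is sent in the entity-body of the response message; OK
301: The resource the requested URL pointed to has been removed, but the Location header in the response gives the resource's new location; Moved Permanently
302: The Location header in the response gives the resource's temporary new location; Moved Temporarily
304: The client sent a conditional request, but the resource on the server has not changed, so the server returns this status code to tell the client; Not Modified
401: An account and password must be supplied before the resource can be accessed; Unauthorized
403: The request is forbidden; Forbidden
404: The server cannot find the resource the client requested; Not Found
500: Internal server error; Internal Server Error
502: The proxy server received a bogus response from the backend server, for example when it cannot connect to the gateway; Bad Gateway
503: Service unavailable; the server is temporarily under maintenance or overloaded and cannot handle the request
504: Gateway timeout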
Cookie
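HTTP is a stateless protocol: the protocol itself does not keep the communication state between requests and responses. In other words, at the HTTP level the protocol does not persist requests or responses that have already been sent. HTTP was deliberately designed to be this simple so that it can process large numbers of transactions quickly and remain scalable. As the Web developed, however, many services needed to keep communication state, so cookies were introduced.
State management with cookies
Cookies control client state by writing cookie information into request and response messages. A header field called Set-Cookie in the server's response tells the client to store the cookie. The next time the client sends a request to that server, it automatically adds the cookie value to the request. When the server sees the cookie sent by the client, it checks which client the connection came from, compares it against the records on the server, and recovers the earlier state.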
$ yum install php
$ cd /var/www/html
$ vim setcookie.php
<?php
setcookie("title",'ceo');
setcookie("name",'wang',time()+86400);
?>
$ systemctl restart httpd
$ curl -v 192.168.1.8/setcookie.php
* About to connect() to 192.168.1.8 port 80 (#0)
* Trying 192.168.1.8...
* Connected to 192.168.1.8 (192.168.1.8) port 80 (#0)
> GET /setcookie.php HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.1.8
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 21 Jun 2018 06:40:31 GMT
< Server: Apache
< X-Powered-By: PHP/5.4.16
< Set-Cookie: title=ceo
< Set-Cookie: name=wang; expires=Fri, 22-Jun-2018 06:40:32 GMT
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 192.168.1.8 left intact
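HTTPS
- https: HTTP over SSL
- Simplified SSL session process
  The client sends the encryption methods it can use and requests the server's certificate
  The server sends its certificate and the chosen encryption method to the client
  The client obtains the certificate and verifies it. If it trusts the CA that issued the certificate, it will:
    verify the legitimacy of the certificate's origin: decrypt the digital signature on the certificate with the CA's public key
    verify the legitimacy of the certificate's content: integrity check
    check the certificate's validity period
    check whether the certificate has been revoked
    check that the owner name in the certificate matches the target host being accessed
  The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange
  The server uses this key to encrypt the resources the user requested and returns them to the client
- Note: SSL is implemented on an IP-address basis; a host with a single IP can serve only one HTTPS virtual host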
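The client-side verification steps listed above (issuer signature, validity period, host name) can be reproduced with the openssl command line. This is an added example, not part of the original article: the throwaway CA, the file names (ca.pem, srv.crt) and the function names are assumptions, and the revocation check is not covered because it needs a CRL or OCSP responder.

```shell
#!/bin/sh
# Added example: build a throwaway CA and server certificate in a temp dir,
# then run the checks a TLS client performs on the server certificate.

make_lab() {
    # $1 = empty directory; creates ca.pem and a CA-signed srv.crt for www.httpd.com
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -days 30 -subj "/CN=ca.httpd.com" 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
          -subj "/CN=www.httpd.com" 2>/dev/null
      openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -out srv.crt -days 7 2>/dev/null )
}

check_cert() {
    # $1 = trusted CA file, $2 = server certificate, $3 = host name being visited
    # Prints the first failed check, or "ok".
    # 1. Signature chains to a trusted CA (also rejects tampered content).
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "untrusted-issuer-or-bad-signature"; return 1; }
    # 2. Certificate has not expired as of now.
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "expired"; return 1; }
    # 3. Name in the certificate matches the host being accessed.
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' ||
        { echo "name-mismatch"; return 1; }
    echo "ok"
}

lab=$(mktemp -d)
make_lab "$lab"
check_cert "$lab/ca.pem" "$lab/srv.crt" www.httpd.com
check_cert "$lab/ca.pem" "$lab/srv.crt" 192.168.1.8
rm -rf "$lab"
```

The second call reports a name mismatch, which is why the article later adds a hosts entry for www.httpd.com instead of browsing to the IP address.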
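Lab: simulating the HTTPS setup process
On the HTTPS server: create an ssl directory to hold the certificate-related files, then send the certificate request file and wait for the CA to send back the httpd.cert certificate.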
$ mkdir /etc/httpd/conf.d/ssl
$ cd /etc/httpd/conf.d/ssl
$ (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.....................................................++++++
...........................++++++
e is 65537 (0x10001)
$ openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:httpd
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.httpd.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ scp httpd.csr 192.168.1.11:/etc/pki/CA/
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
ECDSA key fingerprint is SHA256:rwE9SvvRx3QSIGMK/vhD6ta3/HdDO4BykxP4Mumjs00.
ECDSA key fingerprint is MD5:31:d3:62:71:12:6a:f6:88:69:a4:95:4e:15:57:48:0a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (ECDSA) to the list of known hosts.
root@192.168.1.11's password:
httpd.csr 100% 651 435.0KB/s 00:00
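On the CA: the certificate-issuing process. First create the self-signed CA certificate; the information in the CSR must match the rootca information entered earlier.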
$ cd /etc/pki/CA/
$ (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.+++
.....................................................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:httpd
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.httpd.com
Email Address []:
Then the rootCA signs httpd.csr, generates httpd.crt, and sends it to the HTTPS server.
$ touch index.txt
$ echo 01 > serial
$ openssl ca -in httpd.csr -out certs/http.crt -days 720
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
$ tree
.
├── cacert.pem
├── certs
│ └── http.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
$ scp certs/http.crt 192.168.1.8:/etc/httpd/conf.d/ssl/
root@192.168.1.8's password:
http.crt 100% 3699 2.2MB/s 00:00
After the HTTPS server receives the certificate, install mod_ssl, modify the relevant configuration file, and enable the HTTPS service.
$ yum install mod_ssl
$ vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
$ systemctl restart httpd
To verify, access the site from a graphical desktop; simply add an entry to the hosts file so that no DNS resolution is needed.
$ vim /etc/hosts
192.168.1.8 www.httpd.com
$ firefox https://www.httpd.com
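The browser may still report the site as not secure here, because the certificate has not been imported as trusted. Import the certificate and the address bar turns green with a 🔒.
HTTP redirect to HTTPS
Forward HTTP requests to the HTTPS URL
Redirect [status] URL-path URL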
$ vim /etc/httpd/conf.d/test.conf
redirect Permanent / https://www.httpd.com/
$ systemctl restart httpd
Verify with curl; the redirect does take place.
$ curl -I http://192.168.1.8/
HTTP/1.1 301 Moved Permanently
Date: Thu, 21 Jun 2018 08:22:49 GMT
Server: Apache
Location: https://www.httpd.com/
Content-Type: text/html; charset=iso-8859-1
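HSTS
- HSTS: HTTP Strict Transport Security. Once the server is configured to support HSTS, it includes the HSTS field in the HTTP headers returned to the browser. After the browser receives this information, it internally performs a 307 redirect to HTTPS for every HTTP request, without any network round trip.
- HSTS preload list: the HSTS preload list in the Chrome browser. Sites on this list are automatically converted to HTTPS when visited with Chrome. Firefox, Safari and Edge also use this list.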
$ vim /etc/httpd/conf.d/test.conf
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
$ systemctl restart httpd
Verify it; the redirect does take place.
$ curl -I http://192.168.1.8/
HTTP/1.1 302 Found
Date: Thu, 21 Jun 2018 08:19:20 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000
Location: https://192.168.1.8/
Content-Type: text/html; charset=iso-8859-1
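Browsers only honour a Strict-Transport-Security header that arrives over HTTPS (RFC 6797), so the header on the plain-HTTP 302 above has no effect by itself; it must also be sent by the HTTPS virtual host. The following added example, not part of the original article, classifies headers captured with `curl -I`; the function names, finding labels and the second sample response are constructed.

```shell
#!/bin/sh
# Added example: judge redirect and HSTS headers captured with `curl -I`.

check_hsts() {
    # $1 = scheme the response was fetched over (http|https); headers on stdin.
    # Prints one finding per line, or "ok".
    tr -d '\r' | awk -v scheme="$1" '
        NR == 1 { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        tolower($1) == "strict-transport-security:" {
            sts = 1
            line = tolower($0); gsub(/"/, "", line)   # max-age may be quoted
            if (match(line, /max-age=[0-9]+/))
                maxage = substr(line, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (status ~ /^30[12378]$/ && loc !~ /^https:\/\//) { print "redirect-not-https"; n++ }
            if (scheme == "http"  && sts)  { print "hsts-ignored-over-http"; n++ }
            if (scheme == "https" && !sts) { print "hsts-missing"; n++ }
            if (scheme == "https" && sts && maxage == 0) { print "hsts-max-age-zero-or-missing"; n++ }
            if (!n) print "ok"
        }'
}

page_http_response() {      # the response shown above, fetched over plain HTTP
cat <<'EOF'
HTTP/1.1 302 Found
Date: Thu, 21 Jun 2018 08:19:20 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000
Location: https://192.168.1.8/
Content-Type: text/html; charset=iso-8859-1
EOF
}

https_response_no_hsts() {  # constructed sample: HTTPS vhost without the header
cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
EOF
}

page_http_response | check_hsts http
https_response_no_hsts | check_hsts https
```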