Http(Apache2)

Author: Louis, published 21 June 2018

Summary: the ab stress-testing tool, the curl access tool, HTTP status codes, and the HTTPS setup process

The ab stress-testing tool

httpd's stress-testing tool; this section mainly covers ab.

ab [OPTIONS] URL, from the httpd-tools package

options:

-n: total number of requests
-c: number of concurrent requests to simulate
-k: test in persistent-connection (keep-alive) mode
ulimit -n  # adjust the number of files a process may open

$ ab -c 100 -n 2000 http://192.168.1.8/huge.txt
Server Software:        Apache
Server Hostname:        172.20.114.173
Server Port:            80
Document Path:          /index.html
Document Length:        27 bytes
Concurrency Level:      100
Time taken for tests:   0.582 seconds
Complete requests:      1000
Failed requests:        0
Write errors:           0
Total transferred:      272000 bytes
HTML transferred:       27000 bytes
Requests per second:    1718.83 [#/sec] (mean)
Time per request:       58.179 [ms] (mean)
Time per request:       0.582 [ms] (mean, across all concurrent requests)
Transfer rate:          456.57 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    6  27.6      3     361
Processing:     5   50 105.8     17     387
Waiting:        1   49 105.4     17     387
Total:         12   56 108.6     22     393
Percentage of the requests served within a certain time (ms)
  50%     22
  66%     23
  75%     24
  80%     24
  90%     29
  95%    384
  98%    389
  99%    390
 100%    393 (longest request)

When ab is used for testing on an ordinary system, the concurrency generally cannot exceed 1024. This is because the system limits the maximum number of open files per process to 1024; you can check it with ulimit -a.

curl

curl is a command-line file transfer tool that works with URL syntax. It supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, LDAP and other protocols. curl supports HTTPS authentication, the HTTP POST and PUT methods, FTP upload, Kerberos authentication, HTTP upload, proxy servers, cookies, username/password authentication, resuming interrupted downloads and uploads, HTTP proxy tunneling, IPv6, SOCKS5 proxies, and uploading files to an FTP server through an HTTP proxy, among other things; it is a very capable tool.

$ curl -I 192.168.1.8
$ curl -v 192.168.1.8
$ curl -A "ie20" 192.168.1.8
$ curl -e "www.baidu.com" 192.168.1.8
$ curl http://192.168.1.8/f1.sh -O
$ curl http://192.168.1.8/f1.sh -o f11.sh
$ curl http://192.168.1.8/f1.sh |bash
$ curl -c cookie.txt 192.168.1.8/setcookie.php 
$ cat cookie.txt 
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
192.168.1.8	FALSE	/	FALSE	0	title	ceo
192.168.1.8	FALSE	/	FALSE	1529553543	name	wang

HTTP protocol

Simulating an HTTP request message

$telnet 192.168.1.8 80
Trying 192.168.1.8...
Connected to 192.168.1.8.
Escape character is '^]'.
GET /index.html HTTP/1.1
host: 2.2.2.2      // press Enter twice to submit the message

HTTP/1.1 200 OK
Date: Thu, 21 Jun 2018 06:37:23 GMT
Server: Apache
Last-Modified: Thu, 21 Jun 2018 06:28:49 GMT
ETag: "11-56f210742b912"
Accept-Ranges: bytes
Content-Length: 17
Content-Type: text/html; charset=UTF-8

welcome to hong~

Viewing an HTTP response message and its status with curl -I URL

$curl -I 192.168.1.8
HTTP/1.1 200 OK
Date: Thu, 21 Jun 2018 06:19:20 GMT
Server: Apache
Last-Modified: Wed, 20 Jun 2018 15:29:42 GMT
ETag: "e-56f1477b8b86d"
Accept-Ranges: bytes
Content-Length: 14
Content-Type: text/html; charset=UTF-8

Tools for viewing or analysing the protocol: tcpdump, wireshark, tshark

HTTP status codes

Common codes:

1xx: 100-101  informational
2xx: 200-206  success
3xx: 300-305  redirection
4xx: 400-415  error, client side
5xx: 500-505  error, server side

Detailed status codes:

200: success; the requested data is sent in the entity-body of the response message; OK
301: the resource at the requested URL has been removed, but the Location header of the response gives the resource's new location; Moved Permanently
302: the Location header of the response gives a temporary new location for the resource; Moved Temporarily
304: the client sent a conditional request, but the resource on the server has not changed, so the server notifies the client with this status code; Not Modified
401: an account and password are required to access the resource; Unauthorized
403: the request is forbidden; Forbidden
404: the server cannot find the resource the client requested; Not Found
500: internal server error; Internal Server Error
502: the proxy server received an invalid response from the backend server, e.g. it could not connect to the gateway; Bad Gateway
503: service unavailable; the server is temporarily under maintenance or overloaded and cannot handle the request; Service Unavailable
504: gateway timeout; Gateway Timeout

Cookie

HTTP is a stateless protocol: the protocol itself does not preserve the communication state between a request and a response. In other words, at the HTTP level nothing about past requests or responses is persisted. HTTP was deliberately designed this simple so that large numbers of transactions can be handled quickly and the protocol remains scalable. As the Web developed, however, many applications needed to keep communication state, and so Cookie technology was introduced.

State management with Cookies: the Cookie mechanism controls client state by writing Cookie information into request and response messages. Based on a header field called Set-Cookie in the response sent by the server, the client is told to store the Cookie. The next time the client sends a request to that server, it automatically adds the Cookie value to the request message before sending it. When the server finds the Cookie sent by the client, it checks which client the connection request came from, compares it against its own records, and thereby recovers the previous state.

$ yum install php
$ cd /var/www/html
$ vim setcookie.php
<?php
setcookie("title",'ceo');
setcookie("name",'wang',time()+86400);
?>
$ systemctl restart httpd
$ curl -v 192.168.1.8/setcookie.php
* About to connect() to 192.168.1.8 port 80 (#0)
*   Trying 192.168.1.8...
* Connected to 192.168.1.8 (192.168.1.8) port 80 (#0)
> GET /setcookie.php HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.1.8
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 21 Jun 2018 06:40:31 GMT
< Server: Apache
< X-Powered-By: PHP/5.4.16
< Set-Cookie: title=ceo
< Set-Cookie: name=wang; expires=Fri, 22-Jun-2018 06:40:32 GMT
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host 192.168.1.8 left intact

HTTPS

  • https: HTTP over SSL
  • Simplified SSL session process
  1. The client sends the cipher suites it supports and asks the server for its certificate

  2. The server sends its certificate and the selected cipher suite to the client

  3. The client receives the certificate and validates it. If it trusts the CA that issued the certificate, it verifies that the certificate came from that CA by decrypting the digital signature on the certificate with the CA's public key; verifies the certificate's content (integrity check); checks the certificate's validity period; checks whether the certificate has been revoked; and checks that the owner name in the certificate matches the target host being accessed

  4. The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange

  5. The server encrypts the resource the user requested with this key and returns it to the client

  • Note: SSL is implemented per IP address, so a host with a single IP can serve only one https virtual host

Lab: simulating the HTTPS setup process

Setting up the https server: create an ssl directory to hold the certificate files, then send the certificate request and wait for the CA to return the httpd.crt certificate.

$ mkdir /etc/httpd/conf.d/ssl
$ cd /etc/httpd/conf.d/ssl
$ (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.....................................................++++++
...........................++++++
e is 65537 (0x10001)
$ openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:httpd
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.httpd.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ scp httpd.csr 192.168.1.11:/etc/pki/CA/
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
ECDSA key fingerprint is SHA256:rwE9SvvRx3QSIGMK/vhD6ta3/HdDO4BykxP4Mumjs00.
ECDSA key fingerprint is MD5:31:d3:62:71:12:6a:f6:88:69:a4:95:4e:15:57:48:0a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (ECDSA) to the list of known hosts.
root@192.168.1.11's password: 
httpd.csr                                     100%  651   435.0KB/s   00:00

The CA issues the certificate. First create the self-signed root CA certificate; the details in the CSR request must be consistent with those of the root CA entered earlier.

$ cd /etc/pki/CA/
$ (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.+++
.....................................................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:httpd
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.httpd.com
Email Address []:

Then the root CA signs httpd.csr, producing httpd.crt, which is sent to the https server.

$ touch index.txt
$ echo 01 > serial
$ openssl ca -in httpd.csr -out certs/http.crt -days 720
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
$ tree
.
├── cacert.pem
├── certs
│   └── http.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
$ scp certs/http.crt 192.168.1.8:/etc/httpd/conf.d/ssl/
root@192.168.1.8's password: 
http.crt                                      100% 3699     2.2MB/s   00:00

After the https server receives the certificate, install mod_ssl, edit the relevant configuration file, and enable the https service.

$ yum install mod_ssl
$ vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
$ systemctl restart httpd

Lab verification: access the site from a graphical desktop; simply add an entry to the hosts file so no DNS resolution is needed.

$ vim /etc/hosts
192.168.1.8 www.httpd.com
$ firefox https://www.httpd.com

In the browser you may still see a warning that the site is not secure; this is because the certificate has not been imported as trusted. Once the certificate is imported, the indicator turns green with a 🔒.

Redirecting http to https

Forward http requests to the https URL

Redirect [status] URL-path URL

$ vim /etc/httpd/conf.d/test.conf
redirect Permanent / https://www.httpd.com/
$ systemctl restart httpd

Verify with curl: the redirect does indeed happen.

$ curl -I http://192.168.1.8/
HTTP/1.1 301 Moved Permanently
Date: Thu, 21 Jun 2018 08:22:49 GMT
Server: Apache
Location: https://www.httpd.com/
Content-Type: text/html; charset=iso-8859-1

HSTS

  • HSTS: HTTP Strict Transport Security

    Once the server is configured for HSTS, it includes an HSTS field in the HTTP headers it returns to the browser. After the browser obtains this information, it internally redirects all HTTP requests to HTTPS with a 307, without any network round trip

  • HSTS preload list

    The HSTS preload list built into the Chrome browser; sites on this list are automatically switched to HTTPS when accessed with Chrome. Firefox, Safari and Edge also use this list

$ vim /etc/httpd/conf.d/test.conf
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [redirect=302]
$ systemctl restart httpd

Lab verification: the redirect does indeed happen.

$ curl -I http://192.168.1.8/
HTTP/1.1 302 Found
Date: Thu, 21 Jun 2018 08:19:20 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000
Location: https://192.168.1.8/
Content-Type: text/html; charset=iso-8859-1
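The raw responses shown in the telnet session, the curl -I checks and the redirect/HSTS sections above can be examined with a small parser. The following is an added example, not code from the original post: it splits an HTTP/1.1 response into status line, headers and Content-Length-bounded body, classifies the status code per the table on this page, and reports whether a plain-HTTP response redirects to https:// and what max-age its Strict-Transport-Security header carries. The sample responses are constructed from the headers on this page and the function names are my own.

```python
# Status-code classes as listed in the table on this page.
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 response into status, reason, headers and body;
    the body length comes from Content-Length (0 when the header is absent).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    status = int(parts[1])
    return {"status": status, "reason": parts[2] if len(parts) == 3 else "",
            "class": STATUS_CLASSES.get(status // 100, "unknown"),
            "headers": headers, "body": rest[:length]}


def check_https_redirect(resp: dict) -> dict:
    """Does a plain-HTTP response redirect to https://, is it permanent, and what
    max-age does its Strict-Transport-Security header carry (None if absent)?"""
    location = resp["headers"].get("location", "")
    max_age = None
    for directive in resp["headers"].get("strict-transport-security", "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
    return {"redirects_to_https": resp["status"] in (301, 302, 307, 308)
            and location.lower().startswith("https://"),
            "permanent": resp["status"] in (301, 308),
            "hsts_max_age": max_age}


# Constructed from the telnet and curl -I sessions on this page
# (the 17-byte body includes its trailing newline).
RAW_200 = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 17\r\n"
           b"Content-Type: text/html; charset=UTF-8\r\n\r\nwelcome to hong~\n")
RAW_301 = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.httpd.com/\r\n\r\n"
RAW_302 = (b"HTTP/1.1 302 Found\r\nStrict-Transport-Security: max-age=31536000\r\n"
           b"Location: https://192.168.1.8/\r\n\r\n")
```

Running check_https_redirect over RAW_301 and RAW_302 shows the difference between the two configurations above: the Redirect directive yields a permanent 301, while the RewriteRule yields a temporary 302 that also carries the HSTS header.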