I may be lacking in HTTP and HTTPS knowledge so apologies in advance.
I see that in the response to a curl request, using curl -i, we can see the HTTP version and response code, e.g. HTTP/2 200. This is returned when the curl request is directed at an HTTPS endpoint (https://xxx).
Would it be possible to see HTTPS in the response? If not, why not?
No. Whether the communication is secure or not has nothing to do with which version of the protocol you are using; in the response you will see the version (commonly HTTP/1.1 or HTTP/2 these days).
Using https means that the connection is established over TLS, while the communication protocol is still HTTP.
In simple terms, TLS is a communication channel, while HTTP is a dialect.
We are trying to make a secure communication between our embedded system and web server. Firstly we implemented an HTTP connection in our microcontroller. I am just connecting to port 80 of my web server and sending a simple GET request to this port, as in the example below:
GET /foo.php?msg=test HTTP/1.1
HOST: foo.com
My question is, how will we turn this to HTTPS? Which port should I connect to?
Will there be any difference in the structure of the GET request above? Will I have to do some encryption manually, or is connecting to the "https" link instead of "http" enough for secure communication?
Thanks for any information.
The only difference between an HTTP request and an HTTPS request is that the first is sent over a plain TCP connection while the other is sent over a TLS connection, i.e.:
with HTTP you establish a TCP connection and send the request over this connection
with HTTPS you establish a TCP connection, upgrade this connection to TLS (including proper certificate validation etc!) and then send the same request as you did with HTTP over this connection.
Apart from that I recommend either using an established library for HTTP or carefully reading the standard. Although HTTP looks simple, it is actually not, and there are many questions here where users try to do a simple HTTP request and trip over behavior they did not expect.
For example in your case the server might send the response with chunked encoding, with content-length or simply end it with connection close. And it might wait for further requests on the same connection since HTTP/1.1 implicitly enables HTTP keep-alive. Does your code really account for all these cases?
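As an added example (not code from the answer above), this Python script does what the answer describes: it opens a TCP connection, upgrades it to TLS with certificate and hostname validation, sends the same GET request as over plain HTTP, and then parses the response under the three framing rules the answer lists (chunked, Content-Length, connection close). The sample responses are constructed; fetch_https() is only run when you give it a real host.

```python
import socket
import ssl

def fetch_https(host, path="/", port=443):
    """Open TCP, upgrade to TLS (chain + hostname verified), send the same request as over HTTP."""
    ctx = ssl.create_default_context()          # verifies the certificate chain and hostname
    with socket.create_connection((host, port)) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:   # SNI + hostname check
            req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            raw = b""
            while chunk := tls.recv(4096):       # read until the server closes
                raw += chunk
    return parse_response(raw)

def parse_response(raw):
    """Return (status, headers, body) honouring chunked, Content-Length, or close framing."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        out = b""
        while True:
            size_line, _, body = body.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)   # hex size; chunk extensions ignored
            if size == 0:
                break                                  # last-chunk; trailers ignored here
            out += body[:size]
            body = body[size + 2:]                     # skip chunk data and its CRLF
        return status, headers, out
    if "content-length" in headers:
        return status, headers, body[:int(headers["content-length"])]
    return status, headers, body                       # no framing: body ends at connection close

# Constructed sample responses, one per framing rule (not captured from a real server)
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"5\r\nHello\r\n8\r\n, world!\r\n0\r\n\r\n")
SAMPLE_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\ntestEXTRA"
SAMPLE_CLOSE = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nuntil close"

if __name__ == "__main__":
    for sample in (SAMPLE_CHUNKED, SAMPLE_LENGTH, SAMPLE_CLOSE):
        print(parse_response(sample))
```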
For HTTP, it is possible to upgrade all requests to HTTPS with a 301 response.
For websocket, however, it doesn't seem to be that easy. If I redirect the ws://127.0.0.1 request to wss://127.0.0.1, I get an "error: undefined" in the browser using the test on websocket.org (and yes, the certificate is trusted and works for wss if used directly). The initial request is made, and the redirect sent out. However, there is no second request on the TLS port.
The specification only covers redirects briefly.
Is upgrading ws to wss possible?
Do I need to send WebSocket specific headers even with the redirect response? (Currently, I don't – and the specification lists redirecting before completing the handshake)
Any other thing that I miss?
For HTTP, it is possible to upgrade all requests to HTTPS with a 301 response.
(Nitpicking) That's not really an upgrade of a request but instead a redirect which results in a different request.
Is upgrading ws to wss possible?
According to the websocket standard (RFC 6455):
If the status code received from the server is not 101, the
client handles the response per HTTP [RFC2616] procedures. In
particular, the client might perform authentication if it
receives a 401 status code; the server might redirect the client
using a 3xx status code (but clients are not required to follow
them), etc.
So yes, it might be supported by some clients but not by others. For example, in Firefox the relevant property network.websocket.auto-follow-http-redirects defaults to false, i.e. it does not follow redirects by default.
Do I need to send WebSocket specific headers even with the redirect response?
These are only relevant for the upgrading of the request to websocket, not for redirects. This means the headers should only be sent in the upgrade response (status code 101).
It depends upon whether the webSocket client implementation processes 3xx status codes or not. The webSocket specification does not require a client implementation to do so. Here's a quote from the spec:
If the status code received from the server is not 101, the
client handles the response per HTTP [RFC2616] procedures. In
particular, the client might perform authentication if it
receives a 401 status code; the server might redirect the client
using a 3xx status code (but clients are not required to follow
them), etc. Otherwise, proceed as follows.
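As an added example (not code from either answer), this Python handler shows the two server responses the answers distinguish: a plain 301 pointing a ws:// handshake at wss:// (carrying no WebSocket headers, and which clients are not required to follow), versus the 101 upgrade that alone carries Sec-WebSocket-Accept. The request and the wss origin are constructed; the accept-key computation and the sample key are the ones given in RFC 6455.

```python
import base64
import hashlib

# GUID fixed by RFC 6455 for computing Sec-WebSocket-Accept
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def parse_headers(raw):
    """Split a raw HTTP/1.1 request into (request-line, {lower-case name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_response(raw_request, wss_origin=None):
    """Answer a ws:// handshake. With wss_origin set, redirect there (ordinary 301,
    no WebSocket headers); otherwise complete the upgrade with a 101."""
    request_line, headers = parse_headers(raw_request)
    path = request_line.split(" ")[1]
    if wss_origin:
        # A redirect is handled per HTTP rules; RFC 6455 does not oblige clients to follow it.
        return f"HTTP/1.1 301 Moved Permanently\r\nLocation: {wss_origin}{path}\r\n\r\n"
    if headers.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in headers:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # Only the 101 carries the WebSocket-specific headers.
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_key(headers['sec-websocket-key'])}\r\n\r\n")

# Constructed client handshake using the sample key from RFC 6455 section 1.3
SAMPLE_REQUEST = ("GET /chat HTTP/1.1\r\nHost: 127.0.0.1\r\nUpgrade: websocket\r\n"
                  "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  "Sec-WebSocket-Version: 13\r\n\r\n")

if __name__ == "__main__":
    print(handshake_response(SAMPLE_REQUEST, wss_origin="wss://127.0.0.1"))
    print(handshake_response(SAMPLE_REQUEST))
```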
The source of confusion is this answer.
To be honest, I know what an HTTP Request and an HTTP Session are, but I have never heard of this - HTTP Connection. So it boils down to this only. What exactly is the difference between an HTTP Request and an HTTP Connection?
I'm trying to reproduce an odd bug that we believe may be caused by our load balancers trying to check the status of our services, with requests using HTTP/0.9. The service is only configured to use HTTPS, so they are being sent as HTTP/0.9 over HTTPS.
I could use telnet to send an HTTP/0.9 request, but we have to use HTTPS so that doesn't work. My usual go-to tool for this kind of thing is cURL, but it doesn't look like cURL supports sending 0.9 requests (for good reasons, I know).
What could I use to generate an HTTP/0.9 GET request over HTTPS?
You could use openssl. First establish the SSL connection:
$ openssl s_client -crlf -connect ip:port
CONNECTED
...
lots of output, certificate etc
And then send the request
GET /
[empty line]
Imagine a web browser that makes an HTTP request to a remote server, such as site.example.com.
If the browser is then configured to use a proxy server, let's call it proxy.example.com using port 8080, in which ways are the request now different?
Obviously the request is now sent to proxy.example.com:8080, but there must surely be other changes to enable the proxy to make a request to the original url?
RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing, Section 5.3.2. absolute-form:
When making a request to a proxy, other than a CONNECT or server-wide
OPTIONS request (as detailed below), a client MUST send the target
URI in absolute-form as the request-target.
absolute-form = absolute-URI
The proxy is requested to either service that request from a valid
cache, if possible, or make the same request on the client's behalf
to either the next inbound proxy server or directly to the origin
server indicated by the request-target. Requirements on such
"forwarding" of messages are defined in Section 5.7.
An example absolute-form of request-line would be:
GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1
So, without proxy, the connection is made to www.example.org:80:
GET /pub/WWW/TheProject.html HTTP/1.1
Host: www.example.org
With proxy it is made to proxy.example.com:8080:
GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1
Host: www.example.org
In the latter case the Host header is optional (for HTTP/1.0 clients) and must be recalculated by the proxy anyway.
The proxy simply makes the request on behalf of the original client. Hence the name "proxy", the same meaning as in legalese. The browser sends their request to the proxy, the proxy makes a request to the requested server (or not, depending on whether the proxy wants to forward this request or deny it), the server returns a response to the proxy, the proxy returns the response to the original client. There's no fundamental difference in what the server will see, except for the fact that the originating client will appear to be the proxy server. The proxy may or may not alter the request, and it may or may not cache it; meaning the server may not receive a request at all if the proxy decides to deliver a cached version instead.
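As an added example (not code from either answer), this Python function does the forwarding step the answers describe: it accepts the absolute-form request a browser sends to a proxy, derives the origin server from the absolute URI, recalculates the Host header from it, and rewrites the request-line into the origin-form the origin server expects. An origin-form request sent to the proxy is rejected, as RFC 7230 section 5.3.2 requires absolute-form; the sample request is constructed.

```python
from urllib.parse import urlsplit

def forward_request(raw):
    """Turn an absolute-form proxy request into the origin-form request the proxy
    sends upstream. Returns (host, port, rewritten_request) or (None, None, error)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")
    if method == "CONNECT":
        return None, None, b"HTTP/1.1 501 Not Implemented\r\n\r\n"  # tunnels not handled here
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        # RFC 7230 5.3.2: a client MUST send absolute-form to a proxy; origin-form is rejected
        return None, None, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    port = parts.port or 80
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # Drop the client's Host header: the proxy recalculates it from the absolute URI
    headers = [h for h in lines[1:] if not h.lower().startswith("host:")]
    host_header = parts.hostname if port == 80 else f"{parts.hostname}:{port}"
    new_head = "\r\n".join([f"{method} {path} {version}", f"Host: {host_header}"] + headers)
    return parts.hostname, port, new_head.encode("ascii") + sep + body

# Constructed request as a browser configured for proxy.example.com:8080 would send it
SAMPLE_PROXY_REQUEST = (b"GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1\r\n"
                        b"Host: www.example.org\r\nUser-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    host, port, upstream = forward_request(SAMPLE_PROXY_REQUEST)
    print(host, port)
    print(upstream.decode("ascii"))
```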