1 Networking and Security Topics: Readings and References

  • Networking, Protocols, Servers and Security
    • MDN tutorials and references on HTTP
    • Networking, the TCP/IP protocol stack
    • Websockets
    • Servers, middleboxes, DNS
    • Server side frameworks
    • Sessions, security, certificates, cookies, tokens, tracking

2 Networking

  1. My introductory networking slides.
  2. localhost and loopback addresses
    • IPv4 loopback address range: 127.0.0.1 to 127.255.255.254. We can listen on any of these.
    • localhost gets mapped to 127.0.0.1
  3. Note that these local/loopback IPv4 addresses should not be confused with private IP addresses.

3 HTTP and HTTPS (versions 1.x and 2), Websockets

  1. Overview of HTTP. Topics include:

    • Client (user-agent), Server, and Proxies
    • Basics of HTTP as a protocol; stateless but not sessionless
    • Controlling some aspects of HTTP: Cache, CORS, Authentication,…
  2. More information on proxy types: forward and reverse.

  3. HTTP Messages. Good overview of HTTP messages (both 1.x and 2). Covers the general structure of both Request and Response messages, including the start/status line, headers, and body.

  4. HTTP cookies. Lots of good info. More than we’ll need for the class.

  5. Identifying Resources on the Web. Fundamental. Topics include:

    • URI, URL, URN and all that…
    • Syntax of URIs: protocol, authority, port, path, query, fragment
  6. MIME Types. Used to inform the other side as to the type of content we are sending or wish to receive. See also their handy MIME reference list. We will frequently use the application/json type for data exchange.

  7. JSON is the most popular general data exchange format used in modern web programming. Although the term AJAX stands for Asynchronous JavaScript And XML, most modern web applications use JSON for these types of data exchanges.

  8. Websocket (Wikipedia), WebSockets (MDN). Note that Can I use? shows WebSockets are supported by most modern browsers and are no longer “experimental”.

    • A pragmatic approach based on Socket.io
    • Their discussion of the benefits of websockets versus the realities is quite good. They start with a “long-polling” approach and then try to upgrade to a better channel over WebSockets or other mechanisms.
  9. HTTPS (Wikipedia) runs the HTTP protocol over Transport Layer Security (TLS). It is important to use HTTPS for any web site that stores user data. In addition, you can only verify that you are talking to the legitimate site if it uses HTTPS.

  10. Debugging applications at the network level. Modern browsers (Firefox and Chrome) provide built-in tools to see the messages that are sent between client and server. If one needs to verify what is actually being sent on the wire, a sniffer/protocol analyzer such as Wireshark can be used.

    • A good filter to use with Wireshark is tcp.port == 8080 && http. This selects all HTTP traffic associated with a particular port. Note that the http filter only matches plain HTTP; HTTPS traffic shows up as encrypted TLS records.
  11. The IETF HTTP Standards
    • Original HTTP/1.1: RFC 2616 (obsolete)
    • Up-to-date HTTP/1.1 suite: RFCs 7230, 7231, 7232, 7233, 7234, and 7235.
    • HTTP/2: RFC 7540.

4 The Server Side of Things

  1. From the recent Netcraft surveys, the two most popular web servers for active sites and for the top million busiest sites were Apache and nginx.

    • Wikipedia has a reasonably short Apache Overview. Basic Apache functionality is extended via Apache Modules (Wikipedia). These provide security enhancements, the ability to interface with languages such as PHP, Python, Ruby, etc.
    • Apache 2.2 uses a process/thread model, making it significantly slower than nginx. Apache 2.4 has changed this somewhat. Apache probably has the steepest learning curve when it comes to configuration and use.
    • Note that there are open-source and commercial versions of nginx.
  2. Server Side Web Frameworks

    • One “popularity”-based listing (skim), but this includes some frontend frameworks as well. Another listing, broken down somewhat by language, is available at Web Frameworks (Wikipedia) (skim).

    • For learning purposes we will use a minimalistic web framework, also known as a microframework (read). It should be noted, however, that such systems are also used underneath much larger frameworks. Since we are restricting ourselves to a single language, JavaScript, in this course we will be using Express.js.

      • A microframework will give us near-full access to the HTTP protocol (request and response messages) in a convenient way without having to deal with the TCP and IP layers.

      • In deployment, server-side frameworks frequently sit behind a primary server. Recall the proxy material from the HTTP introduction.

      • A bit more fully featured but still relatively small framework built on express is Feathers. Fairly extensive documentation. I have not tried this yet.

      • Good article on how to scale up a Node.js application based on number of users. Optional.

4.1 Server Practice with Express.js

  1. The “Hello World” of websites.

  2. Making HTTP requests without a browser. We will use the very popular request library for Node.js to poke and probe our server-side code. Note that this library is similar in spirit to the popular Requests Python package.

  • Use this to make a GET request to your website in part 1.
  • Use this to GET http://www.grotto-networking.com, look at the HTTP headers and tell me what server my web hosting company is using for my static site.
  3. Application layer routing on the Server.
  • Basic routing. This is a common approach used by many different frameworks in many different languages.
  • Looking at the request information including headers. Example code.
  • We need to be able to serve static files such as HTML pages, CSS, and JavaScript files. Most microframeworks have some provision for this, however, in production systems this could be handled more effectively by the front end server.
  • More advanced routing can include matching on paths and extracting parameters from the URL. This section also summarizes response methods.

  • Server side: APIs (RPC, REST, GraphQL,…), web servers and proxies (Apache, NGINX), server frameworks in Python or Node.js (Flask, Express), database types and uses
    • Basic Security: encryption, authentication, certificates
    • Server frameworks: Flask (or similar), Express.js

4.2 Templates

  • Template engines are used on the server to create HTML from user inputs, database queries, etc. In addition, some front-end frameworks also use them. Different programming languages can have different template languages, and some template languages work across multiple programming languages. Template engines are also used to build static site generators. A comparison of some JavaScript Templating Engines shows quite a diversity, and some rather unusual-looking syntax for some of these.

  • We will use Mustache since it has one of the smaller learning curves. The particular version we’ll use is mustache.js, which we’ll install via npm: npm install -g mustache. Note that Mustache HTML-escapes the values it inserts with {{name}} by default; only the triple-brace form {{{name}}} emits raw HTML, which matters when the values come from user input.

4.3 Sessions Between Browser and Servers

  1. HTTP cookies (MDN). Read the section on Creating Cookies; skim the sections on Security and on Tracking and privacy.
  2. Simple preferences and cookies example with Express.js. This will use templates so we can show information from the cookie.
  • See express examples.
  3. Web Tokens (to be reviewed)

4.4 Webpage/Webapp and server Interactions

Under Construction, subject to change

  1. AJAX and its progeny (we’ll use fetch), Promises
  • What could be sent from a browser? Forms, Files, …
  • Ability to send and receive from JavaScript running on a page.
  2. Web APIs: REST, GraphQL, etc…

5 DNS

  • More to come.

  • The hosts file on my Windows machine is in C:\Windows\System32\drivers\etc. On most operating systems you can assign one of the local loopback addresses to a specific host name via the hosts file.