1 Networking and Security Topics: Readings and References
- Networking, Protocols, Servers and Security
- MDN tutorials and references on HTTP
- Networking, the TCP/IP protocol stack
- Servers, middleboxes, DNS
- Server side frameworks
- Sessions, security, certificates, cookies, tokens, tracking
3 HTTP/HTTPS 1 and 2, WebSockets
Overview of HTTP. Topics include:
- Client (user-agent), Server, and Proxies
- Basics of HTTP as a protocol; stateless but not sessionless
- Controlling some aspects of HTTP: Cache, CORS, Authentication,…
HTTP Messages. Good overview of HTTP messages (both 1.x and 2). Goes over the general structure of both Request and Response messages, including the start/status line, headers, and body.
- Long list of standard and non-standard HTTP headers.
HTTP cookies. Lots of good info. More than we’ll need for the class.
Identifying Resources on the Web. Fundamental. Topics include:
- URI, URL, URN and all that…
- Syntax of URIs: protocol, authority, port, path, query, fragment
MIME Types. Used to inform the other side as to the type of content we are sending or wish to receive. See also their handy MIME reference list. We will frequently use the application/json type for data exchange.
HTTPS (Wikipedia) runs the HTTP protocol over Transport Layer Security (TLS). It is important to use HTTPS for any web site that stores user data. In addition, only with HTTPS can the browser verify, via the server's certificate, that it is actually talking to the legitimate website.
Debugging applications at the network level. Modern browsers (Firefox and Chrome) provide built-in developer tools to see the messages that are sent between client and server. If one needs to verify exactly what is being sent on the wire, a sniffer/protocol analyzer such as Wireshark can be used.
- A good filter to use with Wireshark is tcp.port == 8080 && http. This selects all HTTP traffic associated with a particular port (here 8080).
- The IETF HTTP Standards
4 The Server Side of Things
- Wikipedia has a reasonably short Apache Overview. Basic Apache functionality is extended via Apache Modules (Wikipedia). These provide security enhancements, the ability to interface with languages such as PHP, Python, Ruby, etc.
- Apache 2.2 uses a process/thread model, making it significantly slower than nginx. Apache 2.4 has changed this somewhat. Apache probably has the steepest learning curve when it comes to configuration and use.
- Note that there are open-source and commercial versions of nginx.
Server Side Web Frameworks
A microframework will give us near full access to the HTTP protocol (request, response messages) in a nice way without having to deal with TCP and IP layers.
In deployment, server side frameworks frequently sit behind a primary server. Recall the discussion of proxies in the HTTP introduction.
Good article on how to scale up a Node.js application based on number of users. Optional.
4.1 Server Practice with Express.js
The “Hello World” of websites.
Making HTTP requests without a browser. We will use the very popular request library for Node.js to poke and probe our server side code. Note that this library is similar in spirit to the popular Requests Python package.
- Use this to make a GET request to your website in part 1.
- Use this to GET http://www.grotto-networking.com, look at the HTTP headers and tell me what server my web hosting company is using for my static site.
- Application layer routing on the Server.
- Basic routing. This is a common approach used by many different frameworks in many different languages.
- Looking at the request information including headers. Example code.
More advanced routing can include matching on paths and parameters extracted from the URL. This section also summarizes response methods.
- Server side: APIs (RPC, REST, GraphQL, …), web servers and proxies (Apache, NGINX), server frameworks in Python or Node.js (Flask, Express), database types and uses
- Basic Security: encryption, authentication, certificates
- Server frameworks: Flask (or similar), Express.js
4.3 Sessions Between Browser and Servers
- HTTP cookies (MDN). Read section on Creating Cookies, Skim sections on Security and Tracking and privacy.
- HTTP State Management Mechanism (RFC6265). The actual cookie specification from the IETF. For reference.
- Cookies in depth on Wikipedia. Optional reading: contains history and a bit broader perspective.
- Cookies and Tokens compared. This gives a nice brief overview of both methods, similarities, and differences.
- Simple preferences and cookies example with express.js. Will use templates so we can show information from the cookie.
- See express examples.
- Web Tokens (to be reviewed)
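As an added example (not the express.js preferences example linked above, and not any cookie middleware), the following code shows the two halves of the cookie mechanism the MDN "Creating cookies" and "Security" sections describe: parsing the Cookie request header and building a Set-Cookie response header whose defaults are HttpOnly, Secure and SameSite=Lax. The theme preference, its allow-list and the handler name are assumptions for the example.

```javascript
// Added example (not Express or any cookie middleware): parse the Cookie
// request header and build a Set-Cookie response header with the attributes
// MDN's "Creating cookies" and "Security" sections describe.

// Parse "a=1; b=2" into an object. Values stay as sent (still URL-encoded).
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue; // skip malformed pieces with no '='
    const name = part.slice(0, idx).trim();
    if (name && !(name in out)) out[name] = part.slice(idx + 1).trim(); // first wins
  }
  return out;
}

// Build one Set-Cookie value with safe defaults: HttpOnly (no script access),
// Secure (HTTPS only), SameSite=Lax (not sent with cross-site POSTs), Path=/.
function serializeCookie(name, value, opts = {}) {
  const o = { httpOnly: true, secure: true, sameSite: "Lax", path: "/", ...opts };
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("bad cookie name");
  if (o.sameSite === "None" && !o.secure) throw new Error("SameSite=None requires Secure");
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${o.path}`];
  if (o.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(o.maxAge)}`);
  if (o.domain) parts.push(`Domain=${o.domain}`);
  if (o.httpOnly) parts.push("HttpOnly");
  if (o.secure) parts.push("Secure");
  if (o.sameSite) parts.push(`SameSite=${o.sameSite}`);
  return parts.join("; ");
}

// The "preferences" flow from the text: read the theme cookie, fall back to a
// default, and re-issue it. Only allow-listed values are accepted, so a
// tampered cookie cannot push arbitrary text into the rendered page.
const THEMES = new Set(["light", "dark"]);
function preferencesHandler(req, res) {
  const cookies = parseCookieHeader(req.headers.cookie);
  let raw = "";
  try { raw = decodeURIComponent(cookies.theme || ""); } catch (e) { /* bad escape */ }
  const theme = THEMES.has(raw) ? raw : "light";
  res.setHeader("Set-Cookie", serializeCookie("theme", theme, { maxAge: 86400 * 30 }));
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end(`theme=${theme}\n`);
  return theme; // returned so the choice can be checked without a real server
}
```

preferencesHandler has the (req, res) signature of a Node http request listener, so it can be passed to http.createServer or mounted as an Express route handler.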
4.4 Webpage/Webapp and Server Interactions
Under Construction, subject to change
- AJAX and its progeny (we’ll use fetch), Promises
- What could be sent from a browser? Forms, Files, …
- Web APIs: REST, GraphQL, etc…
More to come.
The hosts file on my Windows machine is in C:\Windows\System32\drivers\etc. On most operating systems you can assign one of the local loopback addresses to a specific host name via the hosts file.