本文主要是介绍网络拓扑和安全,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
网络拓扑和安全
- 1 简述
- 2 内容章节
- 2.1 报文传输
- 2.1.1 请求报文格式
- 2.1.2 响应报文数据
- 2.2网络拓扑图
- 2.3安全防控
- 3 Web漏洞缺陷分析和修复(简介)
- 3.1服务器
- 3.2客户端
- 4 参考文献
1 简述
大学我们都学过计算机网络和计算机组成原理,个人大学时并不是很注重这方面的知识,以前傻傻的觉得计算机组成原理这些东西不太重要,在工作过程中才发现越是计算机组成原理这玩意,越重要。这里个人回忆和学习的章节一些题外编程知识,主要章节如下(备注:这里是收集资料和学习工作思考笔记,按理说大部分借鉴,如有版权问题,请联系我删除);
- 报文传输
- 网络拓扑图
- 安全防控
- 一些漏洞分析和修复
2 内容章节
2.1 报文传输
个人这里简单使用nginx代理查看nginx的debuger日志来学习报文结构数据,首先配置nginx的debuger模式
- 安装nginx(个人mac os系统),brew install nginx
- 配置nginx配置,一般本地安装完会有提示配置文件路径,个人配置文件路径是/usr/local/etc/nginx/nginx.conf,如果没有提示,可以直接搜索locate nginx.config
- 找到配置文件后监听端口,配置如下
server {listen 8888;server_name localhost;error_log /Users/error.log debug;location / {proxy_set_header Host yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net;proxy_set_header X-Real-IP $remote_addr;proxy_set_header REMOTE-HOST $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_pass http://yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net;}}
配置完后测试请求,发送 http://localhost:8888/order/popOrderSearch 请求后,请求参数
{"test":"张三","age":241111
}
查看nginx日志/Users/error.log
http process request header line
http header: "Content-Type: application/json"
http header: "User-Agent: PostmanRuntime/7.26.8"
http header: "Accept: */*"
http header: "Cache-Control: no-cache"
http header: "Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486"
http header: "Host: localhost:8888"
http header: "Accept-Encoding: gzip, deflate, br"
http header: "Connection: keep-alive"
http header: "Content-Length: 41"
http header done
generic phase: 0
rewrite phase: 1
test location: "/"
using configuration "/"
http cl:41 max:1048576
rewrite phase: 3
post rewrite phase: 4
generic phase: 5
generic phase: 6
generic phase: 7
generic phase: 8
access phase: 9
access phase: 10
access phase: 11
post access phase: 12
generic phase: 13
generic phase: 14
http client request body preread 41
http request body content length filter
http body new buf t:1 f:0 00007FAA4680D72B, pos 00007FAA4680D72B, size: 41 file: 0, size: 0
http init upstream, client timer: 0
http script copy: "Host"
http script copy: "yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net"
http script copy: "X-Real-IP"
http script var: "127.0.0.1"
http script copy: "REMOTE-HOST"
http script var: "127.0.0.1"
http script copy: "X-Forwarded-For"
http script var: "127.0.0.1"
http script copy: "Connection"
http script copy: "close"
http script copy: "Content-Length"
http script var: "41"
http script copy: ""
http proxy header: "Content-Type: application/json"
http proxy header: "User-Agent: PostmanRuntime/7.26.8"
http proxy header: "Accept: */*"
http proxy header: "Cache-Control: no-cache"
http proxy header: "Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486"
http proxy header: "Accept-Encoding: gzip, deflate, br"
http proxy header:"POST /order/popOrderSearch HTTP/1.0^M
Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M
X-Real-IP: 127.0.0.1^M
REMOTE-HOST: 127.0.0.1^M
X-Forwarded-For: 127.0.0.1^M
Connection: close^M
Content-Length: 41^M
Content-Type: application/json^M
User-Agent: PostmanRuntime/7.26.8^M
Accept: '*/*'
Cache-Control: no-cache^M
Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486^M
Accept-Encoding: gzip, deflate, br^M
^M
"http cleanup add: 00007FAA4680ED90
get rr peer, try: 1
stream socket 4
connect to 101.124.18.198:80, fd:4 #23
kevent set event: 4: ft:-1 fl:0025
kevent set event: 4: ft:-2 fl:0025
http upstream connect: -2
posix_memalign: 00007FAA45C05680:128 @16
event timer add: 4: 60000:259302474
http finalize request: -4, "/order/popOrderSearch?" a:1, c:2
http request count:2 blk:0
http upstream request: "/order/popOrderSearch?"
http upstream send request handler
http upstream send request
http upstream send request body
chain writer buf fl:0 s:398
chain writer buf fl:1 s:41
chain writer in: 00007FAA4680EDF0
writev: 439 of 439
chain writer out: 0000000000000000
event timer del: 4: 259302474
event timer add: 4: 60000:259302564
http upstream request: "/order/popOrderSearch?"
http upstream dummy handler
http upstream request: "/order/popOrderSearch?"
http upstream process header
malloc: 00007FAA48015C00:4096
recv: eof:1, avail:377, err:0
recv: fd:4 377 of 4096
http proxy status 401 "401 Unauthorized"
http proxy header: "Date: Thu, 11 Mar 2021 11:58:26 GMT"
http proxy header: "Content-Type: application/json; charset=utf-8"
http proxy header: "Connection: close"
http proxy header: "x-jdcloud-request-id: c150bpgmqwr218ur1oe60vsg2ome1qgn"
http proxy header: "Server: jfe"
http proxy header done
posix_memalign: 00007FAA48017200:4096 @16HTTP/1.1 401 Unauthorized^M
Server: nginx/1.19.6^M
Date: Thu, 11 Mar 2021 12:00:01 GMT^M
Content-Type: application/json; charset=utf-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^Mwrite new buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0
http write filter: l:0 f:0 s:243
http cacheable: 0
http proxy filter init s:401 h:0 c:0 l:-1
http upstream process upstream
pipe read upstream: 1
pipe preread: 176
pipe buf free s:0 t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0
pipe length: -1
input buf #0
pipe write downstream: 1
pipe write downstream flush in
http output filter "/order/popOrderSearch?"
http copy filter: "/order/popOrderSearch?"
http postpone filter "/order/popOrderSearch?" 00007FAA4680EE00
http chunk: 176
write old buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0
write new buf t:1 f:0 00007FAA480174B8, pos 00007FAA480174B8, size: 4 file: 0, size: 0
write new buf t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0
write new buf t:0 f:0 0000000000000000, pos 0000000105B29148, size: 2 file: 0, size: 0
http write filter: l:0 f:0 s:425
http copy filter: 0 "/order/popOrderSearch?"
pipe write downstream done
event timer: 4, old: 259302564, new: 259302612
http upstream exit: 0000000000000000
finalize http upstream request: 0
finalize http proxy request
free rr peer 1 0
close http upstream connection: 4
free: 00007FAA45C05680, unused: 48
event timer del: 4: 259302564
reusable connection: 0
http upstream temp fd: -1
http output filter "/order/popOrderSearch?"
http copy filter: "/order/popOrderSearch?"
http postpone filter "/order/popOrderSearch?" 00007FFEEA1AAFF0
http chunk: 0
write old buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0
write old buf t:1 f:0 00007FAA480174B8, pos 00007FAA480174B8, size: 4 file: 0, size: 0
write old buf t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0
write old buf t:0 f:0 0000000000000000, pos 0000000105B29148, size: 2 file: 0, size: 0
write new buf t:0 f:0 0000000000000000, pos 0000000105B298D4, size: 5 file: 0, size: 0
http write filter: l:1 f:0 s:430
http write filter limit 0
writev: 430 of 430
http write filter 0000000000000000
http copy filter: 0 "/order/popOrderSearch?"
http finalize request: 0, "/order/popOrderSearch?" a:1, c:1
set http keepalive handler
http close request
http log handler
free: 00007FAA48015C00
free: 00007FAA4680F200, unused: 0
free: 00007FAA4680E200, unused: 8
free: 00007FAA48017200, unused: 2889
free: 00007FAA4680D600
hc free: 0000000000000000
hc busy: 0000000000000000 0
reusable connection: 1
event timer add: 3: 65000:259307612
http empty handler
event timer del: 3: 259307612
http keepalive handler
close http connection: 3
reusable connection: 0
free: 0000000000000000
free: 00007FAA472045C0, unused: 136
自己来分析一下报文结构:
"POST /order/popOrderSearch HTTP/1.0^M
Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M
X-Real-IP: 127.0.0.1^M
REMOTE-HOST: 127.0.0.1^M
X-Forwarded-For: 127.0.0.1^M
Connection: close^M
Content-Length: 41^M
Content-Type: application/json^M
User-Agent: PostmanRuntime/7.26.8^M
Accept: *\/*^M
Cache-Control: no-cache^M
Postman-Token: 5c574468-1bf1-47ea-9cd9-0d88b245090c^M
Accept-Encoding: gzip, deflate, br^M
^M
"
2.1.1 请求报文格式
1、进程处理中的请求行request header line
请求行主要由三部分组成: 请求方法(POST)、资源路径(/order/popOrderSearch或加文件名,若是get请求,请求报文会在后面拼接)、协议版本(HTTP/1.0)
POST /order/popOrderSearch HTTP/1.0
2、请求头http header
请求头主要包括验证签名数据,协议,版本,数据传输类型,host,接收数据类型,cookie等等,保证安全行访问有一篇文章https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
3、空行
可能这里设计读取报文方式,个人没再查找资料
3、请求报文体 request body,由于stream,nginx没打印
如nginx代理数据:
http body new buf t:1 f:0 00007FAA4680D72B, pos 00007FAA4680D72B, size: 41 file: 0, size: 0
2.1.2 响应报文数据
HTTP/1.1 401 Unauthorized^M
Server: nginx/1.19.6^M
Date: Thu, 11 Mar 2021 12:00:01 GMT^M
Content-Type: application/json; charset=utf-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^M
1、响应状态行
协议、状态码、信息,如 HTTP/1.1 401 Unauthorized
2、响应头
报文响应头,和请求头类似
erver: nginx/1.19.6^M
Date: Thu, 11 Mar 2021 12:00:01 GMT^M
Content-Type: application/json; charset=utf-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
3、空行
4、返回体
返回的数据结构体,是stream流
2.2网络拓扑图
这里参考别人文献图 https://blog.csdn.net/tryheart/article/details/107471119
更多网络拓扑基本信息可参考 https://blog.csdn.net/tryheart/article/details/107471119
个人这里总结几点:
- internet的ip地址无法伪造,每个internet国际互联网都需要登记备案
- WAN广域网内部互通,路由寻地址
这就存在广域网、互联网、DMZ区的概念,正是因为存在这些原理,所以才能保证网络安全规范和操作。
2.3安全防控
我们可以利用抓包脚本抓包或者安装抓包工具(wireshark,fidder)
因为公网IP是不可伪造,可以利用防火墙强制设置出口和入口的就近公网IP
1、终端计算机
终端计算机非常关键,防止终端计算机中毒,电量不足等
2、出口防控
出口防控主要端口限制,更加安全操作有定向访问IP和端口,更加强制安全要求是访问网关,网关安全出口数据格式。在出口数据主要上报安全数据,指定的报文结构数据。端口防火墙开发等各种技术手段防控,防止一些木马程序导致数据安全丢失和不正当的操作导致数据丢失
3、入口防控
入口数据,访问数据授权,防止恶意窃取数据。这里防控主要IP白名单和和名单准入,以及端口开发转入,更多是上报数据报文格式操作。
4、公司对外发布服务的DMZ服务器
DMZ也就是“隔离区”,可地区隔离,局域网隔离,时间隔离,端口隔离等等
5、VPN和类似远程连接设备。
VPN专用虚拟网通道,就是创建一个专用IP通道进行通讯。更多可设计VPC虚拟物理隔离网
3 Web漏洞缺陷分析和修复(简介)
3.1服务器
- XSS跨站脚本攻击,通过非资源网站访问禁止操作。站点识别,签名验证等
- SQL注入,主要保证数据库安全,防止数据丢失等。可以通过sql过滤,预编译
- 水平垂直越权。不同用户动态权限校验,防止出现不该有的角色拿到越权的数据
- 防重复提交,防止数据错乱等等
- 数据存储。加密数据存储
- 数据枚举。特别是重要数据,用户数据枚举防控
- 若密码防控。只用多种符号密码组成判断
- 服务器文件目录遍历。目录权限控制,防止目录遍历
- 接口权限控制。接口鉴权。
- 宏机操作。防止雪崩效应,实现分布式
- …………
3.2客户端
- 客户端篡改。ios 手机禁止越狱判断、android root权限校验
- 屏幕录像。屏蔽屏幕录像监控,保护密码和用户私下截图
- 权限控制。尽量禁止定位和操作,防止个人行踪泄漏
- 数据存储。加密数据存储
- 敏感信息泄漏。查看信息脱敏
- 数据页面权限控制,防止接口泄漏和页面泄漏
- 代码泄漏。通过混淆编译,增加代码可读性等
4 参考文献
【1】HTTP报文的结构
【2】认识网络、几种常用的网络拓扑图
这篇关于网络拓扑和安全的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
